Cyber Security Policy Manual

scheduling any necessary regular internal and external communications relevant to the City of Greensboro’s ISMS.

The City of Greensboro communicates its cyber security program documents to its employees and users via the Citynet SharePoint site. The Cyber Security Team communicates rules and guidelines for using the City of Greensboro’s network and IT resources to all employees. On a monthly basis, the Cyber Security Team also communicates cyber security advisories to all employees to increase their awareness of threats and cyber-attacks and to help protect systems and information. When deemed necessary, the Cyber Security Team engages with the Communications department to communicate issues and concerns related to the City of Greensboro’s ISMS to residents and vendors. The City of Greensboro Council and Management Team follow the guidelines defined in the City Council and Staff Communications Guidelines to establish and help foster effective communications between Council members, the management team and employees.

INTERNAL AUDIT

The City of Greensboro will undergo an internal audit to provide information on whether the information security management system conforms to the City of Greensboro’s information security requirements and the international standard’s requirements as defined in Clauses 4-10 and Annex controls 5-18 of the ISO27001:2013 standards. Internal audits are conducted on an annual basis by the onsite third-party cyber security consultant to ensure the objectivity and impartiality of the audit process. The credentials of the third-party Cyber Security Consultant (Cyber Security Specialist) include the following certifications: Certified Information System Security Professional (CISSP) and Certified Information Security Manager (CISM), which qualify the Cyber Security Consultant (Cyber Security Specialist) to conduct the internal audit.

The third-party Cyber Security Consultant (Cyber Security Specialist) will use the “Internal Audit Checklist” document, which contains the audit criteria and audit requirements, interview the City’s Cyber Security Team personnel, and review all security policies, processes and technologies to ensure the effectiveness of the information security controls. The audit results will be documented and communicated to all stakeholders. All identified non-conformities will be addressed and mitigated in a timely manner.

MANAGEMENT REVIEW

The Cyber Security Team will provide monthly updates to management in the form of a monthly cyber security report that includes the following aspects of the information security management system:

1. The status of actions from previous monthly reports
