Cyber Security Policy Manual

implemented in a timely manner to effectively mitigate the risk to City of Greensboro’s systems and information.

5) Encryption controls must be implemented to protect the confidentiality and integrity of confidential information being processed by, transmitted through, and stored in City of Greensboro’s systems and applications. Encryption keys must be protected from unauthorized access and disclosure.

6) An information classification model must be defined to provide a framework for categorizing data collected, stored and managed by the City of Greensboro and securing this data from risks including unauthorized access, destruction, modification, disclosure, use and removal.

7) Information security controls must be implemented to ensure that all employees obey laws, regulations, and City policies when using IT resources. This includes copyright laws, software-licensing agreements, data privacy and protection laws and standards including HIPAA and PCI, and contractual requirements related to intellectual property rights and use of proprietary software products. Controls must also be implemented to protect the confidentiality of personally identifiable information, personal health information, and financial information.

8) A change management process must be implemented to manage change to IT infrastructure including hardware, software, and services and ensure the availability of systems and applications by minimizing risk and disruption to IT infrastructure caused by change.

9) Secure configuration standards must be defined and implemented for workstations, servers, databases, and network devices to protect systems and information from unauthorized access and disclosure of confidential information.

10) An incident management process must be implemented to ensure that information security incidents are properly reported and appropriately investigated. The process must outline the activities required to successfully manage incidents from reporting to closure.

11) A secure software development process must be defined and implemented to ensure that secure coding practices are followed when designing and developing applications. These practices protect confidential information from unauthorized access or modification and ensure the continuous availability of systems and applications to City of Greensboro employees, residents and partners.

12) Continuity of operations plans must be defined and implemented to ensure the availability of systems and applications in the event of a disaster. The plans must include recovery procedures for systems and applications and must be tested regularly to identify and mitigate any potential gaps.

13) Information security training must be provided to all City of Greensboro employees regularly to promote good security practices and educate employees about threats and countermeasures to protect City of Greensboro’s systems and information. Information security training must also be provided to application developers to ensure that developed
