Cyber Security Policy Manual

CYBER SECURITY POLICY MANUAL

PREPARED BY IT CYBER SECURITY DIVISION Information Technology Department

Cyber Security Policy Manual City of Greensboro, NC Cyber Security Division

T ABLE OF C ONTENTS

DOCUMENT INFORMATION

5

CYBER SECURITY & COMPLIANCE POLICY

7

P URPOSE

7 7 7 8 8

S COPE

D EFINITIONS

R OLES AND RESPONSIBILITIES

P OLICY

VULNERABILITY MANAGEMENT POLICY

11

P URPOSE

11 11 11 11 11

S COPE

D EFINITIONS

R OLES AND RESPONSIBILITIES

P OLICY

PATCH MANAGEMENT POLICY

14

P URPOSE

14 14 14 14 15

S COPE

D EFINITIONS

R OLES AND RESPONSIBILITIES

P OLICY

DATA CLASSIFICATION POLICY

16

P URPOSE

16 16 16 16

S COPE

D EFINITIONS

R OLES AND RESPONSIBILITIES

Cyber Security Policy Manual

1

P OLICY

17

ENCRYPTION POLICY

20

P URPOSE

20 20 20 20 21

S COPE

D EFINITIONS

R OLES AND RESPONSIBILITIES

P OLICY

REMOTE ACCESS POLICY

22

P URPOSE

22 22 23

S COPE P OLICY

USER PROVISIONING POLICY

25

P URPOSE

25 25 25 25 26

S COPE

D EFINITIONS

R OLES AND RESPONSIBILITIES

P OLICY

SUPPLIER RISK MANAGEMENT POLICY

28

P URPOSE

28 28 28 28 29

S COPE

D EFINITIONS

R OLES AND RESPONSIBILITIES

P OLICY

MOBILE DEVICE POLICY

31

P URPOSE

31 31 31 31 31

S COPE

D EFINITIONS

R OLES AND RESPONSIBILITIES

P OLICY

NETWORK ACCESS POLICY

34

Cyber Security Policy Manual

2

P URPOSE

34 34 34 34

S COPE

R OLES AND RESPONSIBILITIES

P OLICY

CYBER SECURITY INCIDENT RESPONSE PROCEDURE

36

P URPOSE

36 36 36 37 37

S COPE

D EFINITIONS

R OLES AND RESPONSIBILITIES

P ROCEDURE

INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) POLICY

40

P URPOSE

40 40 40 41 41 41 43 44 44 44 45 45 45 46 46 47

S COPE

R OLES AND RESPONSIBILITIES

I NTRODUCTION

S COPE S TATEMENT

E XTERNAL /I NTERNAL I SSUES

I NTERESTED P ARTIES

I NTERFACES AND D EPENDENCIES

I NFORMATION S ECURITY M ANAGEMENT S YSTEM

L EADERSHIP AND C OMMITMENT

P LANNING

C HANGES TO P OLICIES , P ROCESSES AND P ROCEDURES

C OMMUNICATIONS I NTERNAL A UDIT

M ANAGEMENT R EVIEW

C ONTINUAL I MPROVEMENTS

CARD PAYMENT HANDLING POLICY

48

P URPOSE

48 48 48 49

S COPE

R OLES AND RESPONSIBILITIES

P OLICY

POLICY ENFORCEMENT

51

Cyber Security Policy Manual

3

POLICY COMPLIANCE

51

POLICY EXCEPTIONS

51

Cyber Security Policy Manual

4

D OCUMENT I NFORMATION

Policy Name: Cyber Security Policy Manual Document Reference Number: GSO-CSPM-001 Version : 1.6 Effective from : 3/1/2018 Document Change History and Revision Control

Version

Sections Revised

Description of Revision

Changed By

Date

1.0

All

-

Initial Document Creation

Cyber Security Team Cyber Security Team Cyber Security Team

2/7/2018

1.1

-

Updated Social Media Policy section Updated the internal audit section of the ISMS policy

2/4/2019

1.2

-

1/28/2020

-

Added Card Payment Handling Policy Updated password configuration in User Provisioning Policy

-

1.3

-

Provided updates to Social Media Policy

Law & Compliance Team

5/13/2020

1.4

-

Updated Vulnerability Management Policy

Cyber Security Team

1/29/2021

1.5

-

Updated Mobile Device Policy

Cyber Security Team

1/31/2023

1.6

All

-

Updated roles and responsibilities throughout the policy Removed Social Media Policy

Cyber Security Team

2/16/2024

-

Cyber Security Policy Manual

5

Approval Details

Reviewed & Approved By

Role

Signature

Date

Rodney Roberts

Chief Information Officer

2/21/2024

Nick Brown

Network Services Manager

2/21/2024

Cyber Security Policy Manual

6

C YBER S ECURITY & C OMPLIANCE P OLICY

P URPOSE The purpose of this policy is to define the principles by which the City of Greensboro will protect the confidentiality, integrity and availability of systems and information and ensure compliance with data privacy laws and industry regulations. Protecting systems and information and ensuring compliance with laws and regulations is fundamental to the successful operation of the City of Greensboro.

S COPE This policy applies to:

1) All Information Technology assets leased, owned and operated by the City of Greensboro 2) All data stored, processed and transmitted by City of Greensboro systems and applications 3) All City of Greensboro employees, contractors, and consultants

D EFINITIONS Confidential Information

The type of information that if lost or stolen could severely impact the City of Greensboro and its employees and residents. Examples include personal identifiable information, credit card numbers, bank account numb ers, users’ names and passwords Improving the reliability of a system or application to make it always available for employees, residents and partners

Availability

OWASP

Open Web Application Security Project – Defines security standards to follow to develop and implement secure web applications

PCI

Payment Card Industry standards designed to ensure that companies that process, store or transmit credit card information maintain a secure environment Health Insurance Portability and Accountability Act – a US legislation that provides data privacy and security provisions for safeguarding medical information

HIPPA

Cyber Security Policy Manual

7

R OLES AND RESPONSIBILITIES Function

Responsibility

Chief Information Officer

Support efforts to ensure that proper security controls are implemented to protect the City of Greensboro’s systems and information and comply with data privacy laws and industry regulations security management to ensure that information security controls are defined and implemented to protect City of Greensboro systems and information and comply with data privacy laws and industry regulations - Communicate risks and mitigation recommendations to IT and City management and define, implement and manage security controls to protect City of Greensboro systems and information Adhere to all security policies and controls that have been implemented to protect City of Greensboro systems and information - Provide strategic direction and information

Cyber Security Team

All employees, contractors, and consultants

P OLICY 1) Systems and applications must be protected against network intrusions and cyber-attacks that aim at compromising the confidentiality, integrity and availability of City of Greensboro information. Network detection and prevention controls must be implemented to identify and stop these intrusions and cyber-attacks. 2) Access control mechanisms must be implemented to ensure that access to systems and information is provided to users that have been authorized and approved. Unauthorized access attempts to systems and information must be detected and blocked. 3) Vulnerability assessments must be conducted regularly to identify and mitigate system and application vulnerabilities that could be exploited by unauthorized users to gain access to confidential information. Critical vulnerabilities must be mitigated in a timely manner to protect City of Greensboro systems and information. 4) Security patch management process must be implemented to provide efficient and reliable method for the assessment, testing and implementation of security patches to systems, applications and network devices. The process must ensure that security patches are

Cyber Security Policy Manual

8

implemented in a timely manner to ef fectively mitigate the risk to City of Greensboro’s systems and information. 5) Encryption controls must be implemented to protect the confidentiality and integrity of confidential information being processed by, transmitted through, and stored in City of Gre ensboro’s systems and applications. Encryption keys must be protected from unauthorized access and disclosure. 6) An information classification model must be defined to provide a framework for categorizing data collected, stored and managed by the City of Greensboro and securing this data from risks including unauthorized access, destruction, modification, disclosure, use and removal. 7) Information security controls must be implemented to ensure that all employees obey laws, regulations, and City policies when using IT resources. This includes copyright laws, software-licensing agreements, data privacy and protection laws and standards including HIPPA and PCI, and contractual requirements related to intellectual property rights and use of proprietary software products . C ontrols must also be implemented to protect the confidentiality of personal identifiable information, personal health information, and financial information. 8) Change management process must be implemented to manage change to IT infrastructure including hardware, software, and services and ensure the availability of systems and applications by minimizing risk and disruption to IT infrastructure caused by change. 9) Secure configuration standards must be defined and implemented for workstation, servers, databases, and network devices to protect systems and information from unauthorized access and disclosure of confidential information. 10) Incident management process must be implemented to ensure that information security incidents are properly reported and appropriately investigated. The process must outline the activities required to successfully manage incidents from reporting to closure. 11) Secure software development process must be defined and implemented to ensure that secure coding practices are followed when designing and developing applications. These practices protect confidential information from unauthorized access or modification and ensure the continuous availability of systems and applications to City of Greensboro employees, residents and partners. 12) Continuity of operations plans must be defined and implemented to ensure the availability of systems and applications in the event of a disaster. The plans must include recovery procedures for systems and applications and must be tested regularly to identify and mitigate any potential gaps. 13) Information security training must be provided to all City of Greensboro employees regularly to promote good security practices and educate employees about threats and countermeasures to protect City of Greensboro’s systems and information. Information security training must also be provided to application developers to ensure that developed

Cyber Security Policy Manual

9

applications address the OWASP top 10 vulnerabilities. IT personnel must also be trained on using advanced analysis and forensics techniques to identify and remove Malware infections in systems and applications. 14) Risk assessments must be conducted regularly to identify risks to City of Greensboro’s systems and information and implement controls to mitigate identified risks. The risk assessment must take into considerations business objectives, compliance changes and evolving security threats. City of Greensboro information security strategy must be defined according to identified risks and must focus on minimizing these risks to an acceptable level. 15) The City of Greensboro must undergo annual Payment Card Industry (PCI) audits to ensure that proper security controls are implemented to protect credit card information traversing the City’s systems and network. 16) IT compliance program must be established to ensure compliance to laws, regulations, policies and standards. Monthly, quarterly, semi-annually and annual compliance activities must be conducted to identify and mitigate compliance deficiencies.

Cyber Security Policy Manual

10

V ULNERABILITY M ANAGEMENT P OLICY

P URPOSE New technology vulnerabilities emerge on daily basis. It is essential to identify and mitigate these vulnerabilities to protect the City’s systems and applications and safeguard confidential information. For this reason, vulnerability scans must be conducted on regular basis to ensure that system and application vulnerabilities are identified, assessed, communicated and mitigated in a timely manner.

S COPE This policy applies to:

1) All City of Greensboro IT employees, contractors, consultants. 2) All IT resources including software, network devices, servers, workstations, and storage media.

D EFINITIONS Vulnerability

A weakness that, if exploited, allows an attacker to gain access and take control of a system Conducting security checks to identify weaknesses in systems and applications

Scan

R OLES AND RESPONSIBILITIES Function

Responsibility

Cyber Security Team

1. Conduct vulnerability scans to identify vulnerabilities and configuration weaknesses in systems and applications 2. Provide vulnerability mitigation recommendations to IT Administrators Ensure that identified vulnerabilities are mitigated in a timely manner as described in bullet 5 of the policy

IT Administrators

P OLICY 1) The Cyber Security Team is authorized to conduct vulnerability assessments against all systems and applications connected to the City’s network to identify vulnerabilities and

Cyber Security Policy Manual

11

configuration weaknesses. This is required to protect the City’s systems and information from threats and cyber-attacks and comply with all applicable laws and regulations. 2) All systems and applications connected to the City’s network are subject to these assessments, whether or not they are owned or operated by the City of Greensboro. 3) To ensure that vulnerability scans are comprehensive and accurate, scans maybe conducted using an authenticated method. During this method, the vulnerability scanning software logs into the system or application with administrator-level access. 4) The Cyber Security Team requires IT Administrators to review the results of vulnerability scans and evaluate, test and mitigate system and application vulnerabilities appropriately. 5) The timely and consistent mitigation of a reported vulnerability is critical in protecting the City’s systems, applications and data from damage or loss due to threats such as Malware, cyber-attacks or other forms of external and internal threats. For this reason, identified vulnerabilities must be mitigated in accordance with the specific timeframes described here: a. Critical - denotes a vulnerability that an attacker can easily exploit to gain access to a critical system, application or confidential information. These types of vulnerabilities must be mitigated within 1 week. b. Severe - denotes a vulnerability that an attacker could exploit to gain access to a system, application or confidential information. While this class of vulnerabilities is extremely serious, the risk of a breach or compromise is not as urgent as with a critical vulnerability. These types of vulnerabilities must be mitigated within 1 month. c. Moderate - denotes a vulnerability that may allow an attacker to gain access to specific information stored on the system including system settings. The vulnerability allows an attacker to gain access to information that may be used to compromise the system in the future. These types of vulnerabilities must be mitigated within 2 months. d. Low – denotes a vulnerability that may allow an attacker to gain access to system information such as installed software and version numbers. This information can be used in launch various types of reconnaissance attacks against the system in an attempt to gather additional information to gain access to it. These types of vulnerabilities must be mitigated within 3 months . 6) IT Administrators must work with Cyber Security Team to conduct vulnerability assessment against new systems and applications before production migration. 7) In the event of a security vulnerability or incident, devices maybe removed from the network or isolated. IT Administrators will be contacted to identify and resolve the issue. 8) If applicable, system configuration standards must be updated by IT Administrators as new vulnerability issues are found. 9) Vulnerability scans must be conducted frequently and based on the following factors:

Cyber Security Policy Manual

12

a. Incident-response scan – An on demand sc an initiated as a result of a specific security related incident. b. Admin Requested – The system owner with administrative authority over the equipment may request vulnerability scans as a part of the Change Management Process. c. Web Application Scan – Conducted monthly against all public facing web applications. d. PCI DSS Scan – Conducted monthly against all external systems and applications to ensure that payment card systems are not vulnerable to compromise. e. Internal Environment Scanning – Conducted bi-weekly against all internal systems and applications. 10) Should an IT Administrator identify a reported vulnerability as a potential false positive, the Cyber Security Team must be engaged to verify. 11) Vulnerabilities and other policy violations must be resolved by communicating to the user of record, with denial of network access reserved as a last resort. Compromises and other security breaches must follow the City of Greensboro’s Incident Response Policies and related documents.

Cyber Security Policy Manual

13

P ATCH M ANAGEMENT P OLICY

P URPOSE Patch management is a critical part of maintaining the security of systems, applications and network infrastructure. It is a vital component of the City’s cyber security program. Security vulnerabilities are inherent in systems and applications, which allow the development and propagation of Malware that can disrupt the City’s operations in addition to placing confidential data at risk. This policy ensures that there is a process in place to provide efficient and reliable method for the assessment, testing and deployment of software patches to all systems, applications and network devices. The process will ensure patches are deployed in a timely manner to effectively mitigate the risk to the City. S COPE This policy applies to: 1) All City of Greensboro IT employees, contractors, consultants. 2) All IT resources including software, network devices, servers, workstations, and storage media.

D EFINITIONS Vulnerability

A weakness that, if exploited, allows an attacker to gain access and take control of a system A software update designed to fix a vulnerability in a system or application

Patch

R OLES AND RESPONSIBILITIES Function

Responsibility

Cyber Security Team

1) Conduct vulnerability scans to identify missing patches in systems, applications and network devices 2) Communicate the results to IT Administrators Ensure that security patches are tested and deployed to systems, applications and network devices in a timely manner

IT Administrators

Cyber Security Policy Manual

14

P OLICY 1) IT Administrators must review, evaluate, and appropriately apply security updates and software patches to systems, applications and network devices in a timely manner. If patches cannot be applied in timely manner due to hardware or software constraints, other mitigating controls must be evaluated and implemented to reduce the risk to an acceptable level. 2) In order to protect the City’s systems, applications and confidential information, IT Administrators must apply security updates and software patches in accordance with the specific timeframes here: a. For critical or out of band updates (emergency cycle) – security updates and software patches must be tested for 2 days and then deployed to all production systems and applications immediately after. b. For important updates or updates that are released within the normal window (normal cycle) – security updates and software patches must be tested for 2 weeks and then deployed to all production systems and applications immediately after. 3) In the event of a security vulnerability or incident, devices may be removed from the network or isolated. IT Administrators will be contacted to identify and resolve the issue. 4) Each vulnerability alert and patch release must be evaluated to ensure that it applies to the City’s systems and applications prior to taking any action in order to avoid unnecessary patching. 5) Automated tools must be used to deploy security updates and software patches to systems and applications. Manual patching is acceptable for critical systems and applications. 6) Vulnerability scans must be conducted against all systems, applications and network devices to identify vulnerabilities related to missing security updates and software patches. The scan results must be evaluated and communicated to IT Administrators. IT Administrators must mitigate all identified vulnerabilities according to the timeframes defined in the Vulnerability Management Policy. 7) All security updates and software patches must be tested prior to deployment to production systems and applications. 8) IT Administrators must ensure that all systems, applications and network devices are fully patched before production migration. 9) A back out plan that allows safe restoration of systems and applications to their pre-patch state must be devised prior to security update and software patch deployments. The plan can be executed in the event that the patch has unforeseen effects.

Cyber Security Policy Manual

15

D ATA C LASSIFICATION P OLICY

P URPOSE Data classification is the classification of data based on its level of sensitivity and the impact to the City should that data be destroyed, modified or disclosed without authorization. The purpose of this document is to provide a framework for categorizing data collected, stored, and managed by the City, and securing this data from risks including unauthorized destruction, modification, disclosure, access, use, and removal. S COPE This policy applies to: 1) All City of Greensboro employees, contractors, and consultants. 2) All IT resources include, but are not limited to, mobile devices, software applications, network devices, printers, servers, workstations, and storage media.

D EFINITIONS CVV

Authentication procedure established by credit card companies to further efforts towards reducing fraud for internet transactions Firewall rules that defines allowed and denied IP addresses and protocols Intrusion prevention system that detects and blocks intrusion and cyber-attacks against systems and application A standard security technology for establishing an encrypted link to allow for the secure transmission of data

Ruleset

IPS

SSL

R OLES AND RESPONSIBILITIES Function

Responsibility

Cyber Security Team

1) Define the classification model 2) Define the required security controls to protect the classified data 3) Provide user awareness and training about proper data handling 1) Classify data according to data classification model defined in this policy 2) Ensure the proper security controls are in place to protect the classified data

Data Owners

Cyber Security Policy Manual

16

Data User

Handle classified data in accordance with the rules and guidelines defined in this policy

P OLICY 1) Since the classification of data helps determine the appropriate security controls to implement in order to protect the data, all City’s data must be classified into one of the following categories: e. Confidential – this type of data could cause significant impact to the City if destroyed, modified or disclosed without authorization. Examples of confidential data include: o Personally Identifiable Information (PII) – this include name, social security

number, date of birth, state- issued driver’s license number, and other personal characteristics that would make the person easily identifiable. o Payment Card Information – this includes cardholder name, credit card number, service code, expiration date, CVV, PIN, and content of credit card magnetic stripe. o Protected Health Information (PHI) – this include any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. o SCADA and critical infrastructure documents o Other data types that must be protected in accordance with state and federal regulation.

f. Public – this type of data could cause low impact to the City if destroyed, modified or disclosed without authorization. Examples of public data include: o Any information that can be made public through the Public Information Request Tracking (PIRT) system o Publicly accessible websites o Data posted on blogs and other social media outlets o Press releases posted on public websites 2) The classified data must be handled based on the following table. The table also defines the required security controls to protect the classified data

Security Control Category

Data Classification

Confidential

Public

Cyber Security Policy Manual

17

Access Control

- Viewing and modification restricted to authorized individuals as needed for business-related roles - Data Owner or designee grants permission for access. Access requires approval from supervisor - Authentication and authorization required for access - Third Party Access Policy is required for third-party access - Data should only be printed when there is a legitimate need - Copies must be limited to individuals authorized to access the data - Data should not be left unattended on a printer/fax - Encryption required (i.e. SSL or secure file transfer protocols) - Cannot transmit via e-mail unless encrypted - Must use encrypted USB drives if being transported to outside entities - Protection with a network firewall using "default deny" ruleset required - Must reside on isolated segment separate from the internal network - IPS required - Servers hosting the data cannot be visible to the Internet, nor to unprotected subnets on the City’s network - The firewall ruleset must be reviewed periodically

- No restriction for viewing - Authorization by Data Owner or designee required for modification

Copying and Printing

- No restrictions

Transmission

- No restrictions

Network Security

- May reside on a public network but protected with a firewall and IPS system

Cyber Security Policy Manual

18

Data Storage

- Storage on a secure server required - Storage in Secure Data Center required - Must not store on an individual workstation or mobile device - Cannot be stored on a USB drive - Server must be configured according to server secure configuration standards

- Storage on a secure server required - Storage in Secure Data Center required

System Security

- Server must be configured according to server secure configuration standards

3) Data owners are responsible for classifying their data and ensuring the proper security controls are in place to protect the classified data. Data owners are also responsible for ensuring that proper labelling is placed on IT equipment where confidential data is stored.

Cyber Security Policy Manual

19

E NCRYPTION P OLICY

P URPOSE The purpose of this policy is to define the encryption standards and provide guidance on the use of encryption technologies to protect the confidentiality and integrity of information being processed by, transmitted through, and stored on City of Greensboro’s systems and applications. S COPE This policy applies to: 1) All Information Technology assets owned and operated by the City of Greensboro. 2) All employees, contractors and consultants.

D EFINITIONS AES

Advanced Encryption Standards - specification for encrypting data established by National Institute of Standards and Technology (NIST) Secure Hash Algorithm – a hashing function used to mask confidential information in systems and applications. The SHA specification was established by National Institute of Standards and Technology (NIST) Secure Socket Layer - a standard security technology for establishing an encrypted link between a server and a client The key length (measured in bits) of the key used in a cryptographic algorithm. A 256-bit key length is extremely difficult to crack The type of information that if lost or stolen could severely impact the City of Greensboro and its residents. Examples include personal health information, bank account numbers, passwords, personally identifiable information and credit card information

SHA

SSL

256-bit

Confidential Information

R OLES AND RESPONSIBILITIES Function

Responsibility

Cyber Security & Compliance Officer Define data encryption standards to protect City’s confidential information Cyber Security Analyst Monitor systems and applications to ensure compliance to data encryption standards IT Administrators Encrypt data at rest and in transmit according to the standards defined in this policy

Cyber Security Policy Manual

20

City Employees

Follow the encryption standards defined in this policy to prevent unauthorized access to confidential information

P OLICY 1) All implemented encryption standards must support a minimum encryption level of AES 256-bit encryption. Hashing functions must support a minimum hashing level of SHA2 256 bit. 2) Encryption is required when remotely accessing City of Greensboro’s systems and applications via Citrix XenApp, VPN, remote desktop or other remote access tools. 3) T rusted SSL certificates must be used when allowing resident’s access to City of Greensboro’s web applications. 4) If transferring confidential information to third-party via email or other file transfer methods, SSL certificates, email encryption or secure file transfer protocols must be used to protect confidential information from becoming compromised. 5) Confidential information residing in databases must be hashed to prevent unauthorized access to it. 6) The use of proprietary encryption algorithms is not permitted. 7) File and folder encryption must be implemented on laptops that contain confidential information in order to prevent unauthorized access to the information if the laptop is lost or stolen. 8) Encrypted USB drives must be used if there is a business need to copy confidential information on USB drives. This prevents unauthorized access to the information if the USB drive is lost or stolen. 9) Encryption keys and passwords must be stored in a safe location. Access to encryption keys and passwords must be restricted to the individuals that have administrative privileges to the systems and applications where these keys are used.

Cyber Security Policy Manual

21

R EMOTE A CCESS P OLICY

P URPOSE The purpose of this policy is to define rules and requirements for connecting to the City of Greensboro's network from any host. These rules and requirements are designed to minimize the potential exposure to the City of Greensboro from damages which may result from unauthorized use of City of Greensboro resources. Damages include the loss of sensitive or City of Greensboro confidential data, intellectual property, damage to public image, damage to critical City of Greensboro internal systems, and fines or other financial liabilities incurred as a result of those losses. This is not a substitute policy for telecommuting employees. There is a separate Telecommuting Policy (Policy B-17 in the online Personnel Policy Manual) for those employees who telecommute on a regularly scheduled basis. S COPE This policy applies to all City of Greensboro employees, including full-time staff, part-time staff, contractors, consultants, vendors, trainers, temporary staff and the like who utilize City-owned computers to remotely access the organization’s data and networks. Employment at the City of Greensboro does not automatically guarantee the granting of remote access privileges. The City reserves the right to inspect the home workspace during work hours to ensure required conditions are met. The inspection will be conducted by a member of the Human Resources Department in th e Health & Safety Division who should be accompanied by the employee’s department Human Resources Representative (HR Rep) and the employee’s supervisor or manager. Any non-exempt employee working overtime (i.e. checking email/voice mail messages) without prior approval from the supervisor may be denied further remote access privileges and be subject to corrective action up to and including dismissal. Any overtime worked after general scheduled hours will be compensated as required by FLSA. Any and all work performed for the City of Greensboro on said computers by any and all employees, through a remote access connection of any kind, is covered by this policy. Work can include (but is not limited to) e-mail correspondence, Web browsing, utilizing intranet resources, and any other City applications used over the Internet. Remote access is defined as any connection to the City of Greensboro’s network and/or other applications from off - site locations, such as the employee’s home, a hotel room, airports, cafés, satellite office, wireless devices, etc.

Non-City Owned Computers include employee owned laptops and home computers. Non-City owned computers can present risks to the City’s systems and applications. For example, Malware

Cyber Security Policy Manual

22

hidden on a non-City computer that is used to access City resources can record all keystrokes entered, including your City’s username and password, then use the information to gain unauthorized access to the City’s systems and sensitive information.

Non-City Owned Computers can only be used to access:  Exchange Webmail access

Non-City Owned Computers cannot be used for:  Access to internal City systems and applications  Access to the City via VPN  Saving email and attachments when using Exchange Webmail

P OLICY It is the responsibility of City of Greensboro employees, contractors, consultants, vendors, trainers, temporary staff and the like with remote access privileges to City of Greensboro's network to ensure that their remote access connection is given the same consideration as the user's on-site connection to the City of Greensboro. General access to the Internet for recreational use through the City of Greensboro network is strictly limited to City of Greensboro employees, contractors, vendors and agents (hereafter referred to as “Authorized Users”). When accessing the City of Greensboro network from a personal computer, Authorized Users are responsible for preventing access to any City computer resources or data by non-Authorized Users. Performance of illegal activities through the City of Greensboro network by any user (Authorized or otherwise) is prohibited. The Authorized User bears responsibility for and consequences of misuse of the Authorized User’s access. For further information and definitions, see the Information Technology Acceptable Use Policy . 1) Employees will use secure remote access procedures. This will be enforced in accordance with the City of Greensboro’s Password Policy. Employees agree to never disclose their passwords to anyone, particularly to family members if business work is conducted from home. 2) All hosts that are connected to the City of Greensboro internal networks via remote access technologies must use the most up-to-date anti-virus software, this includes personal computers. Third-party connections must comply with requirements as stated in the Third Party Access Policy . 3) Remote users using public hotspots for wireless Internet access must employ for their devices a personal firewall, VPN, and any other security measure deemed necessary by the IT department. VPNs supplied by the wireless service provider should also be used, but only in conjunction with the City’s additional security measures.

Cyber Security Policy Manual

23

4) Employees, contractors, consultants, vendors, trainers, temporary staff and the like will make no modifications of any kind to the remote access connection without the express approval of the City’s IT department. This includes, but is not limited to, split tunneling, dual homing, non-standard hardware or security configurations, etc. 5) Employees, contractors, consultants, vendors, trainers, temporary staff and the like with remote access privileges must ensure that their computers are not connected to any other network while connected to the City’s network via remote access, with the obvi ous exception of Internet connectivity. 6) In order to avoid confusing official City of Greensboro business with personal communications, employees, contractors, consultants, vendors, trainers, temporary staff with remote access privileges must never use non-City e-mail accounts (e.g. Hotmail, Yahoo, etc.) to conduct City of Greensboro business. 7) No employee is to use Internet access through City networks via remote connection for the purpose of illegal transactions, harassment, competitor interests, or obscene behavior, in accordance with other existing employee policies. The City of Greensboro employee bears responsibility for the consequences should the access be misused. 8) All remote access connections must include a “time - out” system. Time -outs will require the user to reconnect and re-authenticate in order to re-enter City networks. 9) If a personally- or City-owned computer or related equipment used for remote access is damaged, lost, or stolen, the authorized user will be responsible for notifying their manager and the City’s IT department immediately. 10) The remote access user also agrees to immediately report to their manager and the City’s IT department any incident or suspected incidents of unauthorized access and/or disclosure of City of Greensboro resources, databases, networks, etc. 11) The remote access user also agrees to and accepts that his or her access and/or connection to the City of Greensboro’s networks may be monitored to record dates, times, duration of access, etc., in order to identify unusual usage patterns or other suspicious activity. As with in-house computers, this is done in order to identify accounts/computers that may have been compromised by external parties.

Cyber Security Policy Manual

24

U SER P ROVISIONING P OLICY

P URPOSE The purpose of this policy is to define the access control principles for creating and removing user accounts and granting access to systems and applications to protect the City of Greensboro’s systems and information from unauthorized access and disclosure. S COPE This policy applies to: 1) All information technology assets owned and operated by the City of Greensboro 2) All City of Greensboro Employees 3) All City of Greensboro Suppliers, contractors and consultants

D EFINITIONS Authentication

The process of identifying an individual based on username and password. It ensures that the individual is who he/she claims to be The process of granting or denying access to a network resource based on user identity. It ensures that only authorized users gain access to network resources The process of keeping track of user’s activities while accessing network resources. It identifies malicious behavior on the network and helps with trend analysis, planning and auditing An approach to restricting system and application access to authorized users based on the role they hold at the City

Authorization

Accounting

Role-based access control

R OLES AND RESPONSIBILITIES Function

Responsibility

Cyber Security Team

1. Review requests for privileged and service accounts and approve/deny these requests 2. Monitor and review the use of privileged accounts 3. Conduct reviews of accounts and passwords to ensure compliance with policy 4. Ensure that accounts provisioned adhere to the policy

Cyber Security Policy Manual

25

IT Administrators

1. Configure password parameters in systems and applications according to the password configurations defined in this policy 1. Reset account passwords if needed 2. Troubleshoot failed logins and other account login issues

IT Service Desk

P OLICY 1) Requests for account creation and system access must be made through the IT Service Desk at 373.2322. The IT Service Desk must assign requests related to account creation and system access to the Cyber Security Analyst. 2) Requests for privileged and service accounts must be reviewed and approved by the Cyber Security Team. 3) Employees, consultants and contractors must complete, agree to and sign the Third Party Access Policy before an account is created. 4) User account must be unique and have an owner assigned to it to ensure that access to systems and applications is restricted by unique user account. 5) User account must follow the naming standard that complies with the City of Greensboro naming standard requirements (Lawson ID or Last Name, First Initial). 6) Access rights must be provided following the principles of least privilege and need to know. 7) Role-based access control must be used to ensure that users are assigned the proper access. Division Managers must determine the proper role to assign to each user in order to perform their job function within the system or application. Role security (if available) must be used to ensure that users have the proper access to tasks and functions within the system or application. 8) Identification, authorization and accounting mechanisms must be implemented to securely link users with access rules and prevent unauthorized access to systems and applications. 9) Access to confidential information must be restricted to authorized users whose job responsibility requires it as determined by Division Managers. 10) User password length must be a minimum of 14 characters. 11) Users must change their passwords every 365 days. 12) User account must be locked out after 5 failed login attempts with lockout duration set to forever or until the IT Service Desk or local IT team unlocks the account. 13) Users must keep their passwords secure and they must not write them down or share them with anyone. Passwords must be changed immediately if compromised or suspected of being compromised. 14) IT Service Desk or local IT team must use secure methods to communicate passwords to users. 15) Passwords must be encrypted or hashed when stored in the system or application.

Cyber Security Policy Manual

26

16) Users have the ability to reset their passwords using the City’s password reset tool. If the IT Service Desk or local IT team is required to reset user’s password, they must verify the use r identity and provide the user with a temporary password to be changed upon user logging into the system or application. 17) Accounts for terminated users must be disabled immediately upon receiving a notification from Human Resources or Division Managers or Supervisors or Technology Liaisons. Disabled accounts must be removed after 30 days unless specified otherwise. 18) Upon termination, Human Resources or Division Managers or Supervisors or Technology Liaisons must ensure that access badges and technology assets are collected from terminated employees. 19) All account creation, deletion, and privilege change activities must be logged and reviewed on regular basis. Failed and successful login attempts must also be logged and reviewed on regular basis to identify unauthorized login attempts.

Cyber Security Policy Manual

27

S UPPLIER R ISK M ANAGEMENT P OLICY

P URPOSE The purpose of this policy is to ensure that City of Greensboro’s engagements with suppliers, contractors and consultants have acceptable levels of risk to the confidentiality, availability and integrity of the City’s systems and information.

S COPE This policy applies to:

1) All City of Greensboro suppliers 2) All City of Greensboro contractors and consultants

D EFINITIONS Confidential Information

The type of information that if lost or stolen could severely impact the City of Greensboro and its residents. Examples include personal health information, bank account numbers, passwords, personally identifiable information and credit card information Any data or combination of data that can be used to uniquely identify, contact, or locate the individual to whom such information pertains Any individually identifiable information which relates to the past, present, or future physical or mental health or condition of an individual or the provision of health care to an individual

Personally Identifiable Information (PII)

Protected Health Information (PHI)

R OLES AND RESPONSIBILITIES Function

Responsibility

Cyber Security Team

Conduct audits and security reviews of suppliers to identify risks and ensure compliance to requirements

Cyber Security Analyst Suppliers, Contractors and Consultants

Assist in supplier risk assessment activities

Adhere to all rules and guidelines defined in this policy

Cyber Security Policy Manual

28

P OLICY 1) Suppliers must strive to identify vulnerabilities, risks and threats, take all actions necessary to protect the City’s information regarding security issues and help limit the likelihood that vulnerabilities in systems and applications are exposed. 2) Suppliers must complete the “Supplier Information Security Questionnaire” and engage with the City’s Cyber Security Personnel to review the completed questionnaire. If deemed necess ary, the City’s Cyber Security T eam will conduct security scans against the application, software or service. If critical security issues are identified after reviewing the security questionnaire and/or conducting the security scans, the supplier must resolve these issues as quickly as possible. 3) The City must not use the service provided by the supplier until all critical security issues have been resolved. 4) If the supplier experiences a data breach that impacts City’s information, the supplier must notify the City as quickly as possible so that certain measures can be taken to limit the impact of such a breach. 5) Supplier’s infrastructure must be protected against network intrusions and cyber -attacks that aim at compromising the confidentiality, integrity and availability of systems and applications. Network detection and prevention controls must also be implemented to identify and stop intrusions and cyber-attacks. 6) Suppliers must conduct vulnerability assessments regularly to identify and mitigate system and application vulnerabilities that could be exploited by unauthorized individuals to gain access to confidential information. 7) Suppliers, contractors or consultants must sign and adhere to the City’s Third Party Access Policy (TPA) to ensure that City’s confidential information is protected against release and disclosure without proper authorization. Suppliers, contractors and consultants must not disclose confidential information to any person other than employees or authorized representatives of the City who require access to such information. Such confidential information include but not limited to information related to business processes, software, application data, resident lists, employee lists, personal identifiable information, protected health information, vendor lists, operational methods, strategic plans, and any other confidential affairs concerning the City of Greensboro and its employees and residents. 8) Suppliers, contractors or consultants must not collect information about City’s employees and residents and distribute or share that information with other third parties or use the information to communicate with employees and residents about products, services or offerings. 9) Suppliers, contractors or consultants must avoid the unauthorized use of copyrighted materials of software or software applications and must confer with the City if they have any questions regarding the permissibility of photocopying, excerpting, electronically copying, or otherwise using copyrighted materials.

Cyber Security Policy Manual

29

10) Suppliers, contractors or consultants must not engage in activities that might harm City’s IT resources. This includes introducing computer viruses, sending spam emails, disrupting services, damaging files or making unauthorized changes to software or information. 11) Suppliers, contractors or consultants must not attempt to circumvent any information security measure s that have been implemented to protect the City’s systems and information. This includes but not limited to using hacking or password cracking programs in an attempt to gain unauthorized access to systems or information.

Cyber Security Policy Manual

30