Information Technology Policy Manual 2022

16) A continuity of operations plan must be defined and implemented to ensure the availability of systems and applications in the event of an unforeseen disaster. The plan must include recovery procedures for systems and applications and must be tested regularly to identify gaps and areas of improvement.

17) Vulnerability assessments must be conducted regularly to identify and mitigate system and application vulnerabilities that could be exploited by unauthorized users to gain access to confidential information. Critical vulnerabilities must be mitigated in a timely manner to protect the City of Greensboro systems and information.

18) IT compliance reviews must be conducted regularly to ensure compliance with policies, procedures and standards. The reviews must include the following activities:

• Ensure that semi-annual backup and recovery tests are conducted and all identified issues are mitigated
• Ensure that monthly internal and external vulnerability assessments are conducted for single-tenant systems and that results are analyzed and communicated for remediation
• Ensure that security patches have been deployed to systems and applications
• Perform quarterly firewall reviews to identify and mitigate configuration weaknesses that may allow unauthorized access into systems and applications
• Perform annual software compliance checks to ensure that all software installed on endpoints is licensed for use
• Perform regular reviews of domain and system admin access to ensure that appropriate rights have been assigned to the proper individuals
• Perform monthly secure configuration reviews to ensure that systems and applications adhere to secure configuration standards
• Perform monthly reviews of change requests to ensure compliance with policy and procedure
• Perform weekly reviews of incidents to ensure that corrective and preventative measures are documented and implemented
• Perform regular incident response exercises to improve the incident response process
• Perform annual disaster recovery exercises to improve disaster recovery processes

Compliance deficiencies must be analyzed, documented, and immediately communicated to the individuals responsible for the function or activity to ensure that corrective actions are implemented to mitigate the deficiency.
