ICMARC Associate Handbook August 2016

ICMA‑RC information systems and data from a non-ICMA‑RC location (e.g., telecommuting, field work). This document stipulates remote access approval requirements, general behavior mandates that ICMA‑RC expects of its associates when remotely connecting, and reporting requirements for lost or stolen remote-access-related equipment and policy infractions.

Data Classification Policy

All data residing on ICMA‑RC’s information systems must be classified as one of the following: Public, Non-public, Confidential, and Highly Confidential. The ICMA‑RC Data Classification Policy gives specific guidance regarding who is responsible for classifying data, as well as who are responsible for ensuring commensurate controls are in place based on that classification. The policy also indicates specific handling and storage guidance, including encryption and other access restrictions.

Third-Party Cybersecurity Policy

ICMA‑RC has very specific security requirements to which its associates must adhere when establishing and managing third-party (i.e., technology vendor) relationships. The ICMA‑RC Third-Party Cybersecurity Policy conveys these requirements, including appropriate security programs and procedures a third party must have before they are approved to handle ICMA‑RC data, as well as a questionnaire these third parties must complete before ICMA‑RC will consider them viable. This policy also indicates the importance of an ICMA‑RC owner for each third-party relationship, as well as the minimum monitoring activities ICMA‑RC requires.

Computer Software Anti-Piracy Policy

This policy is in place to prevent copyright infringements and protect ICMA‑RC’s computer environment from viruses. As part of the licensing agreement ICMA‑RC maintains with various software manufacturers and developers, the corporation may copy software for backup and archival purposes only.

The duplication of any licensed software or related documentation for use either on ICMA‑RC premises or elsewhere is prohibited, unless the corporation is expressly authorized otherwise by the licenser. You may use software on local area networks or on multiple machines only in accordance with applicable licensing agreements. In addition, you are prohibited from the following:

- Giving software to anyone for professional or personal use, including other ICMA‑RC associates, clients, contractors or vendors, unless expressly authorized by the Vice President of Information Technology
- Loading software, including games, not licensed through the corporation onto ICMA‑RC computers
- Loading corporate-owned software onto an outside computer without explicit authorization from Information Security

Unauthorized duplication of software may subject both you and the corporation to civil and criminal penalties under the U.S. Copyright Act. Associates in violation of this policy may be subject to disciplinary action including termination of employment and/or legal action.

Confidential — for Internal Use Only

