ICMARC Associate Handbook August 2016

CHAPTER 9 INFORMATION SECURITY

ICMA‑RC’s corporate data and computer resources are vital assets. The Information Security Department is responsible for protecting the confidentiality, integrity, and availability of all ICMA‑RC’s information processing activities, but all associates play a part. All information traveling over ICMA‑RC’s computer networks is a corporate asset, and the corporation prohibits the unauthorized access, disclosure, duplication, modification, diversion, loss, misuse or theft of this information. Information belonging to third parties (e.g., information entrusted to ICMA‑RC in confidence) is also included in this prohibition, as ICMA‑RC is contractually obligated to keep the information of our clients and partners secure.

In an effort to safeguard ICMA‑RC’s information resources, the Information Security & Technical Operations (ISTO) Division has developed a suite of ICMA‑RC policies all associates must follow. These policies provide guidance on all levels of interaction with ICMA‑RC’s data and information systems. While there is no substitute for familiarity with every ISTO-sponsored policy — all of which are available on ICMA‑RC’s intranet under the heading Computer Security Policies — the following policies provide guidance most applicable to and most referenced by the largest number of ICMA‑RC associates.

Acceptable Use Policy

This policy provides guidance at the highest level for how ICMA‑RC expects its associates to interact with its technology and handle its data. Associates will find in its pages handling instructions for sensitive data, password restrictions, reporting requirements for when equipment is stolen, and social media restrictions. Readers will also find prohibitions against distributing offensive material, unauthorized access attempts, and probing electronic security measures. All associates must read and sign the ICMA‑RC Acceptable Use Policy annually.

Internet Use Policy

This policy provides detailed guidance on acceptable Internet use on or through ICMA‑RC information systems. Specifically, the document provides direction on the use of proper security controls when transmitting ICMA‑RC data, as well as information regarding ICMA‑RC Internet-monitoring practices. This document also details ICMA‑RC Web-surfing limitations, and prohibitions against excessive personal Internet use, illegal use, and attempts to circumvent ICMA‑RC’s Internet security controls.

Password Security Policy

In the ICMA‑RC Password Security Policy (and its associated standard), you will find the corporation’s password complexity requirements, including the specific minimum construction standards that user and administrator passwords must meet to be acceptable. You will also find information regarding ICMA‑RC password testing, handling, and limitations on password use.

Remote Access Policy

The ICMA‑RC Remote Access Policy defines the minimum acceptable measures required for accessing

Confidential — for Internal Use Only
