CYBERSECURITY POLICY AND PROCEDURES

1. Purpose

The purpose of this policy is to establish the City’s guidelines for computer security and the protection of an organization’s networks and its content or knowledge base, and to minimize the risk of internal and external cyber threats.

2. Scope

This policy applies to all City elected officials, employees, contractors, consultants, and others specifically authorized to access information and associated assets owned, operated, controlled, or managed by the City of Woodburn.

3. Policy

The City of Woodburn is committed to building a solid cybersecurity program to support, maintain, and secure critical infrastructure and data systems. To achieve this, the City will identify, evaluate, and take steps to avoid or mitigate risk to the City's information assets and prevent unauthorized digital or physical access, damage, theft, compromise, or interference to the City's information systems and facilities. These steps include implementing and operating controls to manage the City's information security risks and ensuring that all users of information assets are aware of their responsibilities in protecting those assets while complying with all applicable federal, state, or other regulations.

4. Responsibilities

Roles and responsibilities must be separated so that a single individual, account, or function cannot intentionally or unintentionally subvert a critical process. Controls must also be put in place so that no single person can access, modify, or use assets without authorization or detection. Achieving and maintaining cybersecurity is a shared responsibility.

Information Technology Manager will ensure that a written Cybersecurity Policy is implemented, reviewed and updated on a periodic basis; including providing training and updates to City staff; confirm identification, acquisition, and implementation of information system software and hardware; identify locations where Personally Identifiable Information (PII) is stored and accessible; provide input for who should have access to PII and with what types of privileges or access rights, performing periodic classification assessments and ensuring regular reviews to update and manage changes to risk; assess system vulnerabilities and implement security tools and safeguards for protecting PII; ensure implementation, enforcement, and effectiveness of IT Security policies and procedures; plan, execute, and lead security audits across the City; facilitate an understanding and awareness that security requires participation and support at all organizational levels; and oversee daily activities and use of information systems to ensure employees, business partners, and contractors adhere to these policies and procedures.

Under the direction of the IT Manager, the Information Technology Assistant Manager will help implement and enforce the items outlined in this policy. They will manage logs and events of all systems, utilizing a SIEM (Security Information and Event Management) system, and conduct periodic reviews to ensure our cybersecurity.

All users, including employees, elected officials, and contractors, must comply with all aspects of this policy and are responsible for the acceptable use and security of infrastructure and data. Users are accountable for their actions in use of City Technology Resources and information and may be held liable to administrative or criminal sanctions for any unauthorized actions found to be intentional, malicious or negligent.

Users are required to protect the confidentiality, integrity and availability of City Confidential or Restricted Information they use, transmit and store. Examples of confidential or sensitive information include but are not limited to: criminal justice data, pending litigation records, employee personnel records, health benefits information and medical files, payment card numbers, in-process procurement evaluation and contract negotiation materials, driver license numbers, social security numbers, dates of birth, intellectual property and all other information expressly exempt from Oregon public records laws.

Users must report all suspected security and/or policy violations to their supervisor and IT department.

5. Standards

5.1 Asset Management

An inventory of all approved hardware and software on the City network and systems will be maintained that documents the following:
• The employee in possession of the hardware or software
• Date of purchase
• Serial number
• Type of device and description
• For licensed software: # of licenses, license renewal date(s), other restrictions, etc.

All software used on City devices, or hosted by an internet-based service provider, must be appropriately and legally acquired and used according to a City procurement approved licensing agreement. Possession or use of illegal copies of software or data is expressly prohibited.

5.2 Personally Identifiable Information (PII)

An inventory of all current PII information by type and location will be maintained. The following table will be used to inventory PII.

Location | PII by type | Essential | Location Owner
Website
Contractors
File in a staff office
File in building
File offsite
Desktop
HR System
Financial System
Laptop
Flash drive
Cell phones
Tablets
Other

With the exception of the Police Department who have their own records retention policy, each manager will determine if PII being collected by their department is essential.
If PII is not essential, it will either not be collected, or (if collected) will be destroyed per Oregon records retention schedule and as approved by the City Recorder per City policy and procedures.

The City will not collect sensitive information, such as Social Security numbers if there is no legitimate business need. The Oregon Identity Theft Protection Act prohibits anyone (individual, private or public corporation, or business) who maintains Social Security numbers from:
• Printing a consumer's SSN on any mailed materials not requested by the consumer unless redacted
• Printing a consumer's SSN on a card used by the consumer that is required to access products or services
• Publicly posting or displaying a consumer's SSN, such as on a website

Exceptions include requirements by state or federal laws, including statute records (such as W2s, W4s, 1099s, etc.) that are required by law to be made available to the public for use for internal verification or administrative processes, or for enforcing a judgment or court order.

5.3 Identity Management, Authentication and Access Control

Information Technology Manager is responsible for ensuring that access to the City’s systems and data is appropriately controlled. All systems housing City data (including laptops, desktops, tablets, and cell phones) are required to be protected with a password or other form of authentication. Except for the instances noted in this policy, users with access to the City systems and data shall not share passwords with anyone.

The City has established the following password configuration requirements for all systems and applications (where applicable):
• Minimum password length: 8 characters
• Password complexity: use a rather than a password
• Prohibited reuse for six iterations
• Changed periodically (every 180 days)
• Invalid login attempts set to lock after three

Employees must follow further safeguards such as:
• Not allowing PII on mobile storage media
• Locking screens when away from their desks
• Use extreme caution when opening email attachments received from unknown senders, which may contain malware.
• Complete assigned training on cybersecurity and report suspicious emails to IT department
• Utilizing locking file cabinets
• Not allowing PII left on desktops
• sensitive files on computers
• Requiring password protection
• Enabling multi-factor authentication
• Following the record retention plan and destroying records no longer required

Where possible, multi-factor authentication will be used when users authenticate to the City’s systems.
• Users are granted access only to the system data and functionality necessary for their job responsibilities.
• Privileged and administrative access is limited to authorized users who require escalated access for their job responsibilities and where possible will have two accounts: one for administrator functions and a standard account for day to day activities.
• All user access requests must be approved by the Information Technology Manager.
• Information Technology Manager shall make sure all system access is removed for all users who separate from the City within 48 hours.

No Bluetooth Device shall be used or connected to City equipment that does not meet a minimum of Bluetooth v2.1 specifications without written authorization from the IT department. When Bluetooth is not in use, users must turn it off. Bluetooth must be used in “hidden” mode instead of “discoverable” mode, whenever possible.

Users must not tamper with or disable information security software or settings, including but not limited to network password mechanisms, system logs, virus protection software, security auditing and asset management tools, system clocks and software distribution tools.

Users and unauthorized users are not to access or attempt to access systems, networks or information for which they are not authorized, nor provide access to unauthorized users. Users are not to attempt to receive non-City business information or access information by unauthorized means, such as impersonating another system, user or person, misuse of User credentials (user I.D.s, passwords, etc.) or by causing any technological component to function incorrectly.

Users and unauthorized users are not to possess, intercept or transfer information or communications for which they are not authorized. Entering information into a computer or database that is known to be false and/or unauthorized, or altering a database, document, or computer disk with false and/or unauthorized information is prohibited.

On an annual basis, a review of user access will be conducted by the departments under the direction of the Information Technology Manager to confirm compliance with the access control policies outlined above.

5.4 Awareness and Training

City staff are required to complete City assigned security training:
1. Upon hire and within 30 days of receiving login credentials
2. Annually
3. As assigned

On an annual basis, the IT Manager will conduct email phishing exercises of its users. The purpose of these tests is to help educate users on common phishing scenarios. It will assess the level of awareness and comprehension of phishing, understanding, compliance with policy around safe handling of emails containing links and/or attachments, and the ability to recognize a questionable or fraudulent message.

5.5 Data Security

5.5.1 Data Classification

Users must adhere to the Records Retention Policy regarding the storage and destruction of data. Data residing on City’s systems must be continually evaluated and classified into the following categories:
• Users’ Personal Use: Includes individual user's personal data, emails, documents, etc. This policy does not apply to a user’s personal information.
• Marketing or Informational Material: Includes already-released marketing material, commonly known information, data freely available to the public, etc. and this policy does not apply.
• Operational: Includes data for basic organizational operations, communications with vendors, employees, etc. (non-confidential). Most data will fall into this category.
• Confidential: Any information deemed confidential. The following list provides guidelines on what type of information is typically considered confidential. Confidential data may include:
  o Employee or customer Social Security numbers or personally identifiable information (PII)
  o Personnel files
  o Protected Health Information (PHI)
  o Network diagrams and security configurations
  o Privileged communications regarding legal matters
  o
  o Bank account information and routing numbers
  o Payroll information
  o Credit card information
  o Any confidential data held for a third party (be sure to adhere to any confidential data agreement covering such information)

5.5.2 Data Storage

The following guidelines apply to the storage of the different types of organizational data.
• Operational: Operational data should be stored on a server that gets the most frequent backups. Some type of system- or disk-level redundancy is encouraged.
• Confidential: Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard or code secured.

5.5.3 Data Transmission

The following guidelines apply to transmitting the different types of organizational data.
• Confidential: Confidential data shall not be
  1) Transmitted outside the City’s network without strong
  2) Left on voicemail systems, either inside or outside the organization's network.
  3) Transmitted via email, outside of the organization’s network.

Data while transmitted, includes any data sent across the City’s network or any data sent to or from a City-owned or City-provided system. Types of transmitted data that shall be include:
• VPN tunnels
• Remote access sessions
• Web applications
• Email and email attachments
• Remote desktop access
• Communications with applications/databases

5.5.4 Data Destruction

Employees must follow the State’s and City’s records retention policy and procedures before destroying any data.
• Confidential: Confidential data must be destroyed in a manner that makes recovery of the information impossible. The following guidelines apply to data located on City-owned or City-provided systems, devices, media, etc.:
  o Storage media (CD's, DVD's): Physical destruction is required, some shredders may be able to perform this function.
  o Hard drives/systems/mobile storage media: At a minimum, DoD three pass data wiping must be used. Simply reformatting a drive does not make the data unrecoverable. If wiping is used, the City shall use the most secure commercially available methods. Alternatively, the City may physically destroy the storage media.

5.5.5 Data Storage

Stored Data includes any data located on City-owned or City-provided systems, devices, media, etc. Examples of options for stored data include:
• Whole disk
• of partitions/files
• of disk drives
• of personal storage media/USB drives
• of backups
• of data generated by applications

6. Information Protection Processes and Procedures

6.1 Secure Software Development

Where applicable, all software development activities performed by the City or by vendors on behalf of the organization shall employ secure coding practices, including those outlined below.

A minimum of 2 software environments for developing software systems should be available – development/training and a production environment. Software developers or programmers are required to develop in the development/training environment and promote objects into the production environments. The development/training environment is used for assurance testing by the end-user and the developer. The end-user should use the production environment solely for production data and applications. Compiling objects and the source code is not allowed in the production environment.

6.2 Contingency Planning

The City’s business contingency capability is based upon cloud and local backups of all critical business data, which is defined as “the data that is critical to successful organization operation.” Full data backups will be performed daily, and confirmation that backups were performed successfully will be conducted daily. Testing of cloud backups and restoration capability will be performed

During a contingency event, the Information Technology Manager will coordinate and direct all IT decisions and activities. The following are some examples of possible business contingency scenario procedures:
• In the event that one or more of City’s systems or applications are deemed corrupted or inaccessible, the Information Technology Manager will work with the respective vendor(s) to restore data from the most recent cloud and local backup and, if necessary, acquire replacement hardware.
• In the event that the location housing the City systems is no longer accessible, the Information Technology Manager will work with the respective vendor(s) to acquire any necessary replacement hardware and software, implement these at one of the City’s other sites, and restore data from the most recent cloud, off-site, or local backup.

6.3 Network Infrastructure

The City will use a firewall to protect its electronic communications network from the Internet. For maximum protection, the network devices shall meet the following configuration standards:
• Vendor recommended, and industry standard configurations will be used.
• Changes to firewall and router configuration will be approved by the Information Technology Manager.
• Both router and firewall passwords shall be secured and difficult to guess.
• The firewall's default policy for handling inbound traffic shall be to block all packets and connections unless the traffic type and connections have been specifically permitted.
• Inbound traffic containing ICMP (Internet Control Message Protocol) traffic shall not be passed in from the Internet, or from any un-trusted external network.
• All web services running on routers shall be disabled.
• The Simple Network Management Protocol (SNMP) Community Strings shall be made “private” (changed from the default “public”).

6.4 Network Servers

Servers typically accept connections from several sources, both internal and external. As a general rule, the more sources connected to a system, the more risk associated with that system, so it is particularly important to secure network servers.
• Unnecessary files, services, and ports shall be removed or blocked. A server-hardening guide, which is available from the leading operating system manufacturers, shall be followed if possible.
• Network servers, even those meant to accept public connections, shall be protected by a firewall or access control list.
• When possible, a standard installation process shall be developed for the City's network servers. A standard process will provide consistency across servers no matter which employee or contractor handles the installation.
• Clocks on network servers shall be with the City's other networking hardware using NTP or another means. This will, among other benefits, aid in problem resolution and security incident investigation.

6.5 Network Segmentation

Network segmentation is used to limit access to data within the City network based on data sensitivity. The City maintains two wireless networks. The guest/public wireless network grants the user internet access only. Access to the secure wireless network is limited to City staff and devices and provides the user with access to the intranet.

Under the direction of the Information Technology Manager, a third-party network administrator manages the network user accounts, monitors firewall logs, and operating system event logs. The Information Technology Manager authorizes vendor access to the system components as maintenance requires.

7. Protective Technology

7.1 Email Filtering

The City shall filter email, at minimum, at the Internet gateway and/or the mail server. This filtering will help reduce spam, viruses, or other messages deemed either contrary to this policy or a potential risk to the City's IT security. Additionally, email or anti-malware programs may be implemented to identify and quarantine emails that are deemed suspicious.

7.2 Internet Filtering

The IT Department shall block access to internet websites and protocols deemed inappropriate or that pose a security risk. Some examples of blocked categories are adult/sexually explicit material, advertisements, hacking, violence and hate content.

7.3 Mobile Devices

Users should not download City information onto personal devices. The download of City data to personal devices exposes users to the possibility of subpoena or Records Requests.

City Confidential Information stored on Mobile Devices or Removable Media must use IT department approved techniques for temporary data storage. City Confidential and Restricted Information must not be transmitted via wireless technology to/or from a Mobile Device unless IT department approved wireless transmission protocols are implemented.

Mobile devices and Removable Media must have approved storage anti-malware capability, and device firewall operational and always activated. Use of services, such as backups for mobile devices local device remote services, and websites) must be controlled through Mobile Device Management (MDM) or other centralized management solution.

Mobile devices may not access City networks unless their integrity is verified (including whether the device has been rooted/jailbroken, software patches, OS patches, etc.). Mobile devices that cannot support the above requirements are required at a minimum to implement a six-digit PIN with a fifteen-minute inactivity lockout.

Non-City owned mobile devices and remote access services that require City network connectivity must conform to City information security policies and standards. Non-City owned or managed mobile devices may have limited access rights to City technology resources and information.

All City Users must secure Mobile Devices and Removable Media in their care and possession and immediately report any loss or theft of such devices to the IT Department.

7.3 Network Vulnerability Assessments

Every quarter, the IT Department will perform both internal and external network vulnerability assessments. These assessments aim to establish a comprehensive view of the organization’s network as it appears internally and externally. These evaluations will be conducted under the direction of the Information Technology Manager to identify weaknesses in the network configuration that could allow unauthorized and/or unsuspected access to the organization’s data and systems.

In addition, annual penetration testing will be run to identify weaknesses or vulnerabilities that must be addressed.

8. Anomalies and Events

The following logging activities are conducted by IT System Administrator under the direction of the Information Technology Manager:
• Domain Controllers - Active Directory event logs will be configured to log the following security events: account creation, escalation of privileges, login failures, and excessive repeated login attempts.
• Application Servers - Logs from application servers (web, email, database servers) will be configured to log the following events: errors, faults, login failures, and excessive repeated login attempts.
• Network Devices - Logs from network devices (firewalls, network switches, routers) will be configured to log the following events: errors, faults, login failures, and excessive repeated login attempts.

Passwords should not be contained in logs.

The IT system administrator will review the logs of the above events at least once per month, utilizing a SIEM (Security Information and Event Management). Event logs will be configured to maintain a record of the above events for at least three months.

9. Security Continuous Monitoring

9.1 Anti-Malware Tools

All City servers and workstations shall utilize endpoint protection software to protect systems from malware and viruses. Real-time scanning will be enabled on all systems, and weekly malware scans will be performed. The IT system administrator will review the endpoint protection software dashboard to confirm the status of virus definition updates and scans.

9.2 Patch management

All software updates and patches will be distributed to all City systems as follows:
• Workstations shall be configured to install software updates every night automatically.
• Server software updates shall be manually installed at least quarterly.
• Any exceptions shall be documented.

10. Response Planning

The City’s annual security awareness training shall include direction and guidance for the types of security incidents users could encounter, what actions to take when an incident is suspected, and who is responsible for responding to an incident. A security incident, as it relates to the City’s information assets, can be defined as either an Electronic or Physical Incident.

Information Technology Manager is responsible for coordinating all activities during a significant incident, including notification and communication activities and the chain of escalation and deciding if/when outside agencies, need to be contacted.

10.1 Electronic Incidents

This type of incident can range from an attacker or user accessing the network for unauthorized/malicious purposes to a virus outbreak or a suspected Trojan or malware infection. The steps below should be taken in order when an electronic incident is suspected.
1. Remove the compromised device from the network by unplugging or disabling the network connection. Do not power down the machine.
2. Report the incident to the IT System Administrator or Information Technology Manager.
3. Contact the third-party service provider (and/or computer forensic specialist) as needed.

The remaining steps should be conducted with the assistance of the third-party IT service provider and/or computer forensics specialist.
4. Disable the compromised account(s) as appropriate.
5. Backup all data and logs on the machine, or copy/image the machine to another system.
6. Determine exactly what happened and the scope of the incident.
7. Determine how the attacker gained access and disable it.
8. Rebuild the system, including a complete operating system reinstall.
9. Restore any needed data from the last known good backup and put the system back online.
10. Take actions, as possible, to ensure that the vulnerability will not reappear.
11. Conduct a post-incident evaluation. What can be learned?
What could be done differently?

10.2 Physical Incidents

A physical IT security incident involves the loss or theft of a laptop, mobile device, PDA/Smartphone, portable storage device, or other digital apparatus that may contain the City’s information. All suspected physical security incidents should be reported immediately to the IT System Administrator or Information Technology Manager.

10.3 Notification

If an electronic or physical security incident is suspected of having resulted in the loss of, or unauthorized access to employee PII or third-party/customer data, notify the City Attorney's office for direction on procedures for notifying the public or affected entities as well as necessary government agencies.

11. Recovery & Restoration

Recovery processes and procedures shall be executed and maintained to ensure the timely restoration of systems and/or assets affected by cybersecurity events. Information Technology Manager manages and directs activities during an incident, including the recovery steps. Recovery planning and processes are improved by incorporating lessons learned into future activities.

Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet service providers, owners of the affected systems, victims, and vendors. External communications should only be handled by designated individuals at the direction of the City Administrator. Recovery activities are communicated to internal stakeholders, executives, and management teams.

12. References

Oregon Administrative Rules Chapter 166, Division 200 City general records retention schedule
Oregon Revised Code Chapter 192 Records, public reports and meetings
Oregon Identity Theft Protection Act, ORS 646A.600 – 628.
ORS 646A.622
City of Woodburn HR Rules
City of Woodburn Use of City Information Technology Policy & Procedures
City of Woodburn Social Media Policy and Procedures

12. Review of Policy and Procedures

This policy will be reviewed annually or as state and federal regulations are revised, necessitating a policy or procedure change.

Adopted: July 2021
Revised: October 2024

Appendix B – Confidentiality and Non-Disclosure Agreement

This Confidentiality and Nondisclosure Agreement (the "Agreement") is entered into by and between City of Woodburn ("Disclosing Party") and ("Receiving Party") for the purpose of preventing the unauthorized disclosure of Confidential Information as defined below. The parties agree to enter into a confidential relationship with respect to the disclosure of certain proprietary and confidential information ("Confidential Information").

1. Definition of Confidential Information. For purposes of this Agreement, "Confidential Information" shall include all information or material that has or could have commercial value or other utility in the business in which the Disclosing Party is engaged. Examples of Confidential Information include the following:
• Employee or customer Social Security numbers or personal information
• Customer data
• Entity financial data
• Product and/or service plans, details, and schematics,
• Network diagrams and security configurations
• Communications about entity legal matters
• Passwords
• Bank account information and routing numbers
• Payroll information
• Credit card information
• Any confidential data held for a third party

2. Exclusions from Confidential Information. Receiving Party's obligations under this Agreement do not extend to information that is: publicly known at the time of disclosure or subsequently becomes publicly known through no fault of the Receiving Party; discovered or created by the Receiving Party before disclosure by Disclosing Party; learned by the Receiving Party through legitimate means other than from the Disclosing Party or Disclosing Party's representatives; or is disclosed by Receiving Party with Disclosing Party's prior written approval.

3. Obligations of Receiving Party. The receiving Party shall hold and maintain the Confidential Information in strictest confidence for the sole and exclusive benefit of the Disclosing Party. The receiving Party shall carefully restrict access to Confidential Information to employees, contractors, and third parties as is reasonably required and shall require those persons to sign nondisclosure restrictions that are at least as protective as those in this Agreement. Receiving Party shall not, without the prior written approval of Disclosing Party, use for Receiving Party's own benefit, publish, copy, or otherwise disclose to others, or permit the use by others for their benefit or to the detriment of Disclosing Party, any Confidential Information. Receiving Party shall return to Disclosing Party any and all records, notes, and other written, printed, or tangible materials in its possession pertaining to Confidential Information immediately if Disclosing Party requests it in writing.

4. Time Periods. The nondisclosure provisions of this Agreement shall survive the termination of this Agreement and Receiving Party's duty to hold Confidential Information in confidence shall remain in effect until the Confidential Information no longer qualifies as a confidential or until the Disclosing Party sends the Receiving Party written notice releasing Receiving Party from this Agreement, whichever occurs first.

5. Relationships. Nothing contained in this Agreement shall be deemed to constitute either party a partner, joint venture or employee of the other party for any purpose.

6. Severability. If a court finds any provision of this Agreement invalid or unenforceable, the remainder of this Agreement shall be interpreted to best effect the parties' intent.

7. Integration. This Agreement expresses the parties’ complete understanding of the subject matter and supersedes all prior proposals, agreements, representations, and understandings. This Agreement may not be amended except in a writing signed by both parties.

8. Waiver. The failure to exercise any right provided in this Agreement shall not be a waiver of prior or subsequent rights.

This Agreement and each party's obligations shall be binding on the representatives, assigns, and successors of such party. Each party has signed this Agreement through its authorized representative.

Disclosing Party
By:
Printed Name:
Title:
Dated:

Receiving Party
By:
Printed Name:
Title:
Dated: