The purpose of these Administrative Rules is to ensure the security and availability of technology systems and networks, and to help ensure the confidentiality, integrity and availability of electronic information captured, maintained and used by the City of Portland. This policy shall be used as the foundation document for all information security policies, standards, procedures, and guidelines developed and implemented by the City.
The Information Security Policies are to be "living" documents that will be altered as required to deal with changes in technology, applications, procedures, legal and social imperatives and perceived dangers.
All users (employees, contractors, vendors, and other parties) are responsible for complying with these policies.
Authority and Compliance
The Chief Technology Officer (CTO) shall establish and provide authority and governance for information security policies, standards, and best practices for City technology in order to secure all City technology systems and assets and promote the most efficient use of technology resources.
The Information Security Manager (ISM) is responsible for developing and enforcing policies and standards for the implementation and use of information technology security standards and compliance on a Citywide basis.
The City of Portland is a public entity. It has custodial responsibilities for a significant and diverse amount of sensitive information. It holds business contracts with a broad range of public and private organizations. It is the recipient of federal and private grants. It owns, maintains and operates significant critical infrastructures and services including those of public health and safety. All of these facts place significant burden on the City regarding the management and use of its extensive technology resources. Not least among these burdens are compliance requirements with many State and Federal laws, regulations, and promulgated rules. Pursuant to Federal and State regulations, management control of access to law enforcement data, specifically NCIC 2000 and LEDS, is under the authority of the Chief of Police of the Portland Police Bureau.
Beyond strict compliance requirements, the City must also understand and consider several additional government and industry standards and best practices that contribute to the objective of “due care”.
In addition to the City’s information security governance and compliance requirements, this policy also reflects the City’s strong commitment to its own institutional ethics and values.
Successful compliance and protection of technology assets require all business system owners, system operators, data custodians and users of City-owned technologies to learn, understand, and support this City's information security policy and associated guidelines.
The Information Security Administrative Rules 2.02 through 2.18 include policies covering the following areas:
2.02: ROLES AND RESPONSIBILITIES
2.03: NETWORK ACCESS
2.04: REMOTE NETWORK ACCESS
2.05: USER & ADMINISTRATIVE PASSWORDS
2.06: DATABASE PASSWORDS
2.07: MALWARE PREVENTION & RECOVERY
2.08: INCIDENT REPORTING & RESPONSE
2.09: PORTABLE COMPUTING DEVICES
2.10: WIRELESS 802.11 NETWORKS
2.11: ANALOG MODEMS
2.12: PHYSICAL SECURITY
2.13: INTRUSION DETECTION
2.14: SECURITY AUDITS
2.16: FIREWALL SECURITY & MANAGEMENT
2.17: PAYMENT CARD SECURITY STANDARDS
2.18: INFORMATION CLASSIFICATION & PROTECTION
In addition to the above policies, the following general information security policies apply to all users (employees, contractors, vendors, and other parties) of the City’s technology:
Altering Authorized Access: Personnel are prohibited from changing access controls to allow themselves or others to perform actions outside their authorized privileges and assigned responsibilities.
Background Checks: Background checks may be a requirement for any employee, volunteer, contractor or vendor who will be working with or around confidential or sensitive technology equipment or data under BTS management. Such determination will be at the discretion of the CTO, ISM, and Business System Owner unless it is mandated by law or State/Federal requirement.
Data Protection: Personnel are required to protect the confidentiality, integrity and availability of private or sensitive electronic data they use, transmit and store. Examples of confidential, private or sensitive electronic data include, but are not limited to: criminal justice data, pending litigation records, employee personnel records, health benefits data and medical files, payment card numbers, in-process procurement evaluation and contract negotiation materials, driver license numbers, social security numbers, dates of birth, intellectual property and all other data expressly exempt from Oregon public records laws as provided by ORS 192.501 to 192.505.
Denial of Service Actions: Personnel are not allowed to prevent authorized users or other systems from performing authorized functions by actions that deny access or the ability to communicate. These include actions that deliberately suppress communications or generate frivolous or unauthorized network traffic.
Malicious Software (Malware): Personnel must not, willingly or through an act of gross negligence, introduce or use malware such as computer viruses, Trojan horses, worms or spyware.
Personnel Accountability: Personnel are accountable for their actions in use of City technologies and may be held liable to administrative or criminal sanctions for any unauthorized actions found to be intentional, malicious or grossly negligent.
Reconstruction of Information or Software: Personnel are not allowed to reconstruct or duplicate information or software for which they are not authorized.
Software Licenses: All software used on City devices must be appropriately and legally acquired and used according to the licensing agreement. Possession or use of illegal copies of software or data is expressly prohibited.
Tampering with Information Security Software and Settings: Personnel must not tamper with or disable information security software or settings, including but not limited to network password mechanisms, system logs, virus protection software, security auditing and asset management tools, system clocks and software distribution tools.
Unauthorized Access: Personnel are not to access or attempt to access systems or information for which they are not authorized, nor provide access to unauthorized users. Personnel are not to attempt to receive unintended messages or access information by unauthorized means, such as impersonating another system, user or person, misusing legitimate user credentials (user ids, passwords, etc.), or causing any technology component to function incorrectly. Personnel are not to possess, intercept or transfer information or communications for which they are not authorized or which are not an assigned function of their responsibilities.
Unauthorized Data Alteration: Entering information into a computer or database that is known to be false and/or unauthorized, or altering a database, document, or computer disk with false and/or unauthorized information is prohibited.
This policy is applicable to all Business System Owners, System Operators, Data Custodians, and Users of City technology systems, associated information or any other electronic processing or communications related resources or services.
Exceptions to this policy must be approved by the CTO or the ISM. In each case, the bureau must request the exception waiver, in writing, and include such items as the need for the exception, the scope and extent of the exception, the safeguards to be implemented to mitigate risks, specific timeframe for the exception, organization requesting the exception, and the approval from the bureau director requesting the exception.
Monitoring of User Accounts, Files and Access
Related Administrative Rules governing employee use of information technologies and expectation of privacy, monitoring of use, site blocking, prohibited use, E-mail (including all-employee broadcast E-mail, Union use of E-mail, Netiquette, and E-mail records retention), and malware protection are included in the Bureau of Human Resources Administrative Rules.
Electronic Data and Records Management
The City generates, processes and stores many forms of information. Records retention and disposition policies, maintained by the City Auditor's Office, can be found at http://www.portlandonline.com/auditor/.
All City Business System Owners, Data Custodians, and Users are obligated to understand the nature of the data they generate, use, or store and ensure that they are managing that data in full compliance with City records management policies.
Revised rule adopted by the Chief Administrative Officer of the Office of Management and Finance and filed for inclusion in PPD October 29, 2015.