9-2 Information Technology Use and Security Policy Manual - Chapter VII: Mobile Computing
Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”). The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”
This section establishes requirements for the use of mobile devices (both personally owned and Local Agency provided) to work on or access Local Agency resources and data.
A. Personally Owned Devices
Personally-owned devices include, but are not limited to, smartphones, laptops, notebooks, and tablets (e.g. iPads, Android), including, but not limited to, any such devices for which Staff Development or other similar County-provided funds were used to purchase the device in whole or in part.
- The Expectation of Privacy: The County of Sonoma will respect the privacy of a user’s voluntary use of a personally-owned device to access Local Agency IT resources. Users cannot be required and/or can refuse to use their personally-owned devices to work on or access Local Agency resources.
- The County of Sonoma will only request access to the personally-owned device and password in order to implement security controls; to respond to litigation hold (aka e-discovery) requests arising out of administrative, civil, or criminal directives, Public Record Act Requests, and subpoenas; or as otherwise required or permitted by applicable state or federal laws. Such access will be performed by an authorized Local Information Service Provider technician or designee using a legitimate software process.
- Users should receive prior approval from their manager to use their personally owned mobile device to access Local Agency IT resources or data.
- Users should be aware that the Data Owner retains ownership of Local Agency data created or stored on their personally-owned device. Users should also be aware that they can view but not store and/or download confidential or restricted data when technically feasible on their personally owned device.
- Users are responsible for backing up their personal data, settings, media, and applications on their personally owned device.
- Users should be aware that some personally owned devices may require the purchase of a software application and corresponding software license and/or subscription, to allow the device to comply with County and/or Local Agency policy and/or standards, and that they may be responsible for all costs of required software applications.
- Users are responsible for maintaining their personally-owned device with the manufacturer’s security and operating system updates.
- Users will not install software on their personally owned device that bypasses the built-in security features and controls.
- Users should use the built-in encryption feature on their personally-owned device when available.
- Users should remove Local Agency data from their personally-owned device, prior to removing access to Local Agency IT resources or data, leaving county employment, or disposing of their personally-owned device.
- Users should be aware that it is their responsibility to immediately report a lost or stolen personally-owned device to their manager/supervisor and Local Information Services Provider. Users should be aware that if their personally-owned device is lost or stolen, an attempt will be made to remotely wipe the device of all data.
- Users should be aware that it is their responsibility to set up their individual cellular plan with their provider and to pay all or a portion of the charges incurred, in accordance with applicable law. Any service or billing issues with the cellular or data provider may be the user’s sole responsibility and obligation.
- Physical Protection: Unattended mobile devices must be physically stored in a safe and secured manner.
B. Local Agency Provided Devices
- The Data Owner retains the right of ownership to all data created or stored on mobile devices in support of Local Agency business.
- Use of a mobile device to work on or access Local Agency IT resources and data must be first approved by the User’s supervisor/manager based on its benefit to Local Agency operations.
- The Local Agency may install security controls to manage the Local Agency provided mobile device.
- Right to IT Resource Monitoring: The Local Information Service provider has the right to monitor any and all aspects of Local Agency data access and use from mobile devices.
- Physical Protection: Unattended mobile devices must be physically stored in a safe and secured manner.
- Users of mobile devices accessing or storing Local Agency data must comply with all applicable local, state and federal laws related to the use of mobile devices.
- Remote Access: All users authorized to connect remotely to any Local Agency network and access Local Agency IT resources and data via the Internet must do so via the appropriate encrypted connection, such as a virtual private network or other secure method (e.g. SSL or TLS).
- Data Security Measures: All users of mobile devices must employ security measures in accordance with their Local Information Service Provider standards.
- Disposition: Local Agencies must ensure that Local Agency data is removed prior to reuse, recycling, or disposal of any mobile device. Any mobile device assigned to an employee no longer employed by the county that was used to access or store Local Agency data must be remotely wiped of all data.
- Loss or Theft: The loss or theft of any mobile device used to access or store Local Agency data must be reported as soon as possible to the User’s manager/supervisor, Information Security Representative or Local Information Services Provider.