9-4 Information Technology Professionals Policy -Section II: Roles and Responsibilities
II. Roles and Responsibilities
Information security extends well beyond Information Technology (IT). Information security is a critical business function that touches all aspects of an organization, including fiscal, legal, human resources and IT. The County of Sonoma (County) is fully committed to information security and asserts that every person employed by or on behalf of the County has important responsibilities to maintain the security of Local Agency IT resources and data.
- Chief Information Security Officer
The County Information Systems Director serves as the Chief Information Security Officer and is responsible for:
- Overseeing and managing the County Information Technology and Security Program, which includes:
- Developing and maintaining the County information security strategy;
- Providing information security related technical, regulatory and policy leadership;
- Facilitating the implementation of County information technology and security policies; and
- Approving or denying policy waivers.
- Information Security Steering Committee
The Information Security Steering Committee is the coordinating body for all County information security-related activities and is composed of the County Privacy Officer, Information Security Officer and individuals designated by the IT Governance Council. The Information Security Steering Committee is responsible for:
- Developing and proposing County information technology and security policies, standards, and guidelines;
- Reviewing County information technology and security policies and policy waivers annually;
- Reviewing Local Agency policy exception requests and making recommendations for CISO approval or denial;
- Maintaining documentation of policy waivers;
- As requested, reviewing Local Agency information technology and security policies for compliance with County policies; and
- Identifying and recommending industry best practices for information security.
- Local Agency Department Head/General Manager
The Local Agency Department Head/General Manager and/or Designee are responsible for:
- Periodically reviewing security processes to ensure compliance with relevant security policies and standards;
- Establishing supplemental information technology and security policies as needed for their business purposes, provided they are not less restrictive than County policies;
- Establishing procedures and guidelines as needed in support of this Policy manual; and
- Designating an information security representative.
- Information Security Representative
The Information Security Representative is designated by the Local Agency Department Head/General Manager to coordinate information security within their Local Agency and is responsible for:
- Assisting in the development of any Local Agency information technology and security policy;
- Reviewing Local Agency information technology and security policies for compliance with County policies; and
- Representing the Local Agency’s information security concerns countywide.
- Local Information Services Providers
The County Information Systems Department, the Human Services Department Information Integration Division, the Sonoma County Sheriff's Office Technical Services Bureau, and the County Water Agency Computer Application and Instrumentation Support Section serve as Local Information Service Providers and are responsible for:
- Providing network infrastructure, network access, data storage and e-mail services to Local Agencies;
- Maintaining an inventory of Local Agency IT resources;
- Configuring Local Agency IT resources in accordance with County information technology and security standards;
- Implementing and maintaining technology-based services that adhere to the intent and purpose of applicable information technology and security policies, standards and guidelines;
- Investigating, remediating and documenting information security incidents; and
- Establishing and implementing standards, procedures, and guidelines as needed for this Policy manual.
- Data Owner
The Data Owner is the Local Agency Department Head/General Manager or other individual authorized by law, regulation or policy to collect and manage the data that supports their business operations and is responsible for:
- Identifying applicable law, regulations, or standards that contain information security requirements for the data they own;
- Classifying Local Agency data and IT resources based upon law, regulation, common business practice, liability or reputational factors;
- Establishing, as needed, Local Agency policies and procedures for the data and IT resources they own; and
- Ensuring mitigation of known or suspected information security incidents, and notifying individuals or agencies in the event of a data breach involving unencrypted personal information.
- Data Steward
The Data Steward is designated by the Data Owner to protect the confidentiality, integrity, and availability of the data that supports their business operations and is responsible for:
- Assisting the Data Owner in the classification of Local Agency data;
- Implementing protection requirements for the data and IT resources entrusted to their stewardship; and
- Authorizing access to Local Agency data in accordance with the classification of the data.
- Data Custodian
The Local Information Service Provider serves as the Data Custodian and is responsible for:
- Implementing the necessary safeguards to protect Local Agency data and IT resources at the level classified by the Data Owner or the Data Steward;
- Granting access privileges as authorized by the Data Owner or Data Steward;
- Complying with any additional security policies and procedures established by the Data Owner and/or Data Steward;
- Advising the Data Owner and/or Data Steward of vulnerabilities that may present a threat to their Local Agency data and of specific means of protecting that data; and
- Notifying the Data Owner of any known or suspected information security incident.