(A) The city utilities adopts the following security procedures:
(1) Paper documents, files, and electronic media containing secure information will be stored in locked file cabinets. File cabinets will be stored in a locked room.
(2) Only specially identified employees with a legitimate need will have keys to the room and cabinet.
(3) Files containing personally identifiable information are kept in locked file cabinets except when an employee is working on the file.
(4) Employees will not leave sensitive papers out on their desks when they are away from their workstations.
(5) Employees store files when leaving their work areas.
(6) Employees log off their computers when leaving their work areas.
(7) Employees lock file cabinets when leaving their work areas.
(8) Employees lock file room doors when leaving their work areas.
(9) Access to offsite storage facilities is limited to employees with a legitimate business need.
(10) Any sensitive information shipped using outside carriers or contractors will be encrypted.
(11) Any sensitive information shipped will be shipped using a shipping service that allows tracking of the delivery of this information.
(12) Visitors who must enter areas where sensitive files are kept must be escorted by an employee of the utility.
(13) No visitor will be given any entry codes or allowed unescorted access to the office.
(14) Access to sensitive information will be controlled using “strong” passwords. Employees will choose passwords with a mix of letters, numbers, and characters. User names and passwords will be different. Passwords will be changed at least monthly.
(15) Passwords will not be shared or posted near workstations.
(16) When installing new software, immediately change vendor-supplied default passwords to a more secure strong password.
(17) Sensitive information that is sent to third parties over public networks will be encrypted.
(18) Sensitive information that is stored on computer network or portable storage devices used by employees will be encrypted.
(19) E-mail transmissions within your business will be encrypted if they contain personally identifying information.
(20) Anti-virus and anti-spyware programs will be run on individual computers and on servers daily.
(21) When sensitive data is received or transmitted, secure connections will be used.
(22) The use of laptops is restricted to those employees who need them to perform their jobs.
(23) Laptops are stored in a secure place.
(24) Laptop users will not store sensitive information on their laptops.
(25) Laptops which contain sensitive data will be encrypted.
(26) If a laptop must be left in a vehicle, the vehicle must be locked.
(27) The computer network will have a firewall where the network connects to the Internet.
(28) Any wireless network in use is secured.
(29) Maintain central log files of security-related information to monitor activity on the network.
(30) Monitor incoming traffic for signs of a data breach.
(31) Monitor outgoing traffic for signs of a data breach.
(32) Implement a breach response plan.
(33) Check references or do background checks before hiring employees who will have access to sensitive data.
(34) New employees sign an agreement to follow the company’s confidentiality and security standards for handling sensitive data.
(35) Access to customer’s personal identity information is limited to employees with a “need to know.”
(36) Procedures exist for making sure that workers who leave your employ or transfer to another part of the company no longer have access to sensitive information.
(37) Implement a regular schedule of employee training.
(38) Employees will be alert to attempts at phone phishing.
(39) Employees are required to notify the general manager immediately if there is a potential security breach, such as a lost or stolen laptop.
(40) Employees who violate security policy are subjected to discipline, up to and including dismissal.
(41) Service providers will give notice of any security incidents they experience, even if the incidents may not have led to an actual compromise of data.
(42) Paper records will be shredded before being placed into the trash.
(43) Any data storage media will be disposed of by shredding, punching holes in, or incineration.
(B) A report will be prepared annually and submitted to the governing body to include matters related to the program, the effectiveness of the policies and procedures, the oversight and effectiveness of any third party billing and account establishment entities, a summary of any identity theft incidents and the response to each incident, and recommendations for substantial changes to the program, if any.
(Ord. 8-2009, passed 4-14-09)