§ 33.55  PERSONAL INFORMATION SECURITY PROCEDURES.
   The Town of Ellettsville adopts the following security procedures:
   (A)   When opening a new water or wastewater account the customer must apply in person and furnish photo identification, proof of ownership or rental agreement.
   (B)   Paper documents, files, and electronic media containing secure information will be stored in secure file cabinets.
   (C)   Only specially identified employees with a legitimate need will have access to the cabinet.
   (D)   Files containing personally identifiable information are kept in secure file cabinets except when an employee is working on the file.
   (E)   Employees are not to leave sensitive papers out on their desks when they are away from their workstations.
   (F)   Employees log off their computers when leaving their work areas.
   (G)   Any sensitive information shipped will be shipped using a shipping service that allows tracking of the delivery of this information.
   (H)   Visitors who must enter areas where sensitive files are kept must be escorted by an employee of the utilities.
   (I)   No visitor will be given any entry codes or allowed unescorted access to the office.
   (J)   Access to sensitive information will be controlled using “strong” passwords.  Employees will choose passwords with a mix of letters, numbers, and characters.  User names and passwords will be different.  Passwords will be changed at least monthly.
   (K)   Passwords will not be shared or posted near workstations.
   (L)   Password-activated screen savers will be used to lock employee computers after a period of inactivity.
   (M)   When installing new software, immediately change vendor-supplied default passwords to a more secure strong password.
   (N)   Sensitive information will not be sent on private or public networks unless it is password protected.
   (O)   Sensitive information that is stored on computer network or portable storage devices used by employees will be password protected.
   (P)   Personal identifying information will not be sent by email transmissions.
   (Q)   Anti-virus and anti-spyware programs will be run on individual computers and on servers daily.
   (R)   When credit card data is received or transmitted, secure connections will be used.
   (S)   The use of laptops is restricted to those employees who need them to perform their jobs.
      (1)   Laptops are stored in a secure place.
      (2)   Laptop users will not store sensitive information on their laptops.
      (3)   Employees never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage.  If a laptop must be left in a vehicle, it is locked in a trunk.
   (T)   The computer network will have a firewall where your network connects to the internet.
   (U)   Any wireless network in use is secured.
   (V)   Maintain central log files of security-related information to monitor activity on their network.  (Automatically done on server).
   (W)   Server will monitor incoming and outgoing traffic for signs of a data breach.
   (X)   Breach response plan: bring down the internet, turn off DSL and audit security log.
   (Y)   Check references or do background checks before hiring employees who will have access to sensitive data.
   (Z)   New employees sign an agreement to follow their company’s confidentiality and security standards for handling sensitive data.
   (AA)   Access to customer’s personal identity information is limited to employees with a “need to know”.
   (BB)   Procedures exist for making sure that workers who leave employment or transfer to another part of the company no longer have access to sensitive information.
   (CC)   Implement a regular schedule of employee training.
   (DD)   Employees will be alert to attempts at phone phishing.  (Do not answer questions.)
   (EE)   Employees are required to notify the Utility Office Manager or the Clerk-Treasurer immediately if there is a potential security breach, such as a lost or stolen laptop.
   (FF)   Service providers notify the employee of any security incidents they experience, even if the incidents may not have led to an actual compromise of data.
   (GG)   Employees who violate security policy are subjected to discipline, up to, and including, dismissal.
   (HH)   Paper records will be shredded before being placed into the trash.
      (1)   Paper shredders will be available in each department.
      (2)   Any data storage media will be disposed of by shredding, punching holes in, or incineration.
(Ord. 09-19, passed 8-24-2009)