(A) Definition. PERSONAL INFORMATION means an individual’s first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one or more of the following data elements:
(1) An account number, credit card number or debit card number that, in combination with any required security code, access code or password, would permit access to an account;
(2) A Social Security number;
(3) A taxpayer identification number that incorporates a Social Security number;
(4) A driver’s license number, state identification card number or other individual identification number issued by any agency;
(5) A passport number or other identification number issued by the United States government; or
(6) Individually identifiable health information as defined in 45 C.F.R. § 160.103, except for education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, 34 C.F.R. Part 99.
(B) Policy overview.
(1) The purpose of this policy is to minimize the risk of disclosing personal information and setting practical guidelines for effectively responding to security incidents. This policy sets forth the procedures and practices pursuant to KRS 61.932. In addition, this policy requires appropriate measures to protect information stored on media, both digital and non-digital, during the entire term of its use, until its destruction.
(2) Non-digital media containing personal information shall be physically controlled and securely stored in a manner meant to ensure that the media cannot be accessed by unauthorized individuals. This may require storing media in locked containers such as cabinets, drawers, rooms or similar locations if unauthorized individuals have unescorted access to areas where personal information is stored. If personal information is stored in an electronic format, it shall be protected from access by unauthorized individuals. Such information must be protected by software that prevents unauthorized access. If personal information is transmitted via e-mail or other electronic means, it must be sent using appropriate encryption mechanisms.
(3) All personal information shall remain secure and, when applicable, non-digital media shall be appropriately disposed. Non-digital media containing personal information must be properly stored and secured from view by unauthorized persons.
(C) Point of contact. The Judge/Executive shall designate a point of contact (“POC”). The POC shall serve the following functions:
(1) Maintain the adopted information security policy and be familiar with its requirements;
(2) Ensure that employees and others with access to personal information are aware of and understand the information security policy;
(3) Serve as contact for inquiries from other agencies regarding its information security policy and any incidents;
(4) Be responsible for ensuring compliance with the information security policy; and
(5) Be responsible for responding to any incidents.
(D) Security software.
(1) Security software used to protect personal information must provide user identification, authentication, data access controls, integrity and audit controls.
(2) Security software should be adequately tested to confirm functionality and to ensure that it is minimally disruptive to all associated operating systems, communications, applications and other associated software systems. Contractual provisions must also ensure that the supplier’s software, by design or configuration, will not introduce any security exposures.
(3) The level of protection afforded by security software should be commensurate with the sensitivity of the data. For example, if data resides in a database that is deemed highly confidential, stringent access controls to the database should be employed. The level of protection along with the methods to implement that protection should be addressed before any personal information is stored on a device.
(4) Systems, networks and application software used to process personal information must adhere to the highest level of protection reasonably practical. Intrusion detection and prevention software shall be used.
(E) Encryption. Information stored on digital media shall be encrypted in accordance with contemporary standards.
(F) Access control. Only authorized individuals are permitted access to media containing personal information. In addition to controlling physical access, user authentication should provide audit access information. Any access must comply with applicable regulatory requirements.
(G) Portable computing devices.
(1) This policy prohibits the unnecessary placement (download or input) of personal information on portable computing devices. However, users who in the course of business must place personal information on portable computing devices must be aware of the risks involved and impact to the affected person/entities in the event of actual or suspected loss or disclosure of personal information. If personal information is placed on a portable computing device, reasonable efforts must be taken, including physical controls and encryption, to protect the information from unauthorized access.
(2) Additionally, each person using the portable computing device must sign the county e-mail and internet user agreement form indicating acceptance of the information and acknowledging his or her understanding of the responsibility to protect the information. In the event the portable computing device is lost or stolen, the user should be able to accurately recreate the personal information and must be able to provide notification to all affected persons/entities.
(3) When it is determined that personal information must be placed on a portable computing device, every effort should be taken to minimize the amount of information required. If possible, information should be abbreviated to limit exposure (e.g., last four digits of the Social Security number).
(H) Physical security procedures.
(1) This policy section is to ensure that its information resources are protected by physical security measures that address physical tampering, damage, theft or unauthorized physical access. Access to restricted areas containing information technology resources or other sources of personal information shall be limited to authorized personnel only.
(2) When feasible, information technology equipment should be marked with some form of identification that clearly indicates it is the property of the county. During transport, media shall be protected and controlled outside of secured areas and activities associated with transport of such media restricted to authorized personnel. Tracking methods shall be developed and deployed to ensure media reaches its intended destination.
(I) Types of incidents. Threats to the security of personal information arise in many different ways. Attacks on personal information may arise from:
(1) External/removable media: an attack executed from removable media (e.g., flash drive, CD) or a peripheral device;
(2) Attrition: an attack that employs brute force methods to compromise, degrade or destroy systems, networks or services;
(3) Web: an attack executed from a website or web-based application;
(4) E-mail: an attack executed via an e-mail message or attachment;
(5) Improper usage: any incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the above categories;
(6) Loss or theft of equipment: the loss or theft of a computing device or media used by the organization, such as a laptop or smart phone; and
(7) Other: an attack that does not fit into any of the other categories.
(J) Destruction of records containing personal information.
(1) A media retention schedule shall be defined for all media in accordance with regulatory requirements. The Fiscal Court shall have a document/information retention policy. When records containing personal or confidential information are ready for destruction, they shall destroy the information completely to ensure that the information cannot be recognized or reconstructed. In addition, any personal or confidential data contained on the computer media must be obliterated and/or made indecipherable before disposing of the tape, diskette, CD-ROM, zip disk or other type of medium.
(2) Appropriate methods and equipment must be used to routinely destroy personal or confidential information. One of the following safeguards must be implemented:
(a) Hire a document disposal contractor to dispose of the material. The contractor should be certified by a recognized trade association and should use disk sanitizing software and/or equipment approved by the United States Department of Defense. The company’s information security policies and procedures shall be reviewed and evaluated. Additionally, documents shall be reviewed such as an independent audit of a disposal company’s operations and/or its compliance with nationally recognized standards;
(b) Secure and utilize shredding equipment that performs cross-cut or confetti patterns;
(c) Secure and utilize disk sanitizing or erasing software or equipment approved by the United States Department of Defense;
(d) Incinerator or physical destruction; and
(e) Modify the information to make it unreadable, unusable or indecipherable through any means.
(K) Reporting of incidents involving personal information.
(1) A security breach in which personal information is disclosed to, or obtained by, an unauthorized person must be reported. Notification of the incident must be made in the most prompt and expedient manner after the incident has been discovered. Within 35 days, a letter notifying affected individuals of actual or suspected loss or disclosure of personal information must be sent describing the types of information lost and recommended actions to be taken to mitigate the potential misuse of their information.
(2) When it has been identified that a security breach has occurred in which personal information has been disclosed to, or obtained by, an unauthorized person, within three business days the point of contact shall notify the County Attorney or Commonwealth’s Attorney, State Police, the Auditor of Public Accounts, the Attorney General and the Commissioner of the Department for Local Government and complete form COT-FOT2. The following shall be documented:
(a) Preliminary reporting and description of the incident;
(b) Response, including evidence gathered;
(c) Final assessment and corrective action taken; and
(d) Final reporting.
(3) Incident response procedures can be a reaction to security activities such as:
(a) Unauthorized access to personnel, data or resources;
(b) Denial of service attacks;
(c) Actual or anticipated widespread malware infections;
(d) Data breaches;
(e) Loss/theft of equipment;
(f) Significant disruption of services; and
(g) Significant level of unauthorized scanning activity to or from hosts on the network.
(L) Investigation. Reasonable efforts shall be made to investigate any security breaches in which personal information is disclosed to, or obtained by, an unauthorized person and appropriate corrective action shall be taken.
(M) Disclosure communications. All federal and state laws and policies for information disclosure to media or the public must be followed. In some circumstances, communication about an incident is necessary, such as contacting law enforcement. Employees should use discretion in disclosing information about an incident. Such information includes network information, type of incident, specific infection type (if applicable), number of assets affected, specific detail about applications affected, applications used to employ corrective action/investigate and the like. Within the parameters of the law, minimal disclosure regarding incidents is preferred to prevent unauthorized persons from acquiring sensitive information regarding the incident, security protocols and similar matters, in an effort to avoid additional disruption and financial loss.
(Ord. 4-2014, passed 7-31-2014, § 7.5)