Policy revised on: 07/12/2023
If you have questions or concerns about this policy, please contact the ISD Help Desk at 650-363-4108
This policy outlines the proper use of Information Technology resources connected, owned, or operated by the County of San Mateo. Effective implementation and adherence to this policy will help protect the integrity of the County's network and minimize unauthorized access to the County’s computing resources.
Effective security is a team effort involving the participation and support of all employees, contractors, consultants, temporary and other workers at County offices, collectively known as Workforce Members, and affiliate who deals with County information and/or information systems.
The policy applies to all Workforce Members. The policy applies to all computer equipment and related devices owned or operated by San Mateo County or any device logically or physically connected to the County computing environment. It includes all software, hardware and any constituent component of any computing device as it pertains to the entirety of the County computing environment.
Due to the rapidly changing nature of technology and its impact on the workplace the Chief Information Officer (CIO) or designee will review this policy annually and recommend any necessary changes to the County Executive. The CIO or designee is responsible for maintaining documentation of all variances to this policy and reporting variances to the County Executive annually. All requests for deviation from this policy must be stated in an exception waiver that includes risk mitigation and is approved by the CIO or their designee. The Department Head will bear all responsibility for the mitigation of all risks and negative outcomes associated with the exception waiver.
It is the responsibility of all County departments to ensure that their Workforce Members are familiar with this policy. It is the responsibility of every computer user to conduct their activities accordingly. Use of any County information systems constitutes consent to this policy.
- Other County Policies
Complimentary policies may exist that address specific areas of information security including policies on Internet use, Email, vendor-contractor access, and portable computing. Departments may also have internal policies that address information security that may be more restrictive than this policy. These policies are cumulative and in the event of conflict, the policies providing the County with the greatest level of security apply.
Policy User Responsibility and Acceptable Use
The purpose of this section is to outline the acceptable uses of the County's computer equipment and detail some of the prohibited and inappropriate uses. Inappropriate use exposes the County to risks including virus attacks, compromise of network systems and services, and legal issues. The acceptable and inappropriate use listed below do not encompass all situations, but instead, attempts to provide a framework to encourage anyone accessing or using County systems and devices to use common sense and good judgement.
- Privacy of Personal Data
While the County desires to provide a reasonable level of privacy for all users of the computing environment, Workforce Members should be aware that all data on County systems is the property of the County. Workforce Members have no right or expectation of privacy of information stored on County information systems. The County reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Personal devices used to conduct County business or access County resources may be subject to discovery and qualify as a public record under the California Public Records Act, California Government Code Section 6250, et seq. and may also be subject to discovery of electronically stored information pursuant to State and Federal Rules of Civil Procedure.
- User Responsibility
A. Workforce Members are responsible for always protecting all County Information Technology (IT) assets including, but not limited to, keeping them physically and logically secured and under their control to prevent theft and inappropriate access or use.
B. County computing assets, including laptops and mobile devices, are issued to Workforce Members, and are intended to be used only by that Workforce Member unless authorized and approved by the Information Services Department (ISD) and department IT in the form of an exception waiver prior to its use.
C. Workforce Members are responsible for protecting any information used or stored in their San Mateo County accounts or equipment and any information within their area of work responsibility.
D. Workforce Members are responsible for reporting any security breaches, suspicious activities, or unusual requests of information when they become aware of them to the ISD Service Desk or by opening a Service Desk ticket, their supervisors, or the department’s IT staff.
E. All documents and other data created or maintained by Workforce Members should be saved on network drives or approved cloud storage, rather than local drives, unless directed differently by the department’s IT staff or as required by government regulation.
- Under no circumstances should documents and data be stored in Workforce Member’s private storage devices.
F. All unsolicited Email should be treated with suspicion; particularly Email received from the Internet. If the Workforce Member is unsure of the authenticity and integrity of an Email, it should be referred to their department IT staff or ISD through the Service Desk or by opening a Service Desk ticket.
Prohibited Activities and Inappropriate Uses of Information Technology
The following activities are prohibited except when necessary to fulfill legitimate job functions. However, in all instances when these activities are performed as part of a job function, an exception waiver may be required and approved by ISD prior to performing any of the following:
A. Creating security breaches including, but not limited to, unauthorized access, alteration, destruction, removal and/or disclosure of data, information, equipment, software, or systems.
B. Creating disruptions of network communication including, but not limited to, packet spoofing, denial of service, and forged routing information.
C. Port scanning, security scanning, network sniffing or Simple Network Management Protocol (SNMP) monitoring unless authorized by the CIO. Port scanning within assigned department network segments is authorized for only department IT staff.
D. Circumventing Workforce Member authentication or security of any workstation, terminal device, or account.
E. Deliberate over-extension of the resources of a system or interference with the processing of a system.
F. Installing software on County computers that is not authorized by ISD including any freeware.
G. Adding unauthorized hardware devices that may compromise the integrity of the network, including, but not limited to, personal tablets, smartphones, switches, and unauthorized wireless access points.
H. Downloading, installing, or running any programs or services that provide ongoing communications with the Internet which have not been approved by the CIO or designee, including but not limited to instant messengers, screen savers, peer to peer communications, and all streaming media.
I. Using County computers and resources for commercial purposes, personal gain, political campaigns, or activities that are not compatible with County government.
J. Using a county computing asset to generate, send, request, receive or archive material in any form, i.e., text, graphics, etc., which contains offensive language or is harassing in nature.
K. Disclosing or requesting disclosure of confidential passwords, personal identification numbers and/or access devices or information for accessing accounts, equipment, and telephone voice mail.
L. Using VPN or other remote access methods to access the County’s computing environment from any restricted or known malicious nation states without prior authorization from the CIO.
M. Any use that violates Local, State, or Federal laws.
All devices, including computers, laptops, printers, telephones, mobile devices, removable devices including USB flash drives as well as County systems that would include, but not limited to, servers, network, internet, and voicemail. These assets are the property of the County and must be used in accordance with policies, standards, and guidelines. Workforce Members may not install devices, whether purchased by the County or personally owned, that have not been formally authorized and approved by ISD.
A. All workstations connected to the County network, whether owned by the County or other entity, must be continually executing approved virus-scanning software, with a current virus database, configured using setting published by the CIO or designee.
B. All workstations capable of time-initiated security activity, such as password protected screen savers or automatic log off should have the security function enabled.
- Workstations must be locked when the workspace is not occupied or is unattended.
C. Workforce Member authorities, permissions, and rights should, at all times, be set at the minimum required to accomplish the Workforce Member's job function.
- Administrator privileges should be reserved and restricted to functions and persons requiring those rights.
D. Additional security protocols may be applied as directed by ISD in compliance with County policy, security best practices, and/or Local, State, or Federal laws.
- Security protocols may also be applied to specific departments as directed by California’s Secretary of State, EI-ISAC, DHS, or DOJ.
Portable Computers and Portable Computing Devices
Portable computers, including laptops and tablets, pose an increased security risk to the County due to their mobile characteristics. All portable devices that contain or otherwise access the County computing environment are subject to all policies herein.
A. No Workforce Member may use a portable device which is their personal property or some entity other than the County for County business purposes or a purpose that supports County business without the authorization of their Department Head or designee.
- Personal devices used for County business may be subject to discovery; that is, the device may be requested as evidence in legal processes and proceedings.
B. No Workforce Member may download to, upload to, or maintain on a portable device, County information considered to be sensitive without the authorization of the department head or designee. County information is defined as sensitive if it considered by the County to be confidential or may be damaging to the County, its employees, customers, or clients.
- If sensitive information has been approved to reside on portable devices, the data must be encrypted.
C. Workforce Members assigned County-owned portable devices are responsible for the security of these devices, all associated equipment, and all data stored in the devices when they are taken to locations outside of County facilities.
- The loss or theft of a portable computer of computing device must be immediately reported to ISD Service Desk or opening a Service Desk ticket.
D. All Workforce Members using portable devices, whether County-issued or personal devices, must adhere to the County’s Mobile Device/BYOD Policy.
- Anti-virus must be installed and patched to the current level.
E. Additional security protocols may be applied as directed by ISD in compliance with County policy, security best practices and/or Local, State, or Federal laws. Security protocols may also be applied to specific departments as directed by California’s Secretary of State, EI-ISAC, DHS, or DOJ.
F. All portable devices taken out of the country must have encryption enabled and the Workforce Member must be in compliance with Administrative Memo E-17, County Employees must perform work in the State of California. If remote access is to be used, prior authorization must be provided by ISD with the understanding that ISD may deny remote access based on that country’s restrictions.
Mobile devices, such as cellular phones and tablets, used to transact County business, whether County-issued or personally owned devices, are covered under Mobile Technology Use Policy, Administrative Memo B-19.
A. A. It is the responsibility of the Workforce Member who uses mobile device to access County resources or conduct County business to ensure that the device be protected by strong access control and to employ reasonable physical security measures to prevent theft or loss. The loss or theft of a mobile device must be immediately reported to ISD Service Desk or opening a Service Desk ticket.
B. Mobile devices, regardless of County-issued or personally owned devices, used to access County resources or conduct County business must be enrolled in the County’s Mobile Device Management (MDM) system.
C. Personal devices must be approved by the department head and the Workforce Member must acknowledge adherence to the County’s Mobile Technology Use Policy, Administrative Memo B-19.
D. Under no circumstances may County data be transferred to or stored on any mobile device unless required for business purposes with prior written approval from the CIO. All data must be encrypted.
E. Additional security protocols may be applied as directed by ISD in compliance with County policy, security best practices and/or Local, State, or laws. Security policies may also be applied for specific departments as directed by California’s Secretary of State, EI-ISAC, DHS, or DOJ.
F. As with portal devices taken out of California or the country, Workforce Members who use mobile device(s) to conduct County business must be in compliance with Administrative Memo E-17, County Employees Must Perform Work in the State of California.
G. Workforce Members who utilize texting as part of their job function must use their department’s approved secure texting platform. Under no circumstances should information containing Health Insurance Portability and Accountability Act (HIPAA), Protected Health Information (PHI), or Personal Identifiable Information (PII) be sent unencrypted or in clear text.
Removable media, such as USB flash drives, external hard drives, etc. may only be used when required in the performance of the Workforce Member’s role and with the approval of the department manager.
Under no circumstances should such removable media be used:
- to introduce malware or other unauthorized software into the County environment,
- to insert any unknown removable device that is found unattended into a County device. Unknown devices should be given to the department IT staff or ISD for further disposal, and/or
- to transfer County data, including sensitive data, without prior approval of the department manager. This includes the use of mobile devices as a removable media to transfer or store any County data. If removable media is authorized for use, data must be encrypted, and once transfer has been completed, the device must be wiped. Workforce Members must take reasonable measures to secure the removable media and may not be shared with unauthorized users.
All software, whether purchased, leased, shareware or freeware, academic versions, cloud-hosted software solutions, with a few exceptions, are protected by copyright laws and licensing agreement for use, distribution, and reproduction. Any installation of unlicensed software may be in violation of copyright protections as well as introduce malware to the County’s network.
A. Only County-owned software may be installed on County devices by authorized personnel.
- Each software instance is required to have a license.
- All software installed must have regular updates applied to address security deficiencies.
- Open-source software (freeware, shareware, etc.) is not supported.
B. Commercial software not acquired through the County’s procurement process may not be installed on any County system.
C. Workforce members may not install personally owned software on any County-owned devices.
Maintaining the confidentiality, integrity, and availability of the County’s data is paramount to the County.
A. All Workforce Members are responsible for the protection of County data and must take reasonable precautions in its protection against loss, theft, or mishandling.
B. Data, classified based on sensitivity, must be safeguarded, and handled appropriately in accordance with Local, State, or Federal laws and/or requirements as well as department-specific policies. Workforce Members may not view, copy, alter, destroy, transfer such data without authorized permission and may only access the data in connection with their duties.
C. Workforce Members are required to follow County policies in the data removal process and procedures to permanently erase data from devices when these devices are no longer required.
Request for Information
Targeted attacks on the County’s information resources often begin with the acquisition of key information through deceit. This information is later used as the cornerstone of technical attacks on the County; therefore, protecting the County from attacks of this nature is the responsibility of every Workforce Member.
A. Workforce Members must not divulge details or instructions regarding passwords, remote access, including external network access points unless the following conditions have been met:
- The requester has been positively identified.
- The requester's authorization to receive the requested information has been verified.
- Providing of the information is within the job responsibilities of the information provider.
B. Internal information not designated as public information is to be shared only within the County or with authorized persons. Prior to releasing any information that is not designated as public over the telephone, the person releasing the information must personally recognize the requester's voice through prior business contact or verify that the call is being made from an internal telephone number that has been assigned to the requester.
Password and Multi-Factor Authentication Management
A. Passwords are the front line of protection for user accounts. As such, all Workforce Members (including vendors with access to County systems) are responsible for taking the appropriate steps to select and secure their passwords.
- Workforce Members may not share password information. Accounts are to be used only by the assigned user. Attempting to obtain another Workforce Member’s account password is strictly prohibited.
- Workforce Members may not use their County password for other services such as personal email, access to cloud storage. Any compromise to these services using the same password as the County password could leave the County vulnerable.
- Password complexity will be enforced and adhere to the County’s Password Policy.
B. Multi-Factor Authentication (MFA) is an added layer of security for identity verification when signing into certain computing assets. This service provides additional methods of authentication.
- MFA is mandatory for access to the County’s network
- Under no circumstances should MFA be circumvented or remain inactivated.
- Under the direction of the CIO, ISD’s Security Division is empowered to require the use of MFA on any computing asset using an ISD approved platform.
Internet access is to provide services, application access, and information to be used to support County business activities and to support job functions. Workforce Members should understand the proper use of this resource and that inappropriate use exposes the County to risks including virus attacks, potential negative publicity, and potential legal concerns. As access to the Internet through the County network is a privilege, it carries the responsibilities of ethical use and good judgement and in accordance with the following requirements:
A. Internet use is for obtaining or providing information regarding County business.
B. Internet use is not intended for purposes that could produce bandwidth saturation. This includes accessing any streaming media sites that do not fulfill legitimate job function such as viewing full episodes of television shows or movies through a subscription service.
C. Illegal activities under Local, State, Federal, or International laws are prohibited.
D. Internet use shall not result in personal gain (i.e., use of the Internet during working hours for outside business activities, including but not limited to posting for sale, personal commercial activities, political activities, etc.).
E. Accessing any on-line gambling, on-line trading, or any non-work-related Internet sites including but not limited to, on-line auctions and gaming sites.
F. Conducting any non-County business activity not listed above for a period of longer than 10 minutes.
G. Social media accounts are permitted for business purposes only and by staff who have received approval from the department manager. Staff representing the County must adhere to the County’s Social Media Policy.
The use of the County’s email system, messaging, and chat is provided to perform regular job duties. The email system is owned by the County and provides the right to monitor email traffic as well as email discovery.
A. Email may not be used for illegal or unlawful purposes including, but not limited to, obscenity, libel, slander, defamation, harassment, intimidation, impersonation, or any activities deemed prohibitive by County policies, or Local, State, Federal laws.
B. Workforce Members may not use accounts that do not belong to them and are prohibited from using email to impersonate others.
C. Workforce Members are prohibited from sending mass unsolicited mailings, chain letters, and competitive commercial activity. Any mass mailings must be pre-approved or is part of the Workforce Member’s job duties.
D. Workforce Members are responsible for mailbox management including its organization and cleaning.
E. Workforce Members must send sensitive information using appropriate protection (encrypted) and only to authorized recipients.
F. Workforce Members must use caution in opening message attachments or click on hyperlinks sent from unknown sources as these are the primary source of malware and social engineering.
- Workforce Members are prohibited from using their County email ID to sign-up for non-County sanctioned cloud applications including storage and non-work-related subscriptions.
- County email may not be forwarded to non-County email accounts.
- Workforce Members are expected to adhere to the County’s Email Policy.
- Workforce Members should remember that email sent from the County’s email accounts reflect the County. Normal standards of professionalism, courtesy, and conduct are expected.
The County’s incident response process is for the efficient remediation of cybersecurity incidents.
A. Workforce Members are to immediately report any suspected cybersecurity incidents through the ISD Service Desk or by opening a Service Desk ticket and their immediate manager, as well as their department IT staff. Incidents include the lost/stolen equipment, suspected malware infection, compromised credentials, and any possible compromises to the County’s system or data.
IT Security Awareness and Training
To ensure all Workforce Members achieve and maintain a basic understanding of information security, including IT security policies, procedures, and acceptable behavior, mandatory online IT security training will be assigned and successfully completed on an annual basis.
A. New hires will be required to take the IT Security Training within 30 days of their hire date.
B. Additional training may be assigned depending on specific job requirements or as required.
To protect the County from social engineering threats, that is, actions used to manipulate Workforce Members to perform or divulge confidential information, periodic tests will be performed to demonstrate what areas of focus will require additional training. These tests may be conducted without alerting Workforce Members as a method to determine risk metrics with appropriate training to mitigate such risks. This process will ensure that all Workforce Members are properly trained in identifying these threats to improve security. No disciplinary actions will be taken solely because of these tests.
This section defines standards for connecting to the County network from computers outside the County network. The standards are designed to minimize the potential exposure to the County from damage that may result from connecting to the County network, or from unauthorized use of County resources. Remote access applies to all Workforce Members and other parties including vendors who connect to the County's network.
Workforce Members and authorized vendors may only access the County network through systems and processes administered or approved by ISD. All other means of remote access must be approved by ISD prior to implementation.
A. Any authorized remote connections to County resources must adhere to the County’s Password Policy and any requirements pertaining to multi-factor authentication (MFA).
B. It is the responsibility of Workforce Members or organizations with remote access privileges to ensure that unauthorized users are not allowed access to the County’s internal networks.
C. All devices connected to the County’s internal networks via approved remote access technology must use an approved firewall and up-to-date anti-virus software, with a current virus database, configured using setting required by ISD. This includes personal computers and third-party connections.
D. At no time may any department, Workforce Members, or vendors download or use any remote access technology not pre-approved by ISD. Any user found to connect to the County’s network using a technology not approved by ISD may be subject to immediate disconnection from the County network.
E. By using any authorized remote access technology with personal equipment, Workforce Members understand and agree that their machines are a de facto extension of the County's network during connection periods, and as such are subject to the same security standards as apply to County-owned equipment.
F. Workforce Members and vendors with remote access privileges must ensure that their remotely connected personal computer or workstation is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user. Vendors and other business affiliates who remotely connect to the County while connected to a corporate network must be registered with ISD.
G. Some countries require explicit approval prior to allowing virtual private network (VPN) connection within their jurisdictional boundaries; such connections will not be provided. Furthermore, requests to provide remote access from known malicious entities will not be approved.
Employee Exit/Transfer Procedures
A. Departments must establish Exit procedures so that when a Workforce Member leaves County service and/or transfers to another department or division, a structured exit process is followed.
- This process should include the recovery of all keys, badges and revocation of computer access, including the disabling of all network accounts, system accounts, application accounts, Email accounts, and remote access accounts as well as revocation of voicemail account access.
- Departments should verify the integrity of systems and data turned over by departing Workforce Members prior to their departure.
- Notification must be made to ISD through opening a Service Desk ticket.
B. Department System Administrators should audit user accounts on a regular basis. Accounts of Workforce Members who have left service should be disabled immediately and not more than five days.
- Workforce Members who remain in service should not access accounts of Workforce Members who have left service except when directed by the Department Head.
- Accounts that have been inactive for more than thirty (30) days should be disabled until a final disposition on the account has been determined.
Policy violations will be investigated and may result in disciplinary action up to and including dismissal from County employment, or cancellation of contractual relationship. For violations of patient confidentiality, the procedures of the Patient Confidentiality Sanctions Policy as regulated by HIPAA apply.