Policy Update: 10/22/2018
Vendors/Contractors play an important role in the support of hardware and software management for San Mateo County. They may be required to access, configure, maintain, and provide emergency support for systems. As a result, the vendor/contractor may be exposed to sensitive data, and the need to connect to the County’s network may expose the County to viruses or other security threats.
The purpose of this policy is to establish rules and responsibilities for the vendors/contractors who require not only physical access but also access to the County’s network and information resources. This policy is intended to minimize potential exposure from damages and to mitigate any liability to the County as a result of unauthorized use.
This policy applies to all vendors/contractors who require access to County facilities as well as access to the County’s network using non-County owned computing devices to perform work on behalf of the County. This policy also applies to all portable computers (laptops) and portable computing devices (devices, such as tablet PCs, whose hardware and software components are similar to those of personal computers).
- Use information and systems only for the purpose of the business agreement with the County; any information acquired in the course of the agreement shall not be used for personal purposes or divulged to others.
- All contractors and vendors contracting with the County shall provide a list of their employees who require access to the County’s systems and data pursuant to the agreement.
  - The list shall be updated and provided to the Departments and the Chief Information Officer (CIO) or his/her designee within 24 hours of staff changes.
- Safeguard all County data by:
  - Utilizing data encryption to protect information on computing devices.
  - Securing the computing device at all times, especially if the device is left unattended for any length of time.
  - Implementing precautions to prevent others from viewing on-screen data in public areas.
  - Notifying the County immediately if a mobile device containing County data or used in the performance of County activities is lost or stolen.
  - Not downloading, uploading, or maintaining on a computing device any information that is considered sensitive without the authorization of his/her Project Manager, Department Head, or his/her designee.
- Vendor/contractor shall use unique accounts and password management that complies with the County’s Information Technology (IT) Security Policy.
  - All passwords and accounts shall be unique to the vendor/contractor and shall not be shared.
- Vendor/Contractor shall take reasonable steps to protect against the installation of unlicensed or malicious software.
  - All commercial software installed must have a valid license, and its terms, conditions, and applicable copyright laws shall be strictly followed.
  - All County-owned software installed on the computing device must be removed when the vendor/contractor services are terminated.
- Upon termination of work, the vendor/contractor shall return or destroy all County information and data as well as provide written certification of that return or destruction within 24 hours.
- Remote access rules and procedures shall be strictly adhered to.
  - Remote access usage must be confined to providing support for County systems; personal use shall be strictly prohibited.
- In the event that a vendor/contractor disposes of a computing device containing the County’s confidential information and/or data, the device must be sanitized, in accordance with Department of Defense (DOD) standards, in a way that does not allow the data to be retrieved.
  - Alternatively, computing devices may be physically destroyed by a method that leaves the device’s data unrecoverable.
- Vendor/contractor understands that its written security protocols for County-related business shall be available for inspection by the County upon request.
- For the period that the computing device is on the County’s network, there is no expectation of privacy with regard to the contents of the device, even though it is privately owned equipment.
- Vendors/contractors must wear visible identification and, if issued a County cardkey, must keep the cardkey visible at all times. Use of another individual’s cardkey is expressly prohibited.
- Vendor/Contractor access to County data center(s) must be authorized and approved in writing by the Chief Information Officer (CIO) or his/her designee.
The vendor/contractor is responsible for ensuring that anti-virus software, with scanning and update services applied, is installed on every computing device used for County business, and that the anti-virus software meets the requirements set forth in the County’s IT Security Policy and the Virus, Patch, and Vulnerability Management Policy. The vendor must also ensure that all computing devices have operating system security patches installed and are updated on a regular basis.
Additionally, computing devices such as laptops and/or tablets must include an approved encryption program with a configuration that meets or exceeds the County’s IT Security Policy.
Vendor/Contractor device(s) may connect directly to the County network with express written approval from the CIO or his/her designee. The Vendor/Contractor must verify to the County that the device(s) have been patched, virus protected, and encrypted. Vendors using devices without approved software and encryption will not be permitted to connect to the County’s network.
It is also the responsibility of the vendor/contractor to be familiar with the following policies and to ensure adherence to them:
- IT Security Policy
- Internet Usage Policy
- Email Policy (if applicable)
- Virus, Patch, and Vulnerability Management Policy
- Data Center Policy
The Director of ISD (CIO) is the policy administrator for information technology resources and will ensure this process is followed. Additionally, Division Directors, Department Heads, and managers are responsible for compliance with County policy within their respective administrative areas.
Those vendors who violate this policy may be subject to contract termination, denial of service, and/or legal penalties, both criminal and civil.
Policy established: November 1, 2004
Policy updated: October 22, 2018