§ 6.105. Information Technology Audit and Risk Assessment Policy
Effective Date: 07/13/04
PURPOSE
To establish Audit and Risk Assessment requirements and processes for the purpose of identifying control gaps, threats to, and vulnerabilities within, County Information Assets and associated processes and initiating appropriate remediation.
REFERENCE
July 13, 2004, Board Order No. 10 — Board of Supervisors — Information Technology and Security Policies
Board of Supervisors Policy No. 6.100 — Information Security Policy
Board of Supervisors Policy No. 6.101 — Use of County Information Technology Assets (Acceptable Use Agreement), attached thereto
November 7, 2018, Board Order No. 16
DEFINITIONS
All capitalized terms not defined in this policy have the same meaning as set forth in Board of Supervisors Policy No. 6.100 — Information Security Policy and Board of Supervisors Policy No. 6.103 — Computer Security Incident Reporting and Response Policy.
Audit: a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.
Risk Assessment: the process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact the County. A Risk Assessment uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impact if they occur. The product of a Risk Assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk Assessment is part of risk management.
POLICY
Audits:
The Auditor-Controller (A-C) shall conduct or coordinate an Audit of every County Department's compliance with County Information Security policies, standards and procedures. Audits shall be prioritized and scheduled based on Risk by the A-C.
Risk Assessment:
Risk Assessments are mandatory and encompass information gathering, analysis, and determination of security Threats and Vulnerabilities within County Information Assets, including, without limitation, hardware and software environments, and Information Technology business practices.
Risk Assessments are necessary to analyze and address security Vulnerabilities and Threats to County Information Assets, which may come from any source, including, without limitation, natural disasters, disgruntled Workforce Members, hackers, the Internet, and equipment or service malfunction or breakdown.
Each Department shall periodically conduct and document a Risk Assessment on all County Information Assets, including, without limitation, applications, servers, Networks, and any process or procedure, including those processes involving third-party contracts, for which County Information Assets are utilized and maintained. Risk Assessments shall also be performed on each facility that houses County Information Assets.
A Risk Assessment shall include, but may not be limited to:
• An inventory of County Information Assets;
• Vulnerability scans of networks, systems, and applications to identify vulnerable systems;
• Review of County and Departmental policies, standards, and procedures;
• Review of applicable contracts with third parties;
• Review of previous Risk Assessments;
• Identification and prioritization of Threats to, and Vulnerabilities within, County Information Assets; and
• Implementation of existing Safeguards to mitigate Threats to, and Vulnerabilities within, County Information Assets and associated processes.
Applicability:
All County Departments and Workforce Members.
Compliance:
County Workforce Members who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-County Workforce Members, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to County Information Assets, and other actions as well as both civil and criminal penalties.
Policy Exceptions:
There are no exceptions to this policy.
RESPONSIBLE DEPARTMENT
Chief Executive Office
DATE ISSUED/SUNSET DATE
Issue Date: July 13, 2004
Sunset Date: July 13, 2008
Review Date: August 25, 2008
Sunset Date: July 13, 2012
Review Date: July 19, 2012
Sunset Date: January 13, 2013
Review Date: June 27, 2013
Sunset Date: September 30, 2013
Review Date: September 18, 2013
Sunset Date: January 30, 2014
Review Date: January 15, 2014
Sunset Date: February 28, 2014
Review Date: February 19, 2014
Sunset Date: March 19, 2014
Review Date: March 19, 2014
Sunset Date: December 31, 2014
Review Date: January 6, 2015
Sunset Date: December 31, 2018
Review Date: November 7, 2018
Sunset Date: December 31, 2021