§ 6.105. Information Technology Audit and Risk Assessment Policy  


  • Effective Date: 07/13/04

    PURPOSE
    ___________

    To establish Audit and Risk Assessment requirements and processes for the purpose of identifying control gaps, threats to, and vulnerabilities within, County Information Assets and associated processes and initiating appropriate remediation.

    REFERENCE
    ___________

    July 13, 2004, Board Order No. 10 — Board of Supervisors — Information Technology and Security Policies

    Board of Supervisors Policy No. 6.100 — Information Security Policy

    Board of Supervisors Policy No. 6.101 — Use of County Information Technology Assets (Acceptable Use Agreement), attached thereto

    November 7, 2018, Board Order No. 16

    DEFINITIONS
    ___________

    All capitalized terms not defined in this policy have the same meaning as set forth in Board of Supervisors Policy No. 6.100 - Information Security Policy and Board of Supervisors Policy No. 6.103 - Computer Security Incident Reporting and Response Policy.

    Audit: a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

    Risk Assessment: the process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact the County. It uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impact if they occur. The product of a risk assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management.

    POLICY
    ___________

    Audits:

    The Auditor-Controller (A-C) shall conduct or coordinate an Audit of every County Department's compliance with County Information Security policies, standards and procedures. Audits shall be prioritized and scheduled based on Risk by the A-C.

    Risk Assessment:

    Risk Assessments are mandatory and encompass information gathering, analysis, and determination of security Threats and Vulnerabilities within County Information Assets, including, without limitation, hardware and software environments, and Information Technology business practices.

    Risk Assessments are necessary to analyze and address security Vulnerabilities and Threats to County Information Assets, which may come from any source, including, without limitation, natural disasters, disgruntled Workforce Members, hackers, the Internet, and equipment or service malfunction or breakdown.

    Each Department shall periodically conduct and document a Risk Assessment on all County Information Assets, including, without limitation, applications, servers, Networks, and any process or procedure, including those processes involving third-party contracts, for which County Information Assets are utilized and maintained. Risk Assessments shall also be performed on each facility that houses County Information Assets.

    A Risk Assessment shall include, but may not be limited to:

      • An inventory of County Information Assets;

      • Vulnerability scans of networks, systems, and applications to identify vulnerable systems;

      • Review of County and Departmental policies, standards, and procedures;

      • Review of applicable contracts with third parties;

      • Review of previous Risk Assessments;

      • Identification and prioritization of Threats to, and Vulnerabilities within, County Information Assets; and

      • Implementation of existing Safeguards to mitigate Threats to, and Vulnerabilities within, County Information Assets and associated processes.

    Applicability:

    All County Departments and Workforce Members.

    Compliance:

    County Workforce Members who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-County Workforce Members, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to County Information Assets, and other actions as well as both civil and criminal penalties.

    Policy Exceptions:

    There are no exceptions to this policy.

    RESPONSIBLE DEPARTMENT
    ___________

    Chief Executive Office

    DATE ISSUED/SUNSET DATE
    ___________

    Issue Date: July 13, 2004 Sunset Date: July 13, 2008
    Review Date: August 25, 2008 Sunset Date: July 13, 2012
    Review Date: July 19, 2012 Sunset Date: January 13, 2013
    Review Date: June 27, 2013 Sunset Date: September 30, 2013
    Review Date: September 18, 2013 Sunset Date: January 30, 2014
    Review Date: January 15, 2014 Sunset Date: February 28, 2014
    Review Date: February 19, 2014 Sunset Date: March 19, 2014
    Review Date: March 19, 2014 Sunset Date: December 31, 2014
    Review Date: January 6, 2015 Sunset Date: December 31, 2018
    Review Date: November 7, 2018 Sunset Date: December 31, 2021