(a)
- (1) Reasonable care must be taken to ensure that county records are protected from accidental or mischievous modification or deletion.
- (2) Security shall be provided in tiered layers to facilitate protection of the data without sacrificing efficiency in the regular operations of the office.
(b) Office environment.
(1)
- (A) Public and private areas of the office shall be designated and clearly delineated by use of walls, doors, counters, furniture arrangement, and signs as necessary.
- (B) This should allow the public to easily identify and avoid entering into nonpublic areas and the staff to easily observe any violations.
- (2) Computer equipment shall be arranged to prevent observation of sensitive information by persons in the designated public area or areas.
- (3) If the public is to directly access the county computer system, separate equipment shall be provided in a designated public area.
- (4) In such cases, public users should have a password that limits their access to those applications, resources, functions, and information designated for public use.
(5)
- (A) The public should never be allowed to introduce media (floppy disks, USB memory card, portable devices, etc.) to any county computer.
- (B) Computers provided for public use should have media interfaces removed or disabled to prevent the potential for system damage that could arise from foreign media.
(6) No one shall:
- (A) Connect with or otherwise use any county computer, modem, network, or other computing resource without proper authorization; or
- (B) Assist in, encourage, or conceal any unauthorized use or attempted unauthorized use of any county:
(i) Computer;
(ii) Modem;
(iii) Network; or
- (iv) Computing resource.
- (c) Desktop.
- (1) Each computer workstation in use by the county for accessing county records shall be secured using password protection as described herein.
- (2) Access to each computer should be limited by desktop security to allow only those applications, controls, functions, and resources that are applicable to the user and for which the user has permission of the office holder.
(3)
- (A) After a significant period of user input inactivity, the desktop shall be blanked and locked.
(B) Returning the desktop to interactive operation shall require reentry of the security password.
- (d) Network.
- (1) Access to the county network shall be limited to authorized users and defined network/internet connections.
- (2) The system administrator shall maintain a list of all approved connections and connection methods.
- (3) A password as described herein shall be required in order for any user to gain access to the network.
(4) Network access and other privileges shall be limited by network security to allow only those applications, controls, and resources which:
- (A) Are applicable to the user; and
- (B) The user has permission of the office holder or system administrator.
- (5) The system administrator shall maintain a list of all approved users and their assigned privileges and access levels.
- (6) Network access and privileges shall be assigned in a manner consistent with the designated role of the elected official or employee.
(7)
- (A) The use of wireless networks is not encouraged.
- (B) If a wireless network is employed in the county computer system, it must conform to a high standard of security and reliability.
- (C) Secure wireless networks are typified by customized and suppressed broadcast SSID, 128-bit WEP encryption, and VPN configurations to eliminate rogue access points.
(8) Physical security for the network should include the following for fileservers and workstations where applicable:
- (A) Lock the case to prevent unauthorized removal of drives;
- (B) Lock fileserver racks to prevent unauthorized access to the drives for removable media;
- (C) Maintain servers and network equipment in a locked room to prevent unauthorized access;
- (D) Disable the removable media drives via the BIOS; and
- (E) Password protect the BIOS to prevent unauthorized access.
(e) Internet.
- (1) Internet access may be provided by the county to elected officials and staff members to serve the interests of the county.
(2) Specific internet privileges:
- (A) Shall be governed by user ID and password; and
- (B) May be limited by county policy or the relevant elected official.
(3)
- (A) The use of email and instant messaging services may be provided by the county for business purposes.
- (B) These services are not a job perk and not for private, personal use.
- (4) An elected official may grant limited personal use of emails in the interest of reducing the need for staff members to be away from county duties.
(5) Users are forbidden from using the county’s computer system for:
- (A) Chain letters;
- (B) Charitable endeavors;
- (C) Private business activities;
- (D) Political activities; or
- (E) Amusement/entertainment purposes.
(6)
- (A) Email messages generated or received on the county system are considered public property and subject to the Freedom of Information Act of 1967, Arkansas Code § 25-19-101 et seq.
- (B) They may be viewed by others including the system supervisor and should not be considered private.
- (7) Downloading information to a county computer is allowable only for business purposes and may be regulated by the system administrator by policy or electronic control.
(8)
- (A) Using the county computer system to visit nonbusiness websites is not allowed, except to further the interests of the county.
- (B) Access to specific websites may be regulated by the system administrator by policy or electronic control.
- (9) The system administrator may block any website in the interest of preserving the integrity of the county computing system.
(f) Application.
- (1) Computer application programs may be acquired by the county from time to time to facilitate operations of the staff in the creation and application of computerized information.
(2) Computer application programs should be evaluated prior to purchase for:
- (A) Suitability to the task;
- (B) Compliance with state and county laws and rules;
- (C) Compatibility with the county computing system;
- (D) Consistency with county security policies; and
- (E) Other office efficiency and effectiveness considerations.
(3)
- (A) Application programs shall have internally configurable levels of security, allowing designated users to access the features required for their work while preventing access to those not so designated.
- (B) Program security shall be sufficiently detailed as to accommodate multiple tiers of access ranging from the administrative and supervisory level down to the public user.
(4) Program access levels shall be:
- (A) Associated with the user’s login ID; and
- (B) Protected by a password as described herein.
- (5) Data managed by an application program shall be configured and secured to prevent access or modification by any means external to the core application.
(6)
- (A) Application programs shall maintain a log file of changes made to the data.
- (B) This file shall contain sufficient detail to identify the record, date, time, user ID, and nature of the change or changes made.
- (C) The log file shall be readily available to users having administrative privileges.
(7)
- (A) Application providers should provide notification to the county of any changes being made in the program.
- (B) For changes that could alter the application data or a critical function of the program, the notice should occur within five (5) working days of the change.
- (C) For noncritical updates, a thirty-day notice is sufficient.
(g) Passwords.
- (1) A user ID and password shall be required in order to gain access to any computer, network, application, or other resource that is part of the county computer system.
(2) Passwords shall:
- (A) Be governed in all cases except as noted herein;
- (B) Be unique to each user and contain no less than five (5) characters;
- (C) Be changed not less than annually;
- (D) Not be shared or revealed to anyone except the authorized user;
- (E) Not be common words, especially those which relate to the user such as spouse/child/pet name, nickname, hobby, etc.; and
- (F) Govern the specific rights, privileges, and access for each individual user.
(3)
- (A) Access privileges should be revoked and accounts locked for any employee or elected official within thirty (30) days of terminating employment with the county.
- (B) If termination is involuntary, accounts should be locked within two (2) working days.
(4) In keeping with separation of powers, the elected official for a given office may institute a different policy for passwords so long as it:
- (A) Addresses each of the points listed above;
- (B) Is documented in writing; and
- (C) Is made available to each staff member and to the auditors.
(5)
- (A) Users shall log out of their computer whenever they expect to be away from their computer or out of the office for any extended period of time.
- (B) This would include out-of-the-office breaks, lunch, etc.
- (C) Entry of the password shall be required in order to reaccess the system.
- (6) An inactivity time-out, no greater than thirty (30) minutes, shall be used and require entry of the password in order to resume system operation.
(7)
- (A) Failed attempts to access the system with an expired or invalid user ID and password will result in the account being locked by the system.
- (B) The period of time for the lockout shall be set by office policy and is recommended to be not less than thirty (30) minutes.
- (8) A record of failed login attempts should be available to the system administrator on request.
(h) Virus/spam protection.
- (1) Each workstation or other system connected to the county computer network shall employ and maintain up-to-date antivirus and antispam software.
(2)
- (A) Users are discouraged from downloading files from any internet website or opening attachments to emails unless from a known contact.
- (B) The system administrator may block access or remove privileges from users that violate this policy and endanger the function of the system.
(3) Except as required for county business, users are prohibited from copying materials or information to or from the county system using:
- (A) Floppy disc;
- (B) CD;
- (C) DVD;
- (D) Tape;
- (E) USB memory card; or
- (F) Any other medium.
Codification Notes: “BIOS” means basic input/output system. "CD" means compact disc. "DVD" means digital video disc. "ID" means identity. "SSID" means service set identifier. "USB" means universal serial bus. "VPN" means virtual private network. "WEP" means wired equivalent privacy.