Policy Reference


Category IT Security and Control
Approval Date  
Scope ITS Personnel

Purpose

This policy provides proactive guidelines to protect the City network from malicious attacks. Policies and procedures will be written to identify threats, vulnerabilities, and risks.



Policy

  1. The City will develop, disseminate, and review: 1) a formal security and internal control framework policy that addresses purpose, scope, roles and responsibilities (RACI), and compliance; and 2) formal procedures to facilitate implementing the policy.
  2. The IT security policy will include an annual process to identify threats, vulnerabilities, and risks.
  3. The IT security policy and procedures will be reviewed when the environment changes, or at least annually, and the updated policies and procedures will then be documented and distributed.
  4. IT Management will ensure that the security framework contains procedures for continuous monitoring of security alerts and security information. In addition, the security framework will include procedures for timely security incident response and escalation, and for continuous user account and authentication management.


Compliance

  1. The organization must develop, publish, maintain, and distribute a security policy and must address all of the PCI DSS requirements. § 12.1, § 12.1.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2  
  2. Ensure that the organization maintains a list of all wireless devices and personnel authorized to use the devices. § 4.6.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009
  3. The organization must ensure the security policy contains procedures for identifying threats and vulnerabilities through an annual risk assessment. § 12.1.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
  4. The organization should develop a security policy for all mobile handheld devices. The security policy should include required safeguards; cover the full lifecycle of the device; state any restrictions on personal use, such as storing contacts, music, and photos; and state the implications if a device that contains personal information is lost, stolen, damaged, or erased remotely. Pg ES-2, § 4.2.1, Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124, October 2008