INFORMATION SECURITY: A LEGAL AND ETHICAL MANDATE

Information Security’s purpose is to help keep County business flowing. Threats, risks and vulnerabilities to information assets are constantly increasing, and properly addressing these threats is paramount. While the application of information security measures to County business is both a legal and a regulatory mandate, it is also an ethical mandate involving due care and due diligence. Due care refers to steps taken to show that as a County we have taken responsibility to help protect County resources, our constituents and our employees. Due diligence is the care exercised to avoid unnecessary harm to other persons or their property. Failure to practice due care and due diligence equates to legal negligence. It is both a legal and an ethical mandate to ensure that we maintain the public trust by performing due care and due diligence in securing and maintaining the privacy of information belonging to the County and its constituents.

A "SEPARATION OF DUTIES" SECURITY PROGRAM

While we partner with County businesses toward their success and the fulfillment of their business goals, we do not control the IT business nor possess the authority or responsibility for the support and maintenance of the day-to-day production IT environment. IT maintains a “separation of duties” security program that is able not only to advise the County but audit its security as well. While we provide risk assessment and program evaluation for County IT business, the decision to implement our recommendations is ultimately a business risk decision and is executed by County business accordingly. It is the business' role to:

• Review the risks to the County of Monterey from identified security risks and security gaps;
• Accept the risks to the County of Monterey; or
• Execute Information Security's recommendations and/or other mitigation steps in order to reduce the risk to an acceptable level; or
• Transfer the risks.

Examples of "separation of duties" include:

• While we evaluate and often authorize changes, we do not maintain operational security implementations such as firewalls and the execution of security patch management.
• We spend much time teaching County businesses how to properly secure their resources, but the responsibility to do so is theirs. Our focus is on watching for intrusions and responding to security incidents.
• We provide security evaluation and consultation for Information Technology network, system, service and program planning and implementations. The execution of these programs is performed by the operational side of the IT business.
• We regularly audit and review existing County Information Technology networks, systems and services based upon County IT Security Policy and Standards as well as business-applicable laws, regulations and relevant international standards. We provide vulnerability and risk information and recommendations of preventative controls for business implementation in order to further secure County information resources and minimize risk. It is the business’ decision as whether or not to implement these recommendations operationally based upon business priorities and tolerance of risk.