9-2 Information Technology Use and Security Policy Manual - Appendix A: Guidelines
Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”). The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”
These Guidelines provide examples to help assign the appropriate data classification.
The Data Classification policy of this manual directs Local Agencies to identify and classify Local Agency data.
Confidential (highest level of sensitivity)
Description
Information protected from use and/or disclosure by law, regulation or standard, and for which heightened security measures are required.
Data Breach Notification Requirements
Yes. Notification required for unencrypted data. Mandated reporting and notification are not required for encrypted data.
Reputational Risk
High
Disclosure Requirements
Confidential data must not be disclosed without proper prior consent from the Data Owner and/or County Counsel. Removal, redaction, de-identification or masking of Confidential data may be required to prevent inappropriate disclosure.
Common Data Elements (not all-inclusive)
Personal Information as defined by California Civil Code Section 1798.82:
- Social Security Number
- Driver’s license number
- California Identification (ID) number
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Medical information, including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- Health insurance information
Cardholder Information
Credit card number/primary account number and one or more of the following:
- Cardholder name
- Security Code
- Expiration date
Peace Officer Bill of Rights (California Government Code 3300-3313)
A peace officer’s:
- Personnel records
- Home address
- Phone number
- Date of birth
- Photograph
Restricted (moderate level of sensitivity)
Description
Information maintained that requires special precautions to protect from unauthorized use, access, disclosure, modification, loss, or deletion.
Data Breach Notification Requirements
No data breach notification requirements for Restricted data.
Reputational Risk
Medium
Disclosure Requirements
Restricted data must not be made available for general public access without the consent of the Data Owner and/or County Counsel. Removal, redaction, or masking of Restricted data may be required to prevent inappropriate disclosure.
Common Data Elements (not all-inclusive)
Network/Systems Data
- Event logs
- Risk assessments
- Disaster recovery plans
- Configurations
Employee Data
- Employee ID numbers
- Employee applications
Public (low level of sensitivity)
Description
Information that is available for general access without review by the Data Owner and/or County Counsel.
Data Breach Notification Requirements
No data breach notification requirements for Public data.
Reputational Risk
Low
Disclosure Requirements
Subject to Local Agency policies, Public data may be disclosed without review by the Data Owner or County Counsel.
Common Data Elements (not all-inclusive)
Business Data
- Job postings
- Board Agendas and Meeting Minutes
- Maps
- Budget
- Administrative Policies
Employment Data
- Salary
- Job Classification
- Memorandum of Understanding