The URL can be used to link to this page

RESO 24-068 - Adopting Information Technology Criminal Justice Information PoliciesRESOLUTION NO. 24-068 RESOLUTION FOR ADOPTION OF INFORMATION TECHNOLOGY CRIMINAL JUSTICE INFORMATION POLICIES WHEREAS, the City of Golden Valley is committed to safeguarding Criminal Justice Information (CJI) and ensuring compliance with the Criminal Justice Information Services (CJIS) security rules; and WHEREAS, the City’s Information Technology division is responsible for the creation, implementation, and enforcement of policies designed to protect sensitive information, mitigate risks, and ensure the integrity and confidentiality of CJI; and WHEREAS, the City of Golden Valley is required by the Bureau of Criminal Apprehension (BCA) to implement specific policies and plans to enhance its security framework: NOW, THEREFORE, BE IT RESOLVED that the City Council for the City of Golden Valley adopts the following policies attached hereto as: • Exhibit A, Access Control Policy • Exhibit B, Media Protection Policy • Exhibit C, Physical and Environmental Protection Policy • Exhibit D, Security Incident Response Plan Adopted by the City Council of Golden Valley, Minnesota this 6th day of November 2024. _____________________________ Roslyn Harmon, Mayor ATTEST: _____________________________ Theresa Schyma, City Clerk Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D Exhibit A O FFICIAL C ITY P OLICY C ITY OF G OLDEN V ALLEY General Informa�on Policy Title: Informa�on Technology Access Control Policy Department: Administra�ve Services, Informa�on Technology Division Policy Owner (job �tle): Informa�on Technology Manager Policy ID: Council Approval Date: Resolu�on Number: Effec�ve Date: ☒New ☐ Updated Policy Overview Policy Descrip�on: The City of Golden Valley (City) Informa�on Technology (IT) Division is required by the Minnesota Bureau of Criminal Apprehension (BCA) to implement an access control policy for all City systems that contain Criminal Jus�ce Informa�on (CJI). Purpose & Scope: To ensure that access controls are implemented and in compliance with IT security policies, standards, and procedures. This policy applies to all City departments and users of City resources and assets, including but not limited to City full and part �me employees, contractors, vendors, and third-party service providers. Defini�ons: Related Documents, Materials & Resources: • IT Physical and Environmental Protec�on Policy • IT Media Protec�on Policy • IT Security Incident Response Policy Policy Account Management To ensure proper account management, the City shall: 1. Iden�fy and assign the following types of informa�on system accounts to users to support organiza�onal missions and business func�ons: individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. 2. Assign account managers. 3. Require condi�ons for group and role membership. 4. Specify authorized users of the informa�on system, group and role membership, and access authoriza�ons (i.e., privileges) and other atributes (as required) for each account. 5. Require approvals by City personnel with account management responsibili�es for requests to create accounts. 6. Create, enable, modify, disable, and remove informa�on system accounts in accordance with approved procedures. Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D 7. Monitor the use of accounts. 8. Require account managers to no�fy IT staff when accounts are no longer required, when users are terminated or transferred, and when individual informa�on system usage or need-to-know changes. 9. Authorize access to the system based on: a. A valid access authoriza�on b. Intended system usage 10. Review accounts for compliance with account management requirements at least annually. 11. Establish and implement a process for changing shared or group account authen�cators (if deployed) when individuals are removed from the group. 12. Align account management processes with personnel termina�on and transfer processes. 13. Support the management of system accounts using automated mechanisms including email, phone, and text no�fica�ons. 14. Automa�cally remove temporary and emergency accounts within 72 hours. 15. Disable accounts within one (1) week when the accounts: a. Have expired. b. Are no longer associated with a user or individual. c. Are in viola�on of organiza�onal policy. d. Have been inac�ve for 90 calendar days. 16. Automa�cally audit account crea�on, modifica�on, enabling, disabling, and removal ac�ons. 17. Require that users log out when a work period has been completed. 18. Disable accounts of individuals within 30 minutes of discovery of direct threats to the confiden�ality, integrity, or availability of CJI. 19. Enforce and verify access controls during employee onboarding and o�oarding. Access Enforcement To ensure proper access enforcement, the City shall: 1. Enforce approved authoriza�ons for logical access to informa�on and system resources in accordance with applicable access control policies. 2. Provide automated or manual processes to enable individuals to have access to elements of their personally iden�fiable informa�on. Informa�on Flow Enforcement To ensure compliant informa�on flow enforcement, the City’s IT staff shall enforce approved authoriza�ons for controlling the flow of informa�on within the system and between connected systems by preven�ng CJI from being transmited unencrypted across the public network, blocking outside traffic that claims to be from within the agency, and not passing any web requests to the public network that are not from the agency-controlled or internal boundary protec�on devices. Separa�on of Du�es To ensure proper separa�on of du�es, the City shall: 1. Iden�fy and document separa�on of du�es based on specific du�es, opera�ons, or informa�on systems, as necessary, to mi�gate risk to CJI. 2. Define system access authoriza�ons to support separa�on of du�es. Least Privilege To reduce risk, improve system stability, increase produc�vity, strengthen cybersecurity and improve compliance, the City shall: Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D 1. Employ the principle of least privilege, allowing only authorized accesses for users (or processes ac�ng on behalf of users) that are necessary to accomplish assigned City tasks. 2. Provide restricted access to authorized personnel by using: a. Established system accounts with configured access authoriza�ons (i.e., permissions, privileges) that: i. set events to be audited ii. set intrusion detec�on parameters, and other security func�ons; and b. Role based security-relevant informa�on in hardware, so�ware, and firmware. 3. Require that users of system accounts (or roles) with access to privileged security func�ons or security-relevant informa�on (e.g., audit logs) use non-privileged accounts or roles when accessing non-security func�ons. 4. Restrict privileged accounts on the system to privileged users. 5. Review annually the privileges assigned to non-privileged and privileged users to validate the need for such privileges. 6. Reassign or remove privileges, if necessary, to correctly reflect organiza�onal mission and business needs. 7. Log the execu�on of privileged func�ons. 8. Prevent non-privileged users from execu�ng privileged func�ons. Unsuccessful Logon Atempts To limit the risk of unauthorized access, the City shall ensure that the informa�on system: 1. Enforces a limit of consecu�ve invalid logon atempts by a user during a 15-minute �me period. 2. Automa�cally locks the account or node un�l released by an administrator when the maximum number of unsuccessful atempts is exceeded System Use No�fica�on The City shall ensure that the informa�on system: 1. Displays to users an approved system-use no�fica�on message or banner before gran�ng access to the system that provides privacy and security no�ces consistent with applicable state and federal laws, direc�ves, policies, regula�ons, standards, and guidance and states informing that: a. Users are accessing a restricted informa�on system. b. Informa�on system usage may be monitored, recorded, and subject to audit. c. Unauthorized use of the informa�on system is prohibited and subject to criminal and civil penal�es. d. Use of the informa�on system indicates consent to monitoring and recording. 2. Retains the no�fica�on message or banner on the screen un�l users acknowledge the usage condi�ons and take explicit ac�ons to log on to or further access the informa�on system. 3. For publicly accessible systems, ensure that the informa�on system: a. Displays system use informa�on consistent with applicable laws, execu�ve orders, direc�ves, regula�ons, policies, standards, and guidelines, before gran�ng further access. b. Displays references, if any, to monitoring, recording, or audi�ng that are consistent with privacy accommoda�ons for such systems that generally prohibit those ac�vi�es. c. Includes a descrip�on of the authorized uses of the system. Device Lock To limit the risk of unauthorized access the City shall: 1. Ini�ate a session lock a�er a maximum of 30 minutes of inac�vity or upon receiving a request from a user. 2. Retain the session lock un�l the user reestablishes access using established iden�fica�on and authen�ca�on procedures. 3. Conceal, via the session lock, informa�on previously visible on the display with a publicly viewable image. Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D Session Termina�on The City shall ensure the informa�on system automa�cally terminates a user session a�er a user has been logged out. Permited Ac�ons Without Iden�fica�on or Authen�ca�on The City shall: 1. Iden�fy user ac�ons that can be performed on the informa�on system without iden�fica�on or authen�ca�on consistent with City of Golden Valley missions and business func�ons. 2. Document and provide suppor�ng ra�onale in the security plan for the informa�on system user ac�ons not requiring iden�fica�on or authen�ca�on. Remote Access To ensure secure remote access, the City shall: 1. Establish and document usage restric�ons, configura�on/connec�on requirements, and implementa�on guidance for each type of remote access allowed. 2. Authorize remote access to the informa�on system prior to allowing such connec�ons. 3. Ensure that the informa�on system monitors and controls remote access methods. 4. Ensure that the informa�on system implements cryptographic mechanisms to protect the confiden�ality and integrity of remote access sessions. 5. Ensure that the informa�on system routes all remote accesses through authorized and managed network access control points. 6. Authorize the execu�on of privileged commands and access to security-relevant informa�on via remote access only in a format that provides assessable evidence and for the following needs: compelling opera�onal needs. 7. Document the ra�onale for such access in the security plan for the informa�on system. Wireless Access To ensure secure wireless access, the City of Golden Valley shall: 1. Establish usage restric�ons, configura�on/connec�on requirements, and implementa�on guidance for wireless access. 2. Authorize wireless access to the informa�on system prior to allowing such connec�ons. 3. Protect wireless access to the system using authen�ca�on of authorized users and agency-controlled devices, and encryp�on. 4. Disable, when not intended for use, wireless networking capabili�es embedded within system components prior to issuance and deployment. Access Control for Mobile Devices To ensure secure access for mobile devices, he City of Golden Valley shall: 1. Establish configura�on requirements, connec�on requirements, and implementa�on guidance for organiza�on-controlled mobile devices, to include when such devices are outside of controlled areas. 2. Authorize the connec�on of mobile devices to City of Golden Valley systems. 3. Employ full-device encryp�on to protect the confiden�ality and integrity of informa�on on full- and limited- feature opera�ng system mobile devices authorized to process, store, or transmit CJI. Use of External Systems To ensure proper use access from external systems, the City shall: 1. Establish terms and condi�ons, consistent with any trust rela�onships established with other organiza�ons owning, opera�ng, and/or maintaining external informa�on systems, allowing authorized individuals to: a. Access the system from external systems. Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D b. Process, store, or transmit organiza�on-controlled informa�on using external systems. 2. Prohibit the use of personally-owned informa�on systems including mobile devices (i.e., bring your own device [BYOD]) and publicly accessible systems for accessing, processing, storing, or transmi�ng CJI. 3. Permit authorized individuals to use an external system to access the system or to process, store, or transmit City of Golden Valley-controlled informa�on only a�er: a. Verifica�on of the implementa�on of controls on the external system as specified in the City of Golden Valley security and privacy policies and security and privacy plans; or b. Execu�on and reten�on of approved system connec�on or processing agreements with the organiza�onal en�ty hos�ng the external system. 4. Restrict the use of organiza�on-controlled portable storage devices by authorized individuals on external systems. Informa�on Sharing The City of Golden Valley shall: 1. Enable authorized users to determine whether access authoriza�ons assigned to a sharing partner match the informa�on’s access and use restric�ons for as defined in an executed informa�on exchange agreement 2. Employ atribute-based access control or manual processes as defined in informa�on exchange agreements to assist users in making informa�on sharing and collabora�on decisions. Publicly Accessible Content To ensure content is accessible to the public in a manner that complies with all applicable laws, rules and regula�ons, the City shall: 1. Designate individuals authorized to make informa�on publicly accessible. 2. Train authorized individuals to ensure that publicly accessible informa�on does not contain nonpublic informa�on. 3. Review the proposed content of informa�on prior to pos�ng onto the publicly accessible informa�on system to ensure that nonpublic informa�on is not included. 4. Review the content on the publicly accessible informa�on system for nonpublic informa�on quarterly and remove such informa�on, if discovered. Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D Exhibit B O FFICIAL C ITY P OLICY C ITY OF G OLDEN V ALLEY General Informa�on Policy Title: Informa�on Technology Media Protec�on Policy Department: Administra�ve Services, Informa�on Technology Division Policy Owner: Informa�on Technology Manager Policy ID: Council Approval Date: Resolu�on Number: Effec�ve Date: ☐New ☐ Updated Policy Overview Policy Descrip�on: The City of Golden Valley is required by the Bureau of Criminal Apprehension (BCA) to have a Media Protec�on policy for all media that contains criminal jus�ce informa�on (CJI). Purpose & Scope: The purpose of this policy is to establish guidelines for the protec�on of sensi�ve informa�on stored on various media types, both digital and physical. This policy applies to all individuals, including but not limited to employees, contractors, vendors, and third-party service providers that to access, manage, or store media, including media containing CJI within the City of Golden Valley. Defini�ons: • Criminal Jus�ce Informa�on Systems (CJIS): A division of the FBI that manages and provides access to criminal jus�ce data and informa�on systems, including background checks, criminal histories, and law enforcement databases. • CJI stands for Criminal Jus�ce Informa�on: It refers to data related to the administra�on of criminal jus�ce, including informa�on on individuals involved in the criminal jus�ce system, such as: arrest records, criminal histories, court records, sentencing informa�on, and parole and proba�on details • Digital Media: Content that is created, stored, and distributed in a digital format, including but not limited to text, audio, video, and images that can be accessed on electronic devices like computers, smartphones, and tablets. • Physical Media: Media with a tangible form, which can be either digital or non-digital, including but not limited to DVDs, CDs, printed photos, and books. • Non-Digital Media: Any media that is not electronic, including but not limited to printed books, newspapers, vinyl records, and live performances. • Physically Secure Loca�ons: Physical spaces designed to protect sensi�ve informa�on, assets, or personnel from unauthorized access or threats. These areas typically feature security measures like locks, surveillance cameras, controlled access, and alarms to ensure safety and confiden�ality. • Unassigned City Media Device: a piece of equipment or technology that has not yet been allocated or assigned to a specific person or purpose. Related Documents, Materials & Resources: Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D Policy This Informa�on Technology Media Protec�on Policy covers media classifica�on, access control, handling, disposal, incident repor�ng, and training. The Informa�on Technology (IT) division is Media Classifica�ons The IT division shall maintain an inventory of all media containing criminal jus�ce informa�on (CJI). All media will be classified according to the sensi�vity of informa�on adhering to CJIS standards. Media Access and Use The IT division shall restrict access to all digital and non-digital City-owned media devices to specifically authorized individuals. The IT division shall keep list of all authorized personnel, including their access levels, which shall be reviewed quarterly and during personnel changes. Individuals shall not use unassigned City media devices or digital media devices not owned by the City on any City of Golden Valley owned or controlled systems that store, process, or transmit criminal jus�ce informa�on. Media Storage and Transport The City shall securely store all media within iden�fiable Physically Secure Loca�ons and encrypt CJI on Digital Media. Data shall only be transported by authorized individuals and all such transporta�on shall be documented in a transport log kept by the IT division. Media Sani�za�on All media must be properly disposed of, sani�zed, or otherwise destroyed in adherence to the Minnesota Data Prac�ces Act (MNDPA) and the City reten�on policies. In the event that media becomes inoperable or is no longer needed for inves�gatory or security purposes, it shall be disposed of using the methods outlined below. All disposal, destruc�on and sani�za�on of media shall be accomplished by employing sani�za�on mechanisms with the strength and integrity corresponding with the security category or classifica�on of the data as public, private, confiden�al, and CJIS. Non-Digital Media All Non-Digital Media must be sani�zed using overwrite technology prior to: - Disposing of the media through crosscut shredding or incinera�on, or - Releasing the media to an outside agency or jurisdic�on (unless authorized under MNDPA) Digital Media All digital media must be sani�zed using the degaussing method, prior to disposal or release for reuse by other individuals. Training and Awareness The IT division shall collaborate with City departments to ensure that all personnel with access to CJI have been properly trained on the requirements of this policy. Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D Exhibit C O FFICIAL C ITY P OLICY C ITY OF G OLDEN V ALLEY General Informa�on Policy Title: Informa�on Technology Physical and Environmental Protec�on Policy Department: Administra�ve Services, Informa�on Technology Division Policy Owner: Informa�on Technology Manager Policy ID: Council Approval Date: Resolu�on Number: Effec�ve Date: ☒New ☐ Updated Policy Overview Policy Descrip�on: The Informa�on Technology (IT) division is required by the Bureau of Criminal Apprehension (BCA) to administer and control a physical and environmental protec�on policy for all City assets which may contain criminal jus�ce informa�on (CJI). Purpose & Scope: To ensure that Informa�on Technology (IT) resources are protected through physical and environmental security measures that prevent physical tampering, damage, the�, and unauthorized access. This policy applies to all individuals, including but not limited to employees, contractors, and vendors, and third-party service providers who have access to IT facili�es and assets. Defini�ons: • Physically Secure Loca�ons: Physical spaces designed to protect sensi�ve informa�on, assets, or personnel from unauthorized access or threats. These areas typically feature security measures like locks, surveillance cameras, controlled access, and alarms to ensure safety and confiden�ality. • Physical Access Devices: allow individuals to gain access to secure areas or systems. This could include items like key cards, access codes, biometric scanners (like fingerprint readers), keys, or other tools that control entry to physical loca�ons or restricted areas. • IT Systems: the en�rety of the technology environment for the City of Golden Valley, including but not limited to hardware, so�ware, networking, security measures, and data management. • Cryptographic Mechanisms: used to secure informa�on by transforming it into a format that is unreadable to unauthorized users. Including encryp�on, decryp�on, hash, digital signatures, and key management. o Encryp�on: The process of conver�ng plaintext into ciphertext using algorithms and keys, making it unreadable without the appropriate decryp�on key. o Decryp�on: The reverse process of encryp�on, conver�ng ciphertext back into plaintext. o Hash Func�ons: Algorithms that generate a fixed-size string (hash) from input data, used to verify data integrity. Hashes are one-way func�ons, meaning they cannot be reversed. o Digital Signatures: A cryptographic technique that uses public key cryptography to verify the authen�city and integrity of a message or document. o Key Management: The process of genera�ng, distribu�ng, and managing cryptographic keys used in encryp�on and decryp�on. Related Documents, Materials & Resources: • IT Access Control Policy • IT Media Protec�on Policy • IT Security Incident Response Policy Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D Policy This Informa�on Technology Physical and Environmental Protec�on Policy aims to protect the City of Golden Valley’s physical assets and ensure a secure environment for IT opera�ons that maintain confiden�ality, integrity, and availability of IT Systems. Physical Access Authoriza�on and Control The IT division shall ensure that servers, networking equipment, and other assets are stored in physically secure loca�ons. The IT division shall enforce physical access authoriza�ons through the following steps. Physical Authorization 1. Develop, approve, and maintain an access list of individuals who are authorized users of the City’s IT Systems (the “Access List”). 2. Issue authoriza�on creden�als for access. 3. Review the Access List annually and when personnel changes occur. 4. Remove individuals from the Access List upon personnel changes and when posi�on responsibili�es no longer require access. Physical Control The City of Golden Valley shall control and prevent unauthorized access to Physically Secure Loca�ons, including the loca�ons of IT Systems, transmission lines and devices, and output devices such as printers, facsimile machines, scanners, monitors, etc. The IT division shall: 1. Designate IT areas as non-public and implement security measures such as keys, locks, combina�ons, biometric readers, placards, card readers, and surveillance equipment. 2. Verify individual access authoriza�ons prior to allowing access to IT Systems. 3. Control ingress (entering) and egress (exi�ng) to Physically Secure Loca�ons using door access control. 4. Escort visitors and control visitor ac�vity in all Physically Secure Loca�ons of the City. 5. Inventory all agency-issued physical access devices annually. 6. Maintain physical access audit logs for City and agency-defined sensi�ve areas. 7. Review access logs, including visitor records quarterly and upon any security-related incidents. 8. Conduct inves�ga�ons including reviewing surveillance upon occurrence of any physical, environmental, or security-related incidents. 9. Change combina�ons and keys when keys are lost, combina�ons are compromised, or when individuals possessing the keys or combina�ons are transferred or terminated. Environmental Controls The IT division shall protect the IT systems, power equipment, transmission lines, and cables from damage through a variety of environmental controls and preparedness. Fire Protection The IT division will work with the Fire Department to ensure that all facili�es are equipped with fire suppression and detec�on systems that are supported by an independent energy source. Fire detec�on systems will ac�vate automa�cally and no�fy organiza�onal personnel with physical and environmental protec�on responsibili�es and police, fire, or emergency medical personnel in the event of a fire. Environmental Damage Prevention Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D The IT division shall consult with building maintenance personnel to con�nually monitor and maintain adequate HVAC levels based on system manufacturer recommenda�ons. To prevent water damage the City shall provide master shutoff or isola�on valves that are accessible, working properly, and known to key personnel. Emergency Opera�ons In the event of an emergency the IT Division has established the following protocols. Emergency Shut Off The IT division shall ensure the City has power-shut off capabili�es including emergency shut-off switches in easily accessible loca�ons for authorized personnel. The shutoff switches are only available to authorized individuals. Emergency Power Supply Provide an uninterrup�ble power supply to facilitate the orderly shutdown of informa�on systems and to transi�on of informa�on systems to an alternate power supply. Emergency Lightning Employ and maintain automa�c emergency ligh�ng for the system that ac�vates in the event of a power outage or disrup�on and that covers emergency exits and evacua�on routes within the facility. Alternate Work Site In the event that the City’s primary Physically Secure Loca�ons become compromised, the IT division shall: a. Assess, determine, and communicate alternate facili�es or loca�ons allowed for use by employees. b. Employ the following security controls at alternate work sites: i. Limit access to the area during CJI processing �mes to only those personnel authorized by the City to access or view CJI. ii. Lock the area, room, or storage container when unatended. iii. Posi�on informa�on system devices and documents containing CJI in such a way as to prevent unauthorized individuals from access and view. iv. Follow strong encryp�on standards by implemen�ng cryptographic mechanisms to protect the confiden�ality and integrity of informa�on. This includes data in transit and data at rest. c. Provide a means for employees to communicate with informa�on security and privacy personnel in case of incidents. Training Prior to gaining access to physically secure loca�ons all employees must review this policy. Employees with authorized access to CJIS must complete the review of this policy annually. Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D Exhibit D O FFICIAL C ITY P OLICY C ITY OF G OLDEN V ALLEY General Informa�on Policy Title: Informa�on Technology Security Incident Response Policy Department: Administra�ve Services, Informa�on Technology Division Policy Owner: Informa�on Technology Manager Policy ID: Council Approval Date: Resolu�on Number: Effec�ve Date: ☒New ☐ Updated Policy Overview Policy Descrip�on: The Informa�on Technology (IT) division is required by the Bureau of Criminal Apprehension (BCA) to implement a policy for managing and responding to computer security incidents. Purpose & Scope: This policy establishes that the IT division will iden�fy, contain, inves�gate, remedy, and respond to all computer security incidents. This policy applies to all employees, contractors, and vendors that have access to IT facili�es and assets. Defini�ons: • Data Breach: Unauthorized access and retrieval of sensi�ve informa�on. • Security Incident: Any event that compromises the confiden�ality, integrity, or availability of informa�on or informa�on systems. Related Documents, Materials & Resources: • IT Access Control Policy • IT Media Protec�on Policy • IT Physical and Environmental Protec�on Policy • IT Security Incident Response Plan Policy Incident Response Plan The IT division shall work with the Police department to implement an IT Incident Response Plan (the “Plan”) to respond to all Security Incidents. The Plan shall include metrics, resources, structure, and a guide. IT staff shall distribute the Plan to all users of systems containing Criminal Jus�ce Informa�on systems (CJIS) data. The Plan shall also be available to anyone with incident handling responsibili�es and kept protected from unauthorized disclosure or modifica�ons. Incident Response Training and Tes�ng The City of Golden Valley shall provide incident response training to users prior to gran�ng access to systems and annually therea�er. Training will include how to iden�fy, respond to, and report a Security Incident. The City shall test the effec�veness of incident response capability annually. Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D Incident Monitoring, Handling, and Repor�ng The IT division is responsible for tracking and documen�ng Security Incidents and for handling reported Security Incidents. All City staff are required to report suspected Security Incidents to IT immediately and no later than one-hour a�er discovery. The IT division shall: 1. No�fy the Bureau of Criminal Apprehension (BCA) Security Officer (ISO) within 24 hours of discovery of a confirmed security incident. 2. Report Security Incident informa�on to providers of affected products and services, and to other organiza�ons involved in the systems or system components related to the Security Incident. 3. Provide system support to end-users. 4. Follow the specific IT Incident Response Plan. 5. Collaborate with the Data Prac�ces Responsible Authority and Compliance Official for all Security Incidents involving data breaches, including but not limited to data involving personally iden�fiable informa�on and data deemed private under applicable laws. Docusign Envelope ID: 06FAD29C-CA38-471C-A773-CDA030EFAE0D