Information Technology Governance

Local Government Management Guide

Area #1 – IT Policy

IT policies define the Board’s expectations for appropriate user behavior, describe the tools and procedures used to help protect data and IT systems, assign key responsibilities and explain the consequences of policy violations. The governing board should provide oversight and leadership by adopting IT policies that take into account people, processes and technology; communicating the policies to all computer users; and ensuring there are procedures in place to monitor compliance with policies.

Your unique computing environment should dictate the content and number of policies necessary. A small entity with uncomplicated, modest computing resources may only need a few policies to cover relevant issues adequately. Larger entities with complex systems may need several policies to convey management’s expectations and ensure effective operation. While IT policies will not guarantee the safety of your IT system, a lack of appropriate policies significantly increases the risk that data, hardware and software systems may be lost, damaged or compromised by unauthorized or inappropriate access and use.

At a minimum, IT policies should include: 

  • Breach Notification – New York State Technology Law (State Technology Law) requires municipalities and other local agencies to have a breach notification policy or local law.² Such policy or local law must require that notification be given to certain individuals when there is a breach of the security of the system as it relates to private information. If you fail to adopt an information breach notification policy and private information is compromised, or is reasonably believed to be compromised, officials and employees may not understand or be prepared to fulfill their legal obligation to notify affected individuals.
  • Data Security and Privacy – New York State Education Law (State Education Law) and the Commissioner’s Regulations (Regulations) require educational agencies to have a data security and privacy policy that aligns with the National Institute for Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity.³ Such policy must also address the data privacy protections in Section 2-d of the State Education Law, including requiring that every use and disclosure of student, teacher or principal⁴ personally identifiable information (PII) benefits the student, teacher or principal and prohibiting student, teacher or principal PII from being included in public reports or other documents.⁵
  • Online Banking – Before a local government or school begins processing financial transactions online, it should have a comprehensive policy that addresses online banking activities. The policy should identify what online banking activities are allowed; who is authorized to prepare, approve and process online transactions; who is responsible for recording online transactions; who is responsible for reviewing and reconciling transactions and how often such reviews and reconciliations should occur; and what procedures should be followed when responding to potentially fraudulent activity.
  • Internet, Email and Computer Use – This policy should describe what constitutes appropriate and inappropriate use of IT resources, along with your expectations concerning personal use of IT equipment and user privacy (e.g., management reserves the right to examine email, personal file directories, web access history and other information stored on local government or school computers, at any time and without notice). It should also describe the consequences for policy violations (e.g., an employee found to have violated the policy may be subject to disciplinary action, up to and including termination of employment).

Other key topics that you should consider covering in IT policies include but are not limited to:

  • Password Security – This should establish expectations for IT administrators configuring password settings and for users selecting passwords. It should communicate current industry standards for password security, and define any requirements related to, for example, password comparisons and/or changes, invalid password attempt thresholds and password encryption.
  • Mobile Devices – This should identify any mobile devices⁶ explicitly authorized or prohibited from containing or accessing your information resources. It should define the devices covered (e.g., local government or school owned or personally owned), procedures for reporting lost or stolen devices, the process used for gaining approval before connecting new devices to the system and other user responsibilities.
  • Wireless Security – This should specify whether or not users are allowed to connect local government or school devices to public wireless networks (e.g., at hotels or cafes) and personally owned devices to the local government’s or school’s wireless network. If public wireless network access is allowed, any required security controls, such as virtual private network connections, should be clearly defined. It should also indicate who is covered by the policy (e.g., all employees, contractors, consultants, temporary and other workers) and describe the consequences of violating the policy.

² Pursuant to Section 208, notification is required to be given to certain individuals when there is a “breach of the security of the system” as it relates to “private information.” “Breach of the security of the system” is generally defined as meaning unauthorized acquisition of computer data which compromises the security, confidentiality or integrity of personal information maintained by the entity. “Private information” is defined as personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired: (1) Social Security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual’s financial account.

³ Education Law Section 2-d(5)(c); 8 NYCRR 121.5(b)

⁴ 8 NYCRR 121.5(c)(1)

⁵ 8 NYCRR 121.5(c)(2)

⁶ Mobile devices include, but are not limited to, laptops, tablets, smartphones, USB (universal serial bus) flash drives and memory cards.

The Information Technology Governance LGMG can be downloaded at https://www.osc.ny.gov/files/local-government/publications/pdf/information-technology-governance.pdf