Mayor Freddie O'Connell Executive Order Number 037

The Metropolitan Government of Nashville and Davidson County

Freddie O'Connell, Mayor

Executive Order 37

Subject: Establishes the Information Security Governance Structure for the Metropolitan Government.

I, Freddie O’Connell, Mayor of the Metropolitan Government of Nashville and Davidson County, by virtue of the power and authority vested in me, do hereby find, direct, and order the following:

I. Maintaining the confidentiality, integrity, and availability of information, information technology, and critical operational processes in a manner meeting the Metropolitan Government's legal, regulatory and ethical responsibilities on behalf of its citizens is of paramount importance to the Metropolitan Government.

II. The heads of all Metropolitan Government departments, agencies and commissions, as business owners, shall be responsible for information security within their organizations, including the protection of the information collected, stored and processed and the information systems used within their organization.

III. The Director of Information Technology Services shall develop, disseminate, review, and update an Information Security Management Program (“Program”) consisting of policies, procedures, plans, standards, guidelines, and controls that shall aid departments, agencies, and boards in meeting their information security obligations.

IV. Metropolitan Government employees shall have individual responsibility and accountability for achieving the Metropolitan Government of Nashville and Davidson County’s (Metropolitan Government) information security management goals.

V. Information Security Management Policy and Steering Committee

1. The Metropolitan Government of Nashville and Davidson County (“Metropolitan Government”) is required to maintain the confidentiality, integrity, and appropriate level of availability of information and information systems, and high standards of information security; and
2. There is a further need to have a Metropolitan Government’s Information Security Management Policy (ISM Policy) to address the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction now and in the future as changes occur; and
3. The Director of Information Technology Services has recommended an ISM Policy based on the needs of the Metropolitan Government; and
4. That ISM Policy (Metropolitan Government’s Information Security Management Policy), is now ordered and established by this Executive Order and shall continue to be in effect until modified by a subsequent Executive Order; and
5. There is hereby created an Information Security Steering Committee (Steering Committee) to review and advise the Director of Information Technology Services on government information security policies, standards, and practices for the Metropolitan Government.

The functions, membership and meetings shall be as follows:

A. FUNCTIONS

1. Recommending to the Director of Information Technology Services alterations or changes to minimum security requirements for information and information systems of Metropolitan Government departments, agencies, and boards.
2. Recommending to the Director of Information Technology Services information security standards and practices for Metropolitan Government departments, agencies, and boards.
3. Recommending to the Director of Information Technology Services methods and content for improving information security awareness.
4. Recommending to the Director of Information Technology Services performance measures to determine the effectiveness of Metropolitan Government policies, procedures, plans, standards, guidelines, and controls designed to meet or exceed the objectives identified in the ISM Policy, and reporting on those measures, if applicable.
5. Reviewing as requested by the Director of Information Technology Services and then recommending to the Director of Information Technology Services whether the ISM Policy would be violated by or should be waived for an individual, department, or group requesting an exception.

B. MEMBERSHIP

1. The Steering Committee shall have nine (9) permanent voting members and four (4) revolving voting members.
2. The nine (9) permanent members of the Steering Committee shall be officials of the Metropolitan Government, as follows:
   • The Director of Information Technology Services
   • The Chief of Police
   • The Sheriff
   • The Director of Justice Integration Services
   • The Director of Law
   • The Director of Finance
   • The Director of Schools
   • The Director of General Services
   • The Director of Human Resources
3. Four (4) revolving members of the Steering Committee shall be officials or employees of the Metropolitan Government, each from a different department, not including those listed above, selected by the Mayor. The term of these four members shall be at minimum two (2) years and each shall serve until their replacement is appointed by the Mayor.
4. All members shall be able to select designees to appear and vote at meetings of the Steering Committee.
5. The Steering Committee shall elect one of its members to serve as its Chair and another to serve as its Vice-Chair.
6. The Metropolitan Auditor shall serve as an ex-officio, nonvoting member of the Steering Committee.

C. MEETINGS

1. The Steering Committee shall hold meetings once a month or on request of the Director of Information Technology Services or the Mayor.
2. A quorum shall consist of seven (7) voting members.
3. The Steering Committee shall make such bylaws as it deems necessary.
4. The Steering Committee shall submit recommendations to the Director of Information Technology Services.
5. The Steering Committee shall hold at least one meeting annually to be attended by the Directors of the Steering Committee departments, the Mayor and an invited representative of the Metropolitan Council. Content of the meeting shall include program overview, risks, incidents and state of information security awareness efforts.

VI. Acceptable Use of Information Technology Assets Policy

1. The Metropolitan Government maintains an Acceptable Use of Information Technology Assets Policy in order to help maintain the confidentiality, integrity and appropriate level of availability of the Metropolitan Government’s information assets and to provide direction to employees and third-party users (as applicable) who use such assets. These assets consist of the Metropolitan Government’s electronic devices, communication and information systems, including, but not limited to, electronic communications such as email and Internet access services. Such devices, systems and services are the Metropolitan Government’s if they are owned, leased or licensed by the Metropolitan Government and provided to its employees and third-party users (as applicable) for their use while at work (“Information Technology Assets”).
2. Tennessee Code Annotated § 10-7-512 requires the Metropolitan Government to adopt a written policy governing e-mail monitoring.
3. The Acceptable Use of Information Technology Assets Policy (the “Policy”) fulfills both of the objectives stated above and shall apply to all employees and third-party users (as applicable).
4. Commencing on the effective date subscribed below, the heads of all Metropolitan Government departments, agencies and commissions shall likewise distribute the Policy to current and future third party users, including, but not limited to, consultants, contractors, interns and temporaries, or employees or third party users of any entity connected to Metro systems, who use Information Technology Assets of the Metropolitan Government to access information of the Metropolitan Government, and who have not yet received it and acknowledged their receipt of it. All such employees and third party users (as applicable) shall execute the acknowledgement that is attached to the Policy to certify that they have received and are familiar with the Policy, unless they have already done so, and will provide this acknowledgement to their HR contact, if an employee, or to their Metropolitan Government point of contact, if a third party user.
5. Commencing on the effective date subscribed below, the heads of all Metropolitan Government departments, agencies and commissions shall distribute the Policy to any of their current employees who have not yet received it and signed the acknowledgment and to any future employees and assure that their employees execute the acknowledgement.
6. Commencing on the effective date subscribed below, the heads of all Metropolitan Government departments, agencies and commissions shall have signed the acknowledgement.

VII. Information Security Management Training

1. Understanding the importance of individual responsibility and accountability for information security management is paramount to achieving the Metropolitan Government of Nashville and Davidson County’s (Metropolitan Government) information security management goals.
2. General information security awareness training and targeted, specific, training are important elements in information security management.
3. Information security awareness training needs to be continuously improved and reinforced.
4. The training of all Metropolitan Government employees with access to Metropolitan Government information technology and security management in information security awareness is imperative in order to help protect the confidentiality, integrity and appropriate level of availability of the electronic and non-electronic information of the Metropolitan Government. The Metropolitan Government further strives to implement training or other equivalent security measures with regard to third party users (including, but not limited to, consultants, contractors, interns and temporaries, or employees of any entity connected to Metro systems) with access to Metropolitan Government information technology and security management.
5. Training and Awareness Program.
   The Department of Human Resources and the Department of Information Technology Services shall identify information security management training requirements, develop curriculum, implement thorough institutional training systems, and improve curriculum and requirements to adjust to changing threat models, vulnerabilities, risks, and identified gaps and deficiencies. Specifically, they will:
   A. Maintain, in a central location, a comprehensive set of all of the Metropolitan Government’s information security management policies and procedures;
   B. Develop and maintain a process to communicate new information security management program information, including, but not limited to, security items of interest and ongoing reminders;
   C. Define the level of information security awareness training required for each job/role description and include the level of information security awareness training required in personnel job/role descriptions and responsibilities;
   D. Prepare any needed supplemental or replacement programs on information security awareness training, in addition to implementing existing programs, and continue presenting and planning to present these programs to all Metropolitan Government employees and third-party users (as applicable) according to the level of security required in personnel job/role descriptions and responsibilities. In addition,
   1. these programs will address the requirements for appropriate training for each job/role, as reflected in applicable policies and procedures;
   2. training objectives and content must be aligned with the jobs/roles and responsibilities of the trainees to maintain a targeted and focused training effort;
   3. where practical, training must use real world examples to clearly illustrate learning principles and illuminate situations that may be encountered by trainees; and
   4. training content and completion shall be documented and maintained on file in the Department of Human Resources.
   E. Review, as necessary, but at least annually, the content of required training courses to promote the use of best practices for information security management. This will enable training objectives to reflect changes in needs, policies, and technologies, as well as external requirements, such as federal and state laws and contractual obligations; and
   F. Assure accountability in information security management during pre-employment, as applicable (including, but not limited to, background screenings); employment (including, but not limited to, during transfers or promotions and during any disciplinary process); and post-employment (including, but not limited to, the removal of access rights).
6. Employee and Third-Party User Training
   All Metropolitan Government employees (and third-party users, as applicable) are required to complete the information security awareness training that shall be conducted under the direction of the Metropolitan Department of Human Resources. In addition,
   A. all new employees (and third-party users, as applicable) must attend or complete an approved information security awareness training class prior to, or at least within thirty (30) days of, being granted access to the Metropolitan Government’s information assets;
   B. all employees (and third-party users, as applicable) must sign an acknowledgement stating they have read and understand the Metropolitan Government’s requirements regarding information security policies and procedures;
   C. all employees (and third-party users, as applicable) must be provided with sufficient training and supporting reference materials to allow them to properly protect the Metropolitan Government’s information assets;
   D. all employees (and third-party users, as applicable) must attend or complete information security compliance refresher training at a minimum of every two years, as is determined necessary by the Department of Human Resources, that reinforces security concepts, practices, and responsibilities and addresses any new information security issues that may arise; and
   E. all employees (and third-party users, as applicable) must be aware of their responsibilities to protect the Metropolitan Government’s information assets and be adequately trained to fulfill those responsibilities.
7. Persons Covered
   This Section of this Executive Order shall apply to all Metropolitan Government employees (and third-party users, as applicable) except: employees and users of the Nashville Electric Service, the Metropolitan Nashville Airport Authority, the Metropolitan Hospital Authority, and the Metropolitan Development and Housing Agency. I hereby request that the Nashville Electric Service, the Metropolitan Nashville Airport Authority, the Metropolitan Hospital Authority, and the Metropolitan Development and Housing Agency develop a similar training program and require that the employees and users under their authority receive information security awareness training.
8. Departmental Responsibility
   Each employee of the Metropolitan Government who acts in a supervisory capacity is responsible for overseeing compliance with this section by those employees in his or her line of authority, and by third party users in her or her line of authority, as applicable.
   
   The heads of all Metropolitan Government departments, agencies and commissions are responsible for identifying any additional information security training required within their areas to meet any statutory, regulatory or additional compliance requirements and ensuring compliance.
9. Implementation Schedule
   The Department of Human Resources shall be responsible for providing this training to each new Metropolitan Government employee and third-party user, as applicable.

Ordered, Effective and Issued: January 17, 2024

Freddie O’Connell

Metropolitan County Mayor