THE METROPOLITAN GOVERNMENT OF NASHVILLE AND DAVIDSON COUNTY
MEGAN BARRY, MAYOR
Subject: Establishes the Information Security governance structure for the Metropolitan Government.
I, Megan Barry, Mayor of the Metropolitan Government of Nashville and Davidson County, by virtue of the power and authority vested in me, do hereby find, direct and order the following:
Section I – Information Security Advisory Board
There is hereby established the Information Security Advisory Board (ISAB), which has as its mission the provision of advice to the Metropolitan Government regarding information security management standards and best practices for the preservation of the confidentiality, integrity and availability of electronic and non-electronic information of the public, Metropolitan Government employees and third party users, and the Metropolitan Government itself.
1. Functions of the ISAB
- The ISAB will provide advice to the Metropolitan Government concerning information security management standards and best practices including:
- quantitative and qualitative methodologies and tools for assessing and treating security risks;
- organizational frameworks to manage information security internally and externally, and to keep up with evolving and changing information security management trends and requirements;
- processes and procedures to manage information assets, including identification of information assets and responsibility for maintenance of controls for those assets;
- methods of assigning security roles and responsibilities to employees, contractors and third party users of Metropolitan Government information assets;
- physical and environmental security controls for Metropolitan Government facilities, equipment (i.e., hardware, cabling, supporting utilities, and the like), as well as secure disposal of equipment and devices containing sensitive information;
- procedures and responsibilities for communications and operations management, including processes for change management, third party service delivery management, protection against malicious and mobile code, back-ups, network security management, exchange of information with organizations outside of Metro, electronic commerce and on-line transactions, and monitoring of Metropolitan Government systems;
- policies and procedures to control access to information by system users, including password use, network and operating system access, application and information access, and mobile computing and teleworking;
- security requirements for information systems acquisition, development and maintenance, including operating systems, infrastructure, business applications, off-the-shelf products, services, and user-developed applications, and policy for the use of cryptographic controls;
- formal event reporting and escalation procedures for information security incident management;
- the information security aspects of business continuity management; and
- compliance with laws, regulations, contractual obligations, and other Metropolitan Government security requirements, and information systems audit requirements.
2. Membership
The ISAB shall have seven (7) voting members and six (6) non-voting ex officio members.
- The seven (7) voting members of the ISAB will consist of non-Metropolitan Government information security management experts who have expertise in some or all of the following areas: access control systems/methods, applications/systems development, business continuity/disaster recovery, computer forensics, encryption, law/investigations, network security, physical security, records management, security architecture, security management practices, telecommunications security, and/or other security fields. They will be selected and appointed by the Mayor.
- The regular term of the seven (7) voting members of the board shall be two (2) years.
- The six (6) non-voting ex officio members of the ISAB will consist of the Chief Operating Officer, the Director of Information Technology Services, the Director of Law, the Director of Finance, the Director of General Services, and the Director of Human Resources.
- All ex-officio members shall be able to select designees to appear at meetings of the ISAB.
- The Mayor shall designate a voting member of the ISAB to serve as its Chair (Chair).
- The Mayor shall designate a voting member of the ISAB to serve as the Vice-Chair and exercise all functions of the Chair when the Chair is unavailable.
3. Meetings
- The ISAB shall hold regular meetings not less than once per quarter. The regular meetings will be held at a date, time and place to be determined by the Chair.
- Special meetings may be called by the Chair or by request of three (3) permanent voting members, as necessary.
- A quorum shall consist of four (4) voting members.
- The ISAB shall submit meeting minutes, including recommendations to the Mayor.
- The ISAB members shall be notified of the need for them to keep any sensitive information obtained during the ISAB’s meetings confidential and the appointed members shall serve subject to their willingness to sign confidentiality agreements relating to same.
Section II – Information Security Management Training
I. Understanding the importance of individual responsibility and accountability for information security management is paramount to achieving the Metropolitan Government of Nashville and Davidson County’s (Metropolitan Government) information security management goals.
II. General information security awareness training and targeted, specific training are important elements in information security management.
III. Information security awareness training needs to be continuously improved and reinforced.
IV. The training of all Metropolitan Government employees with access to Metropolitan Government information technology and security management in information security awareness is imperative in order to help protect the confidentiality, integrity and appropriate level of availability of the electronic and non-electronic information of the Metropolitan Government. The Metropolitan Government further strives to implement training or other equivalent security measures with regard to third party users (including, but not limited to, consultants, contractors, interns and temporaries, or employees of any entity connected to Metro systems) with access to Metropolitan Government information technology and security management.
V. Training and Awareness Program
The Department of Human Resources and the Department of Information Technology Services shall identify information security management training requirements, develop curriculum, implement thorough institutional training systems, and improve curriculum and requirements to adjust to changing threat models, vulnerabilities, risks, and identified gaps and deficiencies. Specifically, they will:
- maintain, in a central location, a comprehensive set of all of the Metropolitan Government’s information security management policies and procedures;
- develop and maintain a process to communicate new information security management program information, including, but not limited to, security items of interest and ongoing reminders;
- define the level of information security awareness training required for each job/role description and include the level of information security awareness training required in personnel job/role descriptions and responsibilities;
- prepare any needed supplemental or replacement programs on information security awareness training, in addition to implementing existing programs, and continue presenting and planning to present these programs to all Metropolitan Government employees and third party users (as applicable) according to the level of security required in personnel job/role descriptions and responsibilities. In addition,
- these programs will address the requirements for appropriate training for each job/role, as reflected in applicable policies and procedures;
- training objectives and content must be aligned with the jobs/roles and responsibilities of the trainees to maintain a targeted and focused training effort;
- where practical, training must use real world examples to clearly illustrate learning principles and illuminate situations that may be encountered by trainees; and
- training content and completion shall be documented and maintained on file in the Department of Human Resources;
- review, as necessary, but at least annually, the content of required training courses to promote the use of best practices for information security management. This will enable training objectives to reflect changes in needs, policies, and technologies, as well as external requirements, such as federal and state laws and contractual obligations; and
- assure accountability in information security management during pre-employment, as applicable (including, but not limited to, background screenings); employment (including, but not limited to, during transfers or promotions and during any disciplinary process); and post-employment (including, but not limited to, the removal of access rights).
VI. Employee and Third Party User Training
All Metropolitan Government employees (and third party users, as applicable) are required to complete the information security awareness training that shall be conducted under the direction of the Metropolitan Department of Human Resources. In addition,
- all new employees (and third party users, as applicable) must attend or complete an approved information security awareness training class prior to, or at least within thirty (30) days of, being granted access to the Metropolitan Government’s information assets;
- all employees (and third party users, as applicable) must sign an acknowledgement stating they have read and understand the Metropolitan Government’s requirements regarding information security policies and procedures;
- all employees (and third party users, as applicable) must be provided with sufficient training and supporting reference materials to allow them to properly protect the Metropolitan Government’s information assets;
- all employees (and third party users, as applicable) must attend or complete information security compliance refresher training at a minimum of every two years, as is determined necessary by the Department of Human Resources, that reinforces security concepts, practices, and responsibilities and addresses any new information security issues that may arise; and
- all employees (and third party users, as applicable) must be aware of their responsibilities to protect the Metropolitan Government’s information assets and be adequately trained to fulfill those responsibilities.
VII. Persons Covered
This Section of this Executive Order shall apply to all Metropolitan Government employees (and third party users, as applicable) except: employees and users of the Nashville Electric Service, the Metropolitan Nashville Airport Authority, the Metropolitan Hospital Authority, and the Metropolitan Development and Housing Agency. I hereby request that the Nashville Electric Service, the Metropolitan Nashville Airport Authority, the Metropolitan Hospital Authority, and the Metropolitan Development and Housing Agency develop a similar training program and require that the employees and users under their authority receive information security awareness training.
VIII. Departmental Responsibility
The heads of all Metropolitan Government departments, agencies and commissions are responsible for ensuring compliance with this Executive Order. Each employee of the Metropolitan Government who acts in a supervisory capacity is responsible for overseeing compliance with this Executive Order by those employees in his or her line of authority, and by third party users in his or her line of authority, as applicable.
IX. Implementation Schedule
The Department of Human Resources shall be responsible for providing this training to each new Metropolitan Government employee and third party user, as applicable.
Section III – Information Security Management Policy and Steering Committee
I. The Metropolitan Government of Nashville and Davidson County (“Metropolitan Government”) is required to maintain the confidentiality, integrity, and appropriate level of availability of information and information systems, and high standards of information security; and
II. Section I of this Executive Order establishes the Information Security Advisory Board (ISAB) (providing advice on information security management standards and best practices); and
III. There is a further need to have a Metropolitan Government’s Information Security Management Policy (ISM Policy) to address the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction now and in the future as changes occur; and
IV. The Director of Information Technology Services (Director) has recommended an ISM Policy based on the needs of the Metropolitan Government and the advice of the ISAB; and
V. That ISM Policy, attached as Exhibit A to this Executive Order, is now ordered and established by this Executive Order and shall continue to be in effect until modified by a subsequent Executive Order; and
VI. There is hereby created an Information Security Steering Committee (Steering Committee) to review and advise the Director on government information security policies, standards, and practices for the Metropolitan Government. The functions, membership and meetings shall be as follows:
A. FUNCTIONS
- Recommending to the Director alterations or changes to minimum security requirements for information and information systems of Metropolitan Government departments, agencies, and boards.
- Recommending to the Director information security standards and practices for Metropolitan Government departments, agencies, and boards.
- Recommending to the Director methods and content for improving information security awareness.
- Recommending to the Director performance measures to determine the effectiveness of Metropolitan Government policies, procedures, plans, standards, guidelines, and controls designed to meet or exceed the objectives identified in the ISM Policy, and reporting on those measures, if applicable.
- Reviewing as requested by the Director and then recommending to the Director whether the ISM Policy would be violated by or should be revised for an individual, department, or group requesting an exception.
B. MEMBERSHIP
- The Steering Committee shall have nine (9) permanent voting members and four (4) revolving voting members.
- The nine (9) permanent members of the Steering Committee shall be officials of the Metropolitan Government, as follows:
- The Director of Information Technology Services
- The Chief of Police
- The Sheriff
- The Director of Justice Integration Services
- The Director of Law
- The Director of Finance
- The Director of Schools
- The Director of General Services
- The Director of Human Resources
- Four (4) revolving members of the Steering Committee shall be officials or employees of the Metropolitan Government selected by the Mayor. The term of these four members shall be two (2) years and each shall serve until their replacement is appointed by the Mayor.
- All members shall be able to select designees to appear and vote at meetings of the Steering Committee.
- The Steering Committee shall elect one of its members to serve as its Chair and another to serve as its Vice-Chair.
- The Metropolitan Auditor shall serve as an ex-officio, nonvoting member of the Steering Committee.
C. MEETINGS
- The Steering Committee shall hold meetings no less than once a month or on request of the Director or the Mayor.
- A quorum shall consist of seven (7) voting members.
- The Steering Committee shall make such bylaws as it deems necessary.
- The Steering Committee shall submit recommendations to the Director or the Mayor.
Section IV – Acceptable Use of Information Technology Assets Policy
I. The Metropolitan Government needs an Acceptable Use of Information Technology Assets Policy in order to maintain the confidentiality, integrity and appropriate level of availability of the Metropolitan Government’s information assets and to provide direction to employees and third-party users (as applicable) who use such assets. These assets consist of the Metropolitan Government’s electronic devices, communication and information systems, including, but not limited to, electronic communications such as email and Internet access services. Such devices, systems and services are the Metropolitan Government’s if they are owned, leased or licensed by the Metropolitan Government and provided to its employees and third-party users (as applicable) for their use while at work (“Information Technology Assets”).
II. Tennessee Code Annotated § 10-7-512 requires the Metropolitan Government to adopt a written policy governing e-mail monitoring.
III. The attached Acceptable Use of Information Technology Assets Policy (the “Policy”) fulfills both of the objectives stated above and shall apply to all employees and third-party users (as applicable).
IV. Commencing on the effective date subscribed below, the heads of all Metropolitan Government departments, agencies and commissions shall likewise distribute the Policy to current and future third party users, including, but not limited to, consultants, contractors, interns and temporaries, or employees or third party users of any entity connected to Metro systems, who use Information Technology Assets of the Metropolitan Government to access information of the Metropolitan Government, and who have not yet received it and acknowledged their receipt of it. All such employees and third party users (as applicable) shall execute the acknowledgement that is attached to the Policy to certify that they have received and are familiar with the Policy, unless they have already done so.
V. Commencing on the effective date subscribed below, the heads of all Metropolitan Government departments, agencies and commissions shall distribute the Policy to any of their current employees who have not yet received it and signed the acknowledgment and to any future employees and assure that their employees execute the acknowledgement.
ORDERED, EFFECTIVE AND ISSUED:
Megan Barry
Metropolitan County Mayor
Date: February 24, 2016