Information Technology Policies and Standards

Title: Sensitive Data
Type: Policy
Category: General
Status: Approved
Approved: 01/09/2013
Revised: 12/14/2011
To Be Reviewed: 01/09/2018
Scope
This policy applies to all City of Albuquerque employees, contractors, consultants, vendors, temporary employees, volunteers, and other workers at the City to include personnel affiliated with third parties doing business with the City.
Policy
I. Purpose:
    i. The purpose of this policy is to protect City of Albuquerque sensitive data from unauthorized disclosure and inappropriate use. All individuals who access the City of Albuquerque’s computing environment have a responsibility to safeguard sensitive data. This policy establishes the rules by which sensitive data will be managed and used.
II. Scope:
    i. This policy applies to all City of Albuquerque employees, contractors, consultants, vendors, temporary employees, volunteers, and other workers at the City to include personnel affiliated with third parties doing business with the City.
III. Policy:
    i. It is the responsibility of each individual with access to sensitive data to safeguard this data. The following practices to safeguard sensitive data will be strictly followed:
      1. Sensitive data will only be stored in secure City managed databases and secure network drives. Sensitive data will not be stored on unsecured, shared network drives.
      2. Sensitive data will not be transferred to a non-approved third party.
      3. Sensitive data will not be stored on personal computer hard drives, USB drives, or mobile devices that are not secured and safeguarded.
      4. Access to sensitive data stored in City databases and servers will be restricted to only those individuals with an official need to access the data.
      5. Any accidental disclosure or suspected misuse of sensitive data will be reported immediately to the individual’s immediate supervisor.
IV. Definition of Sensitive Data:
    i. Personally Identifiable Information (PII). PII includes information associated with an individual employee that, if misused, might enable assumption of that individual's identity ("identity theft") to compromise that person's personal or financial security.
    ii. PII data includes (but is not limited to) any data considered protected data under a federal, state, city statute, or promulgated regulation.
    iii. Examples of sensitive data include, but are not limited to:
      1. Personal identification information such as:
        a. Social Security Numbers,
        b. Personal identification numbers which may be used other than Social Security Number,
        c. Employee home address,
        d. Employee home telephone number,
      2. Information protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA),
      3. Information protected by the Family Educational Rights and Privacy Act (FERPA),
      4. Information protected by the Payment Card Industry Data Security Standard (PCI DSS),
      5. Information protected by the Federal Information Security Management Act (FISMA),
      6. Credit card account numbers, expiration dates, and card verification values (CVV),
      7. Bank account numbers (City, employee, vendor, etc.),
      8. Computer system IDs and/or passwords.
    iv. Strategic Information. This includes any data that is considered strategic to the City of Albuquerque and, if compromised, would provide an exploit to compromise security. Examples of strategic data include, but are not limited to:
      1. Telecom and Network diagrams,
      2. Infrastructure layouts,
      3. Server names and IP addresses.
    v. Neither this policy nor any part of this policy shall be construed to override federal, state, or City statutes and regulations on public information.
V. Enforcement
    i. Violation of this policy is subject to loss of privileges and/or disciplinary action. The City IT Services Division will work with all departments (including internal and external Audit) and others to enforce this policy.
VI. Questions

Any questions regarding this policy or sensitive data should be directed to the ITSD Service Desk.

Rationale
The purpose of this policy is to protect City of Albuquerque sensitive data from unauthorized disclosure and inappropriate use. All individuals who access the City of Albuquerque’s computing environment have a responsibility to safeguard sensitive data. This policy establishes the rules by which sensitive data will be managed and used.

Contact: Brian A. Osterloh, (505) 768-2922