Cyber Security Policy Manual

scheduling any necessary regular internal and external communications relevant to the City of Greensboro’s ISMS.

The City of Greensboro communicates its cyber security program documents to its employees and users via the Citynet SharePoint site. The Cyber Security Team communicates rules and guidelines for using the City of Greensboro’s network and IT resources to all employees. On a monthly basis, the Cyber Security Team also communicates cyber security advisories to all employees to increase employees’ awareness of threats and cyber-attacks and to help protect systems and information. When deemed necessary, the Cyber Security Team engages with the Communications department to communicate issues and concerns related to the City of Greensboro’s ISMS to residents and vendors.

The City of Greensboro Council and Management Team follow the guidelines defined in the City Council and Staff Communications Guidelines to establish and help foster effective communications between Council members, the management team and employees.

INTERNAL AUDIT

The City of Greensboro will undergo an internal audit to provide information on whether the information security management system conforms to the City of Greensboro’s information security requirements and the international standard’s requirements as defined in Clauses 4-10 and Annex controls of ISO27001:2022. Internal audits are conducted on an annual basis by an external cyber security firm to ensure the objectivity and impartiality of the audit process.

The cyber security firm will use an Audit Checklist document, which contains the audit criteria and audit requirements, interview the City’s Cyber Security personnel, and review all security policies, processes and technologies to ensure the effectiveness of the information security controls. The audit results will be documented in an audit report and communicated to all stakeholders. All identified non-conformities will be addressed and mitigated in a timely manner.
MANAGEMENT REVIEW

The Cyber Security Team will provide semi-annual updates to management in the form of a cyber security report that includes the following aspects of the information security management system:

1. The status of actions from previous monthly reports
2. Changes in external and internal issues that are relevant to the information security management system
3. Nonconformities and corrective action plans
4. Monitoring and measurement results
5. Audit results
