IT Policies Manual FY 2024-2025

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

• Ensure that semi-annual backup and recovery tests are conducted and all identified issues are mitigated
• Ensure that monthly internal and external vulnerability assessments are conducted against systems and applications, and the results are analyzed and communicated for remediation
• Ensure that security patches have been deployed to systems and applications
• Perform quarterly firewall reviews to identify and mitigate configuration weaknesses that may allow unauthorized access into systems and applications
• Perform annual software compliance checks to ensure that all software installed on endpoints is licensed for use
• Perform regular reviews of domain and system admin access to ensure that appropriate rights have been assigned to the proper individuals
• Perform monthly secure configuration reviews to ensure that systems and applications adhere to secure configuration standards
• Perform monthly reviews of change requests to ensure compliance with policy and procedure
• Perform weekly reviews of incidents to ensure that corrective and preventative measures are documented and implemented
• Perform regular incident exercises to improve the incident response process
• Perform an annual disaster recovery exercise to improve disaster recovery processes

Compliance deficiencies must be analyzed, documented, and immediately communicated to the individuals responsible for the function or activity to ensure that corrective actions are implemented to mitigate the deficiency.

ENFORCEMENT

Any violation of this policy may lead to corrective action, up to and including dismissal from employment. The corrective action will depend upon the violation and be subject to the discretion of the employee’s supervisor/manager in accordance with Personnel Policy H-1 Corrective Action. Note: Some departments use Discipline without Punishment as an alternative to H-1. The Police Department has its own corrective action process.

COMPLIANCE

It is the responsibility of City of Greensboro employees, contractors and consultants to ensure that the policy described in this document is followed. Employees, contractors and consultants must understand that protecting confidential information is a critical part of the City’s security strategy. The Cyber Security Team is authorized to limit access for employees, contractors and consultants who do not comply with this policy.

EXCEPTIONS

Requests for exceptions to this policy may be granted for systems or applications that have adequate security controls implemented. The security controls must provide good protection against malware, cyber-attacks and other forms of threats. Requests must be submitted in writing to the Cyber Security Team for review and approval and must include the following details:

1. Purpose for requesting the exception.
2. The risk to the City if the system or application becomes compromised.
3. Mitigation controls that have been implemented to protect the system or application.
4. End date for the exception.
