TO: Indian River County Board of County Commissioners
THROUGH: John Titkanich, County Administrator
FROM: Erik Harvey, Information Technology Director
Racheal Miller, Senior Information Technology Security Analyst
DATE: October 21, 2025
SUBJECT: IT Policies/Acceptable Use Policy Revision
__________________________________________________________________
BACKGROUND
The County currently maintains a set of twenty-one (21) information security policies. The first twenty (20) policies were originally developed by referencing the National Institute of Standards and Technology (NIST) Special Publication 800-53 security and privacy control framework. While this framework provided a structured starting point, the resulting policies were largely copied without sufficient tailoring to the County’s environment.
ANALYSIS
The first twenty (20) policies contain overly technical language that is difficult for staff to read and apply, are structured for compliance with federal systems rather than the County’s operational requirements, and require significant revisions to ensure they are usable, understandable, and effective. Staff have determined that attempting to revise these policies individually would be inefficient as they need substantial updates to improve clarity and align with County practices.
It is in the County’s best interest to remove these policies and develop new, targeted policies as needed. This approach will ensure that future policies are better aligned with current operational needs, are easier for staff to understand and follow, and support a more agile and effective information security program.
Because the Acceptable Use Policy (AM-1200.21) includes references to these policies, it must be revised to remove those references and clearly reflect its role as the County’s primary IT policy within the Administrative Policy Manual.
BUDGETARY IMPACT
There is no funding requirement associated with the revision of this policy. However, proper implementation and sustainment of this policy may result in future requests for additional funding.
PREVIOUS BOARD ACTIONS
Information Technology Policies (AM-1200.01 - 1200.21) were originally approved by the Board on January 31, 2023. The Acceptable Use Policy was last revised and approved by the Board on April 22, 2025.
POTENTIAL FUTURE BOARD ACTIONS
Periodically, revisions and additions to Information Technology policies will be made to address emerging threats, technological advancements, and regulatory changes.
STRATEGIC PLAN ALIGNMENT
N/A
OTHER PLAN ALIGNMENT
N/A
STAFF RECOMMENDATION
Recommended Action
Staff recommend the Board approve the removal of IT policies AM-1200.01 through AM-1200.20 and the renumbering and revision of the Acceptable Use Policy (previously AM-1200.21, now AM-1200.1) to designate it as the County’s primary IT policy and eliminate references to retired policies.