TO: Indian River County Board of County Commissioners
THROUGH: John Titkanich, County Administrator
FROM: Racheal Miller, Cyber Security Technician
DATE: April 22, 2025
SUBJECT: Information Technology Acceptable Use Policy Revision
_________________________________________________________________________________________
BACKGROUND
The Information Technology (IT) Department proposed the Board adopt revisions to Indian River County's Acceptable Use Policy to address evolving cybersecurity threats and operational best practices. As the technology landscape advances, the ways in which employees, contractors, and other stakeholders interact with County information systems must be clearly defined to ensure security, efficiency, and compliance.
ANALYSIS
The IT Department has identified a critical gap in the Acceptable Use Policy related to removable media. While the existing policy requires formal approval by the IT Department before using removable media, end users can bypass this requirement, and in the process increasing the attack surface of County information systems and exposing the County to unnecessary risks.
To appropriately address this issue, the IT Department has tested and is prepared to implement a solution that will ensure compliance by preventing the use of unauthorized USB devices. Implementing a solution that will only permit IT-approved removable media for use will aid in reducing opportunities and minimizing risks to our information systems.
Staff has identified and are addressing a requirement for encryption on approved removable media. To further enhance data security, the revised policy will now mandate encryption, when feasible, on all authorized USB drives and external storage devices. To obtain compliance with this update, the IT Department will begin utilizing software to enforce the Acceptable Use Policy and will provide centralized control over removable media, prevent unauthorized access, and reduce the risk of data breaches. These measures align with cybersecurity best practices and strengthen the County’s data protection strategy.
BUDGETARY IMPACT
There is no funding requirement associated with the revision of this policy.
PREVIOUS BOARD ACTIONS
The Acceptable Use Policy was originally approved by the Board on January 31, 2023, and was last revised and approved by the Board on August 20, 2024.
POTENTIAL FUTURE BOARD ACTIONS
Periodically the IT Department reviews the County's IT and Acceptable Use policies, and as appropriate will propose revisions to policies to address emerging threats, technological advancements, and regulatory changes
STRATEGIC PLAN ALIGNMENT
Governance
OTHER PLAN ALIGNMENT
N/A
STAFF RECOMMENDATION
Staff recommends that the Board approve the revisions to the Acceptable Use Policy (AM-1200.21) and replace the existing Acceptable Use Policy in the Administrative Policy Manual.
ATTACHMENTS
1. AM-1200.21 - Acceptable Use Policy