Information Security Management Policies

Information security policies are foundational to an information security program. Metro has adopted the following polices based on industry standards and best practices. Departments or agencies may adopt more stringent policies should circumstances warrant.

Metro continues to evaluate and update existing policies and establish new policies based on an ever-changing environment and new requirements for information security.

Executive Orders

• Mayor Megan Barry Executive Order Number 034

Policies

• Acceptable Use of Information Technology Assets
• Access Control and User Account Management
• Human Resources Security
• Physical and Environmental Security
• External Party Security
• Information Security Incident Management
• Teleworking and Mobile Computing
• Risk Assessment and Treatment
• Cryptographic Controls
• Information Classification
• Information Labeling and Handling
• Inventory and Ownership of Assets
• IT Contingency - Disaster Recovery
• Separation of Development, Test, and Production Environments
• Patch and Vulnerability Management
• Protection Against Malicious Code
• Change Management
• Cyber Threat Intelligence and Information Sharing
• Audit, Monitoring, and Logging

Supporting Documentation

• Metropolitan Government Scope, Background, and Governance Statement for Information Security Policies
• Metropolitan Government Information Security Glossary
• Metropolitan Government Information Security Management Policy

For more information on Metro's information security initiative, please email CISO@nashville.gov

Last updated 3/30/2018.