Information Security Policy


The Department of Assets, Information, and Services (AIS) has developed a set of information technology and security policies, in an effort to protect the confidentiality, integrity and availability of the City of Chicago’s information technology data and assets. These policies are the minimum requirements, responsibilities and acceptable behaviors required to establish and maintain a secured technology environment. Individuals using the City’s information technology resources are required to comply with them. They have been developed based on our legal requirements and industry best practices. This set of polices communicates standards and directives to protect and manage the City’s information systems, and supersedes our previous versions of Information Security and Technology Polices.

Members of the Information Technology Service Coordinators (ITSC), AIS senior leadership, Chief Information Security Officer and the Chief Information Officer reviewed and approved the policy set. The polices are applicable to all City of Chicago information technology systems and networks, those entrusted to third parties, City employees and others including but not limited to contractors, vendors and consultants.

Not all departments in the City have the same technological implementations. While the policies reflect current technology and security advances, implemented technologies in some departments may not be of immediate compliance with the policy. Use of such technologies must be reviewed by the Chief Information Security Officer and approved by the Chief Information Officer.

These policies do not foresee any exceptional situations like new legal or regulatory obligations, or emergencies that require actions that might conflict with policy statements. Should that occur, it is the responsibility of the individual who has identified such a situation to report to the Chief Information Security Office.

Click here to view all the City of Chicago Information Security and Technology Policies.

Policy Overview



Policy Responsibilities & Oversight

This policy establishes roles for data security, sets requirements for protecting sensitive data and mission critical systems, and provides an overview of security policy approval and changes to current policy, the security program components required to protect City's systems and data.


Physical and Environmental Security 


Ensures physical and environmental controls exist to protect information assets and systems from unauthorized access and safeguard against environmental threats.


Personnel Security 

Employee and contractor responsibilities for ensuring the security of information technology resources; City of Chicago responsibility for creation and development of an information security awareness, education and training program.


Device Build and Configuration Management

Requires the implementation of an enterprise-wide device build and configuration management controls that include build standards, and an asset inventory of configured devices.


Application Development 

Requires application developers to follow a standardized framework that meets industry best standards for secured application development.


Asset Management

Policy outlines management processes, to track acquisition, deployment, management and disposition of information assets. Contains information classification scheme and guidelines, labeling and handling of confidential and sensitive data.


Access Control

Specifies access controls over the City’s physical and logical information assets; requires unique access identifiers and authentication for information users; defines the minimum requirements for passwords, and requires security controls around all devices providing remote and wireless access.


Network Security 

Ensures specific process and standards for network administration and security management (for external networks, firewalls, wireless access) are in place.


Communications Management 

Information exchange policies and procedures, agreements and information protection throughout the data lifecycle (creation, in transit and at rest).


Operations Management 

Specifies systems operational and management conditions (that include risk assessment and acceptance, patch management, media disposal and system monitoring) to ensure information confidentiality, integrity and availability. 


Information Security Incident Management 

Requires the City of Chicago departments and other parties handling the City's information to have documented pre-planned methods for responding to various incidents, violations and threats and to report their occurrence to the Information Security Office and documented. It defines an Incident Management Team's roles and responsibilities, incident management processes and procedures. 


Business Continuity Management

Requires the city of Chicago departments and other parties handling the City's information to have documented and tested business continuity Office  The business continuity and disaster recovery plans must include processes and controls to protect the business, the life and safety of the workforce and customers and to protect the image, reputation, assets, and resources of the organization.



Ensures compliance with the Information Technology and Security Policy including legal or industry-specific regulatory requirements. Calls for properly planned, documented and monitoring of all system audits.


Third Party Security 

Ensures Vendor safeguards for protecting city information are no less stringent than those defined in the City's Information Technology and Security policies.


Social Media and Internet Postings

Provisions for City employees, contractors, business partners and other third parties for making statements or comments intended to be perceived as official statements by the City, department, or any elected official.


Supporting Information Facts

I Want To