Title:
title
Approve and authorize the Chairman to execute a Resolution amending the Seminole County Administrative Code by revising section 26.5 (Information Security and Artificial Intelligence Policy); and providing an effective date. Countywide (Stephen Koontz, Assistant County Manager)
end
Division:
division
Administrative Services
body
Authorized By:
Stephen Koontz, Assistant County Manager
Contact/Phone Number:
Joe Alcala/407-665-1111
Background:
Purpose (Section A) Updated
The section now provides a clear explanation of the Policy's role in establishing security standards and procedures, highlights the importance of managing IT risks, and places greater emphasis on protecting County IT resources to ensure their availability, confidentiality, and integrity. Repeated or unclear language has been removed for clarity.
Scope (Section B) Revised
Key changes include using more inclusive wording about who the policy applies to, specifying that anyone (including Constitutional Office Employees) with access to County IT systems is covered, and refining the definition of "Users" while eliminating fragmented language.
General Provisions (Section C) Added
Major updates have addressed governance and oversight by officially designating the CIO as Chief Information Security Officer (CISO) and clarifying the responsibilities of the Information Security Division Manager (ISDM). County devices must be used solely for County business, and any intellectual property created from County data is owned by the County. Procurement processes now require an IT Request Form and CIO approval before technology solutions are solicited, and mandatory reporting of incidents via email has been added.
Artificial Intelligence (Section D) Added
A new major section covers acceptable uses, noting that only AI platforms approved by the CIO may be used and requiring compliance with contract terms for third-party data use. Publicly posted AI-generated content must disclose AI use. Users are responsible for checking AI outputs for errors or missing information, and it is prohibited to input confidential or protected data (such as PII, HIPAA, or credit card information) into AI tools, with training features disabled where possible.
Training (Section E)_Revised and Reorganized
Cybersecurity training requirements now align with Florida Statutes (Section 282.3185), with training to be completed within 30 days of hiring and annually thereafter. The update highlights that everyone across the County shares responsibility for cybersecurity awareness.
Non-Compliance (Section F) Revised
Consequences for violating the policy are clearly explained. Violations may result in loss of access, disciplinary action, or legal measures for severe cases.
Requested Action:
Staff requests the Board approve and authorize the Chairman to execute a Resolution amending the Seminole County Administrative Code by revising section 26.5 (Information Security/Data Access Policy); and providing an effective date.