
ISERs board approves updated cybersecurity and physical‑security policies

October 15, 2025 | Imperial County, California


This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them.

The ISERs board approved revised cybersecurity and physical‑security policies at its meeting, adopting changes that standardize enforcement language, extend the policy review cycle and tighten third‑party access controls.

The changes consolidate the information security policy set, align practices with the National Institute of Standards and Technology (NIST) framework and add enforcement language stating that failure to follow policies may result in disciplinary action “in accordance with federal and state statutes as well as any Imperial County ordinance and policies and ISER specific policy.” The board voted to approve the set of updates after staff and outside consultants presented the revisions and answered trustee questions.

The revisions were developed by an ad hoc bylaws and governance committee and consultant firm Linea Secure. Consultant Jake Long told trustees the original policies were tailored in 2022 “to ISER's environment” and that the updates were mainly to standardize language, improve readability and align with best practices. He said one recommended change is to remove operational security details from the public website so those controls are not “advertised” to outside parties; the documents would remain available via public‑records requests.

The board also adopted specific changes to the access‑control and authentication policies. The access‑control update requires that contractors and third‑party vendors with system access undergo an approval and monitoring process equivalent to ISER staff and that access be limited to the privileges and time frames necessary for the engagement. Jake Long noted that annual reviews of system access remain required, but that systems containing “highly sensitive or privileged data” — for example the pension administration system — may require more frequent reviews and that the retirement administrator may require quarterly or semiannual reviews for such systems.

On authentication, the board approved changing the password‑length guidance for systems that use multifactor authentication (MFA). The policy had relaxed the 15‑character requirement to 8 when MFA was enabled; consultants recommended increasing that minimum to 12 characters for systems protected by MFA and the board directed staff to incorporate that change into the final policy package.

Other related policies covered in the package include configuration management, contingency planning, personnel security, physical environment protection, security assessments and incident response. Consultants said those policies received mainly formatting and clarity updates but no material changes beyond the common items described above.

Trustees asked whether trustee email and other ISER‑managed systems are covered; consultants and the retirement administrator confirmed that the policies apply to systems managed by ISERs, including the retirement administrator’s email system and the pension administration system. Consultants said the policies intentionally do not list each system by name to avoid frequent churn when systems change.

The board approved the policies with the changes presented; staff will produce the final policy documents for distribution and will follow the new three‑year routine review cycle, with interim reviews as needed after major system changes or security incidents.
