Missoula County considers user status to address cyber security

Martin Kidston

(Missoula Current) County employees who are gone for more than three weeks or moved on to another job could be listed as an inactive account user under a proposed new policy.

Missoula County this week discussed the proposed change, saying a policy is needed to address an employee's long-term absence and their ability to access county servers.

“It comes about from a cyber-security standpoint and making sure our systems are as secure as they possibly can be,” said county CAO Chris Lounsbury. “It would temporarily suspend their account so they wouldn't be able to log in until they return, and they'd be reactivated and have to change their password.”

Citing greater threats, the county in recent years has taken steps to tighten cyber-security. In 2020, it created a new chief information officer position to help safeguard the county's digital assets.

Earlier this year, the county also discussed moving to a domain name with a .gov account. The county believes doing so would provide more security to those sending and receiving county emails. The new “inactive” user policy would add another step.

“The policy is pretty simple. It helps cement what's expected of management supervisors when we have an employee leaving either permanently or for a period of time,” said Sam Wolf, a cyber-security engineer with the county. “It's obviously a cyber-security risk if we have accounts that are inactive and not actually being used by a user.”

The county could implement the new policy later this month. And while several controls are already in place, Wolf said they need to be tightened.

“This is a better way to inform supervisors what their responsibility is when they have an employee that's going to be gone for a long time,” she said.