Full Text
Page 1 of 11 CITY OF LARAMIE Policy Title: Information Technology Policy Policy Number: 2012-3 Page 1 of 11 Policy Type: Administrative Regulation I. Purpose This policy is to establish guidelines for computer use and security by City of Laramie employees. II. Policy Statement Violation of this City of Laramie Information Technology policy may result in disciplinary action up to and including termination. III. Applicability This policy is applicable to all City of Laramie employees. Fire department employees covered by the collective bargaining agreement with firefighters local 946 IAFF and the City of Laramie are exempt from those provisions of this policy that are in conflict with the agreement. IV. Policy: Computer Support The IT Division administers and maintains all of the systems throughout the city network. IT Division is responsible to track/audit licenses and inventory all computer systems to ensure system compliance. All Computer hardware and peripheral purchases such as computer desktops, laptops, tablets, servers, monitors, scanners, printers, etc.) must be approved by the IT Division Manager prior to purchasing. IT will review hardware for proper operating system versions, compatibility with existing systems, additional licensing costs that may be required to support the new hardware, etc. Support of systems that have not been purchased by the IT Division or with consultation of the IT Division Manager will not be available. Such systems will not be allowed to connect to the city network or access other city computer resources. A work order database will be used to log and track computer, network, and phone issues. The primary method to report issues to the IT Division is through the web at http://trackit/TrackItWeb/SelfService/login or through email by sending an email detailing the issue to [EMAIL REDACTED] Work orders should be submitted prior to service being performed, and with as much notice as possible. If due to computer problems a user cannot access the work order site or email they may call the Information Effective date: July 1, 2018 Responsible Department Head: All Department Heads Approval Authority: City Manager Policy Contact: City Manager’s Office [PHONE REDACTED] Next Revision Date: Annually as needed ---PAGE BREAK--- Page 2 of 11 Technology Help Desk at 721.5219. Support will be administered as soon as possible by an IT Division Staff Member. Normal IT support hours are from 8am – 5pm Monday through Friday. IT maintains a dedicated phone number for after-hours IT emergencies 721-5272. This number is to be used if there is a true emergency that requires IT staff to respond outside of normal business hours. Where possible, a supervisor should assess the situation and if determined to be an emergency the supervisor should call 721.5272. This will ring the mobile phone of the IT staff member assigned to respond to after-hours emergencies. If there is no answer leave a message and an IT staff member will get back to you within 1 hour. V. Policy: Physical Security of Computer Assets Users will ensure that all computer assets (computers, monitors, laptops, tablets, printers, etc.) that are assigned to, checked out, or regularly used by them are maintained and used in a manner consistent with their function and such that the possibility of damage and/or loss is minimized. Computer equipment (excluding portable devices), will not be removed from city premises without the prior written authorization of the Information Technology Division Manager. Users will not modify city computer equipment in any manner including but not limited to changing the amount of memory in the computer, adding graphics or other add-in cards. Users may plug in flash drives, cameras, memory cards, and other peripheral devices for the purpose of transferring documents or files for City of Laramie work. This section shall not apply to City Information Technology Division personnel while performing their assigned duties. Whenever possible all portable computing equipment (laptop computers, tablets, etc.) will be maintained under the direct supervision of the user that they are issued to. The equipment must never be left unattended in locations such as airports and hotel lobbies. When the equipment must be left unsupervised, it must be made as inconspicuous as possible (i.e. do not leave the computer sitting on the seat of an unattended vehicle). Wherever practical, the computer shall be secured. Computer and electronic equipment are generally delicate and shall be treated accordingly. Damage to or loss of computer electronic equipment caused by negligence and/or violation of this policy may result in the responsible party being charged for the repair or replacement costs. VI. Policy: Installation and use of Software Without the prior written authorization of the Information Technology Division Manager, users shall not: 1) Acquire or purchase software for the city. 2) install any software on city owned computer equipment. 3) install city owned software on any non-city owned computer equipment. 4) provide copies of city owned or licensed software to anyone. 5) provide city owned licensing keys, unlock codes, online account passwords, etc. to anyone. 6) Contract hosted IT or software services (SAAS) from outside vendors. Users will not engage in any acts of software piracy. The Information Technology Division shall ensure that all software installed or utilized on city machines is properly licensed. To ensure that all software is licensed properly all city computers will be subjected to computer audits. ---PAGE BREAK--- Page 3 of 11 Users and departments shall consult with the IT Division prior to acquiring or purchasing any software. This will allow IT to make sure that the software will work on the city’s computers and servers, and that we can be compliant with licensing. This includes contracting software as a service (SAAS) from vendors. The IT Division’s responsibility concerning software, including software as a service (SASS), is to maintain a stable network and server environment to ensure users can successfully launch and connect to their software. Departments will maintain support contracts for any specialized software regularly in use by the department. As part of maintaining city servers and desktops IT will help install and update software as provided by the software support contracts. If IT agrees to help administer software, IT will require and maintain administrative access within the software. IT staff may help trouble-shoot software issues, but support for more complex issues will be sought from the software vendor by the department with the consultation of IT to ensure proper and secure access to city computer resources. Departments are responsible for their own software training. VII. Policy: Ownership of Information, Data, and Software DEFINITIONS Information: knowledge, in any form, that has value to the City of Laramie. Data: any computer information, including, but not limited to, information that has been entered into a computer, stored in a computer, or retrieved from a computer. Examples would include spreadsheet and database entries. Software: computer operating systems and programs. POLICY All information and data generated or gathered by a user, in the course of their employment and/or utilizing city owned assets, shall be the exclusive property of the City of Laramie. No information or data shall be transferred to, given to, or loaned to any other organization or outside individual except for those instances where it is in the approved course of business for the City of Laramie or with the express written authorization of an authorized department manager. All software purchased by, licensed by, or created by the City of Laramie is the exclusive property of the City of Laramie and may not be transferred to, given to, or loaned to any other organization or outside individual without the express written authorization of the Information Technology Division Manager. VIII. Policy: Personal use of Computer Hardware and Software Users may utilize city owned hardware and software for personal use within the following guidelines: • Such use must be purely personal and may not be for any commercial purpose. • Such use must not be during ordinary work time unless approved by your supervisor. • Such use must comply with all laws and regulations • Such use must not interfere with the city's needs or operation • Such use must not include: • Political activity • Pornography • Sexist Material ---PAGE BREAK--- Page 4 of 11 • Racist Material • Any illegal act • Any other behavior deemed inappropriate Examples of allowable use: • Typing homework assignments for college classes or adult education classes. • Writing a newsletter for a charitable or non-profit organization. • Using a spreadsheet to track an intramural sports league. IX. Policy: Access to Computer Information and Hardware All computer related resources under the control of the City of Laramie exist for the furtherance of the City of Laramie business pursuits. The City of Laramie City Manager, Assistant City Manager, Human Resources Director and Information Technology Division Manager may inspect or monitor any city owned, leased, or controlled computer, computer device, tablet, cell phone, network, computer facility, or storage device at any time for any reason. This includes the inspection of email (incoming, outgoing, or stored) and the monitoring of internet usage. The City of Laramie may divulge any information found during such inspections or monitoring to any party it deems appropriate; subject to statutory requirements. To ensure that all hardware is compliant to Information Technology Division specifications all city computers will be subjected to computer audits. Users should lock their computer or log off when they are away from their desks. Information Technology will manage computer settings to ensure electrical savings when computers are not in use. This may include turning off monitors and entering power saving modes. The use of the labeling of an email or document as private, the deletion of an email or document, or any other such process or action, shall not diminish the city's rights in any manner. Only city authorized may be utilized. All keys must be on file with the Information Technology Division Manager prior to their utilization. An exception is made for passwords to password managers that employees use to manage their city and other passwords; unless the password manager is the only source of critical city information. All mobile devices and laptops that are capable will have Bitlocker enabled and the recovery key stored by IT. Users will not bring their personal computers to work nor connect them into the city network without express permission from their department head, and approval of the City IT Manager. If a user connects a personal computer to the city network they give up the expectation of privacy on that computer while connected to the city network. Users may bring and connect their mobile phones to the city network for access to email and the internet. Other access into the city network with a mobile phone requires express permissions from the employee’s department head and approval of the City IT Manager. ---PAGE BREAK--- Page 5 of 11 As approved by department heads users may establish a remote VPN or DirectAccess connection to the city network for the purpose of accessing information to perform tasks from a remote location relating to the users work assignments. Devices used to access city data including email shall be protected by password, access code, or pin number. 3rd party remote access to the city network or computers shall only be granted when approved by the Information Technology Division Manager. The city will restrict to only pre-approved IP addresses from the 3rd party. The city may require certain contracts, agreements, etc from the 3rd party company. Any city contract with a vendor or consultant who may provide data processing services to the city or otherwise have access to or store city data shall include wording that encompasses cyber-related risks that include theft, loss or misuse of data, release of private information and responsibility for costs, fines and penalties that the entity might incur. • A confidentiality agreement should be included in this type of contract that includes language that requires the vendor/consultant to acknowledge that will receive or have access to private information; that private information is not owned by the vendor/consultant; that they have no ability to sell or otherwise misuse that private information and that they will have safeguards in place to protect that information. • Require that the vendor notify the entity of a breach even if no data was lost. • Require that data be backed up in a secure fashion and that entity have access to backups. • Require minimum response and recovery time for vendors or consultants, including colocation, cloud services, managed dedicated servers, programmers and other IT Professionals add a requirement for IT (sometimes called Technology) Professional Liability insurance that encompasses all of the duties and obligations that are the subject of the consulting agreement X. Policy: Electronic Mail DEFINITIONS Email system: all means of sending and receiving electronic mail (email), including internal email and External email Incidental use: occasional personal use, outside of normal work hours, non-commercial, at negligible cost to the city, and not interfering with the city's needs or operation POLICY This policy shall apply to anyone having access to the City of Laramie's email systems. The City of Laramie's email system is intended to further the business purposes of the City of Laramie; incidental personal use of the email system is permissible. All email created, sent, or received via the City of Laramie's computers, networks, and/or email systems is the property of the City of Laramie. The City of Laramie will maintain an archive of all electronic mail communications sent or received through city email servers for a period meeting the requirements of Wyoming Statutes. The City of Laramie City Manager, Assistant City Manager, Human Resources Director and Information Technology Division Manager have the right to monitor and/or review, at any time; any email created, sent, or received via the City of Laramie's computers, networks, and/or email systems and may reveal the ---PAGE BREAK--- Page 6 of 11 contents of such email to any party that it deems appropriate. The use of the labeling of an email as private, the deletion of an email, or any other such process or action, shall not diminish the city's rights in any manner. The City of Laramie will disclose email to any party that it may be required to by law or regulation. Messages relating to or in support of illegal activities will be reported to the appropriate authorities. Only city authorized may be utilized. All keys must be on file with the Information Technology Division Manager prior to their utilization. All emails that are addressed to any person(s) outside of the City of Laramie will clearly identify the sender (user) by full name and official title. The user's telephone number will also be included. All incidental non- business email should contain the following statement: "This is a personal email. Any opinions, statements, advice, or recommendations contained in this email are my own and do not reflect those of the City of Laramie." Each user is responsible for ensuring that their use of the City of Laramie's email system is consistent with this policy, any other applicable City policy, and appropriate business practices. Emails shall not contain pornography, sexist remarks, racist remarks, defamatory remarks, obscene remarks, anything of a commercial nature not pertaining to the City of Laramie's business, anything of a political nature, or any other inappropriate remarks. Further, the email system shall not be used for any purpose in violation of law or regulation. Excluding incidental use, the City of Laramie's email system will not be utilized by users for any commercial or non-commercial activity that is not in furtherance of City business. The prohibited activity includes solicitation for charitable contributions and sales of products from one user to another. "Chain Letter" emails will not be created or forwarded. Messages not work related sent to all users must have the expressed prior authorization of Department Head, Information Technology Division Manager, City Manager or Assistant City Manager. Users will carefully review all email prior to sending it to ensure that their meaning is clear and not subject to interpretation. Humor and sarcasm can be easily misinterpreted in an email and should be avoided. Email messages should be composed in a professional manner. Comments that would be inappropriate in memorandums and letters are equally inappropriate in emails. Electronic communications are to be treated with same care as conventional written communication. Users shall carefully review incoming messages to identify suspicious emails, phishing scams, or potential viruses. If a user in unsure about an emails legitimacy they may contact the city IT Division for help in identifying potential threats. Potential spam may be forwarded to [EMAIL REDACTED] for review. Spam and other harmful messages should be deleted. If a user believes they may have opened a document or clicked on a link in a suspicious email they shall immediately report the incident of the IT Division. If a user sends an email message from an email account other than their city account related to city business the user shall include their city email as one of the recipients of the email to ensure the city has a copy of the communication. If a user is sending information in an email that is relating to employee health, employee discipline, about a personnel matter, about city land contract negotiations, etc. The user shall include the term Confidential in ---PAGE BREAK--- Page 7 of 11 the subject line of the email. This will allow the city to easily identify confidential information when performing a records request. Users will not utilize or access email accounts belonging to any other user unless approved by their department head. At the discretion of a user’s Department Head / Division Manager, exempt employees may access their city email account remotely via their mobile phone, tablet, or web browser. Such use must be in compliance with all FLSA guidelines. Devices used to access city data including email shall be protected by password, access code, or pin number. Non-exempt employees can only access email remotely with approval from their Department Head / Division Manager and within FLSA rules for overtime. XI. Policy: Internet Usage DEFINITIONS Incidental use: occasional personal use, outside of normal work hours, non-commercial, at negligible cost to the city, and not interfering with the city's needs or operation. POLICY This policy shall apply to anyone utilizing the City of Laramie's Internet access systems. All use of the city’s information systems must be in compliance with all applicable laws and policies (federal, state, and city). The City of Laramie's Internet access is intended to further the business purposes of the City of Laramie; incidental personal use of the Internet access is permissible. All information created, sent, or received via the City of Laramie's computers, networks, Internet access, and/or email systems are the property of the City of Laramie. The City of Laramie reserves the right to monitor, filter, and/or review, at any time, all Internet utilization via the City of Laramie’s Internet access. The City of Laramie further reserves the right to reveal any Internet access related information to any party that it deems appropriate. The use of the labeling of a communication as private, the deletion of a communication, or any other such process or action, shall not diminish the city's rights in any manner. The City of Laramie will disclose Internet access information to any party that it may be required to by law or regulation. Messages relating to or in support of illegal activities will be reported to the appropriate authorities. Excluding incidental use, users will not access any material that is not directly relevant to their assigned duties or education. Users will not post comments or statements on any web page or send any messages to internet newsgroups except in the process of updating an official city web presence, as authorized to do so, such as updating the city website, blog, facebook page, twitter account, etc, or as related to their course of work for the City of Laramie. Users will not enter any Internet chat rooms or chat channels unless related to their work, or approved by their department head or City Manager. Users may stream content while they are working if it is related to their job duties, or if it requires minimal bandwidth and does not slow down or cause any interference with the city’s general business operations. ---PAGE BREAK--- Page 8 of 11 Users will not download software from the Internet unless prior written approval has been obtained from the Information Technology Division Manager. Users shall not disable or otherwise attempt to circumvent the city’s anti-virus software or filtering in any way. Each user is responsible for ensuring that their use of the City of Laramie Internet access is consistent with this policy, any other applicable City policy, and appropriate business practices. Internet sites containing pornography, sexist material, racist material, defamatory material, obscene material, pirated software, or any other inappropriate material shall not be accessed unless it is directly work related. Further, the Internet access system shall not be used for any purpose in violation of law or regulation. Users will not visit any site that might in any way cause damage to the City of Laramie's image or reputation. Users should be aware that much of the material available on the Internet is copyrighted or trademarked. Other than viewing publicly available material, users will not use any material found on the Internet in any manner without first establishing that such use would not be in violation of a copyright or trademark. XII. Policy: Voicemail The word voicemail in this policy refers to any type of equipment or system that records messages from unanswered incoming telephone calls. All voicemail systems and all communications stored therein are the exclusive property of the City of Laramie. The City of Laramie may review stored messages at any time, for any purpose. Users having voicemail will check it regularly. Return and follow up calls should be made The greeting should include the user's name. The caller should also be given an alternative if they need to speak to someone immediately. As an example you could use the follow greeting: This is John Smith. I'm either on the phone or out of my office. At the tone, please leave your name, telephone number and a brief message. I'll return your call as soon as possible. If you are in need of further assistance please dial (alternate extension number). Users who will be out of the office for an extended time should change their greeting to advise callers of this. XIII. Policy: Password Policy OVERVIEW Passwords are an important aspect of computer, phone, and building security. They are our front line of protection. A poorly chosen password may result in the compromise of the City of Laramie’s entire network. As such, all City of Laramie employees are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. SCOPE The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any City of Laramie facility, has ---PAGE BREAK--- Page 9 of 11 access to the City of Laramie network, or stores any City of Laramie information. This includes, but is not limited to building door codes, voicemail passwords, and domain account passwords. POLICY • All system-level passwords root, domain admin, application administration accounts, etc.) should be changed every six months or as needed due to personnel changes. • Dedicated service accounts can keep passwords for longer than 6 months if they use a minimum of 20 characters from 4 or more character sets, and are randomly generated. Service accounts should be granted only the privileges needed to service their function. • It is recommended that users change their passwords periodically. Passwords must be changed when prompted by the system. • All computer passwords should be at least 8 characters long and should contain at least three of the following character sets. Uppercase letters, lowercase letters, numerals, punctuation marks and other special characters such as • Upon employee termination any password known by the former employee must be changed, or the accounts disabled. This includes administrative passwords, user-level passwords, voicemail passwords, and building access codes. • Passwords are to be secured at all times. If they are written down, they must be stored under lock and key. Electronically stored or shared passwords must be in a city approved format. Users should do their best to protect their passwords. Temporary passwords, such as when an account password is reset, may be sent via email with the understanding that they are to be changed immediately by the recipient. • Voicemail passwords may be shared to allow others to check voicemail while a user is absent. • Computer passwords must not be shared with other users. Computer passwords may only be shared with a supervisor if needed to allow City of Laramie work to continue. • If a password is shared with a Supervisor that password should be changed when the employee returns to work. XIV. Policy: LARC Procedures Technical Support for Public Safety will be administered by the City of Laramie IT Division. This support includes all Public Safety software and devices such as mobile data terminals, CAD, Crimes, Jails, Fire, EMS, etc. Dispatch and Records (LARC) will be supported by the City of Laramie IT Division unless it is a County IT related issue, such as access to county servers, shares, infrastructure, etc. County IT will support the Sherriff’s Office, Albany County Detention Center, and County attorney’s office including their computer hardware, operating systems, network access, email, file shares, etc. The City of Laramie IT Division will support their access on the Public Safety systems such as Naviline, IBM iseries access, CAD, HTE, jails software, etc. Anyone accessing public safety systems or data shall conform to all CJIS rules and security practices. No one shall access Public Safety systems or data without the proper background check completed and on file with the appropriate authority. If there are any conflicts between the City of Laramie Information Technology Policy and the CJIS policies users shall conform to the CJIS policy when using computers that have access to public safety data. XV. Policy: GIS Policy Geographic Information System (GIS) software and hardware must be approved by the IT Division. ---PAGE BREAK--- Page 10 of 11 Software GIS Software to be purchased is to be reviewed by City IT/GIS staff. This is required for compatibility, license compliance, integration into GIS datasets, and to ensure data standards are met. Project Work Projects where data is to be generated or collected for input into the City GIS is to be reviewed by City IT/GIS staff to maintain standards of existing GIS datasets. Sub-foot or less is the required level of accuracy for contractors performing field work/data collection for input into the City GIS. Datasets All datasets will be centrally located on the City GIS server. This is required for maintenance, backup, and distribution purposes. Standards/Accuracy City GIS datasets are required to comply with National Map Accuracy Standards for a scale of 1 inch equals 100 feet. All data will be within 1 foot. Distribution Hardcopy maps will be available to the public at a nominal fee. Availability to the public of softcopy maps and datasets will be made on a case by case basis for a nominal fee. The GIS Technician will be responsible for distribution of softcopy maps and datasets unless other personnel are designated by department head and approved by IT Manager Map Components All hardcopy or softcopy maps for public consumption will have the following: Scale Bar Absolute Scale Text North Arrow Disclaimer Revision Date Department Contact Information City Logo Global Positioning System (GPS) Equipment Any misuse or mishandling of GPS which results in the unit not functioning properly is the responsibility of the user. Each person who will be using gps is required to be properly trained on usage and care of the unit by City GIS personnel prior to performing field data collection. Data Security The City of Laramie is under compliance with Homeland Security measures. This includes specific data for Sewer, Water, Gas, and Electric. These datasets will be provided only after receiving approval from the departments associated with the data and not under any other condition. Finance datasets are restricted under privacy laws and are for internal use only. Disclaimer: Maps printed will contain a disclaimer clearly legible on the map. Maps and GIS data distributed in electronic format will contain the disclaimer in a text file and will be included with the data. The disclaimer shall be worded as follows: ---PAGE BREAK--- "The data contained herein was compiled from various sources for the sole use of the City of Laramie. Review of this data for accuracy and any necessary editing has not been completed al this time. Any use of the data by anyone other than the City of Laramie, and its members, is at the sole risk of the user; and by acceptance of this data, the user does hereby hold the City of Laramie, and its members, harmless and without liability from any claims, costs, or damages of any nature against the City of Laramie, including cost of defense arising from improper use of data, or use by other party. Acceptance or use of this data is done without any express or implied warranties. This data is not meant for legal conveyance." XVI. Policy Authority This policy is authorized by the City Manager's Office. For assistance or questions concerning this policy, contact the City Manager's Office. XVII. Related Policies/References • Mobile Device Policy • Social Media policy Dare: t/L Pnge II of II