City of Marysville Technology Policies

Introduction

The Use of City Resources policy is found in the Personnel Rules book and is given to every employee. Additionally, anytime a person logs in to any City computer they receive a security warning. Included in the security warning is a clause stating: “Use of the system indicates you have read and understand the City of Marysville’s policies and procedures regarding the use of City resources, including those policies found on the City’s Intranet.” A link to additional policies and procedures is prominently placed in the upper left hand corner of the City’s main Intranet page. Anytime an employee opens an Internet browser session, they are automatically directed to this page.

The following policies are Adobe printed from the policies found on the City’s Intranet and are formatted for a web browser. If you would like an HTML version of these documents please contact the Information Services Department.

Worth Norton
Information Services Manager
City of Marysville
1049 State Avenue, Marysville WA 98270
Desk: [PHONE REDACTED] Fax: [PHONE REDACTED]
[EMAIL REDACTED]

City of Marysville Technical Policies and Procedures

The following policies and procedures are meant to supplement the City's Personnel Policies. These policies and procedures apply to all City employees, elected, and appointed officials. The following procedures are required by multiple governing agencies including the State Auditor's Office, The Secretary of State's Office, the Administrative Office of the Courts, the Washington State Patrol, FBI's Criminal Justice Information Services Division, and the Washington Cities Insurance Authority.

1.00 Use of City Resources Policy

Additional Technology Policies and Procedures
1.01 Password Procedures
1.02 Communication and Internet Use Procedures
   Social Media Use Policy
   Facebook Use Policy
   Twitter Use Policy
1.03 Software and Local Administration Procedures
1.04 Electronic Media Destruction Procedures
1.05 Electronic Document Retention Procedures

I.S. Dept. Specific Policies and Procedures
1.11 Network and Remote Access Procedures
1.21 Industrial Control Systems Procedures

USE OF CITY RESOURCES

Use of City Property

Employees shall not request or permit the use of City owned vehicles, equipment, materials, or property for personal convenience or profit, except when such services are available to the public generally or are provided as City policy for the use of those employees in the conduct of official business.

Computer Systems and Electronic Communications

This policy applies to all City employees, elected, and appointed officials.

Computers, telephones, fax, copy machines, all associated software and peripheral devices, and any other City equipment provided for employee use are the property of the City and are intended solely for use in conducting official City business. All messages sent, received, or stored on the email system, all records of Internet use, and all software installed on computers are the property of the City and may be reviewed, audited, intercepted, accessed, or disclosed by the Mayor or designee without employee authorization.

Employees may use some City equipment for VERY LIMITED personal use, provided that it is done on employees’ own time, does not violate any law or City policy, such as harassment or solicitation, and is not used for commercial, religious, charitable, or political activities.
Also, this use must not interfere with employees’ job performance, disrupt or distract themselves or coworkers from the conduct of City business, and it must not result in additional cost or liability to the City. Use of City time and resources may be allowed for approved participation in professional organizations related to the employee’s official position, upon approval by the CAO.

All outgoing messages which do not reflect the official position of the City must include the following disclaimer: “The opinions expressed here are my own and do not necessarily represent those of the City of Marysville.”

Internet access is limited to employees who have received prior approval from the CAO or designee. Resources of any kind for which there is a fee, including all Internet sites, must not be accessed or downloaded without prior approval of department directors. Space on public access databases (such as home pages on the World Wide Web) shall not be created without prior approval of the CAO or designee.

Employees not involved in the maintenance or operation of the voicemail and email systems are prohibited from retrieving or reading any voicemail or email sent to other employees without a direct request from the intended recipient.

All electronic records, including information sent via email or posted on the Internet, reflect on the City, are public property, and must be retained according to the City’s retention schedule and disclosed pursuant to the state’s Public Records Act. To ensure compliance, old or unneeded emails, such as informal messages with no retention value (meeting notices, reminders, telephone messages, and informal notes), should be deleted frequently; email that needs to be retained should be copied into a personal folder on the City’s computer network.

All email communications must comply with City standards and policies as well as laws such as copyright protection.
Exercise due caution when sending confidential or sensitive information electronically.

Employees must protect all system user identifications and passwords, along with voicemail PIN numbers and email account passwords, at all times. Individual passwords must not be printed or stored online. Individual passwords must not be shared with others, and users are prohibited from accessing any City computer system using another user’s account or password.

Networked computer systems can easily spread computer viruses, and it is every employee’s responsibility to exercise due caution to minimize the risk of viruses. Since email attachments are a common source of viruses, only those received from expected and known business sources may be opened. No external computer files may be downloaded without being properly scanned for viruses.

The City purchases licensed software for employee use for City business. All software must be installed by authorized employees per license agreement. Employees are prohibited from making a copy of software for personal use.

Employees are responsible for taking adequate measures to prevent damage, theft, or loss of City equipment. Laptop computers, in particular, are subject to damage, theft, or loss when removed from City offices.

Use of the City’s information or data systems from a personal or company-owned computer through company-owned connections is subject to this policy, too. Use of personal computers to perform city business through non-city owned connections is also subject to the provisions of this policy and the provisions of the state’s Public Records Act and records retention schedule.

Employees who abuse City equipment and computing resources are subject to disciplinary action. If these resources are used for purposes that violate federal or state laws, employees may be held legally accountable.
City employees who learn of any misuse of software or related documentation within the organization shall immediately notify their immediate supervisors or department directors.

Questions or issues which arise from this policy should be directed to the Finance Director or CAO.

Use of Telephones and Wireless Handheld Communications Devices

Personal use of the City’s telephone system and wireless handheld devices is prohibited. Personal calls should be billed directly to the employee’s home phone or personal credit card, with the exception of calls necessitated by unanticipated overtime or an emergency.

City-Owned Wireless Handheld Communications Devices

The City requires employees to use its cellular telephones and other wireless handheld communications devices safely while conducting City business. Employees who are issued such devices are expected to limit use of them while driving a City vehicle. Regardless of the circumstances, employees are strongly encouraged to pull off to the side of the road and safely stop the vehicle before placing or accepting a call. Employees are prohibited from placing themselves or others at risk to fulfill business needs. If it is imperative to accept a call while driving, employees must use a hands-free device per state law. In positions that require regular driving and answering business calls, the City may provide hands-free equipment, if feasible. Employees are prohibited from sending or receiving text messages via wireless handheld communications devices while operating a motor vehicle or performing a task.

Personal Wireless Handheld Communications Devices

Excessive personal calls and text messaging during the workday, regardless of the communications device used, can interfere with employee productivity and be distracting to others. The City encourages a reasonable standard of limiting personal use of personal wireless handheld devices to rest breaks and meal times.
Employees are expected to keep their personal wireless handheld devices off or in silent mode during work hours. Flexibility will be provided in circumstances demanding immediate attention. Employees are prohibited from using personal wireless devices while operating a City vehicle. The City is not liable for the loss of personal wireless devices brought into the workplace.

Information Services Department
Policy 1.01 Password Use Procedure
Revision: 1.6
April 25, 2012

Purpose: The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in a compromise of the City of Marysville's entire network. As such, all City of Marysville employees (including contractors and vendors with access to City of Marysville systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Policy:

1. Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any City of Marysville facility, has access to the City of Marysville network, or stores any non-public City of Marysville information.

2. General Password Policy

A. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every three months.
B. User accounts that have system-level privileges granted through group memberships or programs such as "pseudo" must have a unique password from all other accounts held by that user.
C. Passwords must not be inserted into email messages or other forms of electronic communication.
D. All user-level and system-level passwords must conform to the "Strong" password guidelines described below.
E. A user's last 10 passwords may not be reused.
F. All system-level passwords will be changed immediately upon termination of Information Services administration staff.
G. Initially assigned passwords are unique and only valid for one use and then must be changed.

3. Password Construction Guidelines

Passwords are used for various purposes at the City of Marysville. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Since few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.

Strong passwords have the following characteristics:
- Are at least eight alphanumeric characters long.
- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Have digits and punctuation characters as well as letters e.g.: 0-9
- Are not a word in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

Note: Do not use either of the above examples as passwords!

Poor, weak passwords have the following characteristics:
- The password contains fewer than eight characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
  - Names of family, pets, friends, co-workers, fantasy characters, etc.
  - Computer terms and names, commands, sites, companies, hardware, software.
  - Proper names like "City of Marysville", "Snohomish", "Washington" or any derivation.
  - Birthdays and other personal information such as addresses and phone numbers.
  - Word or number patterns like aaabbb, qwerty, 123321, etc.
  - Any of the above spelled backwards.
  - Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

4. Password Protection Standards

Do not use the same password for City of Marysville accounts as for other non-City of Marysville access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various City of Marysville access needs. For example, select one password for the Engineering systems and a separate password for IT systems. Do not share City of Marysville passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential City of Marysville information.

- Don't reveal a password over the phone to ANYONE
- Don't reveal a password in an email message
- Don't reveal a password to the boss
- Don't talk about a password in front of others
- Don't hint at the format of a password (e.g., "my family name")
- Don't reveal a password on questionnaires or security forms
- Don't share a password with family members
- Don't reveal a password to co-workers while on vacation

If someone demands a password, refer them to this document or have them call someone in the Information Services Department.

The use of another employee's password on any City-owned computer system is prohibited. If you inadvertently find or receive another employee's password you should inform the employee immediately so they can change their password.

Do not use the "Remember Password" feature of applications (e.g., Outlook, Internet Explorer).

Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without

Change passwords at least once every three months.
The previous 10 passwords may not be reused.

If an account or password is suspected to have been compromised, report the incident to Information Services and have your password changed.

5. Application and System Development Standards

Application developers must ensure their programs contain the following security precautions. Applications...

A. should support authentication of individual users, not groups.
B. should not store passwords in clear text or in any easily reversible form.
C. should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
D. should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.

Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available

6. Elevated User Accounts for Domain and Server Administration

All administration, maintenance, or updates to Active Directory or any domain resource must be done with an "Elevated User Account".

A. All users who have requirements to make any changes to Active Directory or domain resources must be assigned a second "Elevated User Account".
B. Elevated accounts should not be used for administration on local PCs and should only be used for RDP sessions to servers.
C. Domain and server access for elevated accounts must follow the principle of least privilege.
D. In addition to standard password policies, all elevated accounts must have a minimum 12 character password.
E. Passwords for elevated user accounts may not be stored anywhere on any type of media, other than the grey matter between the user's ears.

7. Password Resets

A. Password resets must be done with an elevated administrative user account.
B. The identity of the requestor must be verified.
Familiarity, visual or audio Identification ID card City issued cell phone Secret Last four of the SSN City LD pin
C. Assigned passwords are unique and only valid for one use.

Information Services Department
Policy 1.02 Communication and Internet Use Procedures
Revision: 1.0
May 10, 2012

Purpose: This policy is meant to further define the existing electronic communications and Internet use policies found in the City's Personnel Rules. The purpose of this policy is to set policies for the use of the Internet and communication applications including but not limited to Browsing, Email, IM, Chat, Blogs, File Transfers, Cloud Applications and Storage.

Policy:

1. Scope

These policies and procedures apply to all City employees, elected, and appointed officials.

2. General Policy

Use of the City's computer system to engage in any communication that violates federal, state, or local laws, codes, and regulations, City policies and procedures is strictly prohibited at all times. Inappropriate uses of City systems include, but are not limited to:

A. Commercial use for an employee’s personal business. Examples include but are not limited to: E-Bay or other auction sites, other jobs or businesses in which the employee is involved.
B. Solicitation use that promotes monetary gain for the employee or an employee’s charity. City promoted charitable events are excluded from this type of use.
C. Political use, including partisan campaigning or sending political messages.
D. Religious use.
E. Usage for any type of harassment or discrimination including transmission of obscene or harassing messages to any individual or group because of their sex, race, creed, religion, national origin, sexual orientation or other protected class status.
F. Accessing of pornographic, sexually explicit or indecent materials including materials of a bawdy or risqué nature, or that are otherwise unreasonably offensive.
G. Usage for any activity that could adversely affect the City of Marysville’s image or reputation.
H. Gambling.
I. Usage for recreational purposes including the loading of computer games or playing online games.
J. Usage which precludes or hampers City network performance such as viewing or listening to streaming audio and/or video.
K. Peer to peer file sharing.
L. Unauthorized copying of copyrighted material.
M. Usage which violates software license agreements.
N. Downloading of software unless pre-approved in the Software and Local Administration Procedures.
O. Use of an assumed name with intent to obscure the origin of a communication.
P. Transmission of sensitive or protected data without the use of
Q. Transmission of information to unauthorized persons or organizations.
R. Malicious use of the system, including but not limited to hacking, denial of service, and unauthorized access, so as to deprive others of system use or resources.

4. Electronic Communications

IM (Instant Messaging), Chat, and Blogs

Due to the difficulty in retaining IM, Chat, and Blogs, the use of these types of communication is prohibited for all City business.

Email

A. Right of Inspection - All messages should be composed with the expectation that they are public. Users shall have no expectation of privacy in e-mail messages. Archived copies of all email are saved for a minimum of 7 years.
B. Prohibition of Inappropriate Message Content - Electronic mail should be businesslike, courteous, and civil. All City policies, including all rules of conduct and standards of conduct, apply to email use.
C. Forwarding of Electronic Mail - A user forwarding a message, which originates from someone else, may not make changes to that message without clearly disclosing the exact nature of the changes.
Messages received from the Legal Department, Court, or private attorneys acting on behalf of the City, its officers or employees, may be privileged communications and therefore, confidential, and these messages shall not be forwarded to non-City persons without the prior approval of the author.
D. Mis-Delivered Messages - If an electronic mail message comes to a user by mistake, the user should stop reading as soon as they realize the message was not meant for them, delete it, and notify the sender immediately.
E. Use of Non-City Email Accounts - Non-City email accounts (like Gmail, AOL, MSN, or Yahoo) may not be used to conduct City business unless approved in advance by the CAO or the CAO’s delegate and an approved records retention system is put in place to archive all email to and from these accounts.
F. Transmission of Protected Data - Protected Data (i.e., HIPAA, CJIS, PCI, etc.) must not be sent via electronic mail. Electronic mail messages may be intercepted, viewed, and used for non-approved purposes, especially when corresponding via the Internet.
G. Using E-Mail for Mass Mailing - The City's e-mail system is not intended to be used for general mass mailings. The City uses other electronic publications to communicate information that are more efficient and cost effective. If mass email mailings are required, a mass mailing or marketing service must be used.

5. Internet Use

A. General Use - Internet access by default is provided to every employee with a City login. By supervisor's request, Internet access may be restricted. All Internet use is logged and monitored for compliance with the City's General Policies.
B. Online Storage - Due to records retention issues, the use of online storage services is prohibited for uploading documents from a City computer. Online storage services include but are not limited to: Google Drive, DropBox, Carbonite, etc.
The City offers three alternatives including an FTP site (FileZilla), the City's web site (CivicPlus), and the Clerk's Office records management system (iCompass).
C. Streaming Media - All forms of Streaming Media are prohibited on City PCs unless there is a City business need and it is pre-approved by a supervisor. Streaming Media is any type of Internet download that requires constant updating with a source on the Internet. There are many types of streaming media including: Internet radio, music, videos, news and weather updates.
D. Research - Upon permission of the CAO or the CAO's delegate, users may be added to the Internet Research Group which has very liberal filters. This will allow the browsing of Social Media and other potentially dangerous sites for research. Users in the Internet Research Group have a higher responsibility to avoid dangerous sites including malware, viruses, and phishing schemes. Members of the Internet Research Group are still prohibited from posting to Social Media sites unless approved through the policies found in the Social Media section of this policy.

6. Social Media

Due to the difficulty in managing Social Media's content and security risks inherent with Social Media, access to Social Media is generally prohibited to City Internet users. The exceptions to this are for viewing only by the Internet Research Group and for publishing City information by either the City Information Officer or the IS Department.

Social Media Posting

The following policies pertain to the posting to any type of Social Media:
- Social Media Use Policy
- Facebook Use Policy
- Twitter Use Policy

City of Marysville Social Media Use Policy

Standard Social Media Use Policy
City of Marysville – Community Information Office and Information Services Department

Purpose: To address the fast-changing landscape of the Internet and the way residents communicate and obtain information online, the City of Marysville and its departments may consider using social media tools to reach a broader audience. The City encourages the use of social media to further the goals of the City and the missions of its departments, where appropriate.

The City of Marysville has an overriding interest and expectation in deciding what is "spoken" on behalf of the City on social media sites. This policy establishes guidelines for the use of social media.

In May 2011, the City of Marysville, WA joined the social networking websites Facebook® and Twitter® as a means to increase citizen awareness and enhance communication between citizens and the City. Standards have been developed for each website account and are to be used in conjunction with the City Social Media Use Policy herein.

General:

1. All City of Marysville social media sites are subject to approval by the Chief Administrative Officer (CAO) prior to activation.
2. City of Marysville social media sites are monitored and maintained by the Community Information Officer (CIO).
3. The City of Marysville's official government website (marysvillewa.gov) will remain the City's primary and predominant internet presence. Social media sites can augment this presence as a means of disseminating information.
4. The best, most appropriate City of Marysville uses of social media tools fall generally into two categories:
   a. As channels for disseminating time-sensitive information as quickly as possible (example: emergency information).
   b. As marketing/promotional channels that increase the City's ability to broadcast its messages to the broadest possible audience.
5. Content posted to City of Marysville social media sites shall mirror content available on the City's main website.
6. Content posted to City of Marysville social media sites such as Facebook should contain links directing users back to the City's official websites for in-depth information, forms, documents or online services necessary to conduct business with the City of Marysville.
7. The CIO is responsible for the content and upkeep of social media sites, with other designated administrators authorized by the CAO at such time that there is interest by the City to expand social media options.
8. City of Marysville social media sites shall comply with all appropriate City of Marysville policies and standards, including but not limited to:
   a. Personnel Policy – Revised Spring 2009 – Use of City Resources – Computer Systems and Electronic Communications
   b. Online Privacy and Security Policy
   Any exceptions must be approved by the CIO and subject to review by the Information Services (IS) Manager.
9. City of Marysville social media sites are subject to State of Washington public records laws. Any content maintained in a social media format that is related to City business, including a list of subscribers and posted communication, is a public record. The Department maintaining the site is responsible for responding completely and accurately to any public records request for public records on social media. Content related to City business shall be maintained in an accessible format and so that it can be produced in response to a request (see the City of Marysville Twitter and Facebook standards). Wherever possible, such sites shall clearly indicate that any articles and any other content posted or submitted for posting are subject to public disclosure.
Users shall be notified that public disclosure requests must be directed to the relevant departmental public records officer.
10. Washington state law and relevant City of Marysville records retention schedules apply to social media formats and social media content. Unless otherwise addressed in a specific social media standards document, the Department maintaining a site shall preserve records required to be maintained pursuant to a relevant records retention schedule for the required retention period on a City server in a format that preserves the integrity of the original record and is easily accessible. Appropriate retention formats for specific social media tools are detailed in the City of Marysville Twitter and Facebook standards.
11. Users and visitors to social media sites shall be notified that the intended purpose of the site is to serve as a mechanism for communication between City departments and members of the public. City of Marysville social media site articles and comments containing any of the following forms of content shall not be allowed:
   a. Comments not topically related to the particular social medium article being commented upon;
   b. Comments in support of or opposition to political campaigns or ballot measures;
   c. Profane language or content;
   d. Content that promotes, fosters, or perpetuates discrimination on the basis of race, creed, color, age, religion, gender, marital status, status with regard to public assistance, national origin, physical or mental disability or sexual orientation;
   e. Sexual content or links to sexual content;
   f. Solicitations of commerce;
   g. Conduct or encouragement of illegal activity;
   h. Information that may tend to compromise the safety or security of the public or public systems; or
   i. Content that violates a legal ownership interest of any other party.
   These guidelines must be displayed to users or made available by hyperlink.
   Any content removed based on these guidelines must be retained, including the time, date and identity of the poster when available (see the City of Marysville Twitter and Facebook standards).
12. The City reserves the right to restrict or remove any content that is deemed in violation of this social media policy or any applicable law.
13. The City will approach the use of social media tools as consistently as possible.
14. All new social media tools proposed for City use will be approved by the IS Manager and CIO.
15. Administration of City of Marysville social media sites.
   a. The IS Department will maintain a list of social media tools which are approved for use by the CIO and any other staff members authorized by the Chief Administrative Officer.
   b. The IS Department and CIO will maintain login and password information for the Facebook and Twitter pages.
   c. The City must be able to immediately edit or remove content from social media sites.

City of Marysville Facebook Policy

Policy for Marysville Page on Facebook
City of Marysville – Community Information Office and Information Services (IS) Department

Introduction: Facebook is a social networking site that has grown in popularity, with the fastest-growing segments the 26-34 age group, 35-to-54 year olds, and women over 55. Businesses and governments have joined individuals in using Facebook to promote activities, programs, projects and events. This standard is designed for City departments looking to drive traffic to web pages at marysvillewa.gov and to inform more people about City activities. These standards should be used in conjunction with the City's social media use policy and video posting policy. As Facebook changes these standards may be updated as needed.

In May 2011, the City of Marysville, WA joined the social networking website Facebook® as a means to increase citizen awareness and enhance communication between citizens and the City.
The City has adopted the following social networking policy as it relates to the City of Marysville’s presence on Facebook.

Purpose: The purpose of the Marysville, WA page on Facebook is to present matters relating to emergency information, local events, important updates on the marysvillewa.gov website, and items of general public interest to Marysville residents, businesses, visitors and other interested parties.

Policy:
1. Types of information and updates to be added to the Marysville, WA page on Facebook should be in relation to:
    a. Emergency information received through the emergency management director, chief administrative officer, state or federal weather resources, or other city departments.
    b. Invitations to the public to attend regular government meetings, such as City Council and Planning Commission meetings.
    c. Announcements about local city or city affiliate-sponsored events.
    d. Links to the latest updates on the marysvillewa.gov website, such as:
        i. City Council agenda and minutes and meeting documents for other boards and commissions.
        ii. City holiday and closing announcements.
        iii. Sports registration links.
        iv. Local attractions.
        v. Trash schedule changes.
        vi. Public Transportation route changes.
        vii. Updates to PDFs on website (ex. Activity guides, press release).
    e. Photographs may also be uploaded of city buildings, landscape, events and activities.
2. Administrators:
    a. Administrator(s) for the Marysville, WA page on Facebook have been authorized by the Chief Administrative Officer. The CIO is the primary administrator.
    b. Administrator(s) will use proper grammar and standard Associated Press (AP) style consistent with all City of Marysville publications, avoiding jargon, bureaucratese and abbreviations. Facebook is more casual than most other communication tools but still represents the City at all times.
    c. Suggestions for updates should be e-mailed to the current administrator(s).
3. Comments from the public:
    a. The Marysville, WA page on Facebook is open to comments and questions on posts and photos.
    b. Comments from fans on the wall of the Marysville, WA page on Facebook are turned off and should only be turned on when approved by the page administrator/CIO.
    c. Once a comment on a post or photo is added, the City reserves the right to delete submissions which contain the following:
        i. Vulgar language.
        ii. Personal attacks of any kind.
        iii. Offensive or disruptive comments.
        iv. Spam.
        v. Advertising.
        vi. Promoting particular services, products, or organizations.
        vii. Inappropriate links.
        viii. Advocating illegal activity.
        ix. Infringement on copyrights or trademarks.
        x. Violations of City of Marysville policies.
    d. Comments from fans expressed on the Marysville, WA page on Facebook do not reflect the opinions and positions of the City of Marysville or its officers and employees.
4. Promoting the Marysville, WA page on Facebook:
    a. Facebook holds a policy in regards to promoting pages outside of Facebook.
    b. “Use or reference to the Facebook brand should not imply partnership, endorsement or sponsorship unless approved by Facebook Brand Marketing.”
        i. Ways to refer to the Marysville, WA page on Facebook in other media:
            1. Like us on Facebook
            2. Find us on Facebook to discover more about Marysville, Washington.
            3. Marysville, WA on Facebook.
            4. Check out the Marysville, WA page on Facebook.
            5. Find us on Facebook.
        ii. Ways NOT to refer to the Marysville, WA page on Facebook in other media:
            1. Check out the Marysville, WA Facebook page.
            2. Marysville, WA partners with Facebook in social advertising campaign.
            3. Facebook and Marysville, WA commit to serving you better ads.
    c. Facebook icons:
        i. “Do not use icons, visuals, logos, etc. taken from the Facebook site.”
        ii. Facebook offers tools to promote each page on Facebook:
            1. Facebook Page Badge: “This Badge can be applied in-store or on location, on the web, and in print collateral.”
            2. Ways to use the Facebook Page badge:
                a. Hyperlink the “Find us on Facebook” badge to the Marysville, WA page on Facebook.
                b. Hyperlink “Marysville, WA on Facebook” to the Marysville, WA Page on Facebook.
            3. Ways to NOT use the Facebook page badge:
                a. Hyperlinking the “Find us on Facebook” badge to the Facebook log-in page.
                b. Hyperlinking the word “Facebook” to the Marysville, WA page on Facebook.
5. Applications
    a. There are thousands of Facebook applications. Common applications can allow users to stream video and music, post photos, and view and subscribe to RSS feeds. While some may be useful to the page’s mission, they can cause clutter and security risks.
    b. An application should not be used unless it serves a business purpose, adds to the user experience, comes from a trusted source and is approved by the Information Services (IS) Department.
    c. An application may be removed at any time if there is significant reason to think it is causing a security breach, spreading viruses or for any other reason determined by the IS Department.
6. The Policy for the Marysville, WA page on Facebook is subject to change at any time by city administration, page administrators or the Information Services (IS) Department.

City of Marysville Twitter Policy
Policy for Marysville Page on Twitter
City of Marysville – Community Information Office and Information Services Department

Purpose: To address the fast-changing landscape of the Internet and the way residents communicate and obtain information online, the City of Marysville and its departments may consider using social media tools to reach a broader audience. The City encourages the use of social media to further the goals of the City and the missions of its departments, where appropriate. The City of Marysville has an overriding interest and expectation in deciding what is "spoken" on behalf of the City on social media sites. This policy establishes guidelines for the use of social media.
Twitter is a micro blogging tool that allows account holders to tweet up to 140 characters of information to followers. By procuring and maintaining a Twitter account, the City of Marysville will communicate information directly to its Twitter followers, alerting them to news and directing them to marysvillewa.gov for more information. These standards should be used in conjunction with the City's Social Media Use Policy.

In May 2011, the City of Marysville joined the social networking websites Facebook® and Twitter® as a means to increase citizen awareness and enhance communication between citizens and the City. These standards are to be used in conjunction with the City’s Social Media Use Policy.

General:
1. The City of Marysville retains a single Twitter account which is maintained and used by the Community Information Officer (CIO), or other City employees as designated and authorized by the Chief Administrative Officer (CAO).
2. The City’s Twitter bio will read: City of Marysville Comments, list of followers subject to public disclosure (Public Records Act, RCW Chapter 42.56). If appropriate, the following will be added: This site is not monitored frequently. Call 911 for emergencies.
3. Twitter username is WA_Marysville.
4. The City of Marysville Twitter account background is marked by a standardized official City of Marysville logo.
5. The Twitter account shall serve three primary purposes:
    a. Get emergency information out quickly
    b. Promote City-sponsored events
    c. Refer followers to content hosted at marysvillewa.gov
6. Information posted on Twitter shall conform to the City’s social networking policies and procedures. Tweets shall be relevant, timely and informative.
7. Twitter content shall mirror information presented on the City website and other existing information dissemination mechanisms. The CIO and any on-staff “Tweeters” authorized by the CAO shall ensure that information is posted correctly the first time.
Twitter does not allow for content editing.
8. The City of Marysville Twitter account is intended as a one-way communications tool only; however, when circumstances require a response, the CIO shall be responsive to those constituents who communicate via Twitter’s @reply or direct message functions. Communication with followers shall be timely and consistent with existing protocols.
9. The Marysville CIO and IS personnel shall be responsible for archiving Twitter posts. Twitter archives will not be visible to the public, but will be accessible for public document retention purposes and public disclosure in accordance with the Public Records Act.

Information Services Department Policy
1.03 Software and Local Administration Procedure
Revision: 1.3 March 4, 2011

Purpose: This policy outlines the proper approval and installation procedure for software on City-owned computer systems.

Policy:
1. Definitions
Departmental Systems Analyst: Certain City departments may have the need for a Systems Analyst position within their department. Positions recognized as Departmental Systems Analysts include:
    Associate Engineer II (Engineering Department)
    Financial Planning Manager
    GIS Administrator
    Police Administrative Division Manager
    Public Information Officer
    SCADA/Telemetry Administrator
Local Administrator (Admin) Rights: Local admin rights are required for the installation of all software. Local admin rights are given to all City computer systems for IS Staff. Local admin rights are given to specific subsets of departmental organizational units for Departmental Systems Analysts. Local admin rights are given on individual laptops for management staff with laptops.
2. Approval Process
Desktop Applications that are not on the preapproved software list and are not department specific specialty software must be approved by the Information Services Department or the Information Services Steering Committee on a case by case basis.
The Information Services Advisory Team may request that specific desktop applications be added to the preapproved software list at the quarterly ISAT meeting.
Department Specific Specialty Software must be approved by the Department's Director, the Department's System Analyst, and the Information Services Department on a case by case basis.
Client Server Applications are approved through the budget process. All client server application budget requests must be reviewed by the Information Services Department prior to submittal for compatibility and hardware needs.
3. Installation Procedure
Licensing: No software will be installed on any City Computer System without a license.
Installation: Local Administrators may install any of the City's preapproved software packages. Departmental Systems Analysts may install any department specific specialty software that has been appropriately approved. All other software must be installed by IS staff.
4. Preapproved Desktop Application Software for City Wide Use
The following desktop applications have been preapproved for use on City Computer Systems (list does not include client server applications):
    Microsoft: Office 2007, IE 7, Web Expressions 2, Project, Visio, Visual Studio, Streets and Trips, Active Sync
    Adobe: Reader X, Professional 9, In Design 5, Photoshop 6
    Sun Java
    Google: Toolbar (with all update settings turned off), Earth
    Roxio Creator 9
    Nero 8
    LView Pro Image Processor
    Quick Time Player
    WebEx, GoToAssist, and GoToMeeting
    Power DVD 7
    WinDVD
    FileZilla 3
    WinZip or Zip Genius
    Sprint Novatel Wireless
    iDen or Verizon Phonebook Manager
The following applications may be approved on a case by case basis, usually with certain restrictions. Download location must be verified as a safe site such as http://download.cnet.com:
    Microsoft NetMeeting
    Microsoft Desktop Search
    Windows Sysinternals
    PC Anywhere
    Symantec Ghost
    VNC Viewer (viewer only... not server)
    MyDefrag
    LastPass
    Daemon Tools Lite
    Infra Recorder
    MRemote
    Calendar and Contact Apps from Microsoft, Intellisync, Google, Apple, Palm, Blackberry (Email is not approved)
    All department specific
5. Applications that are NOT Approved for City Computer Systems
Desktop Applications not specifically approved above including: • All beta software • FireFox and Opera • Google Chrome • Apple Safari • Netscape • iTunes • Google Desktop • StockTicker • WebShots • Desktop Dreamscapes • Ace Mega Codec Pack • etc.
I.M., Chat and Communication applications not specifically approved above including: • Outlook Express • MSN Messenger • Yahoo Messenger • AIM • Google Talk • Skype • Jabber • Gizmo • ExodusCC • ICQ • etc.
Internet Explorer add-ons not specifically approved above including: • WeatherBug • Yahoo Toolbar and Desktop • MyWebSearch • Internet Optimizer • CoolWebSearch • 180SearchAssistant • SaveNow • etc.
All Peer2Peer Software not specifically approved above including: • Kazaa • BitTorrent • BitComet • Morpheus • etc.
All Proxy and Circumventor Software including: • PC Mesh Anonymous • Smarthide • Private Proxy • Anonymity 4 Proxy • ProxyWay • etc.
All Remote Access Software not specifically approved above including: • GoToMyPC • LogMeIn • VNC Server • etc.
All Anti-Virus/Spyware and Firewalls not specifically approved above including: • WinFixer • eAcceleration • Ad-killer • SpywareAssassin • eAcceleration • AntiVirus Gold • SpyFirewall • etc.

Information Services Department Policy
1.04 Electronic Media Destruction Procedure
Revision: 1.1 October 21, 2011

Purpose: This policy outlines the proper retention and destruction of all electronic and portable media including but not limited to: Hard Drives, Solid State Drives (SSDs), Tapes (Backups), Flash Memory (Thumb Drives), Diskettes (Floppies and Zips), Optical Disks (CDs and DVDs).

Policy:
1. Retention
Hard Drives and SSDs: All non-system data on hard drives or SSDs must be retained according to proper retention schedules. Prior to a hard drive or SSD being taken out of service, all retainable documents must be copied to either the replacement hard drive, an SSD, or a shared hard drive on a file server. Once the retainable documents have been removed, hard drives and SSDs are not considered records.
Tapes: All tapes are for disaster recovery use only and are not considered records.
Portable Electronic Media: Portable media include Flash Memory (Thumb Drives), Diskettes (Floppies and Zips), Optical Disks (CDs and DVDs). These media are for transitory use only and are not considered records. Users must maintain an official copy of any records that have a retention schedule on a City PC or server hard drive.
2. Destruction or Disposition
Hard Drive Surplus Method: Prior to any PC or server being surplused, hard drives must be properly sanitized. Sanitization may be accomplished with hard drive sanitization software such as WipeDrive. Three random overwrites and verify are required prior to reformatting.
Hard Drive Disposal Method: There are two options for disposal of hard drives: they must either be sanitized with hard drive sanitization software such as WipeDrive, or they must be fully degaussed and then physically destroyed by striking the drive spindle with a hammer until the drive creases or the platters shatter. After one of the two previous sanitization methods has been performed, hard drives must then be placed in the IS Department's equipment recycling container.
Solid State Drive Disposal Method: SSDs may not be surplused due to the requirements of sanitization. SSDs must be sanitized by using a software application such as Secure Erase to reset the SSD back to the factory default of all zeros. The SSD must then be physically broken to ensure the flash chip has been damaged.
The SSD must then be placed in the IS Department's equipment recycling container.
Tape Rotation Method: When a tape reaches the end of its disaster recovery life cycle (tape life cycle retention periods below), it may either be disposed of or overwritten.
Tape Disposal Method: All tapes must be fully degaussed prior to disposal and then placed in the IS Department's equipment recycling container.
Flash Memory Disposal: Flash memory must be sanitized by using a software application such as Secure Erase to randomly overwrite all data. The flash memory must then be physically broken to ensure the flash chip has been damaged. The flash memory must then be placed in the IS Department's equipment recycling container.
Diskette Disposal: All diskettes must be fully degaussed prior to disposal and then placed in the IS Department's equipment recycling container.
Optical Disk Disposal: All optical disks must be shredded prior to disposal and then may be disposed of in the trash.

Tape Type          Life Cycle - Retention Length
Daily Backup       4 Weeks
Month End          6 Months
Year End           1 Year
System Recovery    None - Until New Version is Made

Information Services Department Policy
1.05 Electronic Document Retention Procedure
Revision: 2.1 April 25, 2012

Purpose: This policy outlines the proper retention for all forms of electronic documents.

Policy:
1. State of Washington Retention Requirements
City employees will adhere to all State of Washington document retention requirements including but not limited to:
    Chapter 434-662 WAC - Preservation of electronic public records
    Chapter 40.14 RCW - Preservation and destruction of public records
    Chapter 42.56 RCW - Public records act
The Public Records Act applies to government records, whether written, recorded, taped, or electronically stored, relating to the conduct of government or the performance of governmental functions.
The Records Retention Schedule (RCW 40.14.070) sets the length of time required to maintain these documents.
2. Electronic Document Retention
Creation: The official record version of an electronic document is typically created by the original author or a subsequent author who edits the original document, which creates a new version. The creator or "owner" of an electronic document is considered its custodian.
Custodial Responsibilities: It is the custodian's responsibility to ensure that official record versions of a document are kept in an approved storage format for the required retention period established in the City and State’s records retention schedules. When an employee leaves their position, the employee’s manager is responsible for designating a new custodian for the records and ensuring that the records are properly identified and transferred to the appropriate place prior to deletion of the departed employee’s accounts.
Storage: All official record versions of any electronic document must be stored on a City shared storage device; preferably a shared drive such as the S: drive or U: drive, or a City Clerk's document management system such as FilePro. Official record versions may not be stored on portable media, personal devices, or "Cloud" storage. Examples of "Cloud" storage include but are not limited to: Dropbox, Google Drive, Carbonite, Livedrive, etc.
Disposal: Employees are responsible for reviewing their electronic records periodically and carrying out the disposition of those records in accordance with the applicable records retention schedule.
3. Email Retention
The City's Information Services Department will maintain copies of every email the City sends or receives for review by the City's Email Retention Administrators. The City's email administrators (custodians) are the City Clerk, Deputy City Clerks and the Information Services Manager.
4. IM (Instant Messaging), Chat, and Blog Retention
Due to the difficulty in retaining IM, Chat, and Blogs, the use of these types of communication is prohibited for all City business.
5. Definitions
Custodian: A record's custodian is the employee directly responsible for the proper retention of an official record version of an electronic document. Typically the custodian is the original author or a subsequent author who edits the original document, which creates a new version. The custodian may also be an employee designated with the responsibility to maintain a previous employee's records.
Electronic Documents: Any type of file that can be stored in or on any type of electronic file storage system. Information recorded in a manner that requires a computer or other electronic device to display, interpret, and process it. Types of files include but are not limited to: word processing or text documents, spreadsheets, web pages, images, maps, electronic recordings and videos. Types of file storage systems include but are not limited to: shared storage on City servers, local computer hard drives, diskettes, thumb or flash drives, and tapes that are not specifically used for disaster recovery backups.
Official Record Version: The official version of the record is considered the primary copy and is subject to the retention requirements established in the City and State’s records retention schedules. A convenience copy is a secondary copy of a record kept for reference or research purposes. Secondary copies may be disposed of when they are no longer needed.

Information Services Department Policy
1.11 Network and Remote Access Procedure
Revision: 1.1 May 10, 2012

This is a technical policy for the City's Information Services Department. It covers network access and design.

Purpose:
Policy:
1. Domain Resource Authentication
All users accessing the City network must be authenticated by Active Directory and follow the City's password procedure. By September 2013, all police employees using a laptop or MDC must use advanced authentication for network access using a GoldKey certificate fob integrated with Active Directory.
2. Remote Network Access
The following are the currently approved forms of remote network access for the five main City networks. Additional options may be available for stand alone PCs or servers. A remote desktop solution will be available by April 2013 to replace the Citrix Firebox SSL connectivity for non-City PCs.
    A. Employee Access
        1. Outlook Web Access - Email and shared file access only.
        2. Citrix Firebox SSL Connection - Secure VPN for City laptops. Also allowed for use on home PCs limited to Finance management and IS.
        3. RadioIP - Secure VPN for City MDCs or laptops.
    B. Vendor Access
        1. WebEx, GoToAssist, GoToMeeting, or iLinc - Sessions must be initiated, monitored, and terminated by a City IS employee or a Departmental Systems Analyst.
        2. Citrix Firebox SSL Connection - Limited use for vendors not accessing City servers.
        3. Symantec PC Anywhere - Sessions must be initiated, monitored, and terminated by a City IS employee.
Dial-up modems are prohibited on the City, Police, and Fire networks. Any PC or server that requires a dial up modem must be placed in a segregated network or DMZ, or be stand-alone.
3. Wireless
Wireless access is provided in most City buildings and parking lots. No access points other than City managed access points are allowed anywhere on the City's network.
Employee Access: An employee wireless network will be provided for use by employees using City owned equipment. Access to the employee wireless network will be secured by 802.1x, ensuring only City issued equipment and City authenticated employees have access.
Guest Access: A guest SSID will be broadcast allowing City guests to log on to a segregated network that only provides Internet access.
4. Network Segregation
The City network will be segregated into five distinct networks using VLANs, ACLs, and routing. ACLs will be completed by September 2013. The five distinct networks are City, Police, Fire, Telemetry, and Guest. Connections to trusted networks outside of the City, including the State IGN, County IGN, State DOC, and the City of Arlington, must be separated with a firewall.

Information Services Department Policy
1.21 Industrial Control Systems Security Procedure
Revision: 1.0 May 7, 2012

This is a technical policy for the City's Information Services Department. It covers SCADA & Telemetry Systems access, operation and design.

Purpose:
Policy:
1. Best Practice
It is the policy of the City to follow industry Best Practices, including published recommendations by the manufacturers of automation equipment used by the City.
    A. United States Computer Emergency Readiness Team (US-CERT) Control Systems Security Program (CSSP)
        Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program
        Control Systems Cyber Security: Defense in Depth Strategies, October 2009, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
    B. National Institute of Standards and Technology (NIST)
        NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Final Public Draft September 29, 2008.
    C. Invensys Wonderware
        Securing Industrial Control Systems
    D. Rockwell Automation
        Securing SCADA and Control Systems
2. Antivirus / Anti-Malware
    A. All computer systems connected to the City’s SCADA/Telemetry Systems will have software installed and operating per City Standards.
    B. Files and folders may be exempt from active protection if under the direct instruction of the industrial control software vendor due to irreconcilable and known conflicts.
3. Patch Management
    A. All computer systems are to be kept patched and up-to-date, which will include:
        1. Microsoft
            Windows, Desktop and Server operating systems
            Office products (Word, Excel, etc.)
            SQL Databases
        2. Wonderware
            InTouch
            Historian/InSQL
            Data Access Server (DAS) and all components/modules
        3. Allen-Bradley/Rockwell
            RSLogix500
            RSLinx
            FactoryTalk
        4. Other 3rd Party software
            Adobe Reader
            Daemon Tools
            ESTeem Utilities
    B. If the software vendor has a procedure for testing 3rd party patches and then publishing compatibility results, installation of these patches can be delayed for a reasonable time.
4. Passwords and Accounts
    A. All user accounts will be password protected, and all users will have individual accounts.
    B. Access to all setpoints, controls and alarm acknowledgement will be password protected.
    C. Each user account will be limited to the features that that user needs access to.
    D. Access to PLC programs and the ability to upload/download to the processors will be password protected by April 2013.
    E. Access to the Graphical User Interface (GUI) of control or related network/communication equipment will be password protected
        Managed Switches or Routers
        Radio modems.
    F. Human-Machine Interfaces (HMI), Displays, etc. need not be password protected for the viewing of telemetered data (levels, flows, volumes, pump status, etc.).
    G. Default accounts will be removed if possible, and all default passwords will be changed.
5. Network Architecture
    A. Telemetered systems are to be separated from the main City network, and networks of other departments.
    B. Virtual Private Networks (VPN), Virtual Local Area Networks (VLANS), and physically separate networks shall be used to segregate networks.
    C. Firewalls will pass only protocols and ports needed for control and monitoring of the control system.
    D. Access Control shall be used to limit user access from the City’s network into the Control network(s).
6. Physical Access Control
All remote sites will have all equipment with controls and/or communication/network equipment within locked cabinets. Buildings shall be locked and employ security systems.