13.F.5. Adoption of City IT Policy-Res. No. 6432
City of Shakopee
Memorandum
TO: Mayor and City Council
Mark McNeill, City Administrator
FROM: Kris Wilson, Assistant to the City Administrator
SUBJECT: Adoption of City IT Policy
DATE: June 2, 2006
Introduction
The Council is asked to adopt the attached Information Technology (IT) Policy governing the
use of City IT systems, including computers, e-mail, Internet access, printers and phones.
Background
The attached policy is closely based on a policy template developed by LOGIS with input from
its member cities. Former IT Coordinator Kim Henke was involved in the development of the
policy template. Current IT Coordinator Carrie Duckett and the City's department heads have
reviewed the template and made modest changes so that it conforms to Shakopee's structure and
priorities.
If adopted, the attached policy would apply to all users of the City's IT systems, including
regular, part-time, and temporary employees, vendors, consultants, volunteers, and interns. The
policy is intended to set standards that protect the City's IT systems from interruption,
unauthorized or inappropriate access and security threats.
It would replace the City's existing Email Use and Internet Use Policies, which are out-of-date
and less comprehensive. The new policy addresses not only email and internet use but also use
of all hardware and software, including several explicitly prohibited uses; security issues such as
logins, passwords and virus protection; and the relationship between IT and the Data Privacy Act
and records retention policies.
If adopted, all City employees will receive a copy of the new policy and will be required to sign
the acknowledgement on the final page. New employees will be provided with the policy at the
time of hire.
Relationship to Vision
Adoption of the attached IT Policy will help ensure the security of the City's IT systems and the
effective and efficient delivery of services through technology, thereby contributing to a vibrant,
resilient and stable city (Goal D).
Requested Action
If it concurs, the Council should offer RESOLUTION NO. 6432, A RESOLUTION ADOPTING
AN INFORMATION TECHNOLOGY POLICY FOR THE CITY OF SHAKOPEE,
MINNESOTA, and move its adoption.
Kris Wilson
Assistant to the City Administrator
RESOLUTION NO. 6432
A RESOLUTION ADOPTING AN
INFORMATION TECHNOLOGY POLICY FOR
THE CITY OF SHAKOPEE, MINNESOTA.
WHEREAS, the City Council adopted Resolution No. 5351 on April 18, 2000, adopting
an E-Mail Use Policy and an Internet Use Policy for the City of Shakopee; and
WHEREAS, the rapidly changing world of information technology and its use in the
workplace environment have made those policies outdated; and
WHEREAS, the attached Information Technology Policy was developed to protect the
City's IT systems from inappropriate access or use, security threats and business
interruptions.
NOW THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF
SHAKOPEE, MINNESOTA, that the attached Information Technology Policy is hereby
adopted for use by the City of Shakopee and all users of its IT systems.
BE IT FURTHER RESOLVED, that Resolution No. 5351 is hereby repealed in its
entirety.
Adopted in regular session, this 6th day of June, 2006.
Mayor of the City of Shakopee
ATTEST:
City Clerk
City of Shakopee
Information Technology Policy
Adopted XX, 2006
City of Shakopee Information Technology Policy
I. Introduction
A. Purpose
B. Auditing
C. Reporting
D. Expectation of Privacy
E. Violation of Policy
II. Information Technology Use
A. Hardware and Software Acquisition
B. Installation, Downloads, and Configuration
C. Licensing
D. Data Management and Protection
E. Portable Information Systems
F. Personal Digital Assistants (PDA)
G. Electronic Mail (e-mail)
H. Internet
I. Prohibited Use
J. Personal Use
III. Information Technology Security
A. Logins and Passwords
B. Physical Security
C. Virus Protection
D. Remote Network Access
E. Wireless Access
Glossary of Terms
Information Technology Policy Receipt
I. Introduction
A. Purpose
The purpose of this IT Policy is to set standards to protect the City's IT systems from business
interruption and unauthorized or inappropriate access, and to maintain appropriate security. The
policy is to be adhered to by all users (regular, part-time, and temporary employees, vendors,
consultants, volunteers, interns, and others) who have access to or use Shakopee's IT systems
both on and off City property. IT systems include, but are not limited to, computers, e-mail,
Internet, printers, software, telephone, voice mail, and others.
B. Auditing
The City of Shakopee reserves the right to monitor and audit use of its IT systems at any time
without users' consent. An audit may result in the removal of hardware and/or software not
compliant with this policy.
C. Reporting
Users should notify their immediate supervisor, the IT Coordinator, the City Administrator or
any member of management upon learning of violations of this policy.
D. Expectation of Privacy
As a government agency, the City is subject to public disclosure laws. All files and documents,
including personal messages and Internet logs, are owned by the City and may be subject to
open records requests under law. Users should have no expectation of privacy.
E. Violation of Policy
Violations of this policy will be addressed consistent with the City's Personnel Policy.
II. Information Technology Use
A. Hardware and Software Acquisition
The IT Coordinator shall pre-approve and complete the purchase of all hardware, software and
computer peripherals to be attached to the City's network and/or purchased with City funds.
This is intended to ensure consistency with the design and architecture of the City's IT
network and assist in accurate inventorying and tracking of the City's IT assets. Users are
prohibited from installing, downloading, or acquiring hardware and software, including product
demonstrations, without prior approval from the IT Coordinator. Software applications not
required for official City business are strictly prohibited.
B. Installation, Downloads, and Configuration
No user will be allowed to manipulate hardware and software standard configurations. The IT
department must always be contacted for hardware and software support.
No user should change the computer setup or configuration files. Employees may customize
their desktop settings (wallpaper, screen savers, toolbars, colors, etc.) but must do so in a
manner that maintains a professional work environment. Users are prohibited from
downloading or installing any software, including personal software, through the Internet,
e-mail, and/or vendor demonstrations without prior approval from the IT department.
C. Licensing
To ensure license compliancy all software must be purchased by and licensed to the City.
Development: Any software programs, i.e., custom designed Microsoft Access databases,
developed for use by the City become the property of the City. Software programs may not
be sold or distributed without prior approval.
Home: City-owned software may not be loaded on non-City owned equipment unless there is
prior approval from the department head and IT Coordinator.
Copyright Laws: City users are required to abide by software and documentation copyright
laws and licensing agreements. If there is any question about the legality of the software and
documentation, it should be directed to the IT Coordinator. At no time should any users make
copies of City-owned software and documentation. To prove legal ownership of software, the
City must have the original media and manuals stored on City property. The IT Coordinator
will periodically check for software that may be in violation of the above policy.
D. Data Management and Protection
Under the provisions of the Minnesota Data Practices Act, all data stored on computer
media owned, leased or rented by the City is considered to be owned by the City and
for the most part is non-private/public, including information stored on local hard
drives. Data is subject to the Minnesota Data Practices Act and its use and
dissemination is consistent with the data classification under the Minnesota Data
Practices Act. This data is also subject to review and investigation at the discretion of
the City Administrator, department heads, IT Coordinator, and/or law enforcement.
The City Clerk should be contacted with questions regarding the classification of public
and private data.
Data Ownership: All information developed or introduced to a City technology system
by a user in conjunction with employment with the City is the property of the City.
Data Storage: All City data must be saved to a network drive on a City server.
Users are responsible for deleting outdated files that are no longer needed for the
compliancy of the City Records Retention Schedule; this includes data files and e-mail
messages. The City Clerk should be contacted with questions regarding the City
Records Retention Schedule.
Data Back-up: The IT department backs up all data stored on the file servers.
Workstation hard drives or any other devices are not backed up.
Portable files: To facilitate off-site work, users may copy appropriate files to and from
diskettes/CDs including word processing, spreadsheets, and presentation graphic files.
No other files or information may be copied to or from the City computers. A current
copy of the portable file(s) must be maintained on the City server.
Password Protection: If any software product that the City has purchased has the
option to have files password protected, the password must always be shared with the
appropriate management personnel and/or the IT Coordinator.
E. Portable Information Systems
Portable personal computer(s), digital cameras, projectors, and other City owned
portable equipment can be used for City business, outside of City facilities. When users
check out portable equipment they are expected to provide appropriate "common
sense" protection against theft, accidental breakage, environmental damage and other
risks. Employees found to have been careless with portable equipment shall be
responsible for the cost of its repair and/or replacement.
Desktop computers and attached devices are not to be removed from City buildings.
The user is responsible for the back up of or loss of any data stored on the standalone
or portable computer. IT staff is available to assist in the development of procedures
for disaster recovery of portable units.
F. Personal Digital Assistants (PDA)
Users acting within the scope of their job responsibilities and with department head
approval may purchase a Personal Digital Assistant (PDA) from an IT approved and
published list of brands and models. IT staff will install approved PDA's on City owned
equipment. PDA's purchased with City funds shall remain the property of the City when
an individual's term of employment with the City ends.
G. Electronic Mail (e-mail)
The City e-mail system is a tool to be used for matters directly related to the business
activities of the City and as a means to provide services that are efficient, accurate,
timely and complete. E-mail messages are subject to regulation under the Minnesota
Data Practices Act. The contents of the message determine whether a message is
public or non-public/private. E-mail is intended as a medium of communication, not
for information storage; therefore, e-mail should not be used for the storage or
maintenance of official City records or other City information. Users may occasionally
receive inappropriate and unsolicited e-mail messages. Any such messages should be
reported immediately to the IT department.
Inappropriate non-business use of the City e-mail system includes, but is not limited to:
the transmission of non-business audio, graphic or movie files (to include streaming
audio and video, MP3, Jpg, Tif, Gif, Mpg, AVI etc.); games; jokes; instant messaging;
content of an offensive or pornographic nature; copyrighted material and large data
files not directly related to City business. These items must not be sent or accepted as
e-mail attachments. These types of files can be large and affect the network or
computer performance or carry viruses. The city's network will be scanned periodically
and all unauthorized MP3 files saved on the city's servers will be deleted without notice.
Should IT staff detect repeated inappropriate use of the City e-mail system by individual
employees, they shall report such use to the appropriate department head.
Employees are responsible for ensuring that their email boxes do not exceed the size
limit established by the IT Coordinator. The City retains the right to use management
software to eliminate the delivery of junk e-mail (SPAM), including e-mails that contain
profanity.
If retention of any message is warranted beyond that period, the message should be
moved to a permanent storage area such as a department file directory on a City
server.
H. Internet
The Internet is available to users for research, education, and communications directly
related to the mission, charter, or work tasks of the City. Users must honor copyright
laws regarding protected commercial software or intellectual property. Users of the
Internet should minimize unnecessary network traffic that might interfere with the
ability of others to make effective use of this shared network resource. Use of the
Internet through City computers is a privilege, not a right, which may be revoked at any
time for abusive conduct. Users are responsible for adhering to City standards when
browsing the Internet. Failure to adhere puts the City and the individual at risk for
legal or financial liabilities, potential embarrassment and other consequences.
The City retains the right to use management software to monitor end user activity.
This software may monitor and limit Internet activity in order to ensure the most
efficient use of the valuable resource.
I. Prohibited Use
Use of City IT systems is strictly prohibited at all times:
- For illegal activities;
- For profit or commercial activities;
- For any other public office or employment which is incompatible with City
employment responsibilities, as determined by the City Administrator;
- For wagering, betting, or selling chances;
- For annoying or harassing other individuals;
- For fund-raising, except for City approved activities;
- For any political or religious activities;
- For unethical activities.
J. Personal Use
The City of Shakopee offers users the privilege of personal use of its technology.
Recognizing that users will benefit from practice using technology, personal use is
allowed under the guidelines listed below:
- Personal use of the basic Microsoft Office suite of programs is permissible;
however, personal use of specialized City software, such as PIMS, CAD, etc.,
must have prior approval of the employee's supervisor.
- Employees are responsible for controlling access to the City's hardware, software
and peripherals and will be responsible for any damage caused by individuals
gaining access through that employee.
- Personal use is permitted only before and after regular business hours and only
when other City business is not to be performed on the systems.
- Users must use their own media (disks, CD's) and paper. No personal files or
data are to be stored on the City file servers.
- Users must not use IT systems for items listed above in Prohibited Use.
1) E-mail: E-mail may be used for limited personal correspondence, as long as it does
not interfere with the normal duties of the employee and does not constitute one of the
Prohibited Uses listed above. Using the City e-mail system to distribute information to a
non-business related listserve or broadcast mailing list is prohibited.
Inappropriate non-business use of e-mail can cause a burden on resources or carry
viruses. Examples of this include, but are not limited to: the transmission of
non-business audio, graphic or movie files (to include streaming audio and video, MP3, Jpg,
Tif, Gif, Mpg, AVI, etc.); games; jokes; instant messaging; content of an offensive or
pornographic nature; copyrighted material and large data files not directly related to
business.
2) Internet: Internet access may be used for limited personal use as long as it does
not interfere with the normal duties of the employee and does not constitute one of the
Prohibited Uses listed above.
Inappropriate non-business use includes, but is not limited to: audio, graphic or movie
files (to include streaming audio and video, MP3, Jpg, Tif, Gif, Mpg, AVI, etc.); games;
jokes; instant messaging; content of an offensive or pornographic nature; copyrighted
material and large data files not directly related to City business. These items must not
be downloaded from the Internet. These types of files can be large and affect the
network or computer performance or carry viruses.
3) Desk Telephones: Desk telephones may be used for limited personal use as long
as it does not interfere with the normal duties of the employee and does not constitute
one of the Prohibited Uses listed above. In the event that an employee needs to make
a personal toll call, the preferred method of payment is a personal calling card. If a
situation arises where you do not have access to a personal calling card you must notify
the finance department of the date, time and location of where the call was placed.
The charge for the call will be the actual charge, plus tax, that would normally be
incurred by the City. Payment is due within 7 days after receipt of the long distance
bill.
4) Cellular Telephones: In those cases where job duties result in an employee
having a city-issued cellular telephone and/or city-funded cellular phone service,
personal use of that phone or phone service should be kept to a minimum. However,
employees may use their city-funded phone service for personal use during specified
days and times when minutes are free and unlimited. In no case shall a city-issued
telephone or city-funded phone plan be utilized for any of the prohibited uses listed in
Section 1.
5) Copiers, Fax Machines, Printers: Users will reimburse the City for personal
copies, faxes, and print requests, at the rate listed in the City fee schedule. Personal
use fees must be reimbursed within 24 hrs from the date the expense was incurred.
III. Information Technology Security
A. Logins and Passwords
All users must use and maintain unique login IDs for computer and network-related
access. Login IDs are not to be shared with others, and corresponding passwords must
remain confidential. Multi-user or generic login IDs are permissible only in special
circumstances approved and maintained by IT. User passwords must adhere to the
following requirements:
- Be at least six alphanumeric characters in length.
- Must be changed every 90 days.
- Have at least one character from three of the following four categories:
upper-case letters, lower-case letters, numbers, symbols. (Examples: Password5 or
3password!)
- Have not been previously used in the last three password rotations.
Appropriate network access shall be assigned by the IT department to each user login
ID, and users may only log into computers and equipment with their assigned login ID.
Passwords are not to be shared with anyone, and will be forced to change periodically.
New passwords should not be easily guessed. Anyone forgetting their password, or
suspecting that their password's security has been compromised, may contact the IT
department to be issued a new one, which must then be changed immediately.
B. Physical Security
City users are expected to provide reasonable security to their computer workstations
and related IT equipment. This includes ensuring that passwords are not written down
in accessible places, that removable media is kept in a secured area, and that
confidential data is not displayed in such a manner that unauthorized personnel can
view it.
Users are required to log off computer workstations when absent for an extended time,
such as end of day. Users may, however, "lock" their workstation instead when absent
for a short period of time, such as during a meeting or over lunch. Computer
workstations will automatically lock after 15 minutes of inactivity.
All IT equipment is City property and must remain on current premises. Users may not
move IT equipment outside of its assigned area without prior approval from the IT
department. Designated portable equipment, such as projectors, laptop computers,
and digital cameras, may be removed from City buildings only for City business.
Portable equipment must be reserved and checked out only to City users. Users are
expected to provide appropriate "common sense" protection against theft, breakage,
environmental damage, and other risks.
C. Virus Protection
All computer workstations, laptops, and servers will be protected from viruses using
up-to-date antivirus software installed system-wide by the IT department. Users may not
alter their system's configuration or take other steps to defeat virus protection devices
or systems. All files on removable media must be scanned for viruses prior to
installation onto or access from City computer equipment. Any files suspected or
known to contain viruses must be immediately reported to the IT department for proper
handling.
D. Remote Network Access
Remote access is defined as the ability to connect to a computer or network from a
distance, such as from home, hotel, conference, Internet kiosk, etc. Remote access
into the City's network, or any City-owned device, may be granted under certain critical
circumstances and upon meeting the following conditions:
- Business-related purpose approved by requesting department head and IT
Coordinator.
- Use of industry standard encryption and/or City supported VPN (Virtual Private
Network) technology.
- Authentication and access control will be maintained via the City's domain. Valid
network login and passwords are required.
- While remotely connected, nobody but the authorized user may have access to
the computer making the connection.
- Remote computer must comply with current anti-virus and security parameters
as specified by the IT department.
All remote users are subject to the rules and regulations set forth in this entire policy
for all network users. Users should follow proper data practices protocols as directed
by the Minnesota State Statutes. Storing of business related information on a home
computer creates an extension of the member's network; thus anything stored on that
computer might be subject to public data requests.
E. Wireless Access
Unauthorized wireless access into the City's computer network is strictly prohibited.
Wireless access is defined as, but not limited to, 802.11 (Wi-Fi), Bluetooth, WiMax, and
cellular technologies. Users may not attempt to scan, connect to, or install any wireless
computing device on City equipment or property. Wireless access must be authorized
and configured by the City's IT department. Any authorized wireless access must utilize
standards-based encryption, and conform to adopted security practices as governed by
LOGIS and/or state and federal government guidelines.
Glossary of Terms
Configuration: The way a system is set up or the assortment of components that
make up the system. Configuration can refer to either hardware or software or the
combination of both.
Downloads: To copy data, usually an entire file, from a main source to a computer
device. The term is often used to describe the process of copying a file from an online
service or bulletin board service to a computer. Downloading can also refer to copying
a file from a network file server to a computer on the network.
Electronic Mail (e-mail): A network application that allows users to exchange
messages over communications networks with someone else.
File Server: An enhanced computer with network operating software that is used for
file storage, application functionality, and managing network resources.
Information Technology (IT): Managing and processing information.
Information Technology Systems: Includes, but not limited to, computers, printers,
software, e-mail, Internet, telephone, voice mail, and others.
Internet: A global network connecting millions of computers.
Local Area Network (LAN): A computer network.
Licensing: Legal compliancy of assets.
PDA's: Personal Digital Assistants (i.e. Palm Pilots)
Software: System software includes the operating system and all utilities that enable
the computer to function. Application software includes programs that do real work for
users (i.e. word processors, spreadsheets, and database management systems).
Portable Equipment: Hardware that is small and lightweight (i.e. laptop computers,
hand-held computers, PDA's, projectors, digital cameras).
Users: regular, part-time, and temporary employees, vendors, consultants, volunteers,
interns, and others.
City of Shakopee
Information Technology Policy Receipt
I have received the City of Shakopee Information Technology Policy and understand
that it applies to me. I understand that this receipt will be filed with my personnel
records.
Employee Name (Please PRINT)
Signature of Employee
Date