Item 05b

Memorandum

To: Mayor Little
    Council Members
From: Danny Barth, IS Manager
Copy: Steven Mielke, City Administrator
      Cindi Joosten, HR Manager
      Dennis Feller, Finance Director
Date: June 21, 2013
Subject: Information Systems Policy Review

City of Lakeville Information Systems

The City has an Information Systems Policy which needs to be updated. The proposed policy is designed and written using accepted best practices and industry standards for computer technology.

The purpose of the Information Systems Policy is to set standards and maintain appropriate security to protect the City from:
o Business interruption
o Unauthorized or inappropriate access
o Maintain reliable access to data necessary for staff duties

This policy also provides guidance and standards which maintain compliance with:
o Federal and State regulations
o Policy compliance
o PCI standards

The most significant changes include:
o Addition of Smart devices / technologies
o Retention of electronic mail set at 365 days

Many of the policy changes are format related. The redlined version of the policy is not included in the council packet because it is burdensome to read and created more confusion than benefit, in staff's opinion. If council concurs, the policy will be included with the July council meeting agenda for approval. Mandatory staff training sessions will be conducted in the coming months.

Staff recommendation: Approval of Information Systems Policy.

CITY OF LAKEVILLE POLICY MANUAL
SECTION 2
INFORMATION SYSTEMS POLICY
INFORMATION SYSTEMS

1.00 Information Systems Policy Introduction

1.01 Purpose
The purpose of the City of Lakeville IS Policy is to set standards to protect the City's IS systems from business interruption, unauthorized or inappropriate access, and maintain appropriate security.
The policy is to be adhered to by all users (regular, part-time, and temporary employees, vendors, consultants, volunteers, interns, and others) who have access to or use the City of Lakeville IS systems both on and off City property. IS systems include, but are not limited to, computers, e-mail, Internet, printers, software, telephone, voice mail, and others.

1.02 Auditing
The City of Lakeville reserves the right to monitor and audit use of its IS systems at any time without user's consent. An audit may result in the removal of hardware and/or software not compliant with this policy.

1.03 Reporting
Users should notify their immediate supervisor, the IS Manager, the Human Resources Manager, the City Administrator or any member of management upon learning of violations of this policy.

1.04 Expectation of Privacy
As a government agency, the City is subject to public disclosure laws. All files and documents, including personal messages and Internet logs, are owned by the City and may be subject to open records requests under law. Users should have no expectation of privacy.

1.05 Violation of Policy
Violations of this policy will be addressed consistent with the City's Personnel Policies.

2.00 Information Systems Use

2.01 Purpose
Inform and provide direction to all users regarding appropriate usage and management of the City's IS systems and resources. All users must be authorized to use City IS systems through user's department head, supervisor, or IS.

2.02 Hardware and Software Acquisition
The IS Manager must approve all hardware and software prior to acquisition to ensure consistency with the design and architecture of the City's IS network. Users are prohibited from installing, downloading, or acquiring hardware and software, including product demonstrations, without prior approval from the IS Manager. Software applications not required for official City business are strictly prohibited from installation on the City's IS Network.

2.03 Installation, Downloads, and Configuration
No user will be allowed to manipulate hardware and software standard configurations. The IS department must always be contacted for hardware and software support. No user should change the computer setup or configuration files. Customizing a computer should be limited to items including City-owned software such as wallpaper, screen savers, icons, toolbars and colors. Users are prohibited from downloading or installing any software, including personal, through the Internet, e-mail, and/or vendor demonstrations without prior approval from the IS department.

2.04 Licensing
a. To ensure license compliancy all software must be purchased by and licensed to the City.
b. Development: Any software programs, i.e., custom designed Microsoft Access databases, developed for use by the City, become the property of the City. Software programs may not be sold or distributed without prior approval.
c. Home: City-owned software may not be loaded on non-City owned equipment unless there is prior approval of department head and IS Manager.
d. Copyright Laws: City users are required to abide by software and documentation copyright laws and licensing agreements. If there is any question about the legality of the software and documentation, it should be directed to the IS Manager. At no time should any users make copies of City-owned software and documentation. To prove legal ownership of software, the City must have the original media and manuals stored on City property. The IS Manager will periodically check for software that may be in violation of the above policy.

3.00 Data Management and Protection

3.01 Under the provisions of the Minnesota Data Practices Act, all data stored on computer media owned, leased or rented by the City is considered to be owned by the City and for the most part is non-private/public, including information stored on local hard drives.
Data is subject to the Minnesota Data Practices Act and its use and dissemination is consistent with the data classification under the Minnesota Data Practices Act. This data is also subject to review and investigation at the discretion of the City Administrator, department heads, IS Manager, and/or law enforcement. The City Clerk should be contacted with questions regarding the classification of public and private data.

3.02 Data Ownership: All information developed or introduced to a City technology system by a user in conjunction with employment with the City is the property of the City.

3.03 Data Storage: All City data must be saved to a network drive on a City server. Users are responsible for deleting outdated files that are no longer needed for the compliancy of the City Records Retention Schedule; this includes data files and e-mail messages. The City Clerk should be contacted with questions regarding the Minnesota General Records Retention Schedule for Cities.

3.04 Data back-up: The IS department backs up all data stored on the file servers. Workstation hard drives or any other devices are not backed up.

3.05 Portable files: To facilitate off-site work, users may copy appropriate files to and from diskettes/CDs including word processing, spreadsheets, and presentation graphic files. No other files or information may be copied to or from the City computers. A current copy of the portable file(s) must be maintained on the City server.

3.06 Password protection: If any software product that the City has purchased has the option to have files password protected, the password must always be shared with the appropriate management personnel and/or the IS Manager.

4.00 Portable Information Systems

4.01 Portable personal computer(s), digital cameras, projectors, and other City owned portable equipment can be used for City business, outside of City facilities.
When users check out portable equipment they are expected to provide appropriate "common sense" protection against theft, accidental breakage, environmental damage and other risks. Desktop computers and attached devices are not to be removed from City buildings. The user is responsible for the backup of or loss of any data stored on the standalone or portable computer. IS staff is available to assist in the development of procedures for disaster recovery of portable units.

5.00 Electronic Mail (e-mail)

5.01 The City e-mail system is a tool to be used for matters directly related to the business activities of the City and as a means to provide services that are efficient, accurate, timely and complete. E-mail messages are subject to regulation under the Minnesota Data Practices Act. The contents of the message determine whether a message is public or non-public/private. E-mail is intended as a medium of communication, not for information storage; therefore, e-mail should not be used for the storage or maintenance of official City records or other City information. Users may receive inappropriate and unsolicited e-mail messages. Any such messages should be reported immediately to the IS department.

5.02 Inappropriate non-business use of the City e-mail system includes, but is not limited to: the transmission of non-business audio, graphic or movie files (to include streaming audio and video, MP3, Jpg, Tif, Gif, Mpg, AVI etc.); games; jokes; instant messaging; content of an offensive or pornographic nature; copyrighted material and large data files not directly related to City of Lakeville business. These items must not be sent or accepted as e-mail attachments. These types of files can be large and affect the network or computer performance or carry viruses.

5.03 All e-mail messages will automatically be deleted from the system 365 days after receipt.

5.04 All e-mail messages should be deleted from the electronic mail system within 30 days of receipt.
If retention of any message is warranted beyond that period, the message should be moved to a permanent storage area such as a department file directory on a City server.

5.05 The City retains the right to use management software to eliminate the delivery of junk e-mail (SPAM), including e-mails that contain profanity.

6.00 Internet

6.01 The Internet is available to users for research, education, and communications directly related to the mission, charter, or work tasks of the City. Users must honor copyright laws regarding protected commercial software or intellectual property. Users of the Internet should minimize unnecessary network traffic that might interfere with the ability of others to make effective use of this shared network resource. Use of the Internet through City computers is a privilege, not a right, which may be revoked at any time for abusive conduct. Users are responsible for adhering to City standards when browsing the Internet. Failure to adhere puts the City and the individual at risk for legal or financial liabilities, potential embarrassment and other consequences.

6.02 The City retains the right to use management software to monitor end user activity. This software may monitor and limit Internet activity in order to ensure the most efficient use of the valuable resource.

7.00 Intranet

7.01 City of Lakeville Intranet is an internal website for use exclusively by users. The site is accessible through web browsers using a City computer; however, the City's firewall makes the site unavailable to people browsing from the Internet outside of the City network. Users are the primary audience for Intranet information.

7.02 The IS department will coordinate with departments to provide tools, training and other assistance so that departments can publish and maintain their department information. Interactive application development, such as web-enabled databases, will be handled through the IS department's application development process.

8.00 Prohibited Use

8.01 Use of City IS systems is strictly prohibited at all times:
a. For illegal activities;
b. For profit or commercial activities;
c. For any other public office or employment which is incompatible with City employment responsibilities, as determined by the City Administrator;
d. For wagering, betting, or selling chances;
e. For annoying or harassing other individuals;
f. For fund-raising, except for City approved activities;
g. For any political or religious activities;
h. For unethical activities.

9.00 Personal Use

9.01 The City of Lakeville offers users the privilege of personal use of its technology. Recognizing that users will benefit from practice using technology, personal use is allowed using the guidelines listed below:
a. Users must obtain their immediate supervisor's approval prior to personal use of IS systems.
b. Only City users are to use the computers and computer related peripherals.
c. Personal use is permitted only before and after regular business hours and only when other City business is not to be performed on the systems.
d. Users must use their own media (disks, CD's) and paper. No personal files or data are to be stored on the City file servers.
e. Users must not use IS systems for items listed above in Prohibited Use.

9.02 E-mail: E-mail may be used for personal correspondence, as long as it does not interfere with the normal duties of the employee and the above guidelines are followed. Using the City Internet e-mail to participate in any kind of non-business related list-serves or broadcast mailing list is prohibited.

9.03 Inappropriate non-business use of e-mail can cause a burden on resources or carry viruses.
Examples of this include, but are not limited to: the transmission of non-business audio, graphic or movie files (to include streaming audio and video, MP3, Jpg, Tif, Gif, Mpg, AVI, etc.); games; jokes; instant messaging; content of an offensive or pornographic nature; copyrighted material and large data files not directly related to business.

9.04 Internet: Internet access may be used for personal use as long as it does not interfere with the normal duties of the employee and the above guidelines are followed.

9.05 Inappropriate non-business use includes, but is not limited to: audio, graphic or movie files (to include streaming audio and video, MP3, Jpg, Tif, Gif, Mpg, AVI, etc.); games; jokes; instant messaging; content of an offensive or pornographic nature; copyrighted material and large data files not directly related to LOGIS business. These items must not be downloaded from the Internet. These types of files can be large and affect the network or computer performance or carry viruses.

9.06 Desk telephones: Desk telephones may be used for personal use as long as it does not interfere with the normal duties of the employee and the above guidelines are followed. In the event that an employee needs to make a personal toll call, the preferred method of payment is a personal calling card. If a situation arises where you do not have access to a personal calling card you must notify the Finance department of the date, time and location of where the call was placed. The charge for the call will be the actual charge, plus tax, that would normally be incurred by the City. Payment is due within 7 days after receipt of the long distance bill.

9.07 Cellular telephones: The City does recognize that occasionally users may need to use the City issued cellular telephone for personal use. Users of City-owned cellular phones will be issued, on a monthly basis, a copy of the cellular telephone bill.
All personal calls must be reimbursed within 7 days of receiving a copy of the bill. There may be instances when job duties require that users work beyond regular hours or require an overnight stay or the inability to get to a desk telephone. In those instances, users may make nominal personal calls to notify family. The City of Lakeville will view those calls as work related and the City will cover those charges.

9.08 Copiers, Fax Machines, Printers: Users will reimburse the City of Lakeville for personal copies, faxes, and print requests, at the rate listed in the City fee schedule. Personal use fees must be reimbursed within 24 hours from the date the expense was incurred.

10.00 iPad/Tablet Device

10.01 Purpose
These guidelines pertain to city employees and Council Members who are issued a device purchased by the city. The purpose of these guidelines is to outline the responsibilities and care required for city-issued iPad or tablet devices.

10.02 The devices are intended to be utilized by staff members and Council Members for the purpose of enhancing meeting workflow, reducing the use of paper agenda packet materials, improving staff efficiency, and improving the timeliness of Council, staff and resident communication.

11.00 City Use

11.01 Issued devices are intended for professional use. The city does not maintain loaner devices, so users will be responsible for conducting meetings without a device in the event of a lost or misplaced device.
a. Devices shall be maintained in a suitably charged state during work hours.
b. Inappropriate media may not be used as a screensaver or background photo.
c. Devices will be secured with a minimum four (4) digit numeric pass code.
d. Sound shall be muted at all times unless needed for instructional purposes.
e. Personally-owned music, games and apps may only be present on city-issued device when using a personal Apple ID iTunes account.
f. In case a device is restored to its original condition, the user is responsible for restoring any personal content.
g. City staff is not responsible for backing up personal related content.
h. Users may save work locally on the device. It is strongly recommended that users utilize the city-designated online storage technology.
i. Information stored on the iPad or tablet device could be classified as public, private, or other data and is governed by the Minnesota Government Data Practices Act (MN Statute Chapter 13) and must be treated accordingly.
j. Staff and Council Members should retain information stored on the iPad or tablet device in keeping with city policies and procedures per the Minnesota General Records Retention Schedule for Cities.

12.00 Personal/Home Use

12.01 The iPad or tablet device is a powerful computing tool. City-issued devices may be taken home provided the use is consistent with the Email/Internet portion found in the Personnel Policy Manual. Failure to adhere to the policy shall result in the revocation of such use privilege.
a. Users are allowed to connect devices to non-city wireless networks.
b. While instruction and advice may be offered, city staff is not responsible for home network use or support.
c. It is the policy of the city to maintain the right to access and disclose any and all messages communicated through electronic means when city issued equipment is used. Regardless of the intent of the message (business or personal), any employee involved has no right to privacy, or to the expectation of privacy, concerning the content of any message or the intended destination of any message when using city-issued equipment.

13.00 iPad Care

13.01 Users will be held responsible for the maintenance and care of assigned communication devices.
a. Keep batteries charged and ready for use at meetings.
b. Clean the view screen with a soft, dry cloth or anti-static cloth as needed.
c. Do not lean or place anything on the screen that may cause damage.
d. Utilize the protective case at all times.
e. When not in use, store in a secure location. Never leave in an unlocked car or any other theft-prone area.
f. Immediately report lost, stolen, malfunctioning or damaged devices to the IS division.
g. Stolen devices must be reported immediately to the local authorities.
h. Consult with IS before connecting or syncing devices to another computer.

14.00 Application Software

14.01 All software applications purchased and installed by city staff must remain on the device in a usable condition and be accessible at all times. Users are responsible for personal software applications and are responsible for installation and backup.
a. Software purchased by the city will be done through the city Apple ID iTunes or similar account.
b. Users are allowed to purchase and download personal applications providing they are not profane, obscene or offensive to others.
c. The city is not responsible for the loss of any personal software applications when the device is updated, tested with diagnostic tools or restored to its original state.
d. Storage space needed for city applications will take precedence over space used for personal items.

15.00 Mobile Device Management (MDM) Software

15.01 All smart devices connecting to the City e-mail server or containing city purchased applications are required to have City IS approved mobile device management software installed and maintained to permit remote wipe capabilities in the event the device is lost or stolen.

16.00 Information Systems Security

16.01 Purpose
Ensure security; protect, and allow appropriate access to City of Lakeville IS systems and resources.

16.02 Logins and Passwords
All users must use and maintain unique IS-issued login IDs for computer and network-related access. Login IDs are not to be shared with others, and corresponding passwords must remain confidential.
Multi-user or generic login IDs are permissible only in special circumstances approved and maintained by IS. User passwords must adhere to the following requirements:
a. Have a minimum of at least eight alphanumeric characters in length.
b. Must be changed every 90 days.
c. Have at least one numeric digit as well as letters, for example: jarg0n5
d. Have not been previously used in the last ten password rotations.

16.03 Appropriate network access shall be assigned by the IS division to each user login ID, and users may only log into computers and equipment with their assigned login ID. Passwords are not to be shared with anyone, and will be forced to change periodically. New passwords should not be easily guessed. Anyone forgetting their password, or suspecting that their password's security has been compromised, may contact the IS division to be issued a new one, which must then be changed immediately.

17.00 Physical Security

17.01 City users are expected to provide reasonable security to their computer workstations and related IS equipment. This includes ensuring that passwords are not written down in accessible places, removable media must be kept in a secured area, and that confidential data is not displayed in such a manner that unauthorized personnel can view it.

17.02 All IS equipment is City property and must remain on current premises. Users may not move IS equipment outside of its assigned area without prior approval from the IS department. Designated portable equipment, such as projectors, laptop computers, and digital cameras, may be removed from City buildings only for City business. Portable equipment must be reserved and checked out only to City users. Users are expected to provide appropriate "common sense" protection against theft, breakage, environmental damage, and other risks.

17.03 Users are required to log off computer workstations when absent for an extended time, such as end of day.
Users may, however, "lock" their workstation instead when absent for a short period of time, such as during a meeting or over lunch.

18.00 Malware/Virus Protection

18.01 All computer workstations, laptops, and servers must be protected from malware/viruses using up-to-date software. Users may not alter their system's configuration or take other steps to defeat protection devices or systems. All files on removable media must be scanned for malware/viruses prior to installation onto or access from City computer equipment. Any files suspected or known to contain malware/viruses must be immediately reported to the IS department for proper handling.

19.00 Remote Network Access

19.01 Remote access is defined as the ability to connect to a computer or network from a distance, such as from home, hotel, conference, Internet kiosk, etc. Remote access into the City's network, or any City-owned device, may be granted upon meeting the following conditions:
a. Business-related purpose approved by requesting department head and IS Manager.
b. Use of industry standard encryption and/or City supported VPN (Virtual Private Network) technology.
c. Authentication and access control will be maintained via the City's domain. Valid network login and passwords are required.
d. While remotely connected, nobody but the authorized user may have access to the computer making the connection.
e. Remote computer must comply with current anti-virus and security parameters as specified by the IS department.

19.02 All remote users are subject to the rules and regulations set forth in this entire policy for all network users. Users should follow proper data practices protocols as directed by the Minnesota State Statutes. Storing of business related information on a home computer creates an extension of the member's network; thus anything stored on that computer might be subject to public data requests.

20.00 Wireless Access

20.01 Unauthorized wireless access into the City's computer network is strictly prohibited. Wireless access is defined as, but not limited to, 802.11 (Wi-Fi), Bluetooth, WiMax, and cellular technologies. Users may not attempt to scan, connect to, or install any wireless computing device on City equipment or property. Wireless access must be authorized and configured by the City's IS department. Any authorized wireless access must utilize standards-based encryption, and conform to adopted security practices as governed by LOGIS and/or state and federal government guidelines.

20.02 The City does maintain a "public" wireless connection for the use and benefit of visitors to our facilities. This connection is limited to Internet connection only and security protocols are maintained to prevent public access to the City network.

21.00 Glossary of Terms

• Configuration: The way a system is set up or the assortment of components that make up the system. Configuration can refer to either hardware or software or the combination of both.
• Downloads: To copy data, usually an entire file, from a main source to a computer device. The term is often used to describe the process of copying a file from an online service or bulletin board service to a computer. Downloading can also refer to copying a file from a network file server to a computer on the network.
• Electronic Mail (e-mail): A network application that allows users to exchange messages over communications networks with someone else.
• File Server: An enhanced computer with network operating software that is used for file storage, application functionality, and managing network resources.
• Information Technology / Systems (IT/IS): Managing and processing information.
• Information Technology Systems: Includes, but not limited to, computers, printers, software, e-mail, Internet, telephone, voice mail, and others.
• Internet: A global network connecting millions of computers.
• Intranet: Network-based access accessible only within an organization. An Intranet's Web sites look and act just like any other Web site, but firewall security restricts unauthorized access.
• Local Area Network (LAN): A computer network.
• Licensing: Legal compliancy of assets.
• PDA's: Personal Digital Assistants (i.e. Palm Pilots).
• Software: System software includes the operating system and all utilities that enable the computer to function. Application software includes programs that do real work for users (i.e. word processors, spreadsheets, and database management systems).
• Portable Equipment: Hardware that is small and lightweight (i.e. laptop computers, hand-held computers, PDA's, projectors, digital cameras).
• Users: regular, part-time, and temporary users, vendors, consultants, volunteers, interns, and others.