08.E - Information Technology

RESOLUTION (ID #2001)
DOC ID: 2001 B

CITY OF SAN BERNARDINO—REQUEST FOR COUNCIL ACTION
Information/Report

From: Lea Deesing
M/CC Meeting Date: 03/18/2013
Prepared by: Lea Deesing, (909) 384-5947
Dept: Information Technology
Ward(s): All

Subject: Resolution of the Mayor and Common Council of the City of San Bernardino Adopting a Technology Use Policy. (At Meeting of January 22, 2013, Item Continued to February 19, 2013; Item Continued to March 4, 2013; Item Continued to March 18, 2013.)

Current Business Registration Certificate: Not Applicable

Financial Impact: Upon adoption of the proposed Technology Use Policy, the City expects to save approximately $6,000 per year due to a reduction in off-site tape storage requirements.

Motion: Table the matter.

Synopsis of Previous Council Action: No previous council action has been taken. This policy replaces Department/Director Letter Number 70, dated August 14, 2000, entitled, "Internet Access, E-Mail Usage, and RAS (Remote Access Service) Policy."

Background: This Technology Use Policy will provide employees updated guidelines for the appropriate use of all technology resources provided by the City. These resources include computers, servers, printers, scanners, software, Internet, Intranet, land-line phones, mobile phones, smart phones, and all other technology-related items.

The current policy is in the form of a Department/Director Letter (DDL) dated August 14, 2000, is incomplete and outdated, and does not require written acknowledgement and agreement of terms and conditions. The new policy is much more comprehensive and covers existing and emerging technologies such as employee use of social media and "bring your own device" (BYOD).

In order to use the City's technology resources, all City employees, consultants, interns, volunteers, and elected and appointed officials will be required to sign and agree to the terms contained within the Technology Use Policy.
Staff will complete implementation of this policy within one year of its approval.

City Attorney Review:
Supporting Documents:
Reso - Technology Use Policy (DOC)
Attachment "A" - Technology Use Policy (DOCX)

Updated: 3/12/2013 by Linda Sutherland B

RESOLUTION NO.

RESOLUTION OF THE MAYOR AND COMMON COUNCIL OF THE CITY OF SAN BERNARDINO ADOPTING A TECHNOLOGY USE POLICY.

BE IT RESOLVED BY THE MAYOR AND COMMON COUNCIL OF THE CITY OF SAN BERNARDINO AS FOLLOWS:

SECTION 1. That the Mayor and Common Council hereby adopt a Technology Use Policy, a copy of which is attached hereto marked Attachment "A", and incorporated herein as though fully set forth at length.

SECTION 2. That staff is directed to begin implementation of the Technology Use Policy and complete implementation within one year of the passage of this Resolution.

I HEREBY CERTIFY that the foregoing Resolution was duly adopted by the Mayor and Common Council of the City of San Bernardino at a meeting thereof, held on the ___ day of ________, 2013, by the following vote, to wit:

Council Members:    AYES    NAYS    ABSTAIN    ABSENT
MARQUEZ
JENKINS
VALDIVIA
SHORETT
KELLEY
JOHNSON
MCCAMMACK

Georgeann Hanna, City Clerk

The foregoing resolution is hereby approved this ___ day of ________, 2013.

Patrick J. Morris, Mayor
City of San Bernardino

Approved as to form:
JAMES F. PENMAN, City Attorney
By:

CITY OF SAN BERNARDINO
Technology Use Policy

Number: Replaces DDL 70 Dated 5-14-00
Subject: Technology Use
Created: November 16, 2011

ARTICLE I. TABLE OF CONTENTS

Article II. Purpose
Article III. General Operating Procedures
Article IV. Access
    Section 4.01 Network and Internet Access
    Section 4.02 Email Access
    Section 4.03 Remote Access & BYOD (Bring Your Own Device)
Article V. Use
    Section 5.01 Appropriate Use
        (a) Internet Use
        (a) Incidental Use
        (b) Email Use & Guidelines
        (c) Social Media Use
        (d) Electronic Information Sharing
        (e) Employee Forum Posts on Intranet Site
    Section 5.02 Inappropriate Use
Article VI. Privacy
Article VII. Records Retention and Backups
    Section 7.01 Records Retention
    Section 7.02 Email Retention
    Section 7.03 Other Electronic File and Data Retention
    Section 7.04 File and Email Backups
        1. Backup Purpose
        2. Backup Retention Cycle
Article VIII. City Land-Line Phones, Mobile Phones, Smart Phones, and Pagers
    Section 8.01 City-Land-Line Phones
    Section 8.02 City-Issued Mobile & Smart Phones
    Section 8.03 Pagers
Article IX. Software
Article X. Security
    Section 10.01 Security Permissions and Access
    Section 10.02 Passwords
        (a) Password Changing Requirements
        (b) Password Guidelines
        (c) Password Protection Standards
        (d) Passphrases
Article XI. Accountability
    Section 11.01 Executive Management
    Section 11.02 Information Technology Department
Article XII. Agreement
    Section 12.01 Technology Use Agreement

This policy will provide guidelines for the appropriate use of all technology resources provided by the City of San Bernardino ("City"). Technology resources include computers, servers, printers, scanners, digital cameras, software, Internet, Intranet, land-line phones, mobile phones, Smart Phones, pagers, and all other technology-related items provided by the City.

The use of all technology resources by City employees, consultants, volunteers, interns, and/or appointed officials (collectively "Users") shall only be for purposes related to the individual's specific job duties or assignments. Technology resources are intended to enhance the City's communications and operational capabilities and to be used in support of the City's Mission Statement.

The Department Head, or her/his designee, shall authorize access to technology resources via a CRM system request, for Users in her/his department. Access to technology resources shall be granted based on the requirements of the job duties and assignments of each User. Users must sign the attached Technology Use Agreement which shall be maintained in the User's personnel file.
The "Technology Use Agreement" confirms that the User has read and understands the City's Technology Use Policy. In the event of an amendment to this document, each User will be required to review the revised document and sign a new "Technology Use Agreement" (to be placed in the individual's personnel file). Failure to sign the City's "Technology Use Agreement" may lead to the suspension of the User's access to technology resources.

The Department Head, or her/his designee, shall notify the IT Division via a CRM system request when a User's access to technology resources is no longer appropriate for any reason.

SECTION 4.01 NETWORK AND INTERNET ACCESS

Network and internet access includes, but is not limited to, the assignment of a network login ID and password and the assignment to specific network groups and applications.

The Department Head may authorize restricted network and internet access as necessary via a CRM request.

SECTION 4.02 EMAIL ACCESS

Email accounts shall be issued to all City employees and appointed officials upon hire or appointment. When necessary, the Department Head, or his/her designee, may authorize an email account to be issued to consultants, volunteers and interns.

SECTION 4.03 REMOTE ACCESS & BYOD (BRING YOUR OWN DEVICE)

The Department Head, or her/his designee, may authorize specific remote access, as herein described, and/or Users to connect their personally-owned devices to City servers, networks, emails or other technology resources, for Users who require communications from the field or from home as part of their regular job duties. Users shall not, under any other circumstance, attach personally-owned computers, laptops, tablets, or other devices directly to the City's network via a network cable or other access point.
This entire policy, including but not limited to rules on privacy, applies to City data accessed by any remote access method described herein. There are several remote access options available. For any of these options, Users are responsible for ensuring their devices are secure by maintaining the appropriate security and anti-virus software on such devices. Users are personally responsible to keep that software up-to-date at their own expense.

Remote Options Available:

• The City uses standard remote access software, such as GoToMyPC, for secure connection to the City's network, giving the User similar access that they would have when operating their City desktop computer. Remote access accounts are administered by the IT Division. (There is a cost associated with this option which will be charged to the User's department.)

• City email access can be made available via a web browser using an access method called "Outlook Web Access" (OWA). Instructions for using OWA to access City email can be obtained from the IT Division. (There may be a cost associated with this option which will be charged to the User's department.)

• City email access can be made available via a City-owned or personally-owned Smartphone, using the phone's built-in email setup application. Instructions for setting up such access can be obtained from the IT Division. (There may be a cost associated with this option which will be charged to the User's department.)

• Virtual Private Network (VPN) access may be made available to Users with a specific justification for such access.

Once the remote access account is set up by the IT Division, remote access connections can be made via the City's free public wireless access point, another public access point, or private home access point.

The City is not responsible for maintenance or repair of personally-owned devices used for remote access.
Additionally, personal wireless access points or "hot spots" must not be connected to the City's network due to the extreme security risks such devices present.

ARTICLE V. USE

The improper use of technology resources can undermine the confidence residents have in the City and its staff. As such, failure to adhere to these policies will be viewed as serious and any offending individual covered by this document shall be subject to the appropriate disciplinary action.

SECTION 5.01 APPROPRIATE USE

Professional standards of conduct shall be used to determine what is appropriate and acceptable use of technology resources. Technology resources are provided for the purpose of enabling Users to perform their designated job duties. Uses of City technology resources shall be restricted to work-related purposes and are provided for the purpose of conducting City business. See the following "Incidental Usage" exception.

(A) INTERNET USE

Use of the Internet is not private or confidential and is subject to monitoring and logging by the City's IT Division. Internet logging files are temporary, transitory files and are recycled every 2 weeks.

When using the Internet, exercise extreme caution when downloading files, programs, or attachments. No programs or executable files may be downloaded without permission from the IT Division. Programs often make changes to desktop systems which conflict with other City software. Therefore, no software, free or otherwise, may be installed on City desktops without permission from the IT Division.
(i) INCIDENTAL USE

Incidental and occasional personal use of the Internet on City equipment is permitted only with the consent of the User's Department Head and as long as such use does not interfere with the User's ability to fully and adequately accomplish her/his job duties and assignments. The User is responsible for his/her actions while accessing the City's computer network and the Internet and, as such, is expected to use sound judgment with respect to their use.

(B) EMAIL USE & GUIDELINES

Users shall not transmit the City's confidential information/data or sensitive information via unsecured email, unless expressly authorized by the Department Head.

Users shall not utilize the City email system for the advertising of personal items or services.

Users shall not read another person's email without authorization from that person or unless directed to do so by the City Manager, or her/his designee.

When sending or receiving email, the following guidelines apply:

1. Carefully select the recipients to receive an email. Send only to those that need the information.

2. Regularly check, open, read, delete and/or respond promptly if necessary to email.

3. When using email, extreme care must be exercised when downloading attachments, which are scanned automatically prior to delivery. Note that some attachments may be blocked if it is suspected that they contain a virus or other malware.

4. Be cautious when opening unsolicited email from any source, particularly an unrecognized source.

5. Questions regarding email and the Internet should be addressed to the City's IT Division staff.

6. Messages may have a "blind copy" designated by the sender, allowing individuals other than those to whom the message is sent to receive a copy of such without letting the recipient know about the additional copy. This feature should be used carefully and sparingly.
A blind copy recipient using the "Reply All" feature will include the original recipient and expose themselves as the blind copy recipient. It is more appropriate to send the bcc recipient a separate email so that such exposure does not occur.

7. Some attachments are disallowed by the City's email system, such as ".exe" files.

8. Email attachments will not be processed if they exceed the City's email system attachment size limit.

9. Email should not be sent under someone else's name or computer except as properly delegated through auditable email security permissions.

10. All electronic communications must be courteous, respectful, professional and business-like.

11. Electronic media may not be appropriate for the transmission of sensitive information. Where electronic media is appropriate for sensitive material, it must be transmitted securely.

(C) SOCIAL MEDIA GUIDELINES

The City will use social media sites as one means of communicating with citizens and businesses. Such use shall follow the same protocols and procedures as the City's Internet and Intranet Website and Social Media Policies. The City has several official social media sites which are maintained by designated City staff. Maintenance of the City's social media sites is currently restricted to the City Manager's office and designated IT staff. See the "City of San Bernardino Social Media Policy" for more information regarding maintenance of the City's social media sites.

Many City staff members have personal social media sites in which they participate. When participating in any social media on a personal basis, Users must not represent themselves as a spokesperson for the City.

There are guidelines for what City-related information can and/or should be posted on a personal site of a City employee:

1. Any information deemed confidential by the City must not be posted on a personal site under any circumstance.

2. Be aware that you may be perceived as representing the City by someone reading your site information. As such, any images, posts, or comments related to the City or City business could be construed to reflect the organization's views. You are encouraged to distinguish them as your own and not the City's.

3. Be aware that copyright laws apply to all online posts, so give proper attribution to avoid potential lawsuits.

4. You may not use the City seal or logo in any form.

(D) ELECTRONIC INFORMATION SHARING

Any request to supply electronic information to outside agencies, including but not limited to other agencies, entities or individuals, shall be handled in accordance with Departmental policies for providing such information. It is the responsibility of each department to determine the confidentiality level of information. It is the responsibility of each department to work, in conjunction with the City Manager, the Department Heads, the City Attorney, and/or the IT Division, to determine the appropriateness of any request for information.

Electronic information sharing includes, but is not limited to, the electronic transmission of information from any technology resource using any technology media. This can include, but is not limited to, diskettes, CD-ROM, DVD, tapes, disk drives, USB/Flash drives, File Transfer Protocol (FTP), or email attachments.
Approved information sharing that would require additional cost to the outside agency, due to City processing or programming costs, must be approved by a Department Head, Assistant City Manager, the Police Chief, or the City Manager and may be subject to City reimbursement for such costs on a time and materials basis. The standard rates or fees for such services shall be determined during the Finance Department's fee study process.

(E) EMPLOYEE FORUM POSTS ON INTRANET SITE

Users with access to the City's Intranet may use the Intranet's "Employee Forum Post" capability to advertise personal items or services as long as they are not disruptive, offensive to others, harmful to morale, or in violation of the law or City policies.

SECTION 5.02 INAPPROPRIATE USE¹

Technology resources must not be used in any manner that violates City rules, policies, or procedures. Use of any technology resources, services, or software provided by the City shall not be disruptive, offensive to others, harmful to morale, or in violation of the law or City policies. Technology resources shall not be used for any illegal, defamatory or harassing purpose. Inappropriate, illegal, or offensive use of technology resources by Users can result in disciplinary action.

Users shall not engage in any of the following prohibited activities:

A. Transmittal or broadcast over the City's computer network of anything in violation of any federal, state or local law, ordinance or regulation.

B. Transmittal or broadcast over the City's computer network of any material or communications which includes potentially offensive material or violates the City's affirmative action, sexual harassment, or violence in the workplace policies, or any other City policy.

C. Transmittal of inappropriate, derogatory, obscene, suggestive, defamatory, or harassing language.

D. Misrepresentation of a User's true identity.

E. Unauthorized access to any technology system.

F. Any action intended to accomplish or assist in unauthorized access to computer systems.

G. Unauthorized or improper downloading, accessing or transmittal of copyrighted material.

H. Transmittal of unauthorized broadcast communications or solicitations (such as mass email or phone calls).

I. Any action causing the City to incur a fee or charge which has no prior authorization.

J. Use of a security code or password other than as authorized.

K. Disclosing your username or password to anyone for any purpose.

L. Compromising the integrity of the City and its business in any manner.

M. Distribution of chain letters, spam, or other non-City or illegal communications.

N. Promotion of commercial, religious, or other non-City related activities.

O. Giving the impression that an individual is representing, giving opinion, or otherwise making statements on behalf of the City or any department or division of the City unless appropriately authorized to do so.

The City may apply filters to systems in an attempt to prevent inappropriate information, such as web sites or spam, from affecting City systems. The City does not guarantee that any such filter, if put in place, will prevent City employees from being impacted by such annoyances. City staff must use good judgment in deleting inappropriate material that arrives at their desktop.

¹ In some circumstances, law enforcement may be exempted from some of these restrictions if acting in accordance with assigned duties and authorized by the Chief of Police.

ARTICLE VI. PRIVACY

All technology resources and all the information contained therein are property of the City. No User has an expectation of privacy regarding the information contained in the City's technology resources.
Any media or communication created using the City's technology resources is considered at all times to be a City record and shall be subject to disclosure pursuant to the California Public Records Act. The City shall comply with all lawful requests for information pursuant to the California Public Records Act and any other applicable law or legal investigation.

The City has the capability to access, monitor, review, copy and/or disclose any electronic data stored on City systems. The City also employs technology to routinely screen electronic communications for such things as viruses or access to inappropriate web sites.

The City may make backup copies of electronic files. This means that files may be restored, even if the User believes the files have been deleted.

Investigation or review of email, web activity logs, or any other electronic activity logs shall be limited to appropriate personnel as authorized by the Police Chief or City Manager or his/her designee.

ARTICLE VII. RECORDS RETENTION AND BACKUPS

SECTION 7.01 RECORDS RETENTION

All correspondence and documents generated or stored on City computers fall under the City's Records Retention Schedule and must be stored according to that policy.

It is the responsibility of the individual sender, recipient, or the project manager to follow and apply the retention rules in the City's Records Retention Schedule.

SECTION 7.02 EMAIL RETENTION

Email messages concerning official City correspondence must be kept for the time period stated in the Records Retention Schedule. Users shall place such emails in the appropriate long-term storage folder provided as part of the City's email system.

Any email that does not concern official City correspondence shall not be moved to a long-term storage folder and should be deleted.
However, any email that is not deleted or moved to a long-term or litigation hold folder will be automatically placed in a permanent archive after 60 days.

It is the responsibility of the User to take the appropriate action to move such email into the designated long-term storage folder. The following email retention rules are to be understood and followed:

A. Users self-determine items for long-term, litigation hold, or deleted items folders;

B. Permanent Archived email will be automatically purged from archive after staying in archive for two years;

C. Items placed by the User into the long-term folder will be automatically purged after ten years; however, special, longer-term folders can be created upon request;

D. Email on Litigation hold will be retained until released by Police Professional Standards Office or City Attorney's office;

E. Personal Storage folders (PST files) are prohibited. If found, they will be merged into the main email system and standard archiving rules will then be applied;

F. Deleted items will be automatically purged from Users' deleted folders on a nightly basis.

SECTION 7.03 OTHER ELECTRONIC FILE AND DATA RETENTION

Electronic files concerning official City correspondence falling under the rules in the City's Record Retention Schedule must be kept for the number of years as stated in the Record Retention Schedule.

The User shall determine the nature of the electronic file, and retain the file for the required retention period.

The Department Head shall determine when a departmental database purge is necessary to comply with the City's Records Retention Schedule.

Internet logging files are retained for two weeks.

SECTION 7.04 FILE AND EMAIL BACKUPS

1. BACKUP PURPOSE

Users shall not store data files on a computer's desktop or local drives, as these are not backed up by the IT Division.
The City keeps file and email backups for the purpose of restoring in the event of a server failure, for disaster recovery purposes only. It is not the intent to use these backups to restore individual mailboxes or files for staff who may have deleted emails or files, or for any other reason unless provided through a court order, subpoena, or an official police investigation. E-mail recovery is built into the Users' desktop software for the purpose of recovering individual email messages in the event that they were accidentally deleted. Undelete software is also in place for the u:, s:, and t: drives, which would allow the IT Division, for a limited amount of time, to restore accidentally deleted data files stored in these locations.

2. BACKUP RETENTION CYCLE

The City provides daily backup protection of certain servers. Daily backups are retained for ten days. Weekly backups are rotated off-site. A total of four weekly backups are retained. Monthly backups are full backups made on a specific date and retained off-site for a period of two years. After two years, media will be recycled or retired.

ARTICLE VIII. CITY LAND-LINE PHONES, MOBILE PHONES, SMART PHONES, AND PAGERS

The City may provide land-line phones to Users whose job duties require telephone communication during regular business hours.

Mobile phones, smart phones, and pagers may be assigned to Users whose job duties require communication from the field or from home including after-hours communications, significant out-of-office time, or for on-call requirements.

SECTION 8.01 CITY-LAND-LINE PHONES

Users shall reimburse the City for the cost of incidental personal use of land-line phones in any amount over $1.00 per month. Users shall bring their phone bill and payment to the designated IT Division staff to process reimbursements.
SECTION 8.02 CITY-ISSUED MOBILE & SMART PHONES

Smart Phones are Personal Digital Assistants (e.g. iPhone, Droid, Blackberry) with mobile phone capabilities. Such devices are capable of dynamically synchronizing with the City's email servers for emails, appointments, contacts, and other specialized functions which may be necessary for certain job duties.

A. Department Heads, or other authorizing officials, shall submit email requests for Mobile/Smart Phones to the City Manager, or his/her designee.

B. The City will provide the initial setup for personal Smart Phones purchased by Users, which are compatible with current City standards for synchronization with network calendars, contacts, and email.

C. The Department Head shall authorize issuance of Smart Phones to Users whose job duties require remote access to calendars, contacts and/or email.

D. Use of mobile and Smart Phones shall be limited to circumstances when standard land-line phones are not available.

E. The Department Head, or her/his designee, shall inform the IT Division of a User's impending termination/separation to ensure such devices are returned to the City upon the User's separation from the City and/or when such access is no longer warranted.

F. Users of mobile and Smart Phones shall follow all applicable laws regarding the use of such devices including use while driving. Use of mobile and Smart Phones while driving is prohibited. According to California law, use of such devices in moving vehicles must be with a hands-free device.

G. The City shall maintain and support City-owned and issued mobile and Smart Phones only.

H. The City shall not maintain or provide ongoing support of personally owned mobile or Smart Phones.

I. Misuse of Mobile/Smart Phones may result in the User's Department Head revoking access and/or disciplinary action.

J. Users shall have no expectation of privacy with regards to data residing on, or being sent to or from, their City-issued Mobile or Smart Phone devices, including but not limited to text messages, or City email sent to and from a personal Mobile or Smart Phone connected to the City's email systems, even if/when such data is deleted from the device.

K. Users shall reimburse the City for the cost of incidental personal use of mobile or smart phones in any amount over $1.00 per month. Users shall bring their phone bill and payment to the IT Division's Departmental Accounting Technician to process reimbursements.

SECTION 8.03 PAGERS

A. City-owned pagers will be issued to Users on an as-needed basis at the discretion of the Department Head.

B. Pagers issued to Users should be carried, turned on and operational during normal working hours and also when on-call.

C. Unless in an on-call status, pagers should be securely kept at the City when not in use and it is the responsibility of the User to keep it secure when it is in their possession.

D. Negligence or willful misconduct causing damage to City property, including pagers, is subject to disciplinary action including, but not limited to, paying for repair or replacement.

E. Users shall have no expectation of privacy with regards to data residing on, or being sent to or from, their City-provided pagers.

ARTICLE IX. SOFTWARE

Any software used on City systems or equipment must have a valid license. Software and its associated documentation are covered by Copyright Laws and subject to licensing agreements. Appropriate documentation to substantiate the legitimacy of such licenses shall be forwarded to and kept on file in the IT Division.

Users shall not use any unauthorized or unlicensed software or other media such as logos, graphics, fonts, photos, songs, etc., on City systems.
Anti-virus software is installed on all City-owned desktops, laptops, and tablets. Users shall not disable or remove this software.

ARTICLE X. SECURITY

SECTION 10.01 SECURITY PERMISSIONS AND ACCESS

The IT Division is responsible for preventing unauthorized access to the City's technology systems and protecting the data stored on these systems.

Users of technology resources must protect City property that is checked out to them or that they access. Users must secure all equipment when leaving it unattended.

City information must not be stored on the local drive of any computer, because such data is not backed up. Data must be stored in the proper network location in order to be safeguarded to prevent unauthorized access, improper changes, and loss. This includes safeguarding the access point to the data. Computers should be located in secure areas and logged off or locked when not in use. No confidential City information should be stored on any mobile device (notebook/laptop, Smart Phone, USB drive, etc.) without being encrypted or password protected.

Anyone who is aware of a compromise to the security of the City's network should immediately notify the IT Division.

The Department Head, or her/his designee, shall determine which Users have access to enterprise and departmental computer applications.

SECTION 10.02 PASSWORDS

Strong passwords are the key to keeping the City's data and technology resources protected from unauthorized use. Passwords are to be kept confidential and not shared with anyone, including IT Division staff. Lost or forgotten passwords can be reset by the IT Division.

(A) PASSWORD CHANGING REQUIREMENTS

1. All regular User network passwords (e.g., email, web, desktop computer, etc.) will be changed at least every six months, or more frequently if known threats or breaches so indicate.
2. City staff will comply with all Department of Justice (DOJ) requirements for those systems and applications covered by the Criminal Justice Information Services.
3. Passwords must not be typed in email messages or other forms of electronic communication.
4. Standard City user-level accounts are not permitted to re-use the previous five passwords.
5. All user-level and system-level passwords must conform to the guidelines described below.
6. General system access passwords used by IT Division staff system administrators will be changed at least every 180 days.

(B) PASSWORD GUIDELINES

Passwords are used for various purposes at the City of San Bernardino. Some of the more common uses include: network login accounts, application accounts, screen saver protection, voicemail password, and local router logins.

Poor, weak passwords have the following characteristics:

a. The password contains less than ten characters.
b. The password is the same as the username.
c. The password is a word found in a dictionary (English or foreign).
d. The password is a common usage word such as:
   1. Names of family, pets, friends, co-workers, fantasy characters, etc.
   2. Computer terms and names, commands, sites, companies, hardware, software.
   3. The words "City of San Bernardino" or any derivation.
   4. Birthdays and other personal information such as addresses and phone numbers.
   5. Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
   6. Any of the above spelled backwards.
   7. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Strong passwords have the following characteristics:

1. Contain both upper and lower case characters (e.g., a-z, A-Z).
2. Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()=\[<>?,./).
3. Are at least ten alphanumeric characters long and are a passphrase (Ohmy1stubbedmyt0e).
4. Are not words in any language, slang, dialect, jargon, etc.
5. Are not based on personal information, names of family, etc.
6. Are never written down or stored on-line.
7. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r" or some other variation.

NOTE: Do not use any of these examples as passwords!

(C) PASSWORD PROTECTION STANDARDS

Do not use the same password for City of San Bernardino accounts as for other non-City access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for your various City access needs. Do not share City passwords with anyone, including administrative assistants or secretaries, managers or supervisors, and IT Division staff. All passwords are to be treated as sensitive, confidential City of San Bernardino information. The IT Division can assist you in determining the appropriate method for granting access to files and/or email to desired staff. Allowing someone else to login with an account that is not theirs is not appropriate.

Here is a list of "Don'ts":

1. Don't reveal a password over the phone to ANYONE, including IT Division staff.
2. Don't reveal a password in an email message.
3. Don't reveal a password to a supervisor or manager.
4. Don't talk about a password in front of others.
5. Don't hint at the format of a password (e.g., "my family name").
6. Don't reveal a password on questionnaires or security forms.
7. Don't share a password with family members.
8. Don't reveal a password to co-workers while on vacation.
9. Don't operate a computer logged in under another person's user ID.

If someone demands a password, refer them to this document or have them call someone in the IT Division.
Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Smart Phones or Mobile Phones) without encryption.

If an account or password is suspected to have been compromised, report the incident to the IT Division and change all passwords. Password cracking or guessing may be performed on a periodic or random basis as an auditing mechanism by IT or its delegates. If a password is guessed or cracked during one of these scans, the User will be notified and required to change it.

(D) PASSPHRASES

Passphrases are sometimes used in lieu of or in addition to a password. Passphrases are longer versions of passwords and are typically composed of multiple words. Because of this, passphrases are more secure against "dictionary attacks". A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: "Cafeteria!Food!Is*Generally*Terrible"

All of the rules above that apply to passwords apply to passphrases.

ARTICLE XI. ACCOUNTABILITY

SECTION 11.01 EXECUTIVE MANAGEMENT

The Department Head, or her/his designee, shall ensure that all new Users sign the City's Technology Use Policy, which shall be forwarded to Human Resources to be placed in the User's personnel file.

The IT Division Director, in conjunction with Executive Management, is responsible for developing and maintaining technology policies, procedures and guidelines.

Department Heads are responsible for ensuring that the Technology Use Policy is followed within their departments.
SECTION 11.02 INFORMATION TECHNOLOGY DEPARTMENT

IT Division staff whose job duties require access to City systems and information shall not disclose or share any information regarding the City's technology resources except as specifically requested by the department responsible for managing that data and authorized by the City Manager, or his/her designee. Any and all information accessed as part of an IT Division staff person's normal job duties will not be disclosed or shared with anyone outside the Department unless IT Division staff requiring such access must not abuse their access privileges by viewing information without having a specific business reason and authorization to do so.

SECTION 12.01 TECHNOLOGY USE AGREEMENT

I have read and agree to abide by the terms and conditions set forth in the Technology Use Policy.

I understand that not abiding by the terms and conditions contained therein could result in disciplinary action, including dismissal.

User Name: ____________________ Department: ____________________

User Signature: ____________________ Date Signed: ____________________