10-741 Meridian Information Technology Policies
CITY OF MERIDIAN RESOLUTION NO. [illegible]
BY THE CITY COUNCIL: BIRD, HOAGLUN, ROUNTREE, ZAREMBA
A RESOLUTION ADOPTING THE INFORMATION TECHNOLOGY POLICIES
FOR THE CITY OF MERIDIAN; AND PROVIDING AN EFFECTIVE DATE.
WHEREAS, on August 10, 2010, the City Council of Meridian received a report from
the Information Technology Department regarding the draft City of Meridian Information
Technology Policies; and
WHEREAS, after receiving said report, the City Council directed that the City of
Meridian Information Technology Policies be brought forward in Resolution form to establish
Information Technology Policies for the City of Meridian.
NOW THEREFORE, BE IT RESOLVED BY THE MAYOR AND CITY
COUNCIL OF THE CITY OF MERIDIAN CITY, IDAHO:
Section 1. That the City of Meridian Information Technology Policies be adopted, a
copy of which is attached to this Resolution and incorporated herein by this reference.
Section 2. That this Resolution shall be in full force and effect immediately upon its
adoption and approval.
ADOPTED by the City Council of City of Meridian, Idaho this [illegible] day of
[illegible], 2010.
APPROVED by the Mayor of the City of Meridian, Idaho, this [illegible] day of
[illegible], 2010.
APPROVED:
TAMMY de WEERD, MAYOR
ATTEST:
JAYCEE L. HOLMAN, CITY CLERK
SEAL
Information
Technology
Policies
September, 2010
Table of Contents
Application Development Policy
Computer Deployment Policy
Computer Hardware Replacement Policy
Database Policy
E-Mail Policy
Enterprise Application Policy
Internet Access Policy
Loaner Pool Policy
Network Security Policy
Personal Equipment Policy
Printer Policy
Resource Access Policy
Software Selection Policy
Technology Procurement Policy
User Account Policy
VPN Policy
Application Development Policy
Scope:
The City of Meridian utilizes a centralized IT Department model. This model is
designed to standardize the service, support and costs of meeting the technology needs
for the City of Meridian. This policy addresses application development needs of the
City of Meridian.
Policy:
Application Development is the process of writing software to meet a business need
rather than purchasing a developed solution. A list of currently supported software
solutions used by the City of Meridian can be found in the Supported Software
Standard.
Application development is the sole responsibility of the Information Technology
Department. Departments requiring custom solutions must go through the IT
Department. Departments are prohibited from contracting, purchasing or developing
software without the express approval of the IT Department.
Departments may use Microsoft Access to develop small applications, provided the
departments follow the City's naming and coding standards.
Computer Deployment Policy
Scope:
To plan for the replacement and deployment of computer hardware.
Policy:
One of the costs associated with deploying new hardware is employee labor. Every
time a computer is deployed it takes considerable staff time to back-up employee files,
move settings and configurations to the new machine and then to test it to ensure
everything works as expected. We will limit a machine rotation to a maximum of one
rotation per new machine. That is, if employee A has a machine eligible for
replacement, and the department wants the new machine to go to Employee B, whose
machine is not up for replacement, this will be allowed. Employee B will get the new
machine, Employee A will get employee B's machine, and Employee A's machine will
be disposed. What is not allowed is for an additional rotation of machines; i.e.
C-->B-->A.
Computer Hardware Replacement Policy
Scope:
To plan for the replacement and acquisition of computer hardware.
Policy:
The City has millions of dollars invested in technology. Much of this technology quickly
becomes obsolete due to improvements with technology and software. In order for the
City to operate efficiently, this policy outlines the plan for replacing equipment.
The following schedule is used to replace hardware. All equipment will be replaced on
this schedule. However, if a particular lot of equipment is problematic it may be
necessary to replace equipment outside of the normal replacement cycle.
Servers: 4 years or as needed
Desktops and laptops: 5 years or as needed
Printers and Projectors: 7 years or as needed
When replacing hardware, the IT Department will re-use equipment in areas where it
makes sense. Departments will not be allowed to retain replaced equipment; it will be at
the sole discretion of the IT Department to re-use disposed equipment as they see fit.
Replaced equipment will be disposed of following the City Asset Disposal policy. Once
equipment has been funded for replacement, this equipment is ineligible for future
replacement. If the City must re-use previously replaced equipment, the department must
submit a new budget enhancement to receive funding to replace the asset a second time.
All efforts should be made to plan for expansions of services and all resources required.
Money will be spent as budgeted. Any savings between actual and budgeted amounts
may be used to replace equipment which is broken or otherwise non-functional, rather
than requesting a budget amendment. Budget savings will not be used to purchase
additional equipment, without the approval of the Mayor.
Database Policy
Scope:
Databases are structured collections of records. The records stored within the databases
come from multiple sources, and are foundational to the continued operation of the City.
This policy addresses issues related to database management, operations and security.
Since the databases hold key information, it is imperative that this information is
safeguarded to reduce the possibility of corruption, data loss and operational
inefficiencies.
Policy:
This policy addresses database management, operations and security. For our purposes,
management encompasses all aspects related to the creation, deletion, modification and
storing of databases. Operations relates to the types, structure and use of databases.
Security is control over access, permissions and use.
This policy does not apply to using Microsoft Access for simple data analysis.
Management:
All databases developed by city staff or contractors must follow the City's naming
standards. These standards are found on the Intranet under the IT
Department-Documentation. The only exception to this requirement is if the database
is a Microsoft Access database and used by a single individual for data manipulation
and analysis.
Access to create or modify databases within our Microsoft SQL Server Environment is
restricted to IT Staff. Departments may use tools within the Integrated Development
Environments (IDEs), to manage their data, but must stay in compliance with City
policy and standards.
Operations:
The City utilizes Microsoft SQL (MSSQL) for our primary database server
infrastructure. In all cases, applications which use Microsoft SQL Server should be
preferred over those which use another technology. MSSQL typically allows for easier
integration and reporting of applications than do other alternatives. In no way does this
limit the City to exclusively use only MSSQL. Rather, MSSQL should be used unless
there is a compelling reason to go with another solution (e.g., sole source type
application, price, etc.).
Reporting: The city will maintain a "Reporting" instance of Microsoft SQL Server.
This reporting instance is used as a replica of the live data to provide "read-only" access
for reporting purposes. This will allow staff access to historical information to create
meaningful reports for management. Access to the reporting instance is authorized by
mutual approval of the Department Director and IT Manager.
Security:
Maintaining auditable records is critical to data integrity. It is the primary
responsibility of the IT Systems Administrator to manage database security. The City
operates using the "least-privilege security model". Per this model, employees will be
granted rights sufficient to access the resources necessary to do their job. Access to
"live" data using database management tools will be limited to IT Staff.
E-Mail Policy
Scope:
E-mail has become the predominant method of communication. Our reliance on e-mail
is such that without this communication it would be challenging to conduct day-to-day
business. This policy addresses appropriate use, access, retention and archival of e-mail.
This policy operates in conjunction with City Policy 6.2.3. Electronic Mail.
Policy:
Access:
All City Employees are given access to an e-mail account when they begin their
employment. Access is granted through the process of the HR Department notifying the
IT Department of the start of employment of a new hire.
Administrative employees' e-mail will be retained within the e-mail archive and will not
have a quota set on their mailbox size. Non-administrative staff may have their e-mail
archived, if requested by their Department Director, otherwise it will be left to the
discretion of the IT Manager.
Non-administrative employees are those employees who operate in positions that are
minimally dependent on use of the City's computer network. Examples of these
positions are Parks Maintenance workers, Waste Water Plant workers and Fire Fighters.
Non-administrative employees will be given an e-mail storage quota large enough to
maintain routine communications. This quota will be set by the IT Department
Manager.
Volunteers:
Volunteers are individuals who work with the City to provide services to the city
without receiving a monetary payment. Occasionally volunteers will require an e-mail
account to perform their tasks.
By default volunteers will not be given a city e-mail account. If an e-mail account is
required, the Department Director must submit a request through the case management
system. The request must include the first and last name of the individual, and the
period for which the e-mail account will be required. If the ending date is not known,
that should be identified in the request. It is the responsibility of the Department
Director to ensure that volunteers are aware and follow City policy as to the use of
electronic mail. It is also the responsibility of the Department Director to notify the IT
Department when the volunteer discontinues their service to the city. Notification
should be done using the Case Management system.
Volunteers will be provided a mailbox quota as determined by the IT Department.
Volunteers will not have their e-mail archived, unless specifically requested by the
Department Director.
Employee Separations:
When an employee terminates their employment with the City of Meridian, the HR
Department is responsible for notifying the IT Department. Once the employee
terminates, the IT Department will notify the Department Director or Managing
supervisor of the terminated staff to determine the disposition of the e-mail.
The IT department is willing to create a temporary file for the Supervisor to allow them
to review the e-mail of the departed employee. For employees whose mail is retained in
the e-mail archive, it will continue to be retained until the disposition date as identified
in the City's Record Retention policy.
The Supervisor or Director may request an e-mail forward and/or out of office message
be placed on the e-mail account of the departed employee. Forwards and messages will
be kept on the account for a maximum of two weeks.
Acceptable Use:
Employees are not to use personal e-mail accounts to conduct City Business. The City
applies rules to ensure these sites are blocked during regular business hours.
Employee e-mail should be used to conduct City Business.
Users of City e-mail accounts are not to use personal slogans, backgrounds, emoticons,
images or any other item not endorsed by the City of Meridian.
Employees are not to use e-mail for the purpose of soliciting personal business, fund
raising, campaigning or other reasons not related to conducting City business.
Employees must have the approval of their Department Director prior to sending out an
e-mail city-wide.
Violation of Policy:
If the IT Department determines that an employee has used their e-mail account
inappropriately, the IT Department may disable that user's e-mail account while an
investigation takes place.
Enterprise Application Policy
Scope:
Enterprise Applications are software products designed to integrate computer systems
that support the operation of business units. These systems are designed to increase
internal coordination of work and cooperation across an enterprise. These products
facilitate the integration of core business operations and processes, including
accounting, finance, human resources, building services, code enforcement, inspections,
development services, parks, water and wastewater management.
Policy:
This policy sets minimum standards which must be met when purchasing software.
Whenever possible these standards should be followed, unless circumstances are such
that it is not feasible. In these instances, approval to deviate from these standards is
granted by mutual approval of the IT Manager and Department Director (if applicable).
Database uses Microsoft SQL Server
Web Server must support IIS
Installed on a Microsoft Windows Server
Other optional, but preferred features:
Microsoft Active Directory integration
Optimized to work in a Virtual Environment
Internet Access Policy
Scope:
Applies to all Internet access from City networks and using City-owned equipment.
Policy:
The City reserves the right to filter, monitor and/or block Internet access to any
device or person utilizing the City's network.
1) Internet access may be "filtered".
2) Access shall be limited or blocked based upon categories or protocols.
3) Employees are limited to using ports required to access web pages (i.e., ports
HTTP/80 and HTTPS/443).
4) Employees are prohibited from using tools which allow remote control of other
PCs, such as GoToMyPC, LogMeIn, pcTELECOMMUTE, etc.
5) Employees are prohibited from using proxy servers, web sites or tools designed to
circumvent security.
6) Employees are prohibited from granting remote control of their computer to others
without prior written authorization from the IT Department.
Violation of this policy may result in disciplinary action, including but not limited to
loss of access, suspension and termination.
This is addressed further in City Policy 6.2.4.
Loaner Pool Policy
Scope:
The IT Department will be the repository for a city-wide pool of laptops, projectors and
mobile air-cards. This policy addresses minimum quantities of available equipment for
check-out, procedure for reserving available equipment and disposition/replacement.
The goal of using a loaner pool is to minimize the need for departments to individually
purchase and maintain their own pool of loaner equipment by the City centralizing and
sharing a pool city-wide.
Policy:
The IT Department is responsible for maintaining the loaner pool of equipment.
Equipment will be available for check out by any City employee as long as the
equipment will be used for City business and in compliance with City Policy.
Equipment may be checked out for up to one week by submitting a request through the
Case Management system. Requests for use will be provided on a first-come,
first-served basis.
If a need arises where the equipment may be needed for longer than one week, that
request must be made by the Department Director and include an explanation as to the
need.
Disposal of Equipment:
In order to ensure equipment in the loaner pool remains functional for a large variety of
needs, equipment will be replaced as needed and may not comply with the standard
replacement policy.
If the frequency of use justifies a department's need to have their own loaner equipment,
departments can request to receive equipment from the loaner pool when it is disposed.
This equipment will remain in the possession of the requesting department and will be
ineligible for replacement.
The procedure for reserving equipment maintained in this pool is located on the Intranet.
Network Security Policy
Scope:
This policy addresses the requirements for attaching computers, devices, and other
networks to the City's network.
Policy:
The City maintains a private network, comprised of resources necessary to operate City
systems.
Only city owned computer equipment has direct access to our private network. Other
disparate systems may be granted limited access to the private network at the discretion
of the IT department, depending on the needs of the City. Personal equipment may not
be attached to the City's private network. (See Personal Equipment Policy)
Limited Internet access is provided at some locations using a guest wireless network.
This should be sufficient to allow most visitors to access the resources required while
visiting our site. Guest users may also connect their laptops to projectors in "public"
conference rooms, without the need to attach to our network.
If computer resources are required which are only accessible via the city network,
departments may check out a city owned laptop for that purpose. However, only city
staff will have the ability to log on and use that equipment.
Personal Equipment Policy
Scope:
The policy distinguishes employee owned equipment from City-owned equipment.
Policy:
Personal equipment is anything which is owned by the employee rather than the City.
Personal computer equipment may be attached to a user's City owned computer for
business purposes; however, it may not be connected directly to the network. (See
Network Security Policy) Personal devices that are permitted include flash drives, PDAs,
and cell phones. Personal laptops, computers, or devices that provide connectivity to
other networks (including the Internet) are not to be connected to City owned
computers.
Employee owned cell phones, which use the Blackberry service, where such service is
reimbursed by the City, may attach to the BES (Blackberry Enterprise Server). Any
additional support for the phone should be provided by the cell phone provider (e.g.,
Sprint, Verizon, AT&T, Nextel, T-Mobile, etc.).
Nothing in this policy shall be construed as requiring the City to provide technical
support or assistance to equipment owned by the employee rather than the City. This
includes but is not limited to flash drives, mp3 players, smart phones, PDAs, laptops, etc.
All devices attached to our network are subject to security scans. If you attach a
personal device to our network and the device is damaged or the files are deleted, the
City is not liable; you attach these devices at your own risk.
It is the employee's responsibility to ensure that prior to connecting personal equipment
to the City's network they have the approval of their Director/Supervisor. Failure to get
approval may result in disciplinary action, up to and including termination.
Printer Policy
Scope:
This standard applies to any printer, copier or multi-function device. A multi-function
device is one which provides printing in conjunction with scanning, copying and/or
faxing.
Policy:
Prior to purchasing any printing device you must contact IT to ensure the device under
consideration meets the City's standards and can be supported.
A complete list of printer standards is found on the Intranet > Information
Technology > Documentation > Printer Standards.
Resource Access Policy
Scope:
Applies to access to resources on the network which may be critical, sensitive, or
confidential to the continued operation of the City of Meridian.
Policy:
The IT Department is responsible for ensuring the stability, confidentiality, and
reliability of the City's data, systems, and network. The City uses the "Least Privilege
Model" for granting user access. This model states that a user is given the minimum
access required to do their job. Access is granted and revoked by a request from the
Department Director or Supervisor and signed off by the IT Manager. This function may
be delegated to other IT Staff as needed to ensure the continuing operation of the
organization.
Software Selection Policy
Scope:
Software is a general term used to describe an application or program used on a
computer. Software represents a considerable expense to the city whether the software
is built in house or purchased off the shelf. In addition, the City has already made a
considerable investment in existing technologies. This policy identifies the required
steps prior to purchasing software or replacing existing software.
Policy:
This policy defines the software selection process required to purchase software. This
policy does not apply to upgrades of existing software. Upgrades refer to software
which the city currently owns, and the vendor of the said software is merely adding
additional features or functionality in a newer version (i.e. version 6.1 to 7.0).
The Software Life Cycle is made up of five phases: Analysis, Design, Implementation,
Testing and Maintenance. The Information Technology Department must be included
in the Analysis phase of any software project.
Software costs go well beyond the initial purchase price. Other costs which must be
considered when purchasing software are analysis, design requirements, training, data
migration, support and integration with existing technologies and displacement of
existing applications.
Prior to any web demos or other evaluation processes, the requesting Department is
required to complete the Software Selection Form, which is located on the City Intranet.
This form is used to identify the need, ensure alternatives have been identified and
known deficiencies with the current application documented. In addition, if software
will require a budget enhancement, this form must be submitted to the Information
Technology Department for a recommendation, prior to the enhancement going to
Finance or before Council.
Too many times change is requested due to preference rather than a sound business
reason. The City should never change out a software application due to employee
preference. This is especially true when the city currently owns a software package
which serves the purpose. Employees should be trained and required to learn existing
software.
The software selection process and analysis should be commensurate to the cost of the
existing software the city owns and the cost of the new software. That is, if the software
cost $300 the analysis process would be much smaller than if the software cost $30,000.
Technology Procurement Policy
Scope:
This policy applies to all City Technology purchases that require integration with
computer systems, applications or technology infrastructure.
Policy:
All technology purchases must conform to IT Standards, and go through an evaluation
process. Only technologies approved by the City Technology Department may be
purchased. Departments should consult with the IT Department prior to making
technology purchases to ensure compliance.
The following categories (and components thereof) are considered Information
Technology Commodities for procurement purposes:
Computer Peripherals (Keyboards, Mice, Monitors, etc.)
Computers (desktop, laptop, toughbook, PDA, etc.)
Computer Hardware Upgrades (RAM, video cards, optical drives, etc.)
Digital Audio Recorders
Digital cameras and projectors
Digital Video Recorders
Global Positioning System ("GPS") devices
Imaging system document scanning devices
Network multi-function devices (e.g., copiers, scanners)
Networking equipment (e.g., routers, switches, management and access control
devices) and software
Physical security equipment and software
Printers
Proximity Card Readers
Security Cameras
Servers (replacements or upgrades)
Software Maintenance
Software/Applications
All equipment must meet applicable City standards.
User Account Policy
Scope:
This policy addresses the addition and deletion of user accounts.
Policy:
New Hires:
Upon notification from the HR Department, a user account will be created for all new
employees. By default these employees will be given general computer access, which
includes access to the Intranet, Internet, public file shares, timesheet application and
e-mail.
The account will become active on the date the employee begins their employment.
Passwords for new accounts will be provided directly to the employee or employee's
supervisor. The initial password provided will be temporary and must be changed once
the employee logs into the network.
Requests for employee access to applications or resources beyond those provided to all
employees must be submitted by the employee's manager/supervisor using the City
Case Management software "New Employee Resource Request" form. Access will be
granted based on the resource owner's approval and per the Application Access Policy.
Employee Separations:
When an employee terminates, IT should be given as much advance notice as possible
to ensure that resources are no longer available when the employee leaves.
Employee accounts will remain in a "disabled" state for a maximum of 30 days, at
which point the account will be deleted from the system. It is the responsibility of the
employee's manager/supervisor to notify IT of any resources which may be required of
the terminated employee. Mainly these are files stored in the user's home drive. For
employees whose e-mail is archived, employee e-mail will be retained under the "City
of Meridian's record retention policy."
Under no circumstance will an account remain active after an employee has separated
from the City.
Administrative Leave:
When an employee is placed on administrative leave, the HR department must notify the
IT Department immediately to ensure the account is disabled. The IT Department can
place an "out of office" message on the account, until the leave is complete.
VPN Policy
Scope:
Virtual Private Network (VPN) is the primary method used to join two disparate
networks. The way this works is that through the use of software or a hardware
appliance a connection is made that allows these two networks to talk. For security
purposes the VPN tunnel is encrypted to keep the session confidential.
Due to the way a VPN works, it can present a security risk. In order to mitigate the risk,
it is imperative that users with VPN access take the utmost care to ensure everything is
secure. This policy defines the purpose, use, security and privileges for VPN access to
the City's network.
Policy:
Public vs. Private:
A private location is one where the computer is in a secure location (e.g., home), where
only you or someone else known to you has access to that machine. A public location is
one where people not known to you also have access to that same machine (kiosk,
internet cafe, etc.).
When using the VPN from a public location, it is the duty of every user to take steps to
ensure that the security of the City is protected. Users must not share their passwords
(as per the Password Policy) or leave the computer without terminating their session.
When using a machine in an internet kiosk or other location where unknown people
could access the machine, users should clear their internet cache before walking away.
VPN Access Approval:
VPN access is restricted to City Staff. Requests to receive VPN access must be
submitted by the requesting Department Manager or Director using the Case
Management system and signed-off by the IT Manager.
Account Expiration:
In order to maintain an active account on the VPN a user must log in at least 2 times in
a 90 day period. Failure to log in the minimum number of times during any 90 day
period may result in the account expiring.