10-741 Meridian Information Technology Policies

CITY OF MERIDIAN RESOLUTION NO. 10-741

BY THE CITY COUNCIL: BIRD, HOAGLUN, ROUNTREE, ZAREMBA

A RESOLUTION ADOPTING THE INFORMATION TECHNOLOGY POLICIES FOR THE CITY OF MERIDIAN; AND PROVIDING AN EFFECTIVE DATE.

WHEREAS, on August 10, 2010, the City Council of Meridian received a report from the Information Technology Department regarding the draft City of Meridian Information Technology Policies; and

WHEREAS, after receiving said report, the City Council directed that the City of Meridian Information Technology Policies be brought forward in Resolution form to establish Information Technology Policies for the City of Meridian.

NOW THEREFORE, BE IT RESOLVED BY THE MAYOR AND CITY COUNCIL OF THE CITY OF MERIDIAN CITY, IDAHO:

Section 1. That the City of Meridian Information Technology Policies be adopted, a copy of which is attached to this Resolution and incorporated herein by this reference.

Section 2. That this Resolution shall be in full force and effect immediately upon its adoption and approval.

ADOPTED by the City Council of City of Meridian, Idaho this [illegible] day of [illegible], 2010.

APPROVED by the Mayor of the City of Meridian, Idaho, this [illegible] day of [illegible], 2010.

APPROVED: TAMMY de WEERD, MAYOR

ATTEST: JAYCEE L. HOLMAN, CITY CLERK

RESOLUTION FOR CITY OF MERIDIAN INFORMATION TECHNOLOGY POLICIES - 1 OF 1

Information Technology Policies
September, 2010

Table of Contents

Application Development Policy
Computer Deployment Policy
Computer Hardware Replacement Policy
Database Policy
E-Mail Policy
Enterprise Application Policy
Internet Access Policy
Loaner Pool Policy
Network Security Policy
Personal Equipment Policy
Printer Policy
Resource Access Policy
Software Selection Policy
Technology Procurement Policy
User Account Policy
VPN Policy

Application Development Policy

Scope: The City of Meridian utilizes a centralized IT Department model. This model is designed to standardize the service, support and costs of meeting the technology needs for the City of Meridian. This policy addresses application development needs of the City of Meridian.

Policy: Application Development is the process of writing software to meet a business need rather than purchasing a developed solution. A list of currently supported software solutions used by the City of Meridian can be found in the Supported Software Standard.

Application development is the sole responsibility of the Information Technology Department. Departments requiring custom solutions must go through the IT Department. Departments are prohibited from contracting, purchasing or developing software without the express approval of the IT Department.

Departments may use Microsoft Access to develop small applications, provided the departments follow the City's naming and coding standards.

Computer Deployment Policy

Scope: To plan for the replacement and deployment of computer hardware.

Policy: One of the costs associated with deploying new hardware is employee labor. Every time a computer is deployed it takes considerable staff time to back up employee files, move settings and configurations to the new machine and then to test it to ensure everything works as expected.

We will limit a machine rotation to a maximum of one rotation per new machine. That is, if Employee A has a machine eligible for replacement, and the department wants the new machine to go to Employee B, whose machine is not up for replacement, this will be allowed. Employee B will get the new machine, Employee A will get Employee B's machine, and Employee A's machine will be disposed of. What is not allowed is an additional rotation of machines; i.e. C-->B-->A.

Computer Hardware Replacement Policy

Scope: To plan for the replacement and acquisition of computer hardware.

Policy: The City has millions of dollars invested in technology. Much of this technology quickly becomes obsolete due to improvements with technology and software. In order for the City to operate efficiently, this policy outlines the plan for replacing equipment.

The following schedule is used to replace hardware. All equipment will be replaced on this schedule. However, if a particular lot of equipment is problematic it may be necessary to replace equipment outside of the normal replacement cycle.

Servers: 4 years or as needed
Desktops and laptops: 5 years or as needed
Printers and Projectors: 7 years or as needed

When replacing hardware, the IT Department will re-use equipment in areas where it makes sense. Departments will not be allowed to retain replaced equipment; it will be at the sole discretion of the IT Department to re-use disposed equipment as they see fit. Replaced equipment will be disposed of following the City Asset Disposal policy.

Once equipment has been funded for replacement, this equipment is ineligible for future replacement. If the City must re-use previously replaced equipment, the department must submit a new budget enhancement to receive funding to replace the asset a second time. All efforts should be made to plan for expansions of services and all resources required.

Money will be spent as budgeted. Any savings between actual and budgeted amounts may be used to replace equipment which is broken or otherwise non-functional, rather than requesting a budget amendment. Budget savings will not be used to purchase additional equipment without the approval of the Mayor.

Database Policy

Scope: Databases are structured collections of records. The records stored within the databases come from multiple sources, and are foundational to the continued operation of the City. This policy addresses issues related to database management, operations and security. Since the databases hold key information, it is imperative that this information is safeguarded to reduce the possibility of corruption, data loss and operational inefficiencies.

Policy: This policy addresses database management, operations and security. For our purposes, management encompasses all aspects related to the creation, deletion, modification and storing of databases. Operations relates to the types, structure and use of databases. Security is control over access, permissions and use. This policy does not apply to using Microsoft Access for simple data analysis.

Management: All databases developed by city staff or contractors must follow the City's naming standards. These standards are found on the Intranet under the IT Department-Documentation. The only exception to this requirement is if the database is a Microsoft Access database and used by a single individual for data manipulation and analysis.

Access to create or modify databases within our Microsoft SQL Server Environment is restricted to IT Staff. Departments may use tools within the Integrated Development Environments (IDEs) to manage their data, but must stay in compliance with City policy and standards.

Operations: The City utilizes Microsoft SQL (MSSQL) for our primary database server infrastructure. In all cases, applications which use Microsoft SQL Server should be preferred over those which use another technology. MSSQL typically allows for easier integration and reporting of applications than do other alternatives. In no way does this limit the City to exclusively use only MSSQL. Rather, MSSQL should be used unless there is a compelling reason to go with another solution (i.e. sole source type application, price, etc.).

Reporting: The city will maintain a "Reporting" instance of Microsoft SQL Server. This reporting instance is used as a replica of the live data to provide "read-only" access for reporting purposes. This will allow staff access to historical information to create meaningful reports for management. Access to the reporting instance is authorized by mutual approval of the Department Director and IT Manager.

Security: Maintaining auditable records is critical to data integrity. It is the primary responsibility of the IT Systems Administrator to manage database security. The City operates using the "least-privilege security model". Per this model, employees will be granted rights sufficient to access the resources necessary to do their job. Access to "live" data using database management tools will be limited to IT Staff.

E-Mail Policy

Scope: E-mail has become the predominant method of communication. Our reliance on e-mail is such that without this communication it would be challenging to conduct day-to-day business. This policy addresses appropriate use, access, retention and archival of e-mail.
This policy operates in conjunction with City Policy 6.2.3. Electronic Mail.

Policy:

Access: All City Employees are given access to an e-mail account when they begin their employment. Access is granted through the process of the HR Department notifying the IT Department of the start of employment of a new hire.

Administrative employees' e-mail will be retained within the e-mail archive and will not have a quota set on their mailbox size. Non-administrative staff may have their e-mail archived, if requested by their Department Director; otherwise it will be left to the discretion of the IT Manager.

Non-administrative employees are those employees who operate in positions that are minimally dependent on use of the City's computer network. Examples of these positions are Parks Maintenance workers, Waste Water Plant workers and Fire Fighters. Non-administrative employees will be given an e-mail storage quota large enough to maintain routine communications. This quota will be set by the IT Department Manager.

Volunteers: Volunteers are individuals who work with the City to provide services to the city without receiving a monetary payment. Occasionally volunteers will require an e-mail account to perform their tasks. By default volunteers will not be given a city e-mail account. If an e-mail account is required, the Department Director must submit a request through the case management system. The request must include the first and last name of the individual, and the period for which the e-mail account will be required. If the ending date is not known, that should be identified in the request.

It is the responsibility of the Department Director to ensure that volunteers are aware of and follow City policy as to the use of electronic mail. It is also the responsibility of the Department Director to notify the IT Department when the volunteer discontinues their service to the city. Notification should be done using the Case Management system.

Volunteers will be provided a mailbox quota as determined by the IT Department. Volunteers will not have their e-mail archived, unless specifically requested by the Department Director.

Employee Separations: When an employee terminates their employment with the City of Meridian, the HR Department is responsible for notifying the IT Department. Once the employee terminates, the IT Department will notify the Department Director or Managing supervisor of the terminated staff to determine the disposition of the e-mail.

The IT department is willing to create a temporary file for the Supervisor to allow them to review the e-mail of the departed employee. For employees whose mail is retained in the e-mail archive, it will continue to be retained until the disposition date as identified in the City's Record Retention policy.

The Supervisor or Director may request an e-mail forward and/or out of office message be placed on the e-mail account of the departed employee. Forwards and messages will be kept on the account for a maximum of two weeks.

Acceptable Use: Employees are not to use personal e-mail accounts to conduct City Business. The City applies rules to ensure these sites are blocked during regular business hours. Employee e-mail should be used to conduct City Business.

Users of City e-mail accounts are not to use personal slogans, backgrounds, emoticons, images or any other item not endorsed by the City of Meridian.

Employees are not to use e-mail for the purpose of soliciting personal business, fund raising, campaigning or other reasons not related to conducting City business.

Employees must have the approval of their Department Director prior to sending out an e-mail city-wide.

Violation of Policy: If the IT Department determines that an employee has used their e-mail account inappropriately, the IT Department may disable that user's e-mail account while an investigation takes place.

Enterprise Application Policy

Scope: Enterprise Applications are software products designed to integrate computer systems that support the operation of business units. These systems are designed to increase internal coordination of work and cooperation across an enterprise. These products facilitate the integration of core business operations and processes, including accounting, finance, human resources, building services, code enforcement, inspections development services, parks, water and wastewater management.

Policy: This policy sets minimum standards which must be met when purchasing software. Whenever possible these standards should be followed, unless circumstances are such that it is not feasible. In these instances, approval to deviate from these standards is granted by mutual approval of the IT Manager and Department Director (if applicable).

Database uses Microsoft SQL Server
Web Server must support IIS
Installed on a Microsoft Windows Server

Other optional, but preferred features:

Microsoft Active Directory integration
Optimized to work in a Virtual Environment

Internet Access Policy

Scope: Applies to all Internet access from City networks and using City-owned equipment.

Policy: The City reserves the right to filter, monitor and/or block Internet access to any device or person utilizing the City's network.

1) Internet access may be "filtered".
2) Access shall be limited or blocked based upon categories or protocols.
3) Employees are limited to using ports required to access web pages (i.e., port http/80 & https/443).
4) Employees are prohibited from using tools which allow remote control of other PCs (GoToMyPC, LogMeIn, pcTELECOMMUTE, etc.).
5) Employees are prohibited from using proxy servers, web sites or tools designed to circumvent security.
6) Employees are prohibited from granting remote control of their computer to others without prior written authorization from the IT Department.

Violation of this policy may result in disciplinary action, including but not limited to loss of access, suspension and termination. This is addressed further in City Policy 6.2.4.

Loaner Pool Policy

Scope: The IT Department will be the repository for a city-wide pool of laptops, projectors and mobile air-cards. This policy addresses minimum quantities of available equipment for check-out, procedure for reserving available equipment and disposition/replacement. The goal of using a loaner pool is to minimize the need for departments to individually purchase and maintain their own pool of loaner equipment by the City centralizing and sharing a pool city-wide.

Policy: The IT Department is responsible for maintaining the loaner pool of equipment. Equipment will be available for check out by any City employee as long as the equipment will be used for City business and in compliance with City Policy.

Equipment may be checked out for up to one week by submitting a request through the Case Management system. Requests for use will be provided on a first-come, first-served basis. If a need arises where the equipment may be needed for longer than one week, that request must be made by the Department Director and include an explanation as to the need.

Disposal of Equipment: In order to ensure equipment in the loaner pool remains functional for a large variety of needs, equipment will be replaced as needed and may not comply with the standard replacement policy.

If the frequency of use justifies a department's need to have their own loaner equipment, departments can request to receive equipment from the loaner pool when it is disposed of. This equipment will remain in the possession of the requesting department and will be ineligible for replacement.

The procedure for reserving equipment maintained in this pool is located on the Intranet.

Network Security Policy

Scope: This policy addresses the requirements for attaching computers, devices, and other networks to the City's network.

Policy: The City maintains a private network, comprised of resources necessary to operate City systems. Only city owned computer equipment has direct access to our private network. Other disparate systems may be granted limited access to the private network at the discretion of the IT department, depending on the needs of the City. Personal equipment may not be attached to the City's private network. (See Personal Equipment Policy)

Limited Internet access is provided at some locations using a guest wireless network. This should be sufficient to allow most visitors to access the resources required while visiting our site. Guest users may also connect their laptops to projectors in "public" conference rooms, without the need to attach to our network.

If computer resources are required which are only accessible via the city network, departments may check out a city owned laptop for that purpose. However, only city staff will have the ability to log on and use that equipment.

Personal Equipment Policy

Scope: The policy distinguishes employee owned equipment from City-owned equipment.

Policy: Personal equipment is anything which is owned by the employee rather than the City.

Personal computer equipment may be attached to a user's City owned computer for business purposes; however, it may not be connected directly to the network. (See Network Security Policy) Personal devices that are permitted include flash drives, PDAs, and cell phones. Personal laptops, computers, or devices that provide connectivity to other networks (including the Internet) are not to be connected to City owned computers.

Employee owned cell phones which use the Blackberry service, where such service is reimbursed by the City, may attach to the BES (Blackberry Enterprise Server).
Any additional support for the phone should be provided by the cell phone provider (i.e. Sprint, Verizon, AT&T, Nextel, T-Mobile, etc.).

Nothing in this policy shall be construed as requiring the City to provide technical support or assistance to equipment owned by the employee rather than the City. This includes but is not limited to flash drives, mp3 players, smart phones, PDAs, laptops, etc.

All devices attached to our network are subject to security scans. If you attach a personal device to our network and the device is damaged or the files are deleted, the City is not liable; you attach these devices at your own risk.

It is the employee's responsibility to ensure that prior to connecting personal equipment to the City's network they have the approval of their Director/Supervisor. Failure to get approval may result in disciplinary action, up to and including termination.

Printer Policy

Scope: This standard applies to any printer, copier or multi-function device. A multi-function device is one which provides printing in conjunction with scanning, copying and/or faxing.

Policy: Prior to purchasing any printing device you must contact IT to ensure the device under consideration meets the City's standards and can be supported.

A complete list of printer standards is found on the Intranet > Information Technology > Documentation > Printer Standards.

Resource Access Policy

Scope: Applies to access to resources on the network which may be critical, sensitive, or confidential to the continued operation of the City of Meridian.

Policy: The IT Department is responsible for ensuring the stability, confidentiality, and reliability of the City's data, systems, and network.

The City uses the "Least Privilege Model" for granting user access. This model states that a user is given the minimum access required to do their job.

Access is granted and revoked by a request from the Department Director or Supervisor and signed off by the IT Manager. This function may be delegated to other IT Staff as needed to ensure the continuing operation of the organization.

Software Selection Policy

Scope: Software is a general term used to describe an application or program used on a computer. Software represents a considerable expense to the city whether the software is built in house or purchased off the shelf. In addition, the City has already made a considerable investment in existing technologies. This policy identifies the required steps prior to purchasing software or replacing existing software.

Policy: This policy defines the software selection process required to purchase software. This policy does not apply to upgrades of existing software. Upgrades refer to software which the city currently owns, and the vendor of the said software is merely adding additional features or functionality in a newer version (i.e. version 6.1 to 7.0).

The Software Life Cycle is made up of five phases: Analysis, Design, Implementation, Testing and Maintenance. The Information Technology Department must be included in the Analysis phase of any software project.

Software costs go well beyond the initial purchase price. Other costs which must be considered when purchasing software are analysis, design requirements, training, data migration, support and integration with existing technologies and displacement of existing applications.

Prior to any web demos or other evaluation processes, the requesting Department is required to complete the Software Selection Form, which is located on the City Intranet. This form is used to identify the need, ensure alternatives have been identified and known deficiencies with the current application documented.
In addition, if software will require a budget enhancement, this form must be submitted to the Information Technology Department for a recommendation, prior to the enhancement going to Finance or before Council.

Too many times change is requested due to preference rather than a sound business reason. The City should never change out a software application due to employee preference. This is especially true when the city currently owns a software package which serves the purpose. Employees should be trained and required to learn existing software.

The software selection process and analysis should be commensurate to the cost of the existing software the city owns and the cost of the new software. That is, if the software cost $300 the analysis process would be much smaller than if the software cost $30,000.

Technology Procurement Policy

Scope: This policy applies to all City Technology purchases that require integration with computer systems, applications or technology infrastructure.

Policy: All technology purchases must conform to IT Standards, and go through an evaluation process. Only technologies approved by the City Technology Department may be purchased. Departments should consult with the IT Department prior to making technology purchases to ensure compliance.

The following categories (and components thereof) are considered Information Technology Commodities for procurement purposes:

Computer Peripherals (Keyboards, Mice, Monitors, etc.)
Computers (desktop, laptop, toughbook, PDA, etc.)
Computer Hardware Upgrades (RAM, video cards, optical drives, etc.)
Digital Audio Recorders
Digital cameras and projectors
Digital Video Recorders
Global Positioning System ("GPS") devices
Imaging system document scanning devices
Network multi-function devices (e.g., copiers, scanners)
Networking equipment (e.g., routers, switches, management and access control devices) and software
Physical security equipment and software
Printers
Proximity Cards Readers
Security Cameras
Servers (replacements or upgrades)
Software Maintenance
Software/Applications

All equipment must meet applicable City standards.

User Account Policy

Scope: This policy addresses the addition and deletion of user accounts.

Policy:

New Hires: Upon notification from the HR Department, a user account will be created for all new employees. By default these employees will be given general computer access, which includes access to the Intranet, Internet, public file shares, timesheet application and e-mail. The account will become active on the date the employee begins their employment.

Passwords for new accounts will be provided directly to the employee or employee's supervisor. The initial password provided will be temporary and must be changed once the employee logs into the network.

Requests for employee access to applications or resources beyond those provided to all employees must be submitted by the employee's manager/supervisor using the City Case Management software "New Employee Resource Request" form. Access will be granted based on the resource owner's approval and per the Application Access Policy.

Employee Separations: When an employee terminates, IT should be given as much advance notice as possible to ensure that resources are no longer available when the employee leaves. Employee accounts will remain in a "disabled" state for a maximum of 30 days, at which point the account will be deleted from the system.

It is the responsibility of the employee's manager/supervisor to notify IT of any resources which may be required of the terminated employee. Mainly these are files stored in the user's home drive. For employees whose e-mail is archived, employee e-mail will be retained under the "City of Meridian's record retention policy." Under no circumstance will an account remain active after an employee has separated from the City.

Administrative Leave: When an employee is placed on administrative leave, the HR department must notify the IT Department immediately to ensure the account is disabled. The IT Department can place an "out of office" message on the account until the leave is complete.

VPN Policy

Scope: Virtual Private Network (VPN) is the primary method used to join two disparate networks. The way this works is that through the use of software or a hardware appliance a connection is made that allows these two networks to talk. For security purposes the VPN tunnel is encrypted to keep the session confidential.

Due to the way a VPN works, it can present a security risk. In order to mitigate the risk, it is imperative that users with VPN access take the utmost care to ensure everything is secure. This policy defines the purpose, use, security and privileges for VPN access to the City's network.

Policy:

Public vs. Private: A private location is one where the computer is in a secure location (i.e. home), where only you or someone else known to you has access to that machine. A public location is one where people not known to you also have access to that same machine (kiosk, internet cafe, etc.).

When using the VPN from a public location, it is the duty of every user to take steps to ensure that the security of the City is protected. Users must not share their passwords (as per the Password Policy) or leave the computer without terminating their session.
When using a machine in an internet kiosk or other location where unknown people could access the machine, users should clear their internet cache before walking away.

VPN Access Approval: VPN access is restricted to City Staff. Requests to receive VPN access must be submitted by the requesting Department Manager or Director using the Case Management system and signed off by the IT Manager.

Account Expiration: In order to maintain an active account on the VPN a user must log in at least 2 times in a 90 day period. Failure to log in the minimum number of times during any 90 day period may result in the account expiring.