APPENDIX III. INFORMATION TECHNOLOGY RESOURCES (IT RESOURCES) POLICY
Department Heads and immediate supervisors of all Town employees are responsible for ensuring appropriate enforcement of this policy and related standards on Town IT Resources within their areas of responsibility. The formal Security Policy/Procedure Exception Form must be filed and approved by each employee's immediate supervisor or department head and shall be filed in the employee's personnel file.
Violations of this policy or any other Town policy or regulation may result in the revocation or limitation of IT Resource privileges as well as other disciplinary actions, including, but not limited to termination of employment, and referral of the matter to external authorities.
Controlled access to IT Resources is essential for the Town to ensure that it may provide continued and uninterrupted service to the residents of St. John, and to preserve public records and information. This policy describes a comprehensive approach to Authentication and Authorization that can support current needs for electronic access and accommodate future services and technologies by employing standardized mechanisms for Identification, Authentication, and Authorization.
This policy is guided by the following objectives:
1. To ensure that the Town can, without limitation, operate and maintain its IT Resources;
2. To ensure that the Town can, without limitation, protect the security and functionality of Town IT Resources and the data stored on those resources;
3. To protect the Town's other property, rights, and resources;
4. To preserve the integrity and reputation of the Town;
5. To safeguard the privacy, property, rights, and data of users of Town IT Resources;
6. To protect and preserve public records pursuant to state law;
7. To comply with applicable existing federal, state, and local laws; and
8. To comply with existing Town policies, standards, guidelines, and procedures.
General Mission Statement
The Town strives to provide and maintain access for its employees to local, national and international sources of information and to provide an atmosphere that encourages sharing of knowledge, the creative process and collaborative effort to achieve the Town's public service missions. Access to the information system facilities at the Town is a privilege, not a right, and must be treated as such by all users of these systems. The smooth operation of Town IT Resources requires proper conduct by all users. All users must act honestly and responsibly. All users must respect the rights of other information system users, respect the integrity of the physical facilities and controls, and comply with all pertinent license and contractual agreements related to Town's IT Resources. All users shall act in accordance with these responsibilities, as well as applicable local, state and federal laws and regulations. Failure to conduct oneself in compliance with this Policy may result in denial of access to the Town's IT Resources and/or other appropriate disciplinary action.
Scope:
The Computer and Network Acceptable Use Policy applies to:
1. All authorized users of the Town of St. John including but not limited to all employees, consultants, contractors, vendors, interns, volunteers and other workers at the Town of St. John from third party entities;
2. All computer and network resources leased, owned, or managed by the Town of St. John and its contractors and consultants; and
3. All electronic communications records in the possession of the Town of St. John authorized users.
Information Classified as Public Records
Information created, maintained or obtained through any Town operated office or by any Town employee is a Public Record. Such records also include the notes and other customary documents prepared by any Town employee in the performance of their position and that position's responsibilities, regardless of the medium in which the record is created and/or stored.
Information communicated through Town electronic equipment, including computers and mobile electronic devices, are also Public Records. No Public Record may be altered, deleted, destroyed or removed from the system in which it is kept, unless in accordance with state law and any department's specific policies and procedures pertaining to same. If an employee seeks to alter, delete, destroy or remove a public record, prior written authorization must be obtained from the employee's immediate supervisor and/or Department Head. If the Public Record pertains to communication between the employee and their immediate supervisor and/or Department Head, written authorization to alter, delete, destroy or remove the communication must be authorized by the Clerk-Treasurer and/or Town Manager.
Definitions
For purposes of this Policy, as presently stated and as may be amended from time to time, the following definitions shall apply:
1. Authentication means the process through which a user proves his or her identify by providing sufficient User Credentials.
2. Authorization means the process of determining which services, privileges, and resources an authenticated user is entitled to access.
3. Electronic communications shall mean and include the use of any Town IT Resources in the communicating or posting of information or material by way of electronic mail (hereinafter e-mail), bulletin boards, World Wide Web (Internet), or other such electronic tools and/or messaging systems.
4. Identification means the process of establishing User Credentials in order to access and use Town IT Resources.
5. IT resources means all tangible and intangible computing and network assets, included but not limited to, hardware, software, wireless access, network bandwidth, mobile devices, printers, and paper, provided by or for the use of Town employees and personnel by the Town; these resources may be leased or owned by the Town.
6. Obscene shall mean material or matter that:
(a) An average person applying contemporary community standards would find the material, taken as a whole, predominantly appeals to the prurient interest or a shameful or morbid interest in nudity, sex, or excretion; and
(b) The material depicts or describes, in a patently offensive way, sexual conduct specifically set out in prevailing local, state or federal law; and
(c) The material, taken as a whole, lacks serious business value.
7. Public record means information that is created, stored and/or maintained by the Town that is classified as a public record under applicable law and cannot be destroyed and/or removed without prior authorization pursuant to the provisions in this personnel policy and state law.
8. Restricted information means information protected due to protective statutes, policies, or regulations.
9. Sensitive information means information protected due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a direct statutory, regulatory, or common-law basis for requiring this protection.
10. UID means a unique and persistent identifier assigned to an individual employee.
11. User shall mean and include any employee or other person to whom the Town has provided access to its IT Resources, or any person who has contact with Town IT Resources.
12. User credential means information used to access Town IT Resources. This type of information includes, but is not limited to, usernames, passwords, tokens, smartcards, biometric data, and digital certificates.
Unacceptable Uses of Town IT Resources
Unacceptable use of Town IT Resources includes, but is not necessarily limited to, the following:
1. Attempting to modify, remove or interface with information system equipment, software or peripherals without proper authorization from duly designated and appropriate Town Officials;
2. Accessing, without proper authorization, information system hardware, software, information or networks to which the Town belongs, regardless of whether such access takes place on or off of Town property or premises;
3. Use of authorization mechanisms of another user to gain access to the Town's IT Resources;
4. Providing personal authorization mechanisms to another user to provide that user with access to resources that he/she is not permitted to access. It shall be the responsibility of each user to make every reasonable effort to prevent another person from obtaining his/her authorization mechanisms without permission from duly designated and appropriate Town Officials;
5. Taking actions which interfere with the access of others to IT Resources;
6. Circumventing log on or other applicable security measures;
7. Using IT Resources for any illegal or unauthorized purpose;
8. Personal use of IT Resources or electronic communications for activities unrelated to the business operations of the Town and the specific job duties of the user;
9. Sending any fraudulent electronic communication;
10. Violating any software license or copyright, including installation, copying or redistributing copyrighted software, without the written authorization of the software owner and permission of duly designated and appropriate Town officials;
11. No employee shall bring onto Town premises and/or install and/or utilize any computer software not owned or purchased by the Town without the prior written approval of the Town Manager and IT Director. No evaluation, freeware, shareware, or any other type of software shall be loaded without prior approval of the Town Manager and the Town Council;
12. Disclosing proprietary or confidential information without the express authorization of duly designated and appropriate Town Officials;
13. Accessing other users' information or files without permission of duly designated and appropriate Town officials;
14. Forging, fraudulently altering or falsifying, or otherwise misusing Town or non-Town information system records;
15. Knowingly launching a computer worm, computer virus or other rogue program;
16. Downloading or posting illegal or damaging material into Town IT Resources;
17. Transporting illegal or damaging material across a Town information network;
18. Accessing, downloading, printing, storing, forwarding, transmitting or distributing material that is indecent, obscene, discriminatory, malicious, intimidating, hostile, harassing, threatening, contains racial slurs, or offensively addresses someone's age, sexual orientation, religion, national origin or disability;
19. Use of Town IT Resources for any partisan political purpose;
20. Violating any state or federal law or regulation in connection with use of any information system;
21. Altering or otherwise changing user authorization mechanisms (i.e., passwords) without the express permission of duly designated and appropriate Town Officials;
22. Port scanning or security scanning is expressly prohibited;
23. Executing any form of network monitoring which will intercept data not intended for the authorized user's host, unless this activity is part of the employee's normal job/duty;
24. Security software (i.e., firewalls, anti-virus, anti-spyware, etc.) shall not be removed or disabled for any reason; and
25. No equipment should ever be connected to the Town's network and/or communication infrastructure without the approval of the IT Director and/or Town Manager.
No Expectation of Privacy
The Town of St. John owns and operates all technology equipment utilized for the conduct of the Town's business. The maintenance, operation, and security of information system resources require the Town to monitor and access its IT Resources. The Town will monitor all communications made using its IT Resources, including, but not limited to, electronic mail communications. Employees have no expectation of privacy regarding the use of and access to Town IT Resources. The Town, at all times, reserves the right to enter, search and inspect the electronic mail and computer files of any employee, without advance notice, for business purposes. Employee consent with the Town's right to enter, search and inspect its computer systems shall be a condition of employment. In the event of suspected abuse of information system resources or suspected violations of this or other policies of the Town or suspected violations of law, the Town may:
1. Access all user information and files necessary to investigate the suspected abuse or violation;
2. Make any information and/or files available in any resultant or related grievance or disciplinary proceeding, to law enforcement agencies, or to courts or other governmental bodies; and
3. Suspend the user's access to information system resources pending the outcome of the investigation or any resultant proceeding.
Access Control. Identification, Authentication, and Authorization are controls that facilitate access to and protect Town IT Resources and data. Access to nonpublic IT Resources will be achieved by unique User Credentials and will require Authentication. The Town will assign User Identification and Credentials for Identification and Authentication (UID) purposes to each employee with a need to access Town IT Resources. Authorization for Town IT Resources depends on the individual's job responsibilities and need to access specific electronic information maintained by Town IT Resources. In all cases, only the minimum privileges necessary to complete required tasks are assigned to that individual employee. Privileges assigned to each employee will be reviewed on a periodic basis and modified or revoked upon a change in position and/or employment status with the Town.
No Unencrypted Authentication. Unencrypted Authentication and Authorization mechanisms are only as secure as the network they use. Traffic across the network may be surreptitiously monitored, rendering these Authentication and Authorization mechanisms vulnerable to compromise. Therefore, all Town IT Resources must use only encrypted Authentication and Authorization mechanisms unless otherwise authorized by the Town Manager and/or IT Resource Manager.
Email. In order to ensure transparency and accurate record-keeping under applicable law, employees are required to use their Town-issued email accounts for all electronic communication related to official Town business.
Use of E-mail for Town Business. An official Town e-mail or gmail account shall be considered an official means for communicating Town business, and may in some cases be the sole means of communication. Users are expected to read, and shall be presumed to have received and read, all official Town e-mail messages sent to their official Town e-mail account. Because the contents of such e-mails are subject to state laws governing public records, employees will need to exercise judgment in sending content that may be deemed confidential and/or sensitive. Furthermore, e-mail transmissions may not be secure, and contents that are expected to remain confidential should not be communicated via e-mail.
The author of any business e-mail messages assumes responsibility for assuring that messages do not violate any Town policies, regulations, or procedures. Disclaimers of confidentiality included in e-mail messages do not protect the sender if confidential information is shared or disclosed inappropriately.
E-Mail Retention and Disposal
Any e-mail sent from an employee's Town-issued email/gmail account may be considered a public record under the Indiana Public Records Act (IC 5-14-3) and may be subject to disclosure.1 E-mail correspondence and associated documents sent as attachments may be considered official Town records, and, as such, may need to be retained as public records. It is the responsibility of the Town employee engaged in the e-mail communication to determine the required retention period, to comply with applicable state law, and Town policies and procedures regarding record retention, and to preserve these e-mail records either electronically or in printed form with all of the associated header and transmission information.
E-mail stored on official Town systems shall generally be preserved on that system and/or pursuant to other policies and/or procedures of the Town or Department governing the saving and archiving of email, as amended from time to time. Log files associated with e-mail messages which provide a record of actual e-mail transactions, but not the e-mail content, shall also be preserved.
Users may not configure their official Town e-mail account to forward e-mail to an external e-mail address, unless written authorization is obtained from that employee's immediate supervisor or Department Head.
The Town may monitor the content of electronic mail as a routine procedure. The Town reserves the right to inspect, copy, store, or disclose the contents of electronic mail messages, but will do so only when it believes these actions are appropriate to:
1. Prevent or correct improper use of Town e-mail facilities;
2. Ensure compliance with Town policies, procedures, or regulations;
3. Satisfy a legal obligation; and
4. Ensure the proper operations of Town E-mail facilities or the data network.
Any Town Manager who believes such actions are necessary must first obtain the written approval of their immediate supervisor or Department Head, or if a Department Head, seek approval from the Town Manager.
1Refer to Access to Public Records Policy VIII.A.3 for more information.
Personal Electronic Devices
Electronic devices or services, including all cellular telephones, e-mail devices, and electronic access devices are valuable tools. The primary method for employees to use electronic devices and services for a documented Town business need is for Department In limited situations, Department Heads may authorize the use of Town-owned electronic devices or services for temporary periods, short-term events, and emergency purposes.
A review should be performed at least annually by each department head or designee to affirm continued business need of all electronic devices and/or services, as well as the effectiveness of any selected plan for same. This review may be incorporated as part of Town annual reviews and reminders coordinated by the department head with an employee's immediate supervisor.
When using a personal electronic device for official Town business, users are reminded that they are subject to all Town policies. In particular, users should be mindful of the Town's legal responsibility to preserve public records and handling of data that may be classified as same, as well as other policies and procedures regarding the secure use and transmission of Town data and/or public information.
In limited situations where Department Heads authorize Town-owned electronic devices for official Town business needs; the employee, supervisor, and Department Head, must sign an Employee Agreement for Town-Owned Electronic Device and Services acknowledging the responsibilities of each party as part of the Electronic Devices and Services policy. The departmental account will be billed in accordance with the associated contract(s).
For all Town-owned cell phones, employees and their immediate supervisors or designee will be provided a monthly detailed billing for review. The department will receive monthly billing reports, quarterly reports summarizing activity for each user, and a quarterly exception report. The department will review these quarterly reports with the department head or designee to assure an economical approach for each employee has been demonstrated, and to manage usage.
The department head or designee should verify at least annually the continued business need for these services for their employees and review the selected plan to assure an economical approach has been demonstrated for each user. In the application of this policy, departments or units have the discretion to adopt more restrictive provisions than outlined above.
Town departments may not separately enter into contracts for Town-owned electronic devices and services.
Personal Use of Devices. Town-owned electronic devices are intended for Town business use. These devices may be assigned to an individual employee or maintained within a department for "check-out" purposes. For purposes of this policy, personal use of a Town-provided cell phone of up to 10 minutes per month will be considered "de minimis" and will not require reimbursement to the Town.
For all Town-owned equipment, it is the responsibility of the department head to assure that:
1. Monthly Statements are verified for appropriate use, including "check-out" devices;
2. There is no personal use beyond the de minimis limit; and
3. Follow-up action is taken for inappropriate usage.
The employee's immediate supervisor shall discuss and monitor the use of electronic devices and services by nonexempt staff. Additional time worked may need to be reported for use during nonworking hours, such as during lunch, in the evening, and/or on the weekend; and may include overtime compensation.
Use of Devices while Driving. Use of electronic devices while driving Town vehicles is strongly discouraged. Drivers should pull off the road to a safe location while using an electronic device. The employee must also recognize that any local or state laws governing conduct of the use of certain electronic devices while driving preempt any policies, procedures and guidelines herein and that any violation and fine resulting from use of an electronic device shall be the responsibility of the individual employee. The Town will not reimburse the employee for fines and/or expenses incurred from violation of any local or state laws governing the use of certain electronic devices.
Remote Access (May not be necessary). Remote access to Town IT Resources must be accomplished in a manner that enables employees to carry out official Town business, while preventing unauthorized access and protecting the Town's IT Resources.
Unless specifically designated elsewhere in this Personnel Policy, such as in a job description requiring the employee to have remote access to perform work responsibilities, Remote access to IT Resources is not permitted unless the employee receives express written authorization from their immediate supervisor and/or Department Head.