HomeMy WebLinkAboutAdministrative Order 2010-02, Adoption of the City of Bozeman Information Technology Use Policy ADMINISTRATIVE ORDER NO. 2010 -02
Adoption of the City of Bozeman Information Technology Use Policy
It is hereby ordered the City of Bozeman Information Technology Use Policy is hereby adopted. This
administrative order supersedes prior administrative order 2009 -09. This order is effective January 19,
2010. `Q
DATED this 1 't day of January, 2010
yajj
Chris Kukulski, City Manager
,s od 13°Z*
Department of Information Technology
i
City of Bozeman, Montana
Information Technology Use Policy
Information Technology (IT) is a critical mechanism for operations and business communications at the City of
Bozeman (City).
The purpose of this policy is to outline appropriate and inappropriate use of the City's IT Systems and Services
in order to improve efficiencies and minimize disruptions to services and activities, as well as comply with
applicable policies and laws. All Department Heads, supervisors, employees, and officials with access to the
City's network are required to comply with this Policy. Failure to comply may result in the privilege of access to
the City's IT being revoked. See Section 10.
Scope
This policy applies to all internet, hardware, software applications, cell phone /smart phone devices and Email
systems owned by the City, all Internet and Email account users/holders at the City (temporary, permanent and
intern), all organizational Email and Internet records.
This policy is broken down into sections for ease of use:
Section 1) Account Activation/Termination;
Section 2) Password Construction Guidelines;
Section 3) Email Expectations;
Section 4) Internet Expectations;
Section 5) Appropriate Inappropriate use of all IT Systems and Service;
Section 6) Cell Phone smart phone;
Section 7) Monitoring and Confidentiality;
Section 8) Reporting Misuse;
Section 9) Disclaimer;
Section 10) Failure to Comply;
Page 1
Section 1
Account Activation/Termination
1.0 Internet and email access at the City is controlled through individual accounts and passwords. Each user
of the City's Internet and Email system shall read and sign a copy of this IT Use Policy prior to receiving any
password, internet, and email access. It is the responsibility of the employee to protect the confidentiality of their
accounts and password information. Standalone computers and programs will have individual profiles to keep
the integrity of the individual's usernames and password confidential. If multiple profiles are needed for
standalone computers, please contact the IT Department.
1.1 Password, Internet and Email accounts may be granted to third party non employees on a case -by -case
basis. Possible non employees that may be eligible for access include:
City Board members
Contractors
Internships (paid non paid)
Volunteers
Designated others
Applications for these temporary accounts must be submitted in writing to the Director of IT. All terms,
conditions, and restrictions governing password, internet, and email use must be in a written and signed
agreement approved by the Director of IT.
1.2 Passwords, internet, phone use, and email access will be terminated when the employee or third party
terminates their association with the City, unless other arrangements are made.
1.3 The City is under no obligation to store or forward personal contents of an individual's Email
inbox/outbox after the term of their association has ceased. All correspondences are the property of the City and
will be stored according to the City's records retention policy.
Section 2
Password Construction Guidelines
2.0 Passwords are used to access any number of City systems, including the network, email, the internet, and
voicemail. Weak passwords are easily cracked, and place the entire system at risk. Therefore, strong passwords
are required. Try to create a password that is also easy to remember.
Passwords must be changed every 180 days.
Old passwords cannot be re -used for a period of 36 months.
Users will be notified 2 weeks in advance of password expiration date. At this time, users will be
prompted to select a new password.
Passwords will not be shared with others.
All passwords must conform to the guidelines outlined below.
Passwords should not be based on well -known or easily accessible personal information.
Page 2
Passwords must contain at least 8 characters.
Passwords must contain at least 1 uppercase letters (e.g. A) and 1 lowercase letter (e.g. a).
Passwords must contain at least 1 numerical character (e.g. 6).
Passwords must contain at least 1 special characters (e.g.
Section 3
Email Expectations
3.0 Official communications are often delivered via email. As a result, employees of the City with Email
accounts are expected to check their email in a consistent and timely manner so that they are aware of important
organizational announcements and updates, as well for fulfilling business and role oriented tasks.
3.1 Email users are responsible for mailbox management, including organization, size management and
periodic cleaning. If a user subscribes to a mailing list, he or she must be aware of how to remove him/her from
the list, and is responsible for doing so in the event that their current email address changes.
3.2 Email users must have an accurate and detailed description of the subject of the email in the subject line.
Email users should refrain from changing subjects /topics during an email chain. If a new subject is to be
discussed a new chain must be created. All users must have a signature block consisting of their name, title and
contact information. The IT Department will stamp each email with the approved compliance language per
MCA for all email users.
3.3 As City of Bozeman emails are used primarily for official communication, employees and officials
must recognize emails are generally considered public records and subject to the Montana Open Records Act.
Officials and employees are authorized to use email for personal use in limited amounts as a convenience to the
employee or official. When an employee or official uses email for personal use, however, because emails are
generally considered public records, the employee or official specifically recognizes any privacy interests in the
contents, the sender, or the recipients of an email is greatly reduced. Employees or officials wishing to maintain
privacy in their email communications are encouraged to use a personal email account for those communications.
3.4 Email users also understand emails may be searched for and reviewed during litigation where the City
of Bozeman, its employees, officials, or agencies are a party. Emails that may contain private information may be
released during the course of litigation without notice to the holder of the account. Emails that may violate this
policy may be forwarded to the employee's department head for review in compliance with Sections 7 and 10,
below.
Section 4
Internet Expectations
4.0 Appropriate and inappropriate use of the City's internet resources, including the world wide web,
extranet, intranet, FTP (File Transfer Protocol), and IM (Instant Messaging) shall be used as outlined in this
policy. The City makes the internet available for officials and employees as a tool to facilitate the effective
operation of City government. As such, any employee using the internet for limited personal use specifically
recognizes any privacy interests in the contents or search histories are greatly reduced. Employees or officials
wishing to maintain privacy in their internet use are encouraged to use a personal network.
Page 3
4.1 The social networking policy portion applies to all employees, contractors, City boards and City elected
officials. Any material presented online in reference to the City by any employee is the responsibility of the
poster. We encourage all communication be made in an identifying manner, to establish credibility. Along with
clear identification, employees must state that any opinion is theirs individually and not a form of official
communication from the City. Employees are prohibited from posting, transmitting and /or disseminating any
photographs, video or audio recordings, likenesses or images of department logos, emblems, uniforms, badges,
patches, marked vehicles, equipment, or other materials that specifically identifies the City on any personal or
social networking website or web page, without the permission of the Department Head.
4.2 The City recognizes the expanding business uses and applications of social networking sites and
wishes to take advantage of these technologies. Concurrently, we recognize the need to ensure the public
that City employees are making efficient use of their time while on the job, and focus on tasks at hand
without unnecessary interruptions. For these reasons, City employee use of social networking sites will be
limited to their Department's registered account on specific sites, as created by the IT Department.
4.3 Department Heads must approve the creation of registered accounts on social networking sites, and
Department Heads are responsible for ensuring that employee time spent on these sites is appropriate and
work related.
The City's Police Detective Division will be granted expanded access to social networking sites by the IT
Department, per approval of the Police Chief and IT Director.
This policy includes (but is not limited to) the following specific technologies:
Personal blogs
Linkedin
Twitter
Facebook
MySpace
Personal Web sites
Digg
Use of these services is subject to the conditions shown but, not limited to in section 5.
Section 5
Appropriate Use for all IT Systems
5.0 Individuals at the City should use these systems to further the goals and objectives of the organization.
5.1 Activities that are encouraged include:
communicating with fellow employees, business partners of the City, and public constituents
within the context of an individual's assigned responsibilities;
Page 4
acquiring or sharing information necessary or related to the performance of an individual's
assigned responsibilities; and
participating in educational or professional development activities.
Inappropriate Use for all IT Systems
5.2 The City's IT systems and services shall not be used for purposes that could be reasonably expected to
cause excessive strain on systems. Individual email and internet use will not interfere with others' use of the
City's email and internet system and services. All technology use at the City will comply with all applicable
laws, MCA 45 -6 -311, City Charter 2.01.030 2.01.060, City policies to include the City's Sexual Harassment
Policy, City's Employee Handbook, found in Appendix D.
5.3 In addition to the expectations included in Sections 3.3 and 4.0, above, the following activities are
deemed inappropriate uses of City IT systems and services and are prohibited:
Use of IT Systems for illegal or unlawful purposes, including copyright infringement, obscenity,
libel, slander, fraud, defamation, plagiarism, harassment, intimidation, forgery, impersonation,
soliciting for illegal schemes, and computer tampering (e.g. spreading of computer viruses);
Use of IT Systems in any way that violates the City's policies, rules, or administrative orders;
Viewing, copying, altering, or deletion of email and internet accounts or files belonging to the
City or another individual without authorized permission. This includes any individuals leaving
their current positions with the City;
Disabling of protective services or software without IT authorization;
Sending of unreasonably large email attachments. The total size of an individual email message
sent (including attachment) should be 25MB or less;
Opening email attachments from unknown or unsigned sources. Attachments are the primary
source of computer viruses and should be treated with utmost caution;
Sharing email and internet account passwords with another person, or attempting to obtain another
person's email and internet account password. Email and internet accounts are only to be used by
the registered user; and
Excessive personal use of the City's IT Systems. The City allows limited personal use of email for
communication with family and friends, independent learning, and public service provided it does
not interfere with staff productivity, pre -empt any business activity or consume more than a
minimal amount of resources. The City prohibits personal use of its email systems and services for
unsolicited mass mailings, non -City commercial activity, political campaigning, dissemination of
chain letters and use by non employees.
Section 6
CeII Phone Smartphone
6.0 It is in the best interest of the City to enable authorized employees to carry cell phones and smart phones.
Doing so increases the efficiency and safety of City operations. These employees are authorized and required to
carry a city provided devices. The City benefits by:
Page 5
redundancy of communication capabilities; when land -lines fail, key employees are already
carrying cell phones with data service. This can be critical for saving lives and resources in public
safety and public works emergencies;
enables the contact of key employees 24 hours /day, 7 days /week;
enables employees to complete work and correspondence while away from their desks, during the
customary work day, nights, weekends, and holidays; and
enables employees to complete work and correspondence from home, after the customary work
day has ended.
6.1 Service Agreements The City will provide a service agreement sufficient to cover all City business
related communication (calls, data, text.) The IT Department is responsible for enrolling individual accounts in
the appropriate service plan after consultation with the appropriate Department Head.
The IT Department will conduct a review of all service agreements every six months. They will make changes to
agreements to ensure that accounts are not "over" or "under" subscribed for City related activity at that time.
It is the Department Head's responsibility to identify any unauthorized charges or calls on the accounts that
operate for the benefit of their departments and report them to the IT Department in a timely fashion.
No Department Head or other employee may independently contract for City cell phone /smart phone service on
their own.
6.2 Monthly Billing On a monthly basis, Department Heads are responsible for reviewing and approving
their respective departments' bills.
6.3 Personal Use City- provided devices will only be issued when it is in the best interest of the City to do
so. Employees who are assigned to carry a city provided phone or data device may use the device for limited
personal use. Annually, employees must declare the amount of personal phone call usage incurred for the
purpose of complying with IRS regulation for taxable fringe benefits. Designated employees must sign and
submit a completed "Employee Declaration of Personal Cell Phone Usage" form to the City Accounting
Department prior to issuance of a City- provided device. When an employee or official uses a cell
phone /Smartphone for personal use the employee or official must recognize data stored on these systems may be
considered public records. As such, the employee or official specifically recognizes any privacy interests in the
contents, the sender, or the recipients of any data transferred via a device is greatly reduced. This includes text
messages or other messaging. The City will seek to protect the privacy of any communications using these
devices for use subject to the Employee Declaration of Personal Cell Phone Usage. As such, employees wishing
to maintain complete privacy in their communications are encouraged to use a personal device for those
communications.
The Finance Department will conduct a review of personal use declarations every 6 months. They will sample
employee accounts and review for actual personal use versus declared personal use. Employees may be asked to
modify their declaration when discrepancies are found.
6.4 Device Purchases Replacements The IT Department will determine when a cell phone /Smartphone
device needs replacement IT will purchase, set -up and service the device. The cost of the new or replaced
device will be charged to the benefitting employee's department.
Page 6
1
Section 7
Monitoring and Confidentiality
7.0 The IT systems and services used at the City are owned by the public. The use of these services by an
employee means the employee understands these services are neither private nor confidential when used for
personal communications. This gives the City the right to monitor any and all email, messaging, or internet
traffic passing through its email and internet system. While the IT Department does not actively read end -user
email or messaging email messages may be inadvertently read by IT staff during the normal course of managing
the email /messaging system.
7.1 In addition, backup copies of email messages and other messaging data may exist, despite end -user
deletion, in compliance with the City's records retention policy. The goals of these backup and archiving
procedures are to ensure system reliability and prevent business data loss.
7.2 If the City discovers, or has good reason to suspect an employee's or official's email or internet activities
do not comply with applicable laws or this policy, the city may retrieve and use any email, messaging and
internet records in any legal or disciplinary action. Only the City Manager may authorize a review of an
official's or employee's email, messaging, or internet records and only a Department Head of the appropriate
department, the City Manager and /or City Attorney, as appropriate, may review an email account or internet
activity. The Department Head requesting the review must submit the request after written approval by the City
Manager to the IT Director. An employee will be notified of such a review for email accounts unless the
employee or official is unavailable prior to the review being conducted. In such a case, the employee or official
shall be notified of the review of their email account as soon as practicable. An employee or official will not be
notified of a review of their internet activity.
7.3 Employees shall use extreme caution when communicating confidential or sensitive information via email
and internet systems. Keep in mind that all email messages sent outside of the City become the property of the
receiver. A good rule is to not communicate anything that you wouldn't feel comfortable being made public.
Demonstrate particular care when using the "Reply" or "Reply to All" command during email correspondence.
Section 8
Reporting Misuse
8.0 Any allegations of misuse should be promptly reported to the IT Department. If you receive an offensive
email, do not forward, delete, or reply to the message. Instead, report it directly to the IT Department via
telephone before taking any additional action.
Page 7