ADMINISTRATIVE ORDER NO. 2009-09
Adoption of the City of Bozeman Information Technology Use Policy
It is hereby ordered the City of Bozeman Information Technology Use Policy is hereby adopted. This
administrative order supersedes prior administrative orders 2007-06A and 1999-01. This order is
effective November 23, 2009.
DATED this Z day of November, 2009
Chris Kukulski, City Manager
Department of Information Technology
City of Bozeman, Montana
Information Technology Use Policy
Information Technology (IT) is a critical mechanism for operations and business communications at the City of
Bozeman (City).
The purpose of this policy is to outline appropriate and inappropriate use of the City's IT Systems and Services
in order to improve efficiencies and minimize disruptions to services and activities, as well as comply with
applicable policies and laws. All Department Heads, supervisors, employees, and officials with access to the
City's network are required to comply with this Policy. Failure to comply may result in the privilege of access to
the City's IT being revoked. See Section 10.
Scope
This policy applies to all internet, hardware, software applications, cell phone/smart phone devices and Email
systems owned by the City, all Internet and Email account users/holders at the City (temporary, permanent and
intern), all organizational Email and Internet records.
This policy is broken down into sections for ease of use:
Section 1) Account Activation/Termination;
Section 2) Password Construction Guidelines;
Section 3) Email Expectations;
Section 4) Internet Expectations;
Section 5) Appropriate/Inappropriate use of all IT Systems and Service;
Section 6) Cell Phone/smart phone;
Section 7) Monitoring and Confidentiality;
Section 8) Reporting Misuse;
Section 9) Disclaimer;
Section 10) Failure to Comply;
Section 1
Account Activation/Termination
1.0 Internet and email access at the City is controlled through individual accounts and passwords. Each user
of the City's Internet and Email system shall read and sign a copy of this IT Use Policy prior to receiving any
password, internet, and email access. It is the responsibility of the employee to protect the confidentiality of their
accounts and password information. Standalone computers and programs will have individual profiles to keep
the integrity of the individual's usernames and password confidential. If multiple profiles are needed for
standalone computers, please contact the IT Department.
1.1 Password, Internet and Email accounts may be granted to third-party non-employees on a case-by-case
basis. Possible non-employees that may be eligible for access include:
City Board members
Contractors
Internships (paid/non-paid)
Volunteers
Designated others
Applications for these temporary accounts must be submitted in writing to the Director of IT. All terms,
conditions, and restrictions governing password, internet, and email use must be in a written and signed
agreement approved by the Director of IT.
1.2 Passwords, internet, phone use, and email access will be terminated when the employee or third party
terminates their association with the City, unless other arrangements are made.
1.3 The City is under no obligation to store or forward personal contents of an individual's Email
inbox/outbox after the term of their association has ceased. All correspondences are the property of the City and
will be stored according to the City's records retention policy.
Section 2
Password Construction Guidelines
2.0 Passwords are used to access any number of City systems, including the network, email, the internet, and
voicemail. Weak passwords are easily cracked, and place the entire system at risk. Therefore, strong passwords
are required. Try to create a password that is also easy to remember.
Passwords must be changed every 180 days.
Old passwords cannot be re-used for a period of 36 months.
Users will be notified 2 weeks in advance of password expiration date. At this time, users will be
prompted to select a new password.
Passwords will not be shared with others.
All passwords must conform to the guidelines outlined below.
Passwords should not be based on well-known or easily accessible personal information.
Passwords must contain at least 8 characters.
Passwords must contain at least 1 uppercase letter (e.g. A) and 1 lowercase letter (e.g. a).
Passwords must contain at least 1 numerical character (e.g. 4).
Passwords must contain at least 1 special character (e.g.
Section 3
Email Expectations
3.0 Official communications are often delivered via email. As a result, employees of the City with Email
accounts are expected to check their email in a consistent and timely manner so that they are aware of important
organizational announcements and updates, as well as for fulfilling business and role-oriented tasks.
3.1 Email users are responsible for mailbox management, including organization, size management and
periodic cleaning. If a user subscribes to a mailing list, he or she must be aware of how to remove him/her from
the list, and is responsible for doing so in the event that their current email address changes.
3.2 Email users must have an accurate and detailed description of the subject of the email in the subject line.
Email users should refrain from changing subjects/topics during an email chain. If a new subject is to be
discussed a new chain must be created. All users must have a signature block consisting of their name, title and
contact information. The IT Department will stamp each email with the approved compliance language per
MCA for all email users.
3.3 As City of Bozeman emails are used primarily for official communication, employees and officials
must recognize emails are generally considered public records and subject to the Montana Open Records Act.
Officials and employees are authorized to use email for personal use in limited amounts as a convenience to the
employee or official. When an employee or official uses email for personal use, however, because emails are
generally considered public records, the employee or official specifically recognizes any privacy interests in the
contents, the sender, or the recipients of an email are greatly reduced. Employees or officials wishing to maintain
privacy in their email communications are encouraged to use a personal email account for those communications.
Section 4
Internet Expectations
4.0 Appropriate and inappropriate use of the City's internet resources, including the world wide web,
extranet, intranet, FTP (File Transfer Protocol), and IM (Instant Messaging) shall be used as outlined in this
policy. The City makes the internet available for officials and employees as a tool to facilitate the effective
operation of City government. As such, any employee using the internet for limited personal use specifically
recognizes any privacy interests in the contents or search histories are greatly reduced. Employees or officials
wishing to maintain privacy in their internet use are encouraged to use a personal network.
4.1 The social networking policy portion applies to all employees, contractors, City boards and City elected
officials. Any material presented online in reference to the City by any employee is the responsibility of the
poster. We encourage all communication be made in an identifying manner, to establish credibility. Along with
clear identification, employees must state that any opinion is theirs individually and not a form of official
communication from the City. Employees are prohibited from posting, transmitting and/or disseminating any
photographs, video or audio recordings, likenesses or images of department logos, emblems, uniforms, badges,
patches, marked vehicles, equipment, or other materials that specifically identify the City on any personal or
social networking website or web page, without the permission of the Department Head.
4.2 The City recognizes the expanding business uses and applications of social networking sites and
wishes to take advantage of these technologies. Concurrently, we recognize the need to ensure the public
that City employees are making efficient use of their time while on the job, and focus on tasks at hand
without unnecessary interruptions. For these reasons, City employee use of social networking sites will be
limited to their Department's registered account on specific sites, as created by the IT Department.
4.3 Department Heads must approve the creation of registered accounts on social networking sites, and
Department Heads are responsible for ensuring that employee time spent on these sites is appropriate and
work related.
The City's Police Detective Division will be granted expanded access to social networking sites by the IT
Department, per approval of the Police Chief and IT Director.
This policy includes (but is not limited to) the following specific technologies:
Personal blogs
LinkedIn
Twitter
Facebook
MySpace
Personal Web sites
Digg
Use of these services is subject to, but not limited to, the conditions shown in Section 5.
Section 5
Appropriate Use for all IT Systems
5.0 Individuals at the City should use these systems to further the goals and objectives of the
organization.
5.1 Activities that are encouraged include:
communicating with fellow employees, business partners of the City, and public
constituents within the context of an individual's assigned responsibilities;
acquiring or sharing information necessary or related to the performance of an
individual's assigned responsibilities; and
participating in educational or professional development activities.
Inappropriate Use for all IT Systems
5.2 The City's IT systems and services shall not be used for purposes that could be reasonably
expected to cause excessive strain on systems. Individual email and internet use will not interfere with
others' use of the City's email and internet system and services. All technology use at the City will
comply with all applicable laws, MCA 45-6-311, City Charter 2.01.030 2.01.060, City policies to
include the City's Sexual Harassment Policy, City's Employee Handbook, found in Appendix D.
5.3 In addition to the expectations included in Sections 3.3 and 4.0, above, the following activities
are deemed inappropriate uses of City IT systems and services and are prohibited:
Use of IT Systems for illegal or unlawful purposes, including copyright infringement,
obscenity, libel, slander, fraud, defamation, plagiarism, harassment, intimidation, forgery,
impersonation, soliciting for illegal schemes, and computer tampering (e.g. spreading of
computer viruses);
Use of IT Systems in any way that violates the City's policies, rules, or administrative
orders;
Viewing, copying, altering, or deletion of email and internet accounts or files belonging
to the City or another individual without authorized permission. This includes any
individuals leaving their current positions with the City;
Disabling of protective services or software without IT authorization;
Sending of unreasonably large email attachments. The total size of an individual email
message sent (including attachment) should be 25MB or less;
Opening email attachments from unknown or unsigned sources. Attachments are the
primary source of computer viruses and should be treated with utmost caution;
Sharing email and internet account passwords with another person, or attempting to
obtain another person's email and internet account password. Email and internet accounts
are only to be used by the registered user; and
Excessive personal use of the City's IT Systems. The City allows limited personal use of
email for communication with family and friends, independent learning, and public
service provided it does not interfere with staff productivity, pre-empt any business
activity or consume more than a minimal amount of resources. The City prohibits
personal use of its email systems and services for unsolicited mass mailings, non-City
commercial activity, political campaigning, dissemination of chain letters and use by
non-employees.
Section 6
Cell Phone/Smartphone
6.0 It is in the best interest of the City to enable authorized employees to carry cell phones and smart phones.
Doing so increases the efficiency and safety of City operations. These employees are authorized and required to
carry a City-provided device. The City benefits by:
redundancy of communication capabilities; when land-lines fail, key employees are already
carrying cell phones with data service. This can be critical for saving lives and resources in public
safety and public works emergencies;
enables the contact of key employees 24 hours/day, 7 days/week;
enables employees to complete work and correspondence while away from their desks, during the
customary work day, nights, weekends, and holidays; and
enables employees to complete work and correspondence from home, after the customary work
day has ended.
6.1 Service Agreements: The City will provide a service agreement sufficient to cover all City business
related communication (calls, data, text). The IT Department is responsible for enrolling individual accounts in
the appropriate service plan after consultation with the appropriate Department Head.
The IT Department will conduct a review of all service agreements every six months. They will make changes to
agreements to ensure that accounts are not "over" or "under" subscribed for City related activity at that time.
It is the Department Head's responsibility to identify any unauthorized charges or calls on the accounts that
operate for the benefit of their departments and report them to the IT Department in a timely fashion.
No Department Head or other employee may independently contract for City cell phone/smart phone service on
their own.
6.2 Monthly Billing: On a monthly basis, Department Heads are responsible for reviewing and approving
their respective departments' bills.
6.3 Personal Use: City-provided devices will only be issued when it is in the best interest of the City to do
so. Employees who are assigned to carry a City-provided phone or data device may use the device for limited
personal use. Annually, employees must declare the amount of personal phone call usage incurred for the
purpose of complying with IRS regulation for taxable fringe benefits. Designated employees must sign and
submit a completed "Employee Declaration of Personal Cell Phone Usage" form to the City Accounting
Department prior to issuance of a City-provided device. When an employee or official uses a cell
phone/Smartphone for personal use the employee or official must recognize data stored on these systems may be
considered public records. As such, the employee or official specifically recognizes any privacy interests in the
contents, the sender, or the recipients of any data transferred via a device are greatly reduced. This includes text
messages or other messaging. The City will seek to protect the privacy of any communications using these
devices for use subject to the Employee Declaration of Personal Cell Phone Usage. As such, employees wishing
to maintain complete privacy in their communications are encouraged to use a personal device for those
communications.
The Finance Department will conduct a review of personal use declarations every 6 months. They will sample
employee accounts and review for actual personal use versus declared personal use. Employees may be asked to
modify their declaration when discrepancies are found.
6.4 Device Purchases/Replacements: The IT Department will determine when a cell phone/Smartphone
device needs replacement. IT will purchase, set up and service the device. The cost of the new or replaced
device will be charged to the benefitting employee's department.
Section 7
Monitoring and Confidentiality
7.0 The IT systems and services used at the City are owned by the public. The use of these services by an
employee means the employee understands these services are neither private nor confidential when used for
personal communications. This gives the City the right to monitor any and all email, messaging, or internet
traffic passing through its email and internet system. While the IT Department does not actively read end-user
email or messaging, email messages may be inadvertently read by IT staff during the normal course of managing
the email/messaging system.
7.1 In addition, backup copies of email messages and other messaging data may exist, despite end-user
deletion, in compliance with the City's records retention policy. The goals of these backup and archiving
procedures are to ensure system reliability and prevent business data loss.
7.2 If the City discovers, or has good reason to suspect activities that do not comply with applicable laws or
this policy, email, messaging and internet records may be retrieved and used accordingly in any legal or
disciplinary action. Only the City Manager may authorize a review of an official's or employee's email,
messaging, or internet records. If so, only a Department Head of the appropriate department, the City Manager
and City Attorney, as appropriate, are authorized to review the accounts and only after a request in writing is
submitted to the IT Director. In most cases, an employee will be notified of such a review. Notifications may not
be possible, however, during an investigation into whether the official or employee is violating this or any other
City policy, or when the employee cannot be contacted, as in the case of employee absence due to vacation.
7.3 Employees shall use extreme caution when communicating confidential or sensitive information via
email and internet systems. Keep in mind that all email messages sent outside of the City become the property of
the receiver. A good rule is to not communicate anything that you wouldn't feel comfortable being made public.
Demonstrate particular care when using the "Reply" or "Reply to All" command during email correspondence.
Section 8
Reporting Misuse
8.0 Any allegations of misuse should be promptly reported to the IT Department. If you receive an offensive
email, do not forward, delete, or reply to the message. Instead, report it directly to the IT Department via
telephone before taking any additional action.
Section 9
Disclaimer
9.0 The City assumes no liability for direct and/or indirect damages arising from the use of the City's email
system and services. Users are solely responsible for the content they disseminate. The City is not responsible for
any third-party claim, demand, or damage arising out of use of the City's email systems or services.
Section 10
Failure to Comply
10.0 Violations of this policy will be treated like other allegations of wrongdoing. Allegations of misconduct
will be adjudicated according to established procedures, City policies and the City's Charter. Sanctions for
inappropriate use on the City's IT systems and services may include, but are not limited to, one or more of the
following:
Temporary or permanent revocation of email and/or internet access;
Disciplinary action according to applicable City policies;
Termination of employment; and/or
Legal action according to applicable laws and contractual agreements.
Recognition and Acceptance of City IT Use Policy
I hereby acknowledge I have read and understand the IT Use Policy of the City. I agree to abide by this policy. I
understand that if I violate this policy, I may face legal and/or disciplinary action.
I ALSO UNDERSTAND THAT ANY PERSONAL USE OF THE CITY'S NETWORK, EMAIL,
INTERNET, OR OTHER DEVICES I MAY BE AUTHORIZED TO CONDUCT IS DONE SO WITH
THE FULL EXPECTATION AND REALIZATION THAT MY PRIVACY INTERESTS ARE
GREATLY REDUCED. I RECOGNIZE THAT IF I WANT TO MAINTAIN CONFIDENTIALITY IN
MY PERSONAL USE I WILL NOT USE ANY CITY NETWORK OR DEVICE FOR MY PERSONAL
COMMUNICATIONS.
I further release and agree to indemnify and hold the City and its officials, trustees, employees, and agents
harmless for any loss, damage, expense or liability resulting from any claim, action or demand arising out of or
related to the user's intentional misuse or personal use of City owned computer resources and the network,
including reasonable attorney fees to include claims without limitation based on trademark or service mark
infringement, trade name infringement, copyright infringement, unfair competition, defamation, unlawful
discrimination or harassment, and invasion of privacy.
Name
Signature
Date