Resolution 06-1143RESOLUTION 1N.O. 06-1143
A RESOLUTION OF THE CITY OF LONGWOOD,
FLORIDA ESTABLISIIVIG INFORMATION
TECHNOLOGY POLICIES AND PROCEDURES;
PROVIDING FOR AN EFFECTIVE DATE.
WHEREAS, Information Technology encompasses many facets of daily business
within the City; and
WHEREAS, the City desires to establish a uniform set of policies and procedures
.regarding the use of all Information Technology; and
WHEREAS, these policies and procedures will establish centralized management
for all Information Technology and provide for appropriate discipline.
NOW, THEREFORE, BE IT RESOLVED that the City Conimission of the
City of Longwood do hereby adopt the following Information Technology Policies and
Procedures:
Section 1. Governance.
1.1 Policy
To provide cost effective-compu;ting tools to the employees of the City in
order to facilitate their ability to effectively and efficiently serve the
customers and residents of the City of Longwood. This policy shall apply
to all personnel that use a City owned computer, or access the City system
through the use of a private computer, or access the City system through
the use of a portable handheld device, whether City owned or privately
owned.
1.2 Management
The City Administrator shall implement, manage, and enforce the
Governance Policy.
Section 2. Computer Hardware.
2.1 Policy
All computer hardware purchased for use within the City, whether on. the
network or not, shall be specified and approved by the Computer Services
Division (CSD), and may be charged to the using department/division and
installed by the CSD.
2.2 Purpose/Description
Having CSD review and install computer hardware will ensure the
hardware purchased will conform to City technical standards, meet
Resolution No. 06-1143
Page 2 of 12
computer security requirements and interface properly with other
computerized equipment in the City.
2.3 Enforcement
The Purchasing Division will reject. all requests for computer hardware
that has not been reviewed and approved by CSD. Airy computer hardware
found to be in use without CSD approval will be disconnected
immediately and confiscated. The incident will be reported to the
violator's Department Head and the City Administrator and may result in
disciplinary action up to and including termination.
2.4 Responsibilities
Computer Services Division
CSD will specify, review and approve and install all computer hardware.
CSD will maintain and periodically. inventory all hardware within the City
to confrnn policy enforcement and to provide for verification of fixed
asset tracking for insurance purposes.
Purchasing Division — Ensure -,,hat the CSD reviews and approves all
requests for computer hardware.
End -Users — Work with CSD to determine hardware needs and to develop
an appropriate annual budget.
Section 3. Computer Software.
3.1 Pol[icy
It is the policy of the City to adapt or modify the existing operating and
application software to meet the present and future needs of the user
department/division. If the existing system cannot be modified; then
packaged software that integrates with the existing system will always be
preferred. Custom software shall', be discouraged.
3.2 Purpose/Description
CSD shall review, approve and install computer software to ensure the
software purchased will conform to City technical standards, meet
computer security requirements and will interface properly with other
computerized hardware and/or software within the City as required.
3.3 Software Acquisition
All packaged software will be: purchased with software maintenance
agreements that will be maintained by the CSD. Acquiring packaged
software to satisfy functional application needs is a joint responsibility
between the CSD and the using department, with final authority for
acquisition with the CSD. The using department is responsible to ensure
the packaged software obtained will meet their functional needs. CSD will
ensure the packaged software can technically operate in the City's
Resolution No. 06-1143
Page 3 of 12
environment and provide cost: and budget infonnation into the decision
making process.
If either the existing system caiuiot be modified or packaged software
cannot be purchased to meet the functional application needs of the using
department/division in the sole opinion of the CSD; then with the approval
of the City Administrator, the C;31) will purchase the appropriate custom
software. Such software must. meet the same technical requirements as
packaged software.
3.4 Software Responsibilities
The CSD is responsible for ensuring the maintenance of software products
to include applying patches, upgrades and fixes. CSD will ensure the
software is operational. The using department is responsible for functional
training and understanding how the system functionally operates to satisfy
the business need.
3.5 Enforcement
The Purchasing Division will reject all requests for computer software that
does not have review and approval from CSD. Any computer software
found to be m use without CSD or City Administrator approval will be
removed immediately and con.Fscated. The incident will be reported to the
violator's Department/division Head and the City Administrator and may
result in disciplinary action up to and including termination.
3.6 Responsibilities
Using Department — Work with CSD to determine functional software
requirements. After purchase„ the end -user is responsible for
understanding the functional aspects of their software and providing
adequate end -user training on its use.
Computer Services Division — Work with end -users in the acquisition
process. Maintain the software in an operational state. Provide for
upgrading of the software in cooperation with the end -user as new releases
are issued.
Purchasing Division — Ensure that all requests for computer software are
reviewed and approved by the CSD or the City Administrator.
Department/Division Heads — Ensure enforcement of the policies through
disciplinary actions if necessary for those violating the policy.
Section 4. Email.
4.1 Policy '
As a productivity enhancement tool, the city encourages the business use of
email. Email access will be granted to all City employees with computer
technology capable of executing the programs unless specifically denied by
�- " the employee's Department Head or the City Administrator.
Resolution No. 06)-1143
Page 4 of 12
4.1 Purpose/Description
The purpose of this policy is to clearly define the acceptable use of the
City's email system and what actions are prohibited.
4.3 Ownership of the Email System
The City's email systems belong to the City of Longwood and the contents
of any email conninunication axe accessible at all times by the City for any
business related or other purpose. These systems may be accessed at
anytime, with or without advance notice. Although an employee may have
a personal password, the City, without the employee's knowledge or
consent, can access email on the City's email system whether business
related or personal. Nothing i,n or on the email system should be
considered confidential.
4.3 Acceptable Use
Use of the City's email system is intended for City related business. Al.l
employees are to use email as they would .any other type of official City
communications tool. When any email is transmitted, both the reader and
sender should consider if the communication falls within ethical
guidelines. No communication should contain confidential information.
Communication by email is encouraged when it results in the most
efficient and/or effective means of communication.
Incidental and occasional personal use of the email systems is permitted
by the City employees but these email messages will be treated the same
as other business related email massages.
The following are guidelines when using the City's email system for
personal use:
O Personal incoming or outgoing email must be kept to a minimum
so that it does not consume more than a trivial amount of system
resources
o Personal incoming or outgoing email must not interfere with an
employees work during. working hours
44 Prohibited Uses
® Charitable or fundraising campaigns unless specifically approved
in advance by the City .Administrator
m Email. may not be used for soliciting or proselytizing for
cormnercial ventures, job. searches, chain letters, religious or
personal causes or outside organizations or other similar, non -job -
related solicitations
Resolution No. 06-1143
Page 5 of 12
® Employees may .not use the City's email system in any way that
maybe seen as insulting, disruptive, or offensive by other persons,
or harmful to morale. Examples of forbidden transmissions
include, but are not J mited to, sexually -explicit messages,
gambling, cartoons, or jokes; unwelcome propositions or love
letters; ethnic or racial slurs; or any other message that can be
construed to be harassment or disparagement of others based on
their sex, race, sexual orientation, age, position with the City,
national origin, religious or political beliefs
® Use of email to send copies of documents in violation. of copyright
laws
m Use of the email system to compromise the integrity of the City or
its business in any way
® Use of email to offer for sale non -City related items
a Use of email for political campaign
4.5 Retention of Email
Computer Services Division provides backup of email intended for public
records purposes, system restoration and long tern storage.
4.6 Enforcement
The CSD will provide for the; enforcement of these policies through the
use of monitoring technology and report violations to the
Department/Division Head of the offending employee and the City
Administrator for disciplinary ac,, on up to and including termination.
4.7 Responsibilities
Departmental Supervisors - Supervisors are responsible for ongoing
enforcement of this policy for employees under their control.
End -Users — Must be aware of these policies and ensure compliance.
Department/Division Heads — Ensure enforcement of the policies through
disciplinary actions, if necessary; for those violating the policy.
Computer Services Division - Monitor and report violations:
Section 5. Internet.
5.1 Policy
As a productivity enhancement t,,:)ol, the City encourages the business use of
hiternet access. Internet access will be granted to all City employees with
computer technology capable of executing the programs unless specifically
denied by the employee's Departnient/Division Head or the. City
Administrator.
Resolution No. 06-11.43
Page 6 of 12
11_� 5.2 Purpose and Description
The purpose of this policy is to clearly define the acceptable use of the
Internet and what actions are prohibited.
5.2 Acceptable Use
Use of the City's Internet access is intended for City related business. All
employees are to use Internet as ,:hey would any other type of official City
tool. Users should consider ethical guidelines.
Incidental and occasional personal use of the City's Internet system is
permitted by the City employees but will be treated the same as any other
legitimate business access. The following are guidelines when using the
City's email system for personal use:
® Personal usage must be kept to a minimum so that it does not
consume more than a trivial amount of system resources
a Personal usage must not interfere with an employee's work during
working hours
5.3 Prohibited Use
Any use of the hiter net for "moonlighting," job searches, soliciting,
political campaigning or proselytizing for connnercial ventures, gambling,
religious or personal causes or outside organizations, or for other similar
non -job related solicitations is strictly prohibited. Use of the City's
Internet to access any site; or material that is sexually explicit,
pornographic, obscene, can be construed to be harassment or
disparagement of others based on their sex, race, sexual orientation, age,
position or job, national origin, or religious or political beliefs, or has the
potential to cause the City public harm or disrepute is strictly prohibited.
Users are prohibited from instalting any browser plug-in or "enhancement
applications" such as Flash, Real Media, Quick time, Shock Wave,
browser toolbars etc. This includes but is not limited to Pop up Blockers,
Anti Spy Ware programs, Screen Savers, Background Changers or any
other item that is not provided b;y the Computer Services Division as part
of the original system configuration or added by CSD.
5.4 Security and Blocked Access
The CSD will provide for lnternet security that includes, but is not limited
to, firewall protection, specific routing, profiles and passwords. Specific
Web sites that have no legitimate business purpose will be blocked from
access. An audit trail of access to sites will be maintained by the CSD to
investigate possible violation of City policy or breach of security.
Resolution No. 0.6-1143
Page 7 of 12
5.5 Public Representation
No media advertisement, Internet home page, electronic bulletin board
posting, electronic mail message, or any other public representation about
the City of Longwood may be issued unless appropriate management has
granted approval.
5.6 Enforcement
The CSD will monitor Internet access through the use of technology tools.
A weekly report of internet activity for each employee will be provided to
Department/Division Head for monitoring and review of productivity.
Violations will be reported to the Department/Division Head and the City
Administrator for appropriate disciplinary action, up to and including
termination. The Police Chief may be called upon to perform forensic
evaluation of any device to ensure compliance with this policy.
5.7 Responsibilities
Departmental Supervisors — Supervisors are responsible for ongoing
enforcement of this policy for employees under their control.
End -Users — Must be aware of these policies and ensure compliance.
Department/Division Heads = Provide disciplinary action for those
violating the policy.
Computer Services Division - Monitor and report violations..
Section 6. Access to Computer Systems.
6.1 Policy
It is the policy of the City of' Longwood to only grant access to systems
and programs that are required in the performance of an individual's job.
Access will be granted to individuals on a temporary basis when filling in
for someone on vacation, or other leaves of absence. Department Heads
will authorize access to systems and software under their control..
6.2 Purpose/Description
The purpose of this policy is to ensure that individuals only have access to
the software and systems that Ere required to perfornn. their duties. This
minimizes the risk of internal security violations.
6.3 Enforcement
Access authorization documentation will be generated for each individual
indicating what software and/or systems are to be accessed and what
privileges (read, write, etc) are permitted. CSD will ensure that only the
rights and privileges evidenced. by an authorization of the Department
Head to the employee. Annually, CSD will review the rights and
privileges of all individuals and provide a list to departments for
confirmation. Incidents of unauthorized access will be reported to the
Resolution No. 06-1143
Page 8 of 12
violator's Department Head and the City Administrator and may result in
disciplinary action up to and including termination.
6.4 Responsibilities
Computer Sen4ces Division (I�S) Grant rights and privileges for system
access based upon a written authorization document from an authorized
individual. Annually produce a report of all individual access and
privileges and forward to user departments.
Department Heads — Provide written authorization for access
rights/privileges to CSD. Annually review and reconfirin accuracy of
access rights/privileges.
Department_ Heads — Provide disciplinary action for those violating the
policy.
Section 7. Password Security.
7.1 Policy
All City computer systems are protected by user identification (User ID)
and passwords. City computer systems will track history by User ID and.
password.
It is the responsibility of the: user to protect his/her password as they
would any other identification .number such as social security number,
credit card number or other such personal information. It is a violation of
this policy to give your User ID and/or password to any other individual
within or outside the City. It. is a violation of this policy to write the
password down and leave in an easy to find location.
7.2 Purpose/Description
All City computer systems are User I.D and password protected to identify
who is using the system and what rights and privileges they may have
within the system.
7.3 Password Expirations
All passwords will expire on a 90-day basis and must be re-entered. Users
may not reuse a password that was used within the last year (the system
will prevent this). This is required by best practice computer security
standards. Only the City A.drzinistrator has the authority to grant
exceptions.
7.4 Enforcement
CSD will monitor the use of User ID and passwords to ensure only
authorized users are to access the system. Periodically CSD will review
work areas to determine if passwords have been written down and left in
easy to find locations. Violations of this policy will be reported to the
Resolution No. 06-1 143
Page 9 of 12
violator's Department/Division Head and the City Administrator and may
result in disciplinary action up to and including termination.
7.5 Responsibilities
Computer Services Division -- Issue passwords with proper authorization
and track and audit password usage for violations of the policy.
Individual Users — Maintain confidentiality of User ID and passwords.
End -Users — Keep passwords confidential.
Department/Division Heads = Provide disciplinary action for those
violating the policy.
Section 8. Public Records Request.
8.1 Policy
It is the policy of the City of Longwood to direct all computer system
public records requests to the ]Director of Financial Services. The Director
of Financial Services will then process the request through the CSD.
8.2 Purpose/Description
Although much of the information generated by a City'is subject to public
records requests, there are a nurn.ber of exceptions that are provided for in
Chapter 119 of the Florida State, Statutes. Giving out information that is
subject to these exceptions is a s,.rious violation of State law. No end -user
should provide computer information to any individual without first
working with the Director of Financial Services and the CSD.
8.3 Enforcement
Employees are expected to follow the policy. Violations will be reported
to the Department/Division Head and the City Administrator and may
result in disciplinary action up to and including termination.
8.4 Responsibilities
End -Users - Direct public records request: to the Director of Financial
Services.
Director of Financial Services — Receive and process requests.
Department/Division Heads - Provide disciplinary action for those
violating the policy.
Section 9. Instant MessaginZ/Chat Rooms.
9.1 Policy
Installation of any non -Microsoft: based Instant Messaging client software
and all related tools (voice chat, file transfer and sharing, etc) is strictly
prohibited on City computers. CSD will install MSN Messenger for this
purpose if desired, and no other applications are allowed.
Resolution No. 06-1143
Page 10 of 12
9.2 Purpose/Description
The major protocols used for chat or instant messaging use encryption, so
any sensitive topics discussed using messaging tools are transmitted in the
clear. Certain logins protect passwords by using weak encryption methods
that are easily cracked. File transfers and sharing capabilities do not offer
adequate access controls to prevent misuse and unauthorized access, local
file path disclosure, system crashes, and denials of service.
9.3 Enforcement
The CSD will inu-nediately remove and confiscate any software found in
violation of this policy. Incidents will be reported to the violator's
Department/Division Head and the City Administrator and may result in
disciplinary action up to and including termination.
9.4 Responsibilities
End Users — Shall not utilize or install instant message or chat room
software other than MSN as described.
Computer Services Division — Audit, remove and report violations.
Department/Division Heads — Provide disciplinary action for those
violating the policy.
Section 10. ImportinIz External Data.
10.1 Policy
Importing data in t11e form of generic work files for Word, PowerPoint,
Excel, Access, or other installer: applications are permitted on any City
owned computer.
ANY external data, file or prog,= that is not a generic work file must be
reviewed by the CSD PRIOR' to attempting to import or load it onto a
City owned computer. This includes any file that has been sent by any
means, including email.
10.2 Purpose/Description
This policy relates to the importing or copying of any non-standard file,
picture, graphic, logo, or data of any type that does not already reside on
the network or in a computer connected to the network. It may be
imported by means of any phyuical portable media (diskette, CD, Zip
Disk,, etc.). Imports with extensions such as EXE, VBS, PIF, etc. may pose
a significant threat to the Ci.ty`s systems and are not to be imported
without first being reviewed by CSD.
10.3 Enforcement
It is expected that employees wii:l adhere to the policy. Should CSD find
files that have been imported ii7 violation. of this policy, they will be
Resolution No. 06-1143
Page 11 of 12
reported to the Department/Division Head and the City Administrator, and
may result in disciplinary action up to and including termination.
10.4 Responsibilities
End -Users - When necessary, work with CSD to import data files.
Computer Services Division -- Work with employees who have a need to
import data files that have potential hazards.
Department/Division Heads = Provide disciplinary action for those
violating the policy.
Section 11. Data Backup and Recovery.
11.1 Policy
Users of personal computers attached to the City network will keep critical
City data files on the network server. Any data not kept on the file server
is considered non -critical, non -essential and dispensable.
11.2 Purpose/Description
Information is a critical asset to the City and must be appropriately
protected through an established backup and recovery system. Data can
reside either on the main compueer systems, network or on an individuals
local personal computer (PC).
Nightly (Monday through Friday), CSD will back-up the data on all City
servers. Daily, a backup from each server and the maid computers is
rotated to an off -site storage location. Should a disaster occur during the
day and the systems must be restored, infonnationprocessed that day may
be lost and will be the responsibility of the user to re -process.
11.3 Backup Audit Logs
The CSD will maintain a log of all backup tapes, what is on the tapes, the
date of the backup, that the tape was verified to have good information, its
location and a signature of the individual certifying the backup process.
This log will be maintained :in a location accessible to the Director of
Financial Services and shall be audited periodically.
Backup tapes will not be re -used for a period of twelve months, so that
there are 12, full monthly backup tapes at any given point in time.
11.4 Enforcement
It is expected that end -users will adhere to the policy. Should CSD find
critical City data files resident: o;n an employee's personal computer they
will work with the employee to p-at the files on. the main server. Continued
violation of this policy will be reported to the violator's
Department/Division Head and tie City Administrator and may result in
disciplinary action up to and including termination.
Resolution No. 06-1143
Page 12 of 12
11.5 Responsibilities
End- Users — Are responsible for saving critical files on the server so they
may be backed up.
Computer Services Division - Provide for backup of network data and
maintain appropriate logs.
Department/Division Heads = Provide disciplinary action for those
violating the policy.
Section 12. Effective Date. This Resolution sliall become effective immediately upon
its passage and adoption. p
PASSED AND ADOPTED by the City of Longwood, this / ?d y of
\_2006.
--Jol --
.ATTEST.
e � Z�r�
Sarah M. Mirus; City Clerk
Approved as"to form and legality for the use and reliance of the City of Longwood,
Florida, only.