F02.0 Voice and Data

CITY OF GRAPEVINE ADMINISTRATIVE POLICY
SUBJECT: VOICE AND DATA
SECTION: F
NUMBER: 2.0
PREPARED BY: Information Technology
EFFECTIVE DATE: 10/01/08
Revised: 9/15/2020

I. COMPUTER SOFTWARE & HARDWARE PROCEDURE

A. Software Library

IT shall maintain a register of all City of Grapevine software, and keep a library of software licenses and installation media. This library register shall at a minimum contain the following:

• Date of Purchase
• Vendor Name
• Location of each installation (department or cost center)
• Work Station Identification Number (WSID) of the unit on which the software is installed
• Position and/or Title of user
• Existence and location of backup copies
• Software product's serial number and original software
• Installation media

B. Employee Responsibilities

1. Education

Department Heads are responsible for maintaining the education of their employees in accordance with this software policy and budget accordingly to ensure appropriate levels of user training knowledge with the standard PC software products and departmental applications.

2. Duplication of Software

a. City of Grapevine employees may not duplicate any licensed software or related documentation purchased by the City, unless the City is expressly authorized to do so by agreement with the licensor.

b. Intentional and willful unauthorized duplication of software may subject the employee and/or the City of Grapevine to both civil and/or criminal penalties under the United States Copyright Act.

c. Intentional and willful unauthorized duplication of software shall be considered an act of serious misconduct subjecting the employee to disciplinary action.

3. Distribution of Software

a.
City of Grapevine employees shall not give software to any person outside the City of Grapevine organization (e.g. clients, contractors and customers).

b. City of Grapevine employees may use software only in accordance with applicable license agreements.

4. Development of Software

a. Software and work products (documents, databases, spreadsheets, etc.) developed by City employees for City projects on City or personal equipment remain the property of the City of Grapevine. Such software and/or work products are for the exclusive use of the City, or City contractors.

b. Such software and/or work products cannot be sold or given to anyone, except in accordance with state law, without written consent from the user's Department Head and the Director of IT, or the City Manager.

c. City of Grapevine employees shall not use City equipment and/or software during or after City business hours for non-work related purposes or development of software not related to City projects, unless approved by the Department Head. All the voice and data resources represent a significant City asset. It is intended that this asset be used for City and related civic and professional activities only.

5. Virus Protection

a. Virus protection is a critical issue on all computing equipment. Virus protection software will be installed on all workstations. It is, however, the user who is the first line of defense against a computer virus. The user must not intentionally disable the virus scanning software for any reason. If for some reason the user believes the virus software is not functioning properly, the user shall immediately contact IT with this information.

6. Home Computers

a.
The City of Grapevine's computers are City assets and must be kept free of illegal software copies and viruses. Except as noted, only software acquired through City purchasing procedures may be used on City computers. Employees may not bring software from outside and load it on City computers unless specifically authorized by the IT Department.

b. City-owned software or data cannot be taken home and loaded on an employee's personal computer. All City business conducted away from the City offices will be conducted via Remote VPN and Remote desktop to a City computer where the needed applications and data will reside. No City software applications or City data is to reside on any computers outside of the City network. See Section VIX Remote Access and Section X Mobile Computing and Mobile Storage Devices.

7. Hardware Security

a. Phone and computer equipment shall not be relocated from its assigned station without the prior knowledge and approval of the IT department.

b. Unauthorized opening of phone and computer case, addition of hardware, removal of hardware, or otherwise modifying the phone and computer hardware components is strictly prohibited.

c. Most voice and data infrastructure equipment is located in secured areas; however, some equipment is in user accessible areas. This equipment is not to be tampered with by non-IT employees and non-IT authorized contractors. Furthermore, if anyone is seen tampering with any voice and data infrastructure equipment in any manner, that action shall be immediately reported to the Supervisor on duty, and the IT Department.

d. No personally owned computer equipment shall be brought to the City facilities, nor connected to the network at the City.

C. Software Acquisition

1. Purchasing

a.
The City uses only commercially available and open source software. Some customization of commercial software by the software vendor is allowed. The only in-house or totally custom development done in the City is for Web sites.

b. In all software purchases, the City's established purchase procedures shall be followed.

2. Budgeting

a. Computer hardware and/or software acquisition, along with any necessary training, should be included at budget time. Contact the IT Department for pricing through approved vendors. IT will also provide pricing for technical support and installation fees, if applicable. Software purchases will be charged to the department's appropriate cost center.

3. Approval

a. All software purchases and outsourced application arrangements must be approved by IT.

b. For departments with a technical services division, the Technical Services manager can approve software that will be installed on desktop computers only. Software purchases that will be installed on a file server, all outsourced applications (ASP) arrangements requiring a signed contract, Office, groupware, and messaging software must be approved by Information Technology.

c. All new software installed on any computer must be registered with IT. This includes each new instance of an operating system installed on a server or virtual server and any software or operating system that is moved from one device to another.

d. The IT Department will not provide support for software that has not been approved by IT prior to purchasing.

4. Registration

a. When registering software with the vendor and when installing software, the software must be registered in the name of the City and the department in which it will be used. Software shall not be registered in an individual user's name.
All software installation media and licensing documents must be registered and stored at the IT office.

5. Installation

a. All software must be installed by IT personnel or the technical services staff in departments that have technical services staff.

b. Vendors providing hardware with pre-installed software must also provide installation media and licensing documents where applicable.

c. Contractors with the City of Grapevine using computer programs for completion of contracted projects must provide all applicable computer data in a form compatible with City hardware/software specifications.

d. Original installation media and licenses are kept at the Information Technology office.

6. Auditing

a. The IT Department will conduct an annual audit of all City computers to ensure that the City remains in compliance with all software licenses. Surprise or spot audits may be conducted at any time. During any of these audits, the IT personnel will search for computer viruses and unauthorized software, eliminating any that may be found. Discrepancies will be reported to the Director of IT, and the appropriate Department Head. Employees shall cooperate when an audit is conducted.

II. MAJOR SOFTWARE PACKAGE ACQUISITION

A. PURPOSE

To define a consistent methodology in selecting major application vendor software packages. This policy is in addition to all purchasing and acquisition guidelines as outlined in the City of Grapevine's Administrative Policy Manual. All purchases must meet City purchasing guidelines.

B. POLICY AND AUTHORITY

1. All software purchases and outsourcing arrangements will be coordinated through IT and commercially available software products will be used.

2.
To purchase software products, department heads must identify a specific need for the product. User departments are responsible for justification and identification of potential savings, increased efficiencies, and benefits to the citizens of Grapevine. Purchase price and all other expenses associated with the software system are budgeted by the requesting department. Other expenses may include travel (site visits), training (user and IT staff), and software support fees (maintenance).

C. Software Acquisition

1. Vendor software packages should provide the City and users with the highest percentage of identified needs. The City will not ignore the practicality of software integration. At times it will be more practical to acquire a package that provides a slightly lower percentage of needs, but is closely integrated with existing and other required systems.

2. Acquired packages will be the best available, without regard to computer hardware. Computer hardware must be a "mainstream" product from an established computer manufacturer. Preference will be given to vendors achieving all policy criteria and whose software is compatible with existing City computer equipment.

D. Vendor Requirements

1. Vendor software packages should be acquired from a vendor with an established history of:

• Successfully supplying this type of application to municipalities of similar size and sophistication.
• Providing updates and major releases of the package that will operate without modification.
• Providing on-going, responsive, effective, technical and/or user support and training.
• Interaction with an established "user group" and proof that the vendor listens and effectively responds to the "group."

2.
The City may elect, on a negotiated basis, to be an "alpha" or "beta" test site. This would be in isolated cases, and if, in the judgement of management, it is found to be of benefit to the City.

3. Packages acquired will be based upon vendor history of providing new releases to ensure the City will benefit from technological changes or trends.

4. Vendor source code will be made available. At a minimum, the City requires the vendor to place source code in escrow to protect the City's investment.

E. Other Issues

1. Modifications to packages will be minimized. When necessary, they will be made in such a way that will not affect the standard packages and any vendor provided updates. Modifications to the standard package will be requested of, and conducted by, the vendor.

2. Training will be emphasized. Users and IT personnel will receive specific oriented training.

3. IT is the primary integrator when the vendor does not integrate software.

F. Software Implementation

1. Vendor is to provide consulting services as required to ensure proper understanding of alternative procedures during implementation.

2. Vendor is to provide software project management and give direction to the City's project team, which includes users, IT staff, and vendor staff members.

III. OUTSOURCED APPLICATIONS

A. PURPOSE

This procedure describes information security requirements for third-party IT service organizations that engage with the City of Grapevine. A third-party IT service organization is defined as a technology that manages and delivers application capabilities to multiple entities from a data center across a wide area network (WAN) or the Internet, such as application service providers (ASPs), hosting service organizations (HSSOs), and software as a service (SAAS).

B.
Scope

This policy applies to any use of third-party IT service organizations by City of Grapevine, independent of where hosted.

C. PROCEDURE

1. Requirements of Project-Requesting Department/Division

a. The project-requesting department/division must first contact the IT director for assistance in planning any third party outsourcing arrangement. IT will work closely with the requesting department/division to make sure the arrangement meets our qualifications. Further in the process, all contractual agreements will need to be reviewed by IT and the City attorney. Some of the things that will be considered during this engagement process are:

b. The information to be hosted by an ASP must fall under the "minimal" or "more sensitive" categories. Information that falls under the "most sensitive" category may not be outsourced to an ASP. Some data that is never appropriate to outsource includes Payroll, Personnel, and Police records. HIPAA records can be outsourced only if all data transfers are encrypted and the organization meets our security requirements. Refer to the Information Sensitivity Policy for additional details.

c. If the ASP provides confidential information to City of Grapevine, the project-requesting department/division is responsible for ensuring that any obligations of confidentiality are satisfied. This includes information contained in the ASP's application.

2. Requirements of the Application Service Provider

a. IT has created an associated document entitled ASP Security Standards that sets forth the minimum security requirements for ASPs. The ASP must demonstrate compliance with these standards in order to be considered for use.

b. The ASP engagement process includes an evaluation of security requirements.
The ASP Security Standards can be provided to ASPs that are either being considered for use by City of Grapevine, or have already been selected for use.

c. Management may request that additional security measures be implemented in addition to the measures stated in the ASP Security Standards document, depending on the nature of the project. Management may change the requirements over time, and the ASP is expected to comply with these changes.

d. ASPs that do not meet these requirements may not be used for City of Grapevine projects and processing.

e. A vendor is to provide conversion methodology, programming, and implementation with user and IT assistance.

f. An application and Data Escrow Arrangement that the City IT Director and City Attorney agree to must be in place.

g. An exit plan that the City IT Director and City Attorney agree to must be stated in the contract.

IV. USER ACCOUNTS

PURPOSE

The purpose of the User Accounts Policy is to provide uniformity throughout the City in the creation of user accounts for new-hires, and removal or "lock-out" of user accounts at termination or during a disciplinary action.

A. Definition

1. A "user" is a person (employee) who has been entrusted with access to the City of Grapevine Computer Network. At time of employment, the Department Head will request the creation of a "new user account." Each user in the City is assigned a unique user account giving them access to those areas within the network that have been designed to facilitate their job duties. This system has been designed to provide a secure network environment that is functional for all users.

2. Each user is responsible for the contents and use of their individual "user account."
Some features of a "user account" are assigned automatically, some must be created, and others are optional. These features assign certain restrictions, privileges, and rights to the user.

3. Access to all City network resources is granted on a "Least Privilege" basis.

B. Procedure

1. User Account - Creation

a) When a new employee is hired, the Supervisor submits a "New User Request Form" on the Intranet at least three days in advance of the new user's start date. This form is located on the City Intranet under "Computer & Phone Request". Select "New User Setup".

b) Upon receipt of the "New User Request" form, the IT Department creates a user account for the individual, and notifies the requestor of the assigned login name and temporary password for this new account.

2. User Account - Activation

The IT Department creates the user account with a temporary password. This new user I.D. (login), along with its temporary password, is sent to the Supervisor. The new employee logs in with the new user I.D. and the temporary password. At this time, the Network prompts the user for an immediate password change. The user must change the password at this point. When this is accomplished, the new account will be fully activated.

3. User Training

Software application training for employees is the responsibility of each individual Department. The IT Department is focused on providing a reliable network environment and not on the application training of employees.
IT Personnel are available should an application malfunction; however, user training should be sought through a suitable training center.

4. User Account - Deactivation

At the normal termination of employment the Supervisor must submit a "Computer & Phone Request" on the City Intranet, using a "Problem Type" of "Network Issues" and "Sub Problem Type" of "Delete User Account". The IT Department deactivates the user's account for 60 days before deleting the account. IT also copies the user's home directory to the Supervisor's home directory.

For disciplinary termination or upon disciplinary suspension, or other circumstances such as an internal investigation, it is the responsibility of the Department Head, his designee or the Personnel Director to immediately notify the Director of IT or Assistant Director of IT that a specific user account needs to be deactivated. The IT Director or Assistant Director immediately deactivates the specified user's accounts, preventing any authorized access. Upon termination, the user's home directory is copied to the Supervisor's home directory.

5. User Account — Reactivation

User accounts that have been de-activated for disciplinary reasons may only be reactivated by a request from the Department Director or Personnel Director.

VI. PASSWORD SECURITY

PURPOSE

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of City of Grapevine's entire network. As such, all City of Grapevine employees (including contractors and vendors with access to City of Grapevine systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

A. PROCEDURE

1. Passwords

A password is required to access or login to the network. Each user account must have a password. For security reasons, temporary passwords are issued to activate an account. During the initial login the employee sets their first personal password. Accidental or intentional release of password information exposes the network to a potential security breach. The basic security measures for passwords used in the City of Grapevine are as follows:

a) The minimum password length is eight characters. Anything less will not allow the user to login.

b) The login name and the password must be typed correctly during the login process. The user will be allowed three opportunities to type the information correctly. If the information is not typed correctly, the account will be deactivated. Contact the IT Department for re-activation.

c) Passwords must be changed every 120 days. The system notifies the user when the password requires changing.

d) Passwords must be unique. That is, the password must be different from the previous passwords selected by the user. The password and login name shall not be the same.

e) A user account will be allowed six "grace logins." That is, after the password has expired, it can be used six more times before the user account is disabled. At the prompt, the user must change their password.

f) Passwords must not be shared, published, posted, or otherwise transmitted. It is the responsibility of each user to protect their password. Failure to comply may result in disciplinary action. No supervisor or Department Head shall request or require an employee to disclose the password of the employee.

g) Requests for password change by the IT staff will only be honored from the account holder. The Director of IT must authorize requests for password change by any other individual.

h) During a scheduled absence a user is not to share his account credential with another user. The user that is scheduled to be absent must have their Supervisor contact IT to make arrangements for access to the absent user's resources by another user.

VII. E-MAIL

PURPOSE

The purpose of this policy is to provide guidance to employees of the City of Grapevine concerning their responsibilities with respect to the proper use of the City's e-mail system.

A. Procedure

1. Email — Transfer Information

a) All material transmitted or received via e-mail shall be considered City property.

b) Email should never be considered a secure method of information transfer.

c) Users are accountable for the content of all messages sent or solicited via email. Transmission or reception of vulgar, profane, pornographic, racially or gender insensitive material is strictly prohibited. Any violation (City Policy, Penal Code, or Civil Statute) may subject the employee to immediate disciplinary action, up to and including termination of employment. No disciplinary action taken by the City of Grapevine precludes enforcement of any penal or civil process.

d) No personally identifiable information, HIPAA information or any other sensitive information extracted from any city database is to be sent anywhere via email without special arrangements made with IT, proper encryption and a signed agreement with the receiving party.

e) The GroupWise System is not to be used for mass mailings.
You must use an email system intended for mass mailings or an outsourced service for mass mailings. Please check with IT for assistance.

2. Email — Usage Guidelines:

a) Obtain proper access to and documentation of email by contacting Information Technology.

b) By default a new GroupWise account does not have a password. It is highly recommended that all users add a password to their GroupWise account. GroupWise web access requires a password.

c) Treat email with the same privacy and confidentiality as regular City of Grapevine mail.

d) Use email for conducting City of Grapevine business only. Light usage for correspondence with family and friends is permitted.

e) Use proper and professional language, which another individual would not find obscene, harassing, or profane.

f) Do not use the City's email system for personal business usage such as personal banking correspondence.

g) Do not use your City email account when registering for newsletters and when signing up for anything personal.

h) Target messages only to appropriate individuals.

i) Exercise caution regarding the content of email, as messages may be forwarded to persons other than the intended recipient.

j) Delete or purge older or sensitive email messages in a timely manner.

k) Notify department or division management of improper or undesirable use of the email system. Whenever possible, a hard copy of the message should be produced. All complaints will be handled as discreetly as possible.
l) Outside personal email accounts accessed through a Web browser are to be used minimally with extreme discretion and only with permission from supervision.

m) Refrain from forwarding internal email messages to or through email systems outside City of Grapevine.

n) Proxy access email should not be sent out on behalf of the actual user unless a disclaimer is included.

V. INTERNET ACCESS

PURPOSE

The purpose of this policy is to provide guidance to employees of the City of Grapevine concerning their responsibilities with respect to the proper use of the Internet.

PROCEDURE

A. Internet Access -- Usage

Internet access provided by the City to employees is to be used only for conducting City business. Any other use may be grounds for disciplinary action, up to and including termination of employment.

B. Internet Transfer of Information

1. All material transmitted or received over the Internet shall be considered City property.

2. Using City logos for anything other than official City Business is prohibited.

VIII. RISK ASSESSMENT

Purpose

To empower IT or outside contractors to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability and to initiate appropriate remediation.

A. Scope

Risk Assessments (RA) can be conducted on any entity within the City of Grapevine. RAs can be conducted on any information system, including applications, servers and networks, and any process or procedure by which these systems are administered and/or maintained.

B.
Description

The execution, development, and implementation of any needed remediation as a result of an RA are the joint responsibility of IT and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with Information Technology in the development and execution of a remediation plan.

VIX. REMOTE ACCESS

Purpose

The purpose of this policy is to provide guidelines for Remote Access IPSec or SSL Virtual Private Network (VPN) connections to the City of Grapevine City network.

A. Scope

This policy applies to all City of Grapevine employees, contractors, temporaries, and other workers, including all personnel affiliated with third parties using VPNs to access the City of Grapevine network. This policy applies to implementations of VPN directed through an IPSec or SSL Concentrator.

B. Description

Approved City of Grapevine employees and authorized third parties (vendors, contractors, etc.) may use the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet service provider (ISP), coordinating installation, installing any required software, and paying associated fees.

Any City employee needing VPN access needs a department director request to IT and must sign an EMPLOYEE REMOTE ACCESS AGREEMENT. All third parties needing VPN access must go through an engagement process and sign a THIRD PARTY CONNECTION AGREEMENT.

The Police Department manages their own VPN concentrator; therefore, the Police Technical Services division handles all Police and Fire user VPN accounts.
The requesting user needs permission from the Police Technical Services division and signs the EMPLOYEE REMOTE ACCESS AGREEMENT, turning it in to the Police Technical Services division.

X. MOBILE COMPUTING AND MOBILE STORAGE DEVICES

Purpose

The purpose of this policy is to establish an authorized method for controlling mobile computing and storage devices that contain or access information resources at the City of Grapevine. With advances in computer technology, mobile computing and storage devices have become useful tools to meet the business needs at the City of Grapevine. These devices are especially susceptible to loss, theft, and hacking, and can be used anywhere. As mobile computing becomes more widely used, it is necessary to address security to protect information resources at the City.

A. Scope

This policy includes City of Grapevine employees, consultants, vendors, contractors, students, and others who use mobile computing and storage devices on the network at the City.

B. Description

1. It is the policy of the City of Grapevine IT that mobile computing and storage devices containing or accessing the information resources at the City of Grapevine must be approved prior to connecting to the network at the City. This pertains to all devices connecting to the City's network, regardless of ownership. Mobile computing and storage devices include, but are not limited to:

• Laptop computers
• Personal digital assistants (PDAs)
• Plug-ins
• Universal serial bus (USB) port devices
• Compact discs (CDs)
• Digital versatile discs (DVDs)
• Flash drives
• Modems
• Handheld wireless devices
• Wireless networking cards
• Smart phone
• PC tablets

2.
And any other existing or future mobile computing or storage device, either personally owned or City owned, that may connect to or access the information systems at the City of Grapevine.

3. Mobile computing and storage devices are easily lost or stolen, presenting a high risk for unauthorized access and introduction of malicious software to the network at the City of Grapevine. These risks must be mitigated to acceptable levels.

C. Sensitive Data

City of Grapevine information that is considered sensitive may not ever be copied to any mobile computing or mobile storage device for any reason. Sensitive information includes, but is not limited to, any personal account information that is usable for identity purposes, all information that falls under the jurisdiction of the HIPAA regulations, and all Police information that falls under the jurisdiction of Texas DPS and federal criminal justice information regulations. When necessary, remote access to sensitive data will be done through a VPN tunnel and remote desktop techniques where the data never leaves the City network. Sensitive data is never to reside on a mobile computing or mobile storage device under any circumstances.

D. Passwords and System Information

User password information is not allowed to be copied to any mobile computing or mobile storage device.

E. Database Information

Unless written approval has been obtained from the IT Director, databases or portions thereof, which reside on the network at the City, must not be copied to mobile computing or mobile storage devices.

F. Virus Protection

All laptop computers must have a current virus scanning engine and current pattern file before ever connecting to the City of Grapevine network. This includes direct connections and VPN connections.
G. Loss or Theft Reporting

Any lost or stolen mobile computing or mobile storage devices should be reported to IT immediately. Please include an inventory of any significant data that was residing on the device.

H. Using WIFI

Personal laptop computers are not to be connected to City of Public WIFI in City buildings.

I. Return of City Equipment (Property)

Any City employee with a City paid mobile device (cellular or PDA, laptop, tablet, etc.) leaving the City must turn in all such related equipment to their respective City supervisor. Those desiring to keep their City paid cellular telephone number may keep it provided that they fill out the City's Transfer of Financial Responsibility form from the IT department. Public Safety employees desiring to keep their City paid cellular telephone number may keep it provided that they fill out the City's Transfer of Financial Responsibility form from the Police Technical Services.

XI. THIRD PARTY NETWORK CONNECTIONS

A. Purpose

This document describes the policy under which third-party organizations connect to City of Grapevine networks for the purpose of transacting business related to City of Grapevine.

B. Scope

Connections between third parties that require access to non-public City of Grapevine resources fall under this policy, regardless of whether a telephone circuit (e.g., frame relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties, such as the Internet service providers (ISPs) that provide Internet access for City of Grapevine or to the public switched telephone network, does NOT fall under this policy.

C. Description

1.
Pre-Requisites for Third Party Connection Request Form: When a need arises for a third party connection to the City of Grapevine, the Department/Division representing the third party needing access must fill out a Third Party connection request and present it to the IT director.

2. Security Review: All new extranet connectivity will go through a security review with IT. The reviews are to ensure that all access matches the business requirements in the best possible way and that the principle of least access is followed.

3. Third-Party Connection Agreement: All new connection requests between third parties and City of Grapevine require that the third party and City of Grapevine representatives agree to and sign the Third-Party Agreement. This agreement must be signed by a representative from the third party who is legally empowered to sign on behalf of the third party. The signed document must be kept on file with the City Secretary Office. An annual review process will be initiated by IT and a new agreement will be signed annually.

D. Establishing Connectivity

All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will City of Grapevine rely on the third party to protect City of Grapevine's network resources.

E. Modifying or Changing Connectivity and Access

All changes in access must be accompanied by a valid business justification and are subject to security review by IT.
The department responsible for the application being accessed must designate a person to be the point of contact (POC) for the third-party connection. The POC is responsible for keeping Information Technology informed of problems and changes in the needs of this third party. In the event that the POC changes, IT and the third party must be informed promptly. All changes in personnel accessing our City network must be sent to IT as they occur. Old accounts will be deleted and new ones will be assigned. Third-party users are not permitted to share accounts.

F. Terminating Access

When access is no longer required, the POC must notify IT, which will then terminate the access. IT will conduct an audit of all extranet connections on an annual basis to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are found to be deprecated and/or are no longer being used to conduct City of Grapevine business will be terminated immediately. Should a security incident or a finding that a circuit has been deprecated and is no longer being used to conduct City of Grapevine business necessitate a modification of existing permissions or termination of connectivity, IT will notify the POC prior to taking any action.

G. Allowed Connection Services

The City of Grapevine only allows the following services for outconnectivity to the City network:

1. Remote office VPN (see VPN access policies)
2. Encrypted FTP to City provided FTP server
3. Remote desktop to approved application servers via VPN

Additionally,

4. It is the responsibility of users with VPN privileges to ensure that unauthorized users are not allowed access to City of Grapevine internal networks.

5.
VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.

6. An NAC security audit occurs upon initial connection. If this audit fails, the remote user will not be allowed to connect to the City network.

7. Dual (split) tunneling is NOT permitted; only one network connection is allowed. When actively connected to the City network, VPNs will force all traffic to and from the PC over the VPN tunnel.

8. VPN gateways will be set up and managed by City of Grapevine IT.

9. All computers connected to City of Grapevine internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the City standard. This includes personal computers.

10. VPN users will be automatically disconnected from City of Grapevine's network after 30 minutes of inactivity. The user must then log in again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.

11. Users of computers that are not City of Grapevine-owned equipment must configure the equipment to comply with City of Grapevine's VPN and network policies.

12. Only approved VPN clients may be used.

13. By using VPN technology with personal equipment, users understand that their machines are a de facto extension of City of Grapevine's network and, as such, are subject to the same rules and regulations that apply to City of Grapevine-owned equipment (i.e., their machines must be configured to comply with security policies).

XII. WIRELESS DATA COMMUNICATIONS

A. Policy

This policy prohibits access to City of Grapevine networks via unsecured wireless communication mechanisms.
Only wireless systems installed and configured by IT will be connected to the City of Grapevine's networks.

B. Employee Accounts

All major City buildings have wireless services provided by IT. This WIFI service has two types of accounts. The first WIFI account is the employee account. This account is intended for all City issued laptops for City employee usage. This account requires a security key to be installed on the laptop by IT, and it is the only authorized WIFI connection for City employees to use in City buildings. This account connects directly to the City private network and is intended for network resource access in meetings.

C. Guest Accounts

The second WIFI account available in major City buildings is the guest account. This account is intended for non-City employees that are doing business in City buildings. This account does not require a security key, and it connects directly to the Internet with no connectivity to the City private network. This account is not intended for City issued laptops or City employees to use. It is a violation of City policy for a City employee to connect their personal equipment to the City network and a violation of City policy for employees to have unrestricted Internet access. Guest accounts are turned off at City Hall and Service Center. At these facilities the guest account can be turned on for a meeting by a request to IT in advance of the meeting.

XIII. EMPLOYEE USAGE OF PERSONAL SOCIAL MEDIA SITES

Purpose

This policy defines the use of Facebook and other social media sites while working for the City, as well as what can be said about the City on employee personal Facebook pages.
While the use of social networking tools such as Facebook can have important and legitimate benefits to the organization, abuse of such tools can also have a detrimental impact on productivity and can waste valuable City resources.

Policy

This policy applies to all employee personal Facebook pages or other social networking websites. It does not apply to City Facebook pages.

A. The use of Facebook and other social media sites while at work for personal use must be restricted to break periods and lunch time. Avoid using social networking websites such as Facebook during normal work time. The City reserves the right to monitor use of social networking websites to check for abuse.

B. While the City respects the right of employees to use social networking websites at home, you must not be identified as an employee of the City while using such websites without the prior approval from your supervisor. The following guidelines must be followed to ensure that readers will not view you as a de facto spokesperson for the City:

The views expressed on this networking website are mine alone and do not necessarily represent the views of my employer.

C. You must not disclose any information that is confidential or proprietary to the City or to any citizen or vendor that has disclosed such information to the City.

D. Any communication occurring in a public forum such as those identified previously in this policy must be respectful to the City, fellow employees, our citizens, and our business partners.

E.
The City may request at any time that you cease any communication concerning the City on Facebook and other social media sites or require you to block access to such communication if the City believes that such action is necessary to ensure compliance with government regulations or other laws.

F. Do not use the City's trademarks on any personal communication or reproduce any City material.

G. Do not use Facebook and other social media sites for communication with fellow employees or citizens concerning business matters. Such communication must go through normal channels such as email.

XIV. SECURITY INCIDENT CONTAINMENT POLICY

Purpose

This policy concerns the need to contain a known security incident to stop any further damage and/or to keep it from spreading to other network nodes in the City. This policy acknowledges that there are times when IT services need to be temporarily shut down and/or portions of the network need to be temporarily disconnected in order to stop an ongoing security incident or to contain it from spreading further into the City network.

Policy

This policy applies to all network resources at the City of Grapevine in all City owned buildings and in all departments.

A. Containment — City IT resources engaged in active attacks against other IT resources must be contained immediately. This includes compromised nodes capable of spreading the compromise to other nodes. City IT resources being attacked from an outside source must be disconnected from the network immediately. All compromises must be contained as soon as possible. Special consideration regarding service disruption for mission critical applications can be considered when necessary.
Containment can be achieved by immediately disconnecting the resource from the network, revoking user access, shutting off VLANs, or other means as appropriate.

B. Notifications — The City Manager's office, all department directors, and managers in affected departments will be notified prior to or concurrent with a service interruption applied as the result of a security incident containment procedure. Notifications will occur as soon as possible directly by phone, text messages, or email, in that order.

C. Authority — IT, in its primary responsibility for security of the City network, reserves the right to make network containment decisions during a security incident for the ultimate good of the City as a whole. These decisions will be made by the IT director or the IT assistant director. While inconvenient, containment is sometimes necessary to protect the City systems from further damage. Containments never last longer than necessary to resolve the security issue.

Revised: 9/15/2020