Resolution # 05-08,

TOWN OF TAOS

INFORMATION SYSTEMS COMPUTER SECURITY AND USE POLICY

1.    Definitions.

The following definitions shall be used as applied in this policy:

 

A. "access" means to program, execute programs on, intercept, instruct, communicate with, store data in, retrieve data from or otherwise make use of any computer resources, including data or programs of a computer, computer system, computer network or database; 

B. "computer" includes an electronic, magnetic, optical or other high-speed data processing device or system performing logical, arithmetic or storage functions and includes any property, data storage facility or communications facility directly related to or operating in conjunction with such device or system. The term does not include an automated typewriter or typesetter or a single display machine in and of itself, designed and used solely within itself for word processing, or a portable hand-held calculator, or any other device which might contain components similar to those in computers but in which the components have the sole function of controlling the device for the single purpose for which the device is intended; 

C. "computer network or system" means the interconnection of communication lines and circuits with a computer or a complex consisting of two or more interconnected computers; 

D. "computer program" means a series of instructions or statements, in a form acceptable to a computer, which permits the functioning of a computer system in a manner designed to provide appropriate products from a computer system; 

E. "computer property" includes a financial instrument, data, databases, computer software, computer programs, documents associated with computer systems and computer programs, or copies, whether tangible or intangible, and data while in transit; 

F. "computer service" includes computer time, the use of the computer system, computer network, computer programs or data prepared for computer use, data contained within a computer network and data processing and other functions performed, in whole or in part, by the use of computers, computer systems, computer networks or computer software; 

G. "computer software" means a set of computer programs, procedures and associated documentation concerned with the operation and function of a computer system; 

H. "computer system" means a set of related or interconnected computer equipment, devices and software; 

I. "data" means a representation of information, knowledge, facts, concepts or instructions which are prepared and are intended for use in a computer, computer system or computer network; 

J. "database" means any data or other information classified, processed, transmitted, received, retrieved, originated, switched, stored, manifested, measured, detected, recorded, reproduced, handled or utilized by a computer, computer system, computer network or computer software; and 

 

2.   Purpose

The Town’s centrally managed computer information systems provide access to computer applications and data critical to the Town’s business functions.  Access to these applications and data is managed by the Information Systems Office (ISO) through the use of computer accounts and passwords.  This policy is designed to ensure the accuracy and integrity of applications and data, the security and safeguarding of the system (including software and its applications, data, and hardware), and the identification of any misuse.

 

3.   Scope

This policy covers all aspects of computer account setup, management, usage, security, internet use and deactivation.  Responsibilities are outlined for the Information Systems Office (ISO), the account-holder, other users, and department heads.

 

4.   Confidentiality Requirements

Not all information, data, and applications are considered public information.  This policy requires all users to go through the Town’s Legal Office to ensure that information is not disclosed to unauthorized viewers or requestors.  It is the account-holder’s (employee’s) responsibility to bring questions about whether information needs to be protected from unauthorized access to their supervisor’s or department head’s attention and to report them to the Town Legal Office or the ISO.

 

5.   Computer Account Setup

At the request of their manager, an employee may be authorized to use an account on one or more of the computer systems.  The manager must request this access, stating the application and specific functions required for the employee.  Requests should be received by the Information System Services Office (ISSO) at least two days prior to the employee’s need for access.  There shall be only one person per account.  This provides a more accurate accounting of who actually logged in.  One account per employee lets the account-holder take "ownership" of their account.

 

6.   Requesting Accounts

Accounts may be requested in writing or by e-mail using the ISO "Help Request" form, but will require the manager or department head to provide a signed copy of the Account Holder and Computer User Responsibilities form authorizing the account.  A sample form is included in Appendix A.  This form must be used for any new account authorization including new hires, job changes, or any other change requiring different system access.

 

7.   Naming Conventions

The Information Systems Administrator shall be responsible for naming accounts and for naming conventions, e.g., the first initial and last name of each account-holder.

 

8.   User IDs and Passwords

Each account requires a password to be used.  The password must be at least eight (8) characters long and must not be a word commonly found in the dictionary.  Since the password is the only thing keeping others from accessing your account, it is important that the password be something that no one else can guess easily.  For example, it should not be the name of a family member, a pet, or anything else that is commonly associated with the account-holder.  You shall adhere to the following:

a.   Your password must not be shared with anyone.

b.   Your password should not be written anywhere that can be easily found at your workstation.

c.   For example, don’t write your password on your keyboard, on a post-it note on your monitor, or on a note in your desk.

d.   The password shall be changed at least every six (6) months and will be issued by ISO.

e.   The new password you choose must not be one that you have used previously.

Maintaining the security of your account is a serious matter.  In addition to safeguarding the Town information, which we are responsible for, we must enforce strict computer security to be in compliance with State Law and Town policy.  Sharing of passwords or other security breaches regarding accounts and passwords will subject the employee to disciplinary action up to and including termination from employment.

           

9.   Training Requirements

New employees should have a basic level of training. Prior to receiving access to the system the employee will be required to complete basic level training provided by ISO and achieve a basic level of proficiency.  Training shall cover the following areas: 

a.   Logging in and out of the system.

b.   Operation of the equipment (terminal, PC, mouse, printer, etc.).

c.   Basic operating procedures of the specific application(s) each account user will be using.

d.   Understanding and acceptance of their responsibilities for system use, as signified by the employee’s signature on the Account and Computer User Responsibilities form.

10.  Responsibilities

The applications available on the computer systems support critical Town business functions.  These applications control data and processes necessary for the continued operation of the related Town business functions.  Because of the Town’s dependence on these applications, there are certain responsibilities necessary to safeguard the Town’s investment.

 

11.  Information Systems Office

ISO will be responsible for maintaining the hardware and software required for each application.  This will be accomplished through the following:

 

a.   The required hardware will be housed in a restricted environment.

All data will be backed up regularly and stored offsite to minimize loss in the case of equipment or software failure.  Specific backup procedures and schedules are included in the IS Data Retention Policy.

b.      Business contingency plans will be developed in conjunction with the Town personnel responsible for each application.  This will expedite the ability of the Town to restore its business functions in the event of a significant outage.

c.   Access to systems will be restricted to minimize the introduction of error.

 

12.  Account-holder

Access to applications is given on an as-needed basis.  Unauthorized access to an application could cause damage to the application and/or data, or other legal liabilities.  The account-holder is responsible for their own account, and for what goes on in and is disseminated from the account.  The account-holder shall guard their account from break-in or any unauthorized use by protecting their password.  No one can find out what their password is unless they give it out.  The account-holder shall secure their account from physical access while they are "logged on" for their own use.

 

For example:

a.   Always lock your terminal or workstation, or log out of your account, when you leave your desk for more than a few minutes.

b.   Never allow anyone else to use your account.

c.   Never give anyone your user id and password.

d.   Screen savers and their passwords shall be disabled when a work request is submitted, or ISO will have to disable the password.

 

Allowing anyone else access to your account is a serious security breach and will subject the account-holder to disciplinary action up to and including termination from employment.

 

In the process of using most applications, the account-holder will create various reports and data files.  The account-holder must take responsibility for deleting these reports and data files in a timely manner.

 

The resources available for data storage are limited and therefore must be managed closely.  In the event the free space available to an application is too small, existing data could be corrupted due to the resulting system error.  For this reason the free space available to applications is monitored on a regular basis by the ISO.  It is the account-holder’s responsibility to ensure they are not wasting data storage space by storing unnecessary files.

 

13.  Department Heads

Department Heads shall be responsible for requesting appropriate account access for their employees.  Departments should periodically monitor account access to determine which access is no longer necessary and can be removed.  Department heads shall support and enforce the security of accounts and password practices.

 

14.  Computer Usage Policy

Town of Taos hardware, data systems, applications, Internet access, e-mail and other computing technologies, and resources are for official business only.  There is no expectation of privacy in the use of Town IS technologies and resources.  Each employee’s computer hardware and all software programs and associated data and data links will be subject to waste, fraud, and abuse audits by the assigned Town personnel or independent contractors at any time.  Any violations of NMSA 1978, §§ 30-45-1 through 30-45-7 may result in criminal prosecution and employment sanctions up to and including termination of employment.  Any violation of this policy could result in employment sanctions up to and including termination.

  

15.  Internal E-mail Usage

The Town of Taos has established a policy of access and disclosure of electronic mail (e-mail) messages created, sent or received by Town employees using the Town electronic mail system.  Use of the Town e-mail system must adhere to the same security procedures outlined in this document and included in the Town of Taos Account-holder and Computer User Responsibility form.  There are specific requirements and guidelines that apply to the use of e-mail.  The Town intends that all personnel shall adhere to the policies set forth below, but reserves the right to change these policies at any time, with appropriate notice to the employees, as may be required under the circumstances.

 

The Town maintains an electronic mail system, which is provided by the Town to assist in the conduct of business within the Town.  The use of the electronic mail system is reserved solely for the conduct of business at the Town. 

 

The electronic mail system hardware and software is Town property.  All messages composed, sent, or received on the electronic mail system are, and remain the property of the Town. They are not the private property of any employee and there is no privacy interest entitlement.

 

The electronic mail system may not be used to solicit or forward commercial ventures, religious, or political causes, collective bargaining unit communications, outside organizations, or other non-job-related solicitations. Forwarding of chain-mail is prohibited. (Chain-mail is considered a virus and not conducive to work efficiency.)

 

The electronic mail system is not to be used to create any offensive or disruptive messages.

 

The electronic mail system shall not be used to send (upload) or receive (download) copyrighted materials, trade secrets, proprietary financial information, or similar materials without prior authorization from an employee’s supervisor or department head.

 

The Town reserves and intends to exercise the right to review, audit, intercept, access, and disclose any messages created, received or sent over the electronic mail system.  The only authorized use of the Town’s electronic mail system is for legitimate business purposes.  The contents of electronic mail properly obtained for legitimate business purposes may be disclosed within the Town without the permission of the employee.  Any unauthorized uses may be used against the employee in a due process hearing as evidence of misuse or other violations of this policy.

 

The use of e-mail is an accepted method of communication with the Town and therefore the account-holder is expected to read and respond to e-mail in a timely fashion, at least daily.

 

The confidentiality of any message should not be assumed.  Even when a message is erased, the message may still be retrievable and readable.  The use of passwords for security does not guarantee confidentiality or privacy.

 

Notwithstanding the Town’s right to retrieve and read any electronic mail messages, such messages should be treated as confidential by other employees and accessed only by the intended recipient.  Provisions may be made for designated employees to read and respond to e-mail for another employee in special circumstances without violating this policy.  Any exception to this policy must receive prior approval from the Town Manager.

 

Any employees who discover a violation of this policy shall notify the ISO or the Legal/Human Resources Division.

 

Any employee who violates this policy or uses the electronic mail system for improper purposes shall be subject to discipline, up to and including termination.

 

16.  Internet Applications and Usage

The Town of Taos has established a policy with regard to acceptable access and use of the Internet and its resources.  Access to the Internet is provided to employees for Town business purposes only.  Use of the Internet must adhere to the same security procedures as are outlined in this document and included in the Town of Taos Account-holder and Computer User Responsibilities form.  There are specific requirements and guidelines that apply to the use of the Internet.  The Town intends to honor the policies set forth below, but reserves the right to change them at any time as may be required under the circumstances.

 

The ISO will provide support for access and use of the Internet on a minimal level and only for those areas under its control.  Failure to connect to a remote file server, or other Internet-related problems not under the control of the ISO, are NOT considered problems, but a characteristic of the Internet environment.

 

The Internet is an unsecured network.  All information sent over the Internet MUST be public information.  Employees should consult with their supervisor to determine if information is public or not.  Specifically barred from transmission over the Internet is Town proprietary information such as security specifics, copyrighted products, or any information deemed sensitive or confidential.

 

Employees are encouraged to participate and lead online discussion groups consistent with their professional responsibilities.  In their capacities employees represent the Town of Taos and must act in an ethical and professional manner.

 

The Internet provides a vast array of shareware, freeware, and demo software, data, graphics, voice, and video files which may be downloaded.  The employee is responsible for any charges incurred from their use of the Internet unless they receive prior authorization from their supervisor.  All downloads must be in support of Town mission priorities.  Downloads must be made to the C drive on your PC.  After each download, employees must scan for viruses prior to using or executing the file.  In the event a virus is found, the file must be deleted prior to use.

 

Internet Usage Monitored and Reported.

The Town of Taos has acquired Internet monitoring software to control unauthorized use of the Internet by employees.  This new software will monitor and record all TCP/IP protocols including HTTP, FTP, Mail, Telnet, and others to alert management of all Internet usage.

 

The software provides management with monthly reports that show what sites are being accessed on the Internet by Town employees and, more importantly, which employees are accessing those sites.  The information is recorded from the minute an employee logs on to the Internet site, including how long the employee was at the site.

 

Specific sites that are monitored are music sites, sports and pastimes, social and recreation, adult, entertainment, gambling, news, movies, stock trading, shopping, games, amusement, chat rooms and any other site not conducive to an efficient work environment.  The ISO will provide a copy of the time spent on any of these sites by employees to the Town Manager when requested.  Disciplinary action will be taken against employees who misuse official time to access these sites.

 

All employees will observe Internet etiquette while accessing the Internet.  The user is ultimately responsible for their own actions in accessing network services.  The use of the network is a privilege, not a right, which may temporarily or permanently be revoked at any time for abusive conduct or misuse.  Abusive conduct or misuse includes, but is not limited to, placing unlawful information on a system, the use of abusive or otherwise objectionable language in either public or private messages, the sending of messages that are likely to result in the loss of a recipient’s work or system, the sending of chain letters or broadcast messages to lists or individuals, and any other type of use which would cause congestion of the networks or otherwise interfere with the work of others.  Permanent revocations can result from disciplinary actions taken by management.

 

In addition, employees must not:

Broadcast unsolicited messages to others’ mailboxes or newsgroups.

Commit any crime using the Internet or the Town’s computer systems or microcomputers.

Make any threats against another person, institution, or government entity.

Mount an attack on the security of ANY system (i.e., hack).

Disturb any other user’s files or directories.

Harass or intimidate any employee or person.

Discriminate against anyone based on race, color, religion, sex, national origin, age or disability.

Download or upload material containing the following:

            Derogatory racial content

            Sexual content (i.e., pornography)

            Political content

            Offensive language

            Material which would negatively reflect on the Town of Taos

            Material prohibited by law

            Improper humor

Employees who violate these policies cost the Town money, waste scarce resources, tarnish the image of the Town of Taos, and may violate the law.  Employees who have willfully or carelessly violated these policies will have their Internet privileges revoked and face disciplinary action up to and including termination.

 

Employees suspected of violating the law will have all relevant materials turned over to the Town of Taos Police Department or other appropriate law enforcement agency for further investigation and possible criminal prosecution.

 

17.  Computer Account Management

ISO will set up, manage, and audit all accounts.  Access and privileges will be granted based on the supervisor’s or department head’s request.

 

18.  Change Requests

In the event that an employee’s access requirements change, the department head must give written authorization to ISO to grant or remove specific access.  In the event the employee changes departments, the previous department must request the employee’s access be canceled.

 

Any employee on extended leave (longer than two weeks) may have their account disabled, and then enabled when they return.  The account-holder or their department head may request this action.

 

19.  Security Measures

In the event an account-holder is not following the security measures outlined in this policy, as determined by either the ISO manager or the account-holder’s department head or supervisor, the account will be disabled temporarily and the employee must receive additional training in these areas.  If, after training, the account-holder is still not following appropriate security measures, the account will be disabled for an indefinite period of time and the employee will be referred to the personnel/legal office for disciplinary action.

 

In the event that an account is deemed to be a risk to system security or integrity for any reason, as determined by the ISSO manager or the account-holder’s department head, the account will be disabled for an indefinite period of time, until a determination is made.  Examples of account activity that would trigger this action include, but are not limited to, sharing of accounts, accessing unauthorized functions, and careless operation of authorized functions.

 

20.  Computer Account Deactivation

When notice of an employee’s termination is received, ISO must be notified.  ISO will work with the department involved to transfer any important documents or data files to another designated person so that information is not lost.  As part of the exit procedures, the employee must return to ISO all equipment previously borrowed from ISO.  ISO will deactivate the account and delete all data and reports associated with it.

 

TOWN OF TAOS

ACCOUNT HOLDER AND COMPUTER USER RESPONSIBILITIES

 (Read and sign this statement accepting your computer responsibilities as described as a system and/or a microcomputer user)

1.       Use Town of Taos computing resources for official business only.  There is no expectation of privacy in the use of the Town of Taos computing resources.  Each employee’s computer and all software programs and associated data are subject to waste, fraud, and abuse audits by assigned Town personnel at any time.

2.       Access to applications is given on as-needed basis.  The account-holder is responsible for their own account and what goes on in it.

3.       The account-holder must protect their account from break-in or any unauthorized use by protecting their password.  Passwords must be changed every six (6) months, must not be "easily guessed" words, and must not be written and stored in an easily accessible place.

4.       While logged in, it is the account-holder’s responsibility to secure their workstation from unauthorized physical access.

5.       The Information Systems Office will back up all data stored on networked data storage nightly, Monday through Friday.  The computer user is responsible for creating and maintaining backups of data on non-networked drives or of data that needs to be backed up more frequently than nightly.

6.       The account-holder and/or computer user is responsible for removing data files that are no longer needed in order to effectively manage limited storage space.

7.       All software shall be used only in accordance with the licensing agreement.

8.       Town of Taos employees learning of any misuse of software or related equipment or documentation within the Town’s hardware or systems shall notify the ISO Administrator or designated alternate immediately.

9.       According to the United States Copyright Law, illegal reproduction of software can subject the person responsible to civil liability and result in a judgment of damages up to $100,000.00 per each work copied, and criminal penalties, including fines and imprisonment.  The Town employee who makes, acquires, or uses illegal copies of computer software shall be subject to disciplinary action up to and including termination of employment.

10.    Privately owned software, or software brought from home, is prohibited unless written permission is obtained by the Town Manager and approved by the IS Administrator.  If an employee’s department director has determined that privately owned software is necessary for an employee to perform his or her duties, and the Town cannot purchase it, it must still be approved by the IS Administrator before installation on Town hardware.  Approval will require:  1.  Proof of ownership, including the software license, registration, or the original documentation; 2.  The disks or CD must be scanned by virus software and found to be virus free; and 3.  The software must be compatible, in the IS Administrator’s sole judgment, with existing Town hardware and software.

11.    You have the duty to protect all information and applications which are not public record, or which are required to be protected by the Town’s Information System Computer Security and Use Policy, from unauthorized access in electronic, floppy disk, CD, and paper media.

12.    You must protect computing resources and data by utilizing security products, which protect against virus attacks.  In the event a virus is discovered, the computer user must notify ISSO immediately.

13.    You must protect monitors, printers, plotters, etc. from unauthorized viewing of data that is not public record or which would require protection under the Town’s Information System Computer Security and Use Policy.

14.    Report system abuses and anomalies to the IS Administrator immediately.

15.    All requirements set forth in this form apply equally when using a Town computer in a private setting.

16.    While accessing Town systems from a private computer, the account holder is responsible for ensuring the safety and integrity of the Town’s information, data, and applications being accessed.

17.    Playing games on the computers during working hours is prohibited.

18.    Listening to or downloading music on the Internet is prohibited.

19.    Failure to comply with the requirements outlined in this form will result in loss of computer account privileges, and disciplinary action up to and including termination of employment.

 

I have read the Town of Taos Account-holder and Computer User Responsibility Form and have been given a copy of the Town’s Information Systems Computer Security and Use Policy and have received training on the Policy.  I acknowledge my responsibilities as an account-holder and computer user, and agree to follow and comply with the requirements set out in the Form and in the Town of Taos Information Systems Computer Security and Use Policy.  I understand that this document will be kept in my Personnel folder during my employment with the Town.

 

Account Name________________________               Date___________

 

Employee Name_______________________              SSN:___________

 

Employee Signature______________________________________

 

I validate that the above employee HAS A NEED to access Town of Taos computing resources in the performance of his or her duties and has a NEED-TO-KNOW the information processed by the Town of Taos computing resources related to her or his employment responsibilities.

 

Department Director Name_____________________      Date______

 

Supervisor Signature______________________________________

 

IS Administrator Approval____________________________________

 

Date IS Administrator entered Account-holder on System____________

 

PASSED AND ADOPTED BY THE TOWN OF TAOS COUNCIL THIS 15TH DAY OF FEBRUARY 2005 AT THE REGULAR MEETING OF THE COUNCIL.

Town of Taos

By: Mayor Bobby F. Duran

ATTEST: Tamara Trujillo, Town Clerk