Policy Reference

Category Computer and User Operations
Approval Date 01-29-2010
Scope All Personnel

Purpose

Computer Resources are provided by the City for the purpose of supporting City operational goals and serving as an aid in allowing employees to fulfill job duties and assignments. Use which is not consistent with the stated purpose and intent of the computer resources, or as defined as inappropriate within City IT polices and procedures, is prohibited.

Policy

  1. The City's computers and related resources (See "Computer Resources" defined) are to be used for City related business. Incidental personal use of the City's computer resources or telephone time must be reasonable and not cost the City in either employee time or actual expense as determined by the appropriate Department Director. These times are generally during breaks, lunch or after hours when authorized. (406.2)
  2. Users are prohibited from using the City's computer resources for personal or private financial benefit. (406.2)
  3. Use should be consistent with common sense, common decency, and civility. (406.2)
  4. All computing resources shall be used for the general business and purpose of the City organization, unless otherwise approved. (406.4.2)
  5. City computer resources shall not be used to harass or otherwise threaten another user/employee. This includes but is not limited to insulting, sexist, racist, obscene, sexually suggestive comments, and jokes or comments related to sex, gender, race, national origin, religion, age, or disability. (406.4.3)
  6. Users shall not use computer resources to infringe the copyright or other intellectual property rights of third parties. (406.4.9)
  7. Users shall not use the City Internet to access obscene, objectionable or otherwise improper material. The City reserves the right to block access from the City network to inappropriate sites if necessary. The City recognizes that users may connect accidentally to an inappropriate site. In this event, the user should immediately disconnect from the site and notify the supervisor. The City reserves the right to monitor internet use. (406.7.5) (see Monitoring and Reporting Policies).
  8. Employees with Internet access may not use the Internet to download images, video or audio (including streaming media) unless there is an explicit business-related use for the material. (*406.7.8)
  9. Voice mail greetings should be kept current or general in nature. Voice mail messages (incoming and outgoing) should be business like and professional. (401.9.5)
  10. Computer Resources utilized at the City must comply with approved standards.   The use of non approved computer resources (software, hardware, applications, devices, etc) is prohibited unless a formal exception has been provided and approved by ITS and the appropriate Department Director.  

Compliance

  1. Users should be prohibited from using applications or the network for non-work-related reasons. User guidelines for business and personal use should exist and should include the proper usage of e-mail, instant messages, Voice over IP (VoIP) , wireless access, and the Internet. SM1.2.7(a), SM1.2.7(b), CB3.4.4(a), CB3.4.4(b), CI5.2.4(a), CI5.2.4(b), NW4.2.4(a), NW4.2.4(b), SD2.2.4(a), SD2.2.4(b), UE1.2.6(a), UE1.2.6(b), UE5.2.2(a), UE5.2.2(c), UE5.3.2(a), UE5.3.2(c), UE5.4.3(a), UE5.4.3(c), UE5.5.2(a), UE5.5.2(c), UE5.5.3(b), UE5.5.3(d), UE5.6.2(a), UE5.6.2(c), The Standard of Good Practice for Information Security
  2. The organization must ensure the usage policies contain all acceptable uses the technology can be used for and what locations the technology can be used from.   Review the usage policy to verify it contains a list of all acceptable uses and locations for the technology. § 12.3.5, § 12.3.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2
  3. The organization must ensure usage policies have been developed for critical employee-facing technologies. § 12.3.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2
  4. The organization must ensure the usage policies contain a list of company-approved products. Review the usage policy to verify it contains a list of company approved products. § 12.3.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2
  5. An organization will establish a list of company-approved products. For example, if a wireless Access Point (AP) needs to be replaced, substituting it with a non-sanctioned AP is not acceptable. § 4.6.1.F, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009