Information Technology General Use and Practices Procedure

Purpose statement

This procedure defines the standards and guidelines for the acceptable use of information technology resources. The areas covered include, access and security, internet and electronic mail (email) use, the use of software, hardware and all related devices, and examples of unacceptable uses of personal accounts.

Scope

This procedure applies to all users including town employees (including but not limited to full-time, part-time, students, volunteers, temporary and interns), elected officials, and any individual representing or acting on behalf of the town in any manner, with authorized access to and who use town provided information technology (IT) resources.

IT resources for the purpose of this procedure include, but are not limited to; voicemail, telephones, internet, intranet and email system(s); electronic data transmission equipment and devices, software and hardware, portable media, storage devices, network(s), point of sale equipment, radios and other audio-voice communication equipment and video systems.

Procedure

1. Access and security

The confidentiality and integrity of data stored will be protected by access controls to ensure that only authorized users have access. This access will be restricted to only those capabilities that are appropriate to each user’s job duties.

Directors must notify the I.S. department (I.S.) immediately, of terminations, extended absences, transfers or re-assignments of employees, so that access privileges can be modified or revoked.

To ensure high standards of security and protect corporate information, users must adhere to the User Security Settings and System Configuration procedure.

2. Compliance with applicable laws, regulations and corporate policies

Information technology resources must be used in compliance with applicable laws or regulations, professional standards, software licensing agreements and Corporate Policies and procedures including but not limited to Respectful Conduct Policy and Codes of Conduct.

3. Freedom of information and protection of privacy

Information technology resources are to be used in a manner consistent with the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and applicable Corporate Policies and Procedures. Voicemail, pictures, videos and email messages are considered to be matter of corporate record under the provisions of MFIPPA and must be saved and stored for reference. I.S. maintains secured copies of all emails to fulfil these legislated email retention requirements, but staff should maintain copies of pertinent voicemail messages, pictures and video files and have them securely stored with their other electronic files. IS+S has the ability to convert voicemail messages to an electronic file, such as mp3, to facilitate ease in storage. Users, uncertain which messages to save, should consult with their supervisor.

4. Ownership

Anything stored or resident on the town systems and all information technology resources acquired and managed by the IS department remain property of the town.  Additionally, all equipment provided by the town remains the property of the Town of Oakville, and at the end of its useful life, must be returned to the IS department for proper disposal.

5. Personal use

Occasional or incidental personal use of information technology resources is permitted within reasonable limits, provided it does not conflict with business use or time, or  impact negatively on other users or on the information technology resources, or adversely affect an individual’s performance of work duties and responsibilities. Users are responsible for exercising good judgment regarding the reasonableness of personal use. The systems and resources furnished by the town remain the property of the town. Therefore all users are responsible for their actions while using any town resource or network. The town reserves the right to view, change or modify files located anywhere on the network for the purpose of support, best practices, improvements or when issues arise. Any person in violation of Human Rights laws, or Corporate Policies and procedures is subject to disciplinary action.

Personal time is defined as a maximum 60-minute period in increments of 10-minutes that users can search and use the Internet for personal reasons in recognition that computers may be used at lunch and breaks. This personal time is a privilege and should be used ethically and responsibly. I.S. may need to modify the use of personal time based on technical constraints and changes in organizational decisions. At no time will Personal Use extend to the usage of Town of Oakville equipment for personal gain or profit or for personal business use.

6. Monitoring

The town respects the privacy of users, however the town reserves the right to monitor all town information technology to ensure proper working order, appropriate use by employees and security of the corporate data without user consent. The town may delete, intercept or block any traffic on its networks, to prevent spam, pornography, hate related material, or illegal use of town property and violation of town policy and procedure.

7. Preserving assets

Town information technology resources are valuable assets and users of such are expected to exercise reasonable care to prevent abuse to, theft of, or excessive wear of town information technology resources.

8. Internet access

Access to internet is provided to users to facilitate town business. It is a breach of the Use of Information Technology Resources Procedure to access websites that contain any form of material of a nature that is pornographic, obscene, hateful, offensive; or other objectionable materials.

Information may be downloaded from the internet for town business purposes; such information includes reports, spreadsheets, presentations, information files, etc. from other institutions and government agencies that may be useful to the town. The use of audio or video streams from the town’s intranet or internet sites is permitted for business use only. Use of audio or video streams and the use of audio/video communication tools for topics not related to the interest of the town are prohibited and should be limited to business use with prior consent from the IS+S department. Examples of audio/video communication tools may include media video sites such as YouTube, iTunes radio and satellite radio streaming, Skype, iChat, VOIP Buster etc.

Executable software (programs) may not be downloaded, and will not be available for installation. If software is required, a request to the I.S department via the Help Desk, should be made in order to ensure licenses are available.

The I.S. department will monitor internet use and block access to some web sites that pose system risks and are not in compliance with the Information Technology General Use and Practices Policy and Procedure.

9. Email

The town’s email service is provided to communicate messages and attach electronic files for electronic distribution via the internet and intranet for town business purposes.

Users shall conduct email messaging in the same manner as they would other business correspondence, being mindful of the fact that email transmissions over the internet are not secure and may be intercepted and disclosed to third parties.

Generally, information which is sensitive or confidential in nature (such as personal information about individuals, employee performance or other human resource issues, information regarding issues to be discussed in closed door sessions, etc.) should not be sent via email, but where required, should be marked confidential.

In addition, similar to the Personal Use section, employees recognize the town’s systems belong to the town and should always exercise good judgment in the workplace. If an employee is in violation of the Human Rights Code or the Corporate Policies and/or procedures they may be subject to disciplinary action.

10. Software, hardware and data use

All software hardware and data (technology resources) acquired for or developed by town users are the property of the town. All such technology resources must be used in compliance with applicable licences, notices, contracts and agreements. Applications and/or data that is subject to licence agreements, may not be reproduced or shared in any form without permission of the vendor.

Technology resources must be acquired from authorized vendors in accordance with the town Purchasing By-law. Technology resource acquisitions shall be centralized within the I.S. department to ensure that all applications conform to corporate technology standards.

All requests for corporate technology resources must be submitted to the I.S. department for review, to determine compatibility with current technology resources, and the standard resource that best accommodates the desired request and approval.

Software installed on user systems will be based on an approved list of applications and requested on the System Access Request form. Non-corporate software will be uninstalled and future user access to install will be restricted. Employees shall not download or attempt to install non-approved applications; examples include (but are not limited to) screensavers, file or photo sharing applications, satellite radio streamers, camera drivers, etc.

Original electronic media will be kept by I.S. department, and only the appropriate copies of software and documentation will be given to authorized users.

11. Unacceptable uses of town information technology resources

In addition to the examples outlined in other sections, examples of unacceptable use of town IT resources include:

Accessing website content that:

• promotes pornography.
• presents demeaning or derogatory portrayals of individuals or groups or contain any message that is likely to cause deep or widespread offence.
• continuous unauthorized media streaming / external web-radio, and web video stations
• using accounts to harass, threaten, embarrass or annoy others or to send material considered obscene, abusive, threatening, libellous or defamatory.

In addition, the following activities represent unacceptable use of website and/or user technologies:

1. soliciting or conducting business for personal gain or profit using Town owned technology or resources.
2. sending chain letters or junk mail (spamming).
3. forwarding inappropriate email, graphic or sound files.
4. misrepresenting the originator of any communication.
5. downloading and running any executable software, i.e. files with the extension .exe or .com without previous approval from IS+S and/or assistance from a member of the IS+S department.
6. using accounts or technology for illegal purposes including the use of pirated or unlicensed software;
7. using accounts or technology to circumvent copyrights, trademarks of other intellectual property rights;
8. installing software that is not supported by and or without the authority of the IS+S department.
9. accessing someone else’s personal account, or providing the means to do so without proper delegated authority.
10. deleting or modifying files belonging to other users without consent.
11. installing or inserting portable media devices such as USB sticks or drives, iPods, MP3 Players and handheld smart phone technologies without a business purpose or use.

12. Lost or stolen equipment

Users will exercise care with town property and will secure equipment when travelling or transporting equipment. Laptops and accessories should not be left in a vehicle. Cell phones and Blackberries are required to use password protection to secure confidential information.

Where and whenever equipment has been lost or stolen, the loss shall be reported immediately to the employees’ manager as well as I.S. This reporting will ensure communication tools or devices can be removed from networks and will mitigate risks that may arise, where issues with compliance may occur or where breaches of confidential information may be impacted.

13. Consequences of non-compliance

Users who fail to comply with the IT General Use and Practices procedure may lose access privileges. Depending upon the severity of the violation, users may be subject to disciplinary action up to and including dismissal.  Illegal violations by any user can and will be reported to the appropriate authorities.

COBIT framework objectives:

• AI 4 – Enable Operation and Use
• AI 4.3 – Knowledge Transfer to End Users
• DS 5 – Ensure Systems Security
• DS 5.5 – Security Testing, Surveillance and Monitoring
• DS 5.10 – Network Security
• DS 5.11 – Exchange of Sensitive Data
• DS 7 – Educate and Train Users

Responsibilities

Users are responsible for:

1. adhering to the IT General Use and Practices Policy and all underlying procedures;
2. all activities on personal accounts;
3. ensuring confidential information is handled appropriately;
4. reporting any known or suspected violations to the immediate supervisor or manager.

Management is responsible for:

1. making employees aware of the IT General Use and Practices Policy and all underlying procedures, and reporting any contraventions of same;
2. ensuring that access rights of employees are issued or revoked in a timely manner when changes are required;
3. ensuring that any town owned hardware/software is returned to the town.

The I.S. department shall in conjunction with other departments, provide leadership, management and control over corporate data application systems and software in order to ensure corporate strategies are supported and that information to manage the town is standardized, consistent and reliable.

The I.S. department is responsible for:

1. establishing hardware, software, video and communications technology standards to ensure a secure and reliable information technology and communications environment.
2. monitoring the use of IT resources to ensure compliance with corporate policy and procedures.
3. providing user manuals and other appropriate user tools for independent study by user departments where appropriate.
4. scheduling training opportunities, on a regular basis, for all standardized applications for all user groups.
5. operating a help desk support service for user inquiries on all standard applications and acting as a consultant for systems design of new products.
6. purchasing and support of all approved desktop, laptop computers or other forms of data processing hardware, software and peripherals.
7. purchasing and support of all approved cell phones, land line phones, voicemail and hand held smart phone technologies.
8. all computer equipment installations, modifications, and relocations.
9. purchasing and supporting of all other approved technologies as covered by the IT General Use and Practices Policy and procedures.