Information Technology Policy Manual 2022

IT Department policies in one cohesive reference for 2022

IT POLICY MANUAL FY 2021-2022

INFORMATION TECHNOLOGY DEPARTMENT PREPARED BY

IT Department’s policies in one cohesive reference

Information Technology Department’s Policy Manual July 1, 2021 – June 30, 2022 City of Greensboro, NC

This manual has been created to consolidate all of the IT Department’s policies into one cohesive reference. This manual will be reviewed annually and posted to our IT Department website.

TABLE OF CONTENTS

DOCUMENT INFORMATION

ACCEPTABLE USE POLICY
PURPOSE, SCOPE, ROLES AND RESPONSIBILITIES, POLICY, SOCIAL MEDIA, ENFORCEMENT, COMPLIANCE, EXCEPTIONS

BACK-UP AND RETENTION POLICY
PURPOSE, SCOPE, POLICY, ROLES AND RESPONSIBILITIES, ENFORCEMENT, COMPLIANCE

CELL PHONE POLICY
PURPOSE, SCOPE, COMPLIANCE, POLICY, ROLES AND RESPONSIBILITIES, ENFORCEMENT, CELL PHONE/PHONE STIPEND REQUEST FORM


CHANGE MANAGEMENT POLICY
PURPOSE, DEFINITIONS, ROLES AND RESPONSIBILITIES, ENFORCEMENT, COMPLIANCE, SCOPE

DISASTER RECOVERY POLICY
PURPOSE, SCOPE, ROLES AND RESPONSIBILITIES, COMMUNICATION, POST MORTEM ACTIVITIES AND MITIGATION, ENFORCEMENT, COMPLIANCE

EMAIL RETENTION AND DISPOSITION POLICY
PURPOSE, SCOPE, POLICY, POLICY SUSPENSION, NON-COMPLIANCE, RETENTION SCHEDULE

FILE ACCESS GUIDELINES
PURPOSE, GENERAL GUIDELINES

IPAD MANAGEMENT POLICY
PURPOSE, SCOPE, DEFINITIONS, POLICY/ROLES AND RESPONSIBILITIES, ENFORCEMENT, COMPLIANCE


IT OPERATIONS POLICY
PURPOSE, SCOPE, DEFINITIONS, ROLES AND RESPONSIBILITIES, POLICY, ENFORCEMENT, COMPLIANCE, EXCEPTIONS

IT LOANER DEVICE RENTAL AND RETURN POLICY
PURPOSE, SCOPE, DEFINITIONS, ROLES AND RESPONSIBILITIES, ENFORCEMENT AND COMPLIANCE, CURRENT FEE SCHEDULE FOR RENTAL EQUIPMENT

LOST/STOLEN LEASED EQUIPMENT POLICY
PURPOSE, SCOPE, DEFINITIONS, ENFORCEMENT, COMPLIANCE, ROLES AND RESPONSIBILITIES

MONITORING EMPLOYEES USE OF ELECTRONICS RESOURCES GUIDELINES
PURPOSE, SCOPE, DEFINITIONS, GUIDELINES

ONE CONNECT POLICY
PURPOSE, SCOPE, DEFINITIONS, POLICY/ROLES AND RESPONSIBILITIES, EXCEPTIONS, ENFORCEMENT, COMPLIANCE, ONE CONNECT POLICY EXCEPTION REQUEST FORM


OPEN DATA POLICY
PURPOSE, DEFINITIONS, ENFORCEMENT, ROLES AND RESPONSIBILITIES, GOVERNANCE

PC SECURE CONFIGURATION STANDARDS
PURPOSE, SCOPE, ROLES AND RESPONSIBILITIES, STANDARDS

PRINTER POLICY
PURPOSE, SCOPE, DEFINITIONS, ENFORCEMENT, COMPLIANCE, ROLES AND RESPONSIBILITIES

PRINTER SECURE CONFIGURATION STANDARDS
PURPOSE, SCOPE, STANDARDS, ROLES AND RESPONSIBILITIES

SERVER SECURE CONFIGURATION STANDARDS
PURPOSE, SCOPE, STANDARDS, ROLES AND RESPONSIBILITIES

SURPLUS POLICY
PURPOSE, DEFINITIONS, ENFORCEMENT, COMPLIANCE, SCOPE, ROLES AND RESPONSIBILITIES

SURVEILLANCE CAMERA MONITORING AND AUDITING POLICY
PURPOSE, SCOPE, DEFINITIONS, ENFORCEMENT, COMPLIANCE, ROLES AND RESPONSIBILITIES


TECHNOLOGY REFRESH POLICY
PURPOSE, SCOPE, DEFINITIONS, ROLES AND RESPONSIBILITIES, ENFORCEMENT, COMPLIANCE

THIRD PARTY ACCESS POLICY
PURPOSE, SCOPE, COMPLIANCE, ACKNOWLEDGEMENT, POLICY, ATTACHMENT 1: THIRD PARTY CONNECTION REQUEST

TIER II POLICY
PURPOSE, DEFINITIONS, DEPARTMENT RESPONSIBILITIES, ENFORCEMENT, COMPLIANCE, APPENDIX A: TIER II DEPARTMENT REQUEST, APPENDIX B: APPROVED CERTIFICATIONS, ROLES AND RESPONSIBILITIES


INFORMATION TECHNOLOGY ACCEPTABLE USE POLICY
City of Greensboro, NC
Cyber Security Division

DOCUMENT INFORMATION

Policy Name: Information Technology Acceptable Use Policy
Document Reference Number: GSO-ITAUP-002
Version: 2.0
Effective from: 8/25/2021

Document Change History and Revision Control

Version | Sections Revised | Description of Revision | Changed By | Date
1.0 | All | Initial Document Creation and updates version 1.0 to 1.4 | Tasha Swann Holsey | 5/28/2015 to 8/24/2021
2.0 | All | Updated with Legal statutes for return of equipment and responsibility to review document annually | Legal/Al Andrews | 8/25/2021

Approval Details

Reviewed & Approved By | Role | Signature | Date
Rodney Roberts | Chief Information Officer | | 4/11/2022
Tasha Swann Holsey | Cyber Security and Compliance Manager | Tasha Swann Holsey | 4/11/2022


GSO-ITAUP-002

PURPOSE

The purpose of this policy is to define the principles to which City of Greensboro employees, including full-time staff, part-time staff, contractors, consultants, vendors, trainers, temporary staff and the like, will adhere in order to protect the confidentiality, integrity and availability of the City’s systems and information and comply with privacy laws and industry regulations. Protecting systems and information and ensuring compliance with laws and regulations is fundamental to the successful operation of the City.

This policy also provides guidelines that anyone employed by the City of Greensboro should consider and must follow at all times (during work hours and after work hours) when posting to their personal social media accounts using a City-owned or personal (privately owned) electronic device and/or equipment.

Technology equipment assigned to you as an employee is your responsibility. This includes city cell phones, iPads, tablets, tough books, and computer equipment such as docking stations, monitors, speaker bars, keyboards, mice, laptops, computer cables, etc. Pursuant to N.C.G.S. §95-25.8(a)(2), this advanced written authorization gives the City of Greensboro the authority to make deductions from any final wages to recover the expenses of all lost, damaged, or unreturned equipment issued to the employee upon separation.

SCOPE

This Acceptable Use Policy applies to all users of all information systems that are the property of the City of Greensboro as well as how employees interact with their personal social media accounts. Specifically, it includes:
• All employees, whether employed on a full-time or part-time basis by the City of Greensboro
• All contractors and third parties that work on behalf of and are paid directly by the City of Greensboro
• All contractors and third parties that work on behalf of the City of Greensboro but are paid directly by an alternate employer
• All employees of partners and clients of the City of Greensboro that access the City of Greensboro’s non-public information systems


ROLES AND RESPONSIBILITIES

Function | Responsibility
Cyber Security Team | 1. Define the rules and guidelines outlined in this policy 2. Report non-compliance issues to employee manager and/or HR
Employees, consultants and contractors | Adhere to the rules and principles defined in this policy, to include protecting the confidentiality, integrity and availability of the City’s network, systems, information; employees’ use of social media; and return of City-issued equipment.

POLICY

General Acceptable Use
• The City’s IT resources are for conducting City business. Limited use of City technology, such as occasionally sending a personal email, is permitted if the use does not interfere with your job requirements or conflict with any City policies or procedures. Use of IT resources for personal gains, or the gains of others, such as performing work for profit is not permitted.
• Obey all laws, regulations, and City policies when using IT resources. This includes copyright laws, software-licensing agreements, data privacy and protection laws, and contractual requirements related to intellectual property rights and use of proprietary software products.
• Access to City information must be restricted based on an employee’s need to perform their job. Employees are responsible for the information they access and must exercise good judgment in protecting that information from unauthorized access. Employees must not disclose sensitive information, nor attempt to access information for which they are not authorized.
• Do not use IT resources, such as Internet, email or messaging services to harass or intimidate another person, receive or transmit sexually oriented material, or any other material that a reasonable person would construe as offensive, inappropriate, or potentially harmful to others. This includes, but is not limited to, bullying those employed by the City of Greensboro, as well as disparaging anyone because of their gender/sex, race, color, age, national origin, ethnicity, sexual orientation, marital status, military status, familial status, religion, mental or physical disability, gender expression, gender identity, genetic information, political affiliation. In addition, see Social Media section on pages 7-8, Personnel Policies H-10 Harassment Free Workplace, and H-1, Appendix List of Expected and Unacceptable Employee Behavior or Performance.
• Do not engage in activities that might harm City’s IT resources. This includes, but is not limited to, introducing computer viruses to the network, disrupting services, damaging files or making unauthorized changes to software or information.
• Use only IT resources that have been approved by the City’s IT Department. This includes third-party services, mobile devices, software, and network connections.
• Do not attempt to circumvent any information security measures that have been implemented to protect the City’s systems and information. This includes, but is not limited to, using privileged utilities or hacking/password cracking programs in an attempt to gain unauthorized access to systems or information.
• Do not download and/or install software on your system without obtaining proper approval from the IT department first.
• Do not leave confidential documents unattended on your desk. Documents containing confidential information must be stored in locked cabinets. Your computer screen must also be locked if your desk is left unattended.
• Report security violations or incidents immediately to the IT Service Desk at 373-2322 or by emailing the Cyber Security Team at securityincidents@greensboro-nc.gov

ASSIGNED EQUIPMENT

Technology equipment assigned to you as an employee is your responsibility. This includes city cell phones, iPads, tablets, tough books, and computer equipment such as docking stations, monitors, speaker bars, keyboards, mice, laptops, computer cables, etc.
• Upon resigning or termination of employment, this equipment must be returned to the City of Greensboro via your direct manager or the Human Resource departmental representative
• Any equipment not returned prior to your final check will be priced with the leasing company and charged against your final paycheck
• If you are an out of state contractor or do not live locally, a FedEx number will be provided by the department and the equipment must be returned within two weeks at the expense of the City. The equipment must be packed by the FedEx or UPS facility and insured for the leased value. The lease value can be obtained from IT. Tracking numbers for the shipment must be provided in said timeframe.
• If computer equipment is not returned by a contractor, the value will be deducted from the final payment on the contract

TECHNICAL ACCEPTABLE USE

Cloud and 3rd Party Services
• Any time a third party will collect, store, process, transmit or access the City of Greensboro information, an information security review must be performed prior to entering into a contract
• The review will ensure that there is an acceptable level of risk to the confidentiality, availability and integrity of City’s information. The City of Greensboro is ultimately responsible for the security of the City’s information while it is in the care of a third-party service provider
• Contact the Cyber Security Division to complete a third-party security assessment. Early engagement will avoid any delays to your project

Refer to the Third Party Access Policy regarding network access for a third-party


Internet Browsing
• Do not access websites that are deemed inappropriate, offensive or harmful. The companies that run inappropriate websites may not have good security controls in place. And by accessing these websites, you risk getting your system infected with Malware and your information compromised
• Do not download copyrighted material like software, music and videos without paying for it. Keep in mind, the City is held liable for any copyrighted material being downloaded using City’s systems and the City may end up paying fines as a result
• Do not use the network to store or play music or streaming video from the Internet which is not related to City business
• Do not engage in online fraudulent activities. The City is held liable for the activities you conduct online using its systems. Do not engage in any illegal online activities. Refrain from using City’s systems to sell online products and services like selling products on Craigslist or eBay

Email Guidelines
• Do not send personal or sensitive information in an email to a third party. Email sent over the Internet is not secure
• Do not use personal email (e.g., Yahoo or Google) for City business
• Do not set rules in Outlook to auto-forward email to outside email accounts
• Do not use City of Greensboro email address to sign up for any websites not related to City business

Password Guidelines
• Create a password that is easy to remember but difficult for a hacker to guess. Try to use “password phrases” (e.g., IOweYou123$$!! or SeeYou@1230!!!). These are really difficult for a hacker to guess but easy for you to remember. And always make sure your password is at least 14 characters in length. The time it takes for a hacker to crack an 8 character password is 6 hours, while it takes more than 10 years to crack a 14 character password
• Be wary of key logger Malware. This is a type of Malware that captures your password when you type it into an online service. One indicator that you may have Malware on your system is that the Anti-Malware software stops working (there is a disabled symbol over the Anti-Malware icon on the taskbar). If this happens, please report the issue to the IT Service Desk immediately
• Your City password must be different than passwords used for personal accounts
• Be sure to never share your password with anyone or write it down
• And if you believe that your password may have become compromised, please change it immediately

Refer to the User Provisioning Policy for further information about password complexity requirements

Instant Messaging
• Use IM only for workgroup communications of information that would not cause employees or the City harm if the IM conversations were made public (as government employees, IM conversations are subject to public inspection pursuant to the North Carolina Public Records Law)
• Do not use IM for sending sensitive information between employees

Mobile Devices
Mobile Devices have arisen as powerful computing devices with access to sensitive and personal information. Follow these rules to keep sensitive and personal information safe:
• Do not circumvent mobile device security controls that have been implemented by the City to protect the device
• Protect your mobile device by keeping it in a safe location, and avoid leaving the mobile unattended in a motor vehicle or in a public area
• Observe all applicable laws including all such laws restricting the use of mobile devices while driving. If an employee is charged with traffic violations resulting from the use of a mobile device while driving, the employee will be solely responsible for all liabilities that result from such action
• Only install apps with good reputation from reputable sources
• Immediately contact the IT Service Desk at 373-2322 if your mobile device is lost or stolen

Refer to the Mobile Device Policy for further information about mobile device usage guidelines

Non-City Owned Computers
Non-City Owned Computers include employee owned laptops and home computers. Non-City owned computers can present risks to the City’s systems and applications. For example, Malware hidden on a non-City computer that’s used to access City resources can record all keystrokes entered, including your City’s username and password, then use the information to gain unauthorized access to the City’s systems and sensitive information. Non-City Owned Computers can only be used for Exchange Webmail access.

Non-City Owned Computers cannot be used for:
• Access to internal City systems and applications
• Access to the City via VPN
• Saving email and attachments when using Exchange Webmail

File Transfer Service
The City’s standard method for exchanging documents is Dropbox which utilizes very secure methods to ensure that documents sent and received are protected against eavesdropping and compromise. Contact the Cyber Security and Compliance Manager if you need to use Dropbox.

Removable Storage Devices
• Sensitive information is not to be copied or stored on USB Flash drive
• Contact the Cyber Security Team if your job requires you to transport sensitive information on USB Flash drives
• IT approved external hard drives are allowed for backing up data from a laptop or a desktop computer. However, the drive must never be transported out of the City offices
• Removable storage devices must be returned to IT for proper disposal when no longer needed

Internet of Things (IoT) Devices
• Configure the IoT device with a strong password
• Ensure the firmware on the device is updated regularly
• Read provided instructions or ask vendor for additional recommendations

SOCIAL MEDIA

Employees assume any and all risks associated with their personal/private blogging, live streaming, and use of social media on privately owned equipment/devices. Sharing information online and in social media amplifies your voice. What you say can instantaneously spread to a global audience and possibly impact your workgroup whether you intend it to or not. The statements you make can live indefinitely and what you say reflects on you and on the City of Greensboro, especially if you identify yourself as a City of Greensboro employee.

You engage in social media when you use any of the following:
• Maintain a personal blog or website
• Comment on news articles or blog posts
• Maintain a social media account (Facebook, Twitter, Instagram, LinkedIn, etc.)

Never post or discuss sensitive City information online. This may include information related to business units, employees, administration, residents, vendors, and audio or video recording or photographing other employees or residents without their knowledge. Any information that is not publicly available is considered sensitive.
• Do not disparage, insult, harass or bully other employees or family members of employees (see Personnel Policy H-10 Harassment Free Workplace Policy).
• Do not engage in defamatory, harassing, vulgar or other forms of inappropriate language or conduct (see policy referenced above).
• City employees are not permitted to speak on behalf of the City with residents, vendors, etc. over social media outlets, unless explicitly authorized by the Communications and Marketing Department.
• City employees should refrain from making posts and/or engaging in discussions on their personal social media accounts that could possibly impact and/or defame the City, their departments, workgroups and/or create dissension among other employees. This includes, but is not limited to, political posts/discussions. NOTE: Please see subsection (d.3.) below, and the required online Learning Management System (LMS) module on Political Activity. Also, the H-2 Employee Complaint Resolution Policy (LMS module) provides a process to follow should you have concerns about your employment conditions and/or relationships with other employees.
• City-owned devices should not be used for personal/private blogging, live streaming, or personal/private use of social media sites.

The following requirements apply to your use of social media:


• Employees who engage in personal/private blogging, live streaming, or use of social media sites, whether using a City or privately owned personal electronic device/equipment, may not:
  a) Attribute personal statements, opinions, or beliefs to the City of Greensboro. Keep in mind that if you identify yourself as a City employee on social media, others may believe you are speaking on behalf of the City unless you state otherwise. Stating that you are not speaking on behalf of the City does not relieve you of the responsibility to adhere to and follow the requirements of this and any other City policies;
  b) Disclose confidential City information;
  c) Use the City logo; or
  d) Post any material that could:
    1. Be construed as harassment, hate speech, or libel;
    2. Be determined that you engaged in unacceptable employee behavior as stated in the Appendix of Personnel Policy H-1, List of Expected and Unacceptable Employee Behavior or Performance to include audio or video recording or photographing anyone employed by the City of Greensboro or residents without their knowledge; or
    3. Be disruptive to the work environment because it impairs workplace discipline or control, impairs or erodes working relationships, creates dissension among co-workers, interferes with job performance, or obstructs operations.

Refer to the Social Media Policy for further information about employee use of social networks

ENFORCEMENT & COMPLIANCE

Any violation of this policy may lead to disciplinary action, up to and including dismissal from employment. The disciplinary action will depend upon the violation and be subject to the discretion of the employee’s supervisor/manager in accordance with Personnel Policy H-1 Discipline Without Punishment (DWP) Policy. The Fire and Police Departments have their own corrective action processes.

It is the responsibility of City of Greensboro employees, contractors and consultants to ensure that the policy described in this document is followed. Employees, contractors and consultants must understand that protecting confidential information is a critical part of the City’s security strategy. The Cyber Security Team is authorized to limit access for employees, contractors and consultants that do not comply with this policy.
• Live streaming on social media during an employee’s work hours is strictly prohibited without prior approval of the employee’s Department Director.


EXCEPTIONS

Requests for exceptions to this policy may be granted for systems or applications that have adequate security controls implemented. The security controls must provide good protection against Malware, cyber-attacks and other forms of threats. Requests must be submitted in writing to the Cyber Security and Compliance Manager for review and approval and must include the following details:
1) Purpose for requesting the exception
2) The risk to the City if the system or application becomes compromised
3) Mitigation controls that have been implemented to protect the system or application
4) End date for the exception


BACK-UP AND RETENTION POLICY

PURPOSE

The purpose of this policy is to define the minimum standards for performing and retaining periodic backups of City of Greensboro computer system data.

SCOPE

These standards apply in their entirety only to the City of Greensboro file servers and SAN/NAS data storage that are maintained by the IT Network Services Department of the City of Greensboro. Parties responsible for backup management on other City of Greensboro servers, however, are strongly encouraged to adopt these practices.

POLICY/ROLES AND RESPONSIBILITIES

Data Backup and Retention

1. It is the responsibility of the City of Greensboro IT Network Service Department staff and manager to determine which folders will be backed up on any given City of Greensboro file server.
2. An approved backup job will be scheduled to run on each file server once or more every day.
   a. Using Veeam incremental backup, a scheduled backup will be run every day of the week on every standalone server and kept for 30 days. Full backups are performed each week to confirm consistency.
   b. Using NetApp snapshot technology, a scheduled snapshot/backup of all file data residing on SAN/NAS systems will be scheduled to run every 4 hours and will be retained for 30 days.
   c. Using NetApp data mirror technology, all data residing on the NetApp Storage Systems will be scheduled to replicate all LUN data to a remote SAN/NAS system located at an off-site building and will be retained until the data is no longer needed.
3. An approved backup job will be scheduled to run on each SQL Database server once or more every day.
   a. Full SQL database backup jobs will be scheduled to run on each SQL server every day of the week and kept for 30 days. Full backups are performed each week to confirm consistency.
   b. All critical SQL databases will be located on SAN/NAS systems and the data will be replicated to a remote SAN/NAS system using NetApp SnapMirror technology.
   c. Verifying Backups/Integrity check: a sampling of SQL database restores is performed to validate the integrity of backup jobs.
   d. Infor Lawson is backed up by the AWS Cloud operations team where it is hosted. Refer to the SOC report from AWS for backup policies.

4. An approved backup job will be scheduled to run on each email Exchange Database server once or more every day.

   a. Using NetApp DB snapshot technology, full Exchange database and log backup jobs will be scheduled to run daily and seven snapshots retained.
   b. All critical Exchange databases will be located on SAN/NAS systems and the data will be replicated to a remote SAN/NAS system using NetApp SnapMirror technology.
   c. After every Exchange database backup job, a post-validation process takes place to validate the integrity of each backup session.

5. Backup media is stored at a secured off-site facility within a few miles of the main City of Greensboro Data Center.

6. Backup media will not be left unattended in vehicles at any time.

ENFORCEMENT & COMPLIANCE

Enforcement of and compliance with this policy will be the responsibility of the City of Greensboro’s IT Department Network Services Division.

CELL PHONE POLICY

PURPOSE

The purpose of this policy is to establish a set of procedures concerning the use of City-issued cell phones or the issuance of a cell phone stipend in order to comply with federal, state, and local laws. This policy establishes guidelines for monitoring and controlling cell phone costs, cell phone use, and other administrative issues related to cell phones. By using your City-issued cell phone or by receiving a cell phone stipend, you are consenting to adhere to the City of Greensboro’s Cell Phone Policy.

SCOPE

The purpose of this policy is to establish a set of procedures concerning the use of City-issued cell phones or the issuance of a cell phone stipend in order to comply with federal, state, and local laws. This policy establishes guidelines for monitoring and controlling cell phone costs, cell phone use, and other administrative issues related to cell phones. By using your City-issued cell phone or by receiving a cell phone stipend, you are consenting to adhere to the City of Greensboro’s Cell Phone Policy.

POLICY/ROLES AND RESPONSIBILITIES

Cell Phone Stipend

Department heads or designee may request a cell phone stipend for positions within their department, based on the above qualifications. Employees in positions that are approved will receive a stipend to compensate for business use of a personal cell phone.

Rules for receiving a cell phone stipend are as follows:

• Roster employees are not eligible for a stipend.
• The stipend will be included in the employee’s semi-monthly payroll check and will begin based on established payroll cutoff dates.
• One half of the stipend amount will be included in each semi-monthly payroll check.
• The City is not responsible for damages to a personal cell phone.
• The stipend is not an increase in base pay.
• The monthly stipend should be reviewed and approved by departments at least annually.
• The amount of the reimbursement should not exceed the employee’s plan rate.
• Employees agree to allow the City to publish their number and to accept business calls, text messages and emails on their phone.
• Non-exempt employees cannot be contacted after hours without compensation.
• The Department head or designee may require the employee to use a certain communications platform, consistent with the platform used by other wireless devices in the department, to be eligible for this allowance.
• Employees authorized by their Department Head or designee to receive a stipend in lieu of the City-issued phone may use the device for both City and personal use. Please be advised that this may make your call records a matter of public record.
• The Department head or designee may request verification of an active plan and plan rates at any time.

• Employees do not have to substantiate or document business use of the phone.
• Employees are required to notify their employer immediately if there is any interruption of service due to loss, damage, carrier cancellation, etc.
• Employees are encouraged, but not required, to carry insurance on their phone.
• The employee is responsible for all contractual services with their wireless provider.
• Termination or continuance of the monthly reimbursement will be at the discretion of the department director.
• If an employee is out of work more than 30 days, they may be required to have their stipend suspended until returning to work.

Reimbursement Rates

It will be up to the Department head or designee to decide the appropriate reimbursement amount necessary for each employee as follows:

Monthly Stipend Allowance:

Phone & Data: $45.00 stipend per month. Only one City-funded data plan is allowed per employee (One Connect Policy).

Phone Only: $25.00 stipend per month

Option 2 – Standard City-Issued Phone

Rules for City-issued phones are as follows:

• Roster employees are eligible for City-issued phones but they are not eligible for a stipend.
• If the employee is assigned a phone for take-home purposes, the employee must accept business calls and/or messages on the phone.
• The City is responsible for the purchase of a phone and required accessories from its preferred carrier.
• Employees must notify their supervisor immediately of a lost or damaged phone.
• Employees may be responsible for reimbursing the City for costs incurred as a result of loss or damage of a City phone and/or accessories due to employee negligence.
• Upon separation of employment, employees will return cell phone and all accessories prior to receiving final paycheck.
• If an employee is out of work more than 30 days, they may be required to turn in their City-issued phone until returning to work.

ENFORCEMENT & COMPLIANCE

Any employee who is found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Department Heads or their assigned representative(s) will issue their own guidance regarding personal use and re-payment of any overages encountered by the cell phone user.

Please note: the IT Department does not support personal phones. If you receive a stipend and are using a personal phone, the IT Department will aid the person with installation of MaaS360.

CITY CELL PHONE & PHONE STIPEND REQUEST

Name:
Employee #:
Department:
Position # & Title:
Justification:
Request Date:

Requested:

☐ City-issued Cell Phone
☐ Cancel City Number _____________________________
☐ Personal Number for Stipend ______________________
☐ Stop stipend payment
☐ Cell Phone Stipend
☐ Phone and Data ($45.00 per month)
☐ Phone Only ($25.00 per month)

**If you are moving from a City Cell Phone to a Stipend, you must return all ancillary equipment (e.g., cables, chargers, case) to Telecomm Services before the Stipend can be approved or submitted to payroll.

I certify that I have received a copy of and understand the City of Greensboro Cell Phone Policy.

Acct Number:

X Employee Signature

X Department Head Signature

Information Technology Telecom Office

Date Recorded:

Recorded By: ________________________

Finance Office

Date Entered in Payroll:

Recorded By: __________________________

CHANGE MANAGEMENT POLICY

PURPOSE AND POLICY

This Change Management Policy defines the steps necessary to implement and maintain Change Management (CM) processes for the City of Greensboro’s Information Technology (IT) Department. This document will establish a foundation of what change and change management are, define the items needed for effective CM, establish roles and responsibilities of the people involved, describe the actual steps of the CM process, and specify how they will be accomplished. The purpose of this policy is to define a consistent approach to manage changes to the IT environment.

SCOPE AND OBJECTIVES OF IT CHANGE MANAGEMENT

The IT Department is committed to operational and service excellence. It is paramount that changes to existing system network architecture, internal and external services, products, processes, and any other significant technology based hardware or software application changes be documented, adjudicated, and vetted before implementing. The objectives of CM are to minimize the adverse impact of required changes on system integrity, to preserve security, to honor existing service level agreements or contracts, to enable the coordination and planning of changes in order to provide a stable test and production environment, and to maximize the productivity of persons involved in the planning, coordinating, and implementation of quality value-added changes. Typically, CM will be utilized to:

Take corrective action: an intentional activity that adjusts the performance of something already in progress.

Take preventive action: an intentional activity that ensures future performance goals are met.

Defect repair: an intentional activity to modify a non-conforming product or service.

Updates: changes to our current state of affairs or baseline, changes to existing products, services, new user requirements, or simply new ideas.

The City of Greensboro’s IT Department is responsible for application services, geographical information systems, telecommunications, network services, security and compliance, and leasing/deployment of vital IT-related products. The realm of information technology spans a diverse group of end users with responsibilities encompassing all areas of municipal government. Technology is thoroughly ingrained in most City Departments, and therefore any change has the potential to be significant. It is therefore critically important to manage change in a proactive and effective manner. It is important to note that each department has a finite amount of resources available to manage IT; therefore, every effort to streamline this policy has been made to reduce the impact to our productivity.

HIGH LEVEL PROCESS FLOW

[Figure: Change Management Process flow diagram. Labels shown: Identify Change; Initiate Change Request (Everyone: complete each CR field); CAB Review; Approve or Reject; Implementation Plan; Testing Plan; Fallback Plan; Communicate (users, stakeholders including IT Management); Implement; Test and Verify; Update CMDB; Update System Docs; Close.]

DEFINITIONS

Break/Fix: Changes that are initiated to repair a non-conforming product or service.

Change: The addition, modification, or removal of anything that could have an effect on IT systems and/or services.

Change Advisory Board (CAB): An empowered body that oversees change procedures, validates, and approves/rejects documented changes. The CAB is responsible for viewing the information provided in every change request in order to ensure that the changes are sufficiently researched, documented, communicated, planned, and executed according to defined cost, schedule, performance, and risk criteria.

Change Coordinator/Requestor (CC): The person responsible for entering the change into the CM system and managing the change through to its completion. The change coordinator may delegate work activities to their respective staff as appropriate.

Change Management (CM): The process of documenting a change, reviewing the potential impact of that change, controlling the timing of the change and, upon completion, verifying the completeness of the change.

Change Manager/Project Manager (CMGR/PM): The Change Manager is a member of the IT staff who is responsible for changes across the enterprise. In this instance, the change manager and project manager will be synonymous. The Change Manager/Project Manager of the IT Department will ensure all changes are documented, that each change enters the CAB process for approval or rejection, and will monitor progress of the change by utilizing Program Management Body of Knowledge (PMBOK) standards that are tailored specifically to the department need.

Change Request (CR): A broadly defined term that describes the overall process of requesting validation of a change. The CR is composed of various pieces of information depending on the type of change and the Project Management documentation method employed.

Change Type (CT): Change types are classified as Emergency, Low, Medium, and High. Their classification is dependent upon an acceptable time period established by various service level agreements and can vary by division and stakeholder agreements.

Emergency Change: These are highly critical changes that must be implemented within 72 hours to react to system failure/outages or to prevent system failure/outages from occurring.

Incident: An unplanned occurrence that disrupts normal operations and has a significant impact to services provided by the IT department.

Initiative: A program management framework that classifies a particular work activity based on enterprise operations. For the purposes of this policy an initiative consists of the following non-inclusive traits.

• An initiative from start to finish will typically last less than 30 days. Initiatives may or may not have start and end dates.
• Initiatives are typically single tasks that do not require detailed milestone definitions and a host of sub-tasks to perform in order to reach a desired goal.

• Initiatives lack uniqueness and are routinely performed on a daily or weekly basis to support operations. Simply, they are not recurring.
• Initiatives apply to maintenance required to support system and application infrastructure.

Maintenance: Routine and preplanned activities used to prolong the life cycle of the product or service.

Project: A program management framework that classifies a particular work activity based on enterprise operations. For the purposes of this policy a project consists of the following non-inclusive traits.

• A project from start to finish will last more than 30 days or a month in time.
• A project has a definite start date and a definite end date with defined resources and scope.
• A project should lend itself to having milestones with tasks under each that when completed realizes a significant effort towards your end goal.
• A project will lend itself to have more than a single task but stages where you plan, initiate, and execute to achieve a desired goal.
• A project is a unique effort that is not recurring.

ROLES AND RESPONSIBILITIES

The CAB is an empowered body that oversees change procedures, validates, and approves/rejects documented changes. The CAB is responsible for viewing the information provided in every change request in order to ensure that the changes are sufficiently researched, documented, communicated, planned, and executed according to defined cost, schedule, performance, and risk criteria.

• The CAB will convene each week to review, approve, or reject pending CRs.

• The PM (or designee) will administer the CAB meeting by presenting all pending CRs and re-visit any approved CRs that have encountered issues for group awareness and subsequent re-direction of the activity.

• The CAB should consist of each division lead or designee when unable to attend. Currently our composition is:

(A) Chief Information Officer (CIO)
(B) Deputy-CIOs
(C) Applications Services Manager
(D) GIS and Special Projects Manager
(E) Public Safety Manager
(F) Telecomm/VOIP Manager
(G) Network Services Manager
(H) Security and Compliance Manager
(I) Project Manager
(J) GM911 Manager

• Each division lead or designee should analyze each CR for potential impacts to their area of responsibility prior to the CAB meeting and be able to discuss any mitigation activity that might need to take place before approving/rejecting the CR.

• The IT department will err on the side of caution by delaying CRs that have not been fully vetted or whose risk of implementation is too great.

• The CIO has final determination authority to approve or reject pending CRs.

• The Network Services Manager will ensure the lead systems architect is aware of all changes entered into the CM system.

• The PM will ensure the CRs are queued effectively so as not to cause significant delays to work efforts that could be accomplished before the CAB has an opportunity to convene. In these instances, the PM will walk projects or initiatives through each division lead for concurrence or rejection. At times the PM may elect to place the project or initiative on hold until an overall determination can be made by the CAB.

• Emergency changes may occur at any time. These are highly critical changes that must be implemented within 72 hours to react to system failure/outages or to prevent system failure/outages from occurring. In these occurrences and during normal business hours (07:30am-5:30pm) the PM will expedite the CR via phone, email, or any other means available to communicate the issue to the CAB. The PM will keep a log of the CAB contact and their concurrences/rejections should it need to be referenced at a later time.

• Emergency break/fixes after normal business hours will be addressed by the Service Desk Team. Simply call 336-373-2322. The Service Desk team will notify the CIO and PM of any break/fix issues up to 11PM but are authorized to make emergency changes as needed to restore services. The Service Desk team will back-brief the CIO and PM the following morning at the beginning of the business day and the PM will document the outage via an emergency change request.

• Change requests must be filled out in their entirety and will include various programmatic elements, implementation, testing, and fallback plans. Every attempt to test solutions (for functionality and performance gain) will be made before they are introduced to production environment systems.

• Changes will be classified as emergency, low, medium, and high in accordance with existing IT standards.

• The PM will provide training to each CC/R so they are familiar with the policy, the in-take procedure, and method for closure.

• The PM will communicate any major status changes to the CIO and Deputy CIO for situational awareness and possible re-direction of the efforts.

• The PM will meet with division leads routinely to update their respective project and initiative status.
