Acceptable Use Policy
IT Cyber Security Acceptable Use Policy
PREPARED BY IT CYBER SECURITY AND COMPLIANCE DIVISION
Information Technology Department
Information Technology Acceptable Use Policy City of Greensboro, NC Cyber Security Division
Table of Contents
DOCUMENT INFORMATION
PURPOSE
SCOPE
ROLES AND RESPONSIBILITIES
GENERAL ACCEPTABLE USE
TECHNICAL ACCEPTABLE USE
ENFORCEMENT & COMPLIANCE
ACKNOWLEDGMENT
DOCUMENT INFORMATION
Policy Name: Information Technology Acceptable Use Policy
Document Reference Number: GSO-ITAUP-002
Version: 6.0
Effective from: 6/22/2015
Document Change History and Revision Control
Version | Sections Revised | Description of Revision | Changed By | Date
-
Initial Document Creation and updated version 1.0 to 1.4 Updated with Legal statutes for return of equipment and responsibility to review document annually Addition to General Acceptable Use section Updated Mobile Devices section
Cyber Security Team
5/28/2015
1.0
All
-
2.0
All
Legal
8/25/2021
-
Cyber Security Team/People & Culture
-
3.0
2/13/2023
Updated Password Guidelines
-
Added AI Chatbot Guidelines to Technical Acceptable Use section
-
Cyber Security Team
4.0
6/2/2023
- Updated Social Media section People & Culture 10/31/2023
5.0
Updated roles
- -
Updated social media policy link Added a statement about the use of public VPN services
Cyber Security Team
6.0
2/15/2024
-
Approval Details
Reviewed & Approved By | Role | Signature | Date
Rodney Roberts | Chief Information Officer | | 2/21/2024
Nick Brown | Network Services Manager | | 2/21/2024
PURPOSE

The purpose of this policy is to define the principles that City of Greensboro employees, including full-time staff, part-time staff, contractors, consultants, vendors, trainers, temporary staff and the like, will adhere to in order to protect the confidentiality, integrity and availability of the City’s systems and information and comply with privacy laws and industry regulations. Protecting systems and information and ensuring compliance with laws and regulations is fundamental to the successful operation of the City.

This policy also provides guidelines that anyone employed by the City of Greensboro should consider and must follow at all times (during work hours and after work hours) when posting to their personal social media accounts using a City-owned or personal (privately owned) electronic device and/or equipment.

Technology equipment assigned to you as an employee is your responsibility. This includes city cell phones, iPads, tablets, tough books, and computer equipment such as docking stations, monitors, speaker bars, keyboards, mice, laptops, computer cables, etc. Pursuant to N.C.G.S. §95-25.8(a)(2), this advanced written authorization gives the City of Greensboro the authority to make deductions from any final wages to recover the expenses of all lost, damaged, or unreturned equipment issued to the employee upon separation.

SCOPE

This Acceptable Use Policy applies to all users of all information systems that are the property of the City of Greensboro as well as how employees interact with their personal social media accounts. Specifically, it includes:
- All employees, whether employed on a full-time or part-time basis by the City of Greensboro
- All contractors and third parties that work on behalf of and are paid directly by the City of Greensboro
- All contractors and third parties that work on behalf of the City of Greensboro but are paid directly by an alternate employer
- All employees of partners and clients of the City of Greensboro that access the City of Greensboro’s non-public information systems
ROLES AND RESPONSIBILITIES

Function | Responsibility
Cyber Security Team | 1. Define the rules and guidelines outlined in this policy 2. Report non-compliance issues to employee manager and/or HR
Employees, consultants and contractors | Adhere to the rules and principles defined in this policy to include protecting the confidentiality, integrity and availability of the City’s network, systems, information; employees’ use of social media; and return of City-issued equipment.
GENERAL ACCEPTABLE USE

- The City’s IT resources are for conducting City business. Limited use of City technology, such as occasionally sending a personal email, is permitted if the use does not interfere with your job requirements or conflict with any City policies or procedures.
- Use of IT resources for personal gains, or the gains of others, such as performing work for profit is not permitted.
- Obey all laws, regulations, and City policies when using IT resources. This includes copyright laws, software-licensing agreements, data privacy and protection laws, and contractual requirements related to intellectual property rights and use of proprietary software products.
- Access to City information must be restricted based on an employee’s need to perform their job. Employees are responsible for the information they access and must exercise good judgment in protecting that information from unauthorized access. Employees must not disclose sensitive information, nor attempt to access information for which they are not authorized.
- Do not use IT resources, such as Internet, email or messaging services to harass or intimidate another person, receive or transmit sexually oriented material, or any other material that a reasonable person would construe as offensive, inappropriate, or potentially harmful to others. This includes, but is not limited to, bullying those employed by the City of Greensboro, as well as disparaging anyone because of their gender/sex, race, color, age, national origin, ethnicity, sexual orientation, marital status, military status, familial status, religion, mental or physical disability, gender expression, gender identity, genetic information, political affiliation. In addition, see Social Media section on pages 7-8, Personnel Policies H-10 Harassment Free Workplace, and H-1, Appendix List of Expected and Unacceptable Employee Behavior or Performance.
- Do not engage in activities that might harm City’s IT resources. This includes, but is not limited to, introducing computer viruses to the network, disrupting services, damaging files or making unauthorized changes to software or information.
- Use only IT resources that have been approved by the City’s IT Department. This includes third-party services, mobile devices, software, and network connections.
- Do not attempt to circumvent any information security measures that have been implemented to protect the City’s systems and information. This includes, but is not limited to, using privileged utilities or hacking/password cracking programs in an attempt to gain unauthorized access to systems or information.
- Do not use public VPN services to connect to City systems and applications. IP addresses for public VPN services are often classified as malicious and could be blocked by the City’s firewalls.
- Do not download and/or install software on your system without first obtaining approval from the IT department.
- Do not leave confidential documents unattended on your desk. Documents containing confidential information must be stored in locked cabinets. Your computer screen must also be locked if your desk is left unattended.
- Unauthorized access to another employee’s system or phone is strictly prohibited.
- Report security violations or incidents immediately to the IT Service Desk at 373-2322 or by emailing the Cyber Security Team at securityincidents@greensboro-nc.gov.

TECHNICAL ACCEPTABLE USE

Assigned Equipment
- Technology equipment assigned to you as an employee is your responsibility. This includes city cellphones, iPads, tablets, tough books, and computer equipment such as docking stations, monitors, speaker bars, keyboards, mice, laptops, computer cables, etc.
- Upon resigning or termination of employment, this equipment must be returned to the City of Greensboro via your direct manager or the Human Resource departmental representative.
- Any equipment not returned prior to your final check will be priced with the leasing company and may be charged against your final paycheck. This also includes when an employee does not provide a correct, working code or PIN for City departments to access City equipment including business cell phones.
- If you are an out of state contractor or do not live locally, a FedEx number will be provided by the department and the equipment must be returned within two weeks at the expense of the City. The equipment must be packed by the FedEx or UPS facility and insured for the leased value. The lease value can be obtained from IT. Tracking numbers for the shipment must be provided in said timeframe.
- If computer equipment is not returned by a contractor, the value will be deducted from the final payment on the contract.

Cloud and Third Party Services
- Any time a third-party will collect, store, process, transmit or access the City of Greensboro information, an information security review must be performed prior to entering into a contract. The review will ensure that there is an acceptable level of risk to the confidentiality, availability and integrity of City’s information.
- The City of Greensboro is ultimately responsible for the security of the City’s information while it is in the care of a third party service provider.
- Contact the Cyber Security Division to complete a third-party security assessment. Early engagement will avoid any delays to your project.
Refer to the Third Party Access Policy regarding network access for a third-party
Internet Browsing
- Do not access websites that are deemed inappropriate, offensive or harmful. The companies that run inappropriate websites may not have good security controls in place, and by accessing these websites you risk getting your system infected with Malware and your information compromised.
- Do not download copyrighted material like software, music and videos without paying for it. Keep in mind, the City is held liable for any copyrighted material being downloaded using City’s systems and the City may end up paying fines as a result.
- Do not use the network to store or play music or streaming video from the Internet which is not related to City business.
- Do not engage in online fraudulent activities. The City is held liable for the activities you conduct online using its systems.
- Do not engage in any illegal online activities.
- Refrain from using City’s systems to sell online products and services like selling products on Craigslist or eBay.

AI Chatbot Guidelines
- Never upload documents or data that contain confidential information including personal identifiable information (PII), bank account numbers, credit card information, social security numbers, and other financial or confidential information.
- Never provide your login information.
- Never upload process documents that are specific to the operation of the City of Greensboro (i.e. SOPs, SCADA documents, architectural diagrams, configuration documents, software development documentation, operational documents related to Police, Fire and GM911).
- Do not use Chatbots to search for private information about employees or residents.
- Never use Chatbots for any illegal or fraudulent activities. The City is held liable for any activities you perform using the City’s IT resources.
- You should not use Chatbots to get personal, legal or medical advice.
- Check the responses provided by the Chatbots before utilizing them, as some information may be inaccurate or the content might be protected by copyright laws and cannot be used without authorization.
- Do not click on links provided in Chatbot responses, as some may direct you to malicious websites intended to compromise your credentials. Always check with the Cyber Security Team first before clicking on any links.

Email Guidelines
- Do not send personal or sensitive information in an email to a third-party. Email sent over the Internet is not secure.
- Do not use personal email (e.g., Yahoo or Google) for City business.
- Do not set rules in Outlook to auto-forward email to outside email accounts.
- Do not use City of Greensboro email address to sign up for any websites not related to City business.

Password Guidelines
- Create a password that is easy for you to remember but difficult for a hacker to guess. Try to use “password phrases” (e.g., IOweYou123$$!! or SeeYou@1230!!!). These are really difficult for a hacker to guess but easy for you to remember. And always make sure your password is at least 14 characters in length. The time it takes for a hacker to crack an 8 character password is 6 hours, while it takes more than 10 years to crack a 14 character password.
- Be wary of key logger Malware. This is a type of Malware that captures your password when you type it into an online service. One indicator that you may have Malware on your system is that the Anti-Malware software stops working (there is a disabled symbol over the Anti-Malware icon on the taskbar). If this happens, please report the issue to the IT Service Desk immediately.
- Your City password must be different than passwords used for personal accounts.
- Be sure to never share your password with anyone or write it down.
- If you believe that your password may have become compromised, or someone has inadvertently seen it, please change it immediately.
Refer to the User Provisioning Policy for further information about password complexity requirements
Instant Messaging
- Use IM only for workgroup communications of information that would not cause employees or the City harm if the IM conversations were made public (as government employees, IM conversations are subject to public inspection pursuant to the North Carolina Public Records Law).
- Do not use IM for sending sensitive information between employees.
Mobile Devices
Mobile devices have emerged as powerful computing devices with access to sensitive and personal information. Follow these rules to keep sensitive and personal information safe:
- Do not circumvent mobile device security controls that have been implemented by the City to protect the device.
- Protect your mobile device by keeping it in a safe location, and avoid leaving the mobile device unattended in a motor vehicle or in a public area.
- Observe all applicable laws including all such laws restricting the use of mobile devices while driving. If an employee is charged with traffic violations resulting from the use of a mobile device while driving, the employee will be solely responsible for all liabilities that result from such action.
- Access to the mobile device must be protected with a passcode, Face ID, pattern matching or other types of authentication mechanisms.
- Only City approved apps with a good reputation from reputable sources are to be installed on City-issued mobile devices.
- Employees are not permitted to install personal apps on City-issued mobile devices. This includes social media, dating, shopping and other types of personal apps. If an employee requires a personal app to be installed, they must submit a service request to the Cyber Security Team. The request is reviewed and either approved or denied.
- Immediately contact the IT Service Desk at 373-2322 if your mobile device is lost or stolen.
Refer to the Mobile Device Policy for further information about mobile device usage guidelines
Non-City Owned Computers
Non-City Owned Computers include employee owned laptops and home computers. Non-City Owned Computers can present risks to the City’s systems and applications. For example, Malware hidden on a non-City computer that’s used to access City resources can record all keystrokes entered, including your City username and password, then use the information to gain unauthorized access to the City’s systems and sensitive information. Non-City Owned Computers can only be used to access Exchange Webmail. Non-City Owned Computers cannot be used for:
- Access to internal City systems and applications
- Access to the City via VPN
- Saving email and attachments when using Exchange Webmail

File Transfer Service
The City’s standard method for exchanging documents is Dropbox which utilizes very secure methods to ensure that documents sent and received are protected against eavesdropping and compromise. Contact the Cyber Security Team if you need to use Dropbox.

Removable Storage Devices
- Sensitive information is not to be copied or stored on USB Flash drives. Contact the Cyber Security Team if your job requires you to transport sensitive information on USB Flash drives.
- IT approved external hard drives are allowed for backing up data from a laptop or a desktop computer. However, the drive must never be transported out of the City offices.
- Removable storage devices must be returned to IT for proper disposal when no longer needed.

Internet of Things (IoT) Devices
- Configure the IoT device with a strong password.
- Ensure the firmware on the device is updated regularly.
- Read provided instructions or ask vendor for additional recommendations.

Social Media
Employees assume any and all risks associated with their personal/private blogging, live streaming, and use of social media on privately owned equipment/devices. City-owned devices should not be used for personal/private blogging, live streaming, or personal/private use of social media sites. Live streaming on social media during an employee’s work hours is strictly prohibited without prior approval of the employee’s Department Director. You engage in social media when you do any of the following:
- Maintain a personal blog or website
- Comment on news articles or blog posts
- Maintain a social media account (Facebook, Twitter, Instagram, LinkedIn, etc.)
For guidance on employees’ personal use of social media, please see the City’s Social Media & Public Speech Policy: City of Greensboro Personnel Policy Manual - Page H320 (cld.bz).
ENFORCEMENT & COMPLIANCE

Any violation of this policy may lead to disciplinary action, up to and including dismissal from employment. The disciplinary action will depend upon the violation and be subject to the discretion of the employee’s supervisor/manager in accordance with Personnel Policy H-1 Discipline Without Punishment (DWP) Policy. The Fire and Police Departments have their own corrective action processes.

It is the responsibility of City of Greensboro employees, contractors and consultants to ensure that the policy described in this document is followed. Employees, contractors and consultants must understand that protecting confidential information is a critical part of the City’s security strategy. The Cyber Security Team is authorized to limit access for employees, contractors and consultants that do not comply with this policy.

EXCEPTIONS

Requests for exceptions to this policy may be granted for systems or applications that have adequate security controls implemented. The security controls must provide good protection against Malware, cyber-attacks and other forms of threats. Requests must be submitted in writing to the Cyber Security Team for review and approval and must include the following details:
1) Purpose for requesting the exception
2) The risk to the City if the system or application becomes compromised
3) Mitigation controls that have been implemented to protect the system or application
4) End date for the exception