IT Policies Manual FY 2024-2025

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

IT POLICY MANUAL FY 2024-2025

PREPARED BY INFORMATION TECHNOLOGY DEPARTMENT

IT Department’s policies in one cohesive reference

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

Information Technology Department's Policy Manual July 1, 2024-June 30, 2025 City of Greensboro, NC

This manual has been created to consolidate all of the IT Department's policies into one cohesive reference. This manual will be reviewed annually and posted to our IT Department website.

Table of Contents

BACK-UP AND RENTENTION POLICY .................................................................................................... 4

CELL PHONE POLICY............................................................................................................................ 6

CHANGE MANAGEMENT POLICY ......................................................................................................... 9

DISASTER RECOVERY POLICY ............................................................................................................. 15

IPAD MANAGEMENT POLICY ............................................................................................................. 17

INFORMATION TECHNOLOGY OPERATIONS POLICY ........................................................................... 19

INFORMATION TECHNOLOGY LOANER DEVICE RENTAL & RETURN POLICY.......................................... 24

LOST OR STOLEN LEASED EQUIPMENT POLICY .................................................................................... 26

ONE CONNECT POLICY ...................................................................................................................... 27

OPEN DATA POLICY .......................................................................................................................... 30

PRINTER POLICY................................................................................................................................ 36

SELF-SUPPORTED DEPARTMENT POLICY ............................................................................................. 39

SURPLUS POLICY ............................................................................................................................... 43

SURVEILLANCE CAMERA MONITORING AND AUDITING POLICY........................................................... 44

TECHNOLOGY REFRESH POLICY.......................................................................................................... 47

2

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

D OCUMENT I NFORMATION Policy Name: Information Technology Department’s Policy Manual Reference Number: GSO-ITDPM-001 Version : 1.0 Effective from : 8/2/2018

Document Change History and Revision Control

Version

Section s Revised

Description of Revision

Changed By

Date

1.0

All

Initial Document Creation

Doug Hanks

8/2/2018

All

Annual Review

Doug Hanks

6/1/2019

All

Annual Review

Doug Hanks

6/4/2020

All

Annual Review

Doug Hanks

6/29/2021

All

Annual Review

Doug Hanks

6/20/2022

All

Annual Review

Doug Hanks

8/8/2023

All

Annual Review

Doug Hanks

6/25/2024

Approval Details

Reviewed and Approved by:

Role

Signature

Date

Rodney Roberts

CIO

6/25/2024

Ja’Tia Thompson

D-CIO

6/25/2024

Sylvia Corum

D-CIO

6/25/2024

3

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

BACK-UP AND RETENTION POLICY

PURPOSE

The purpose of this policy is to define the minimum standards for performing and retaining periodic backups of City of Greensboro computer system data.

SCOPE

These standards apply in their entirety only to the City of Greensboro file servers, SAN/NAS data Storage that are maintained by the Information Technology (IT) Network Services Department of the City of Greensboro. Parties responsible for backup management on other City of Greensboro servers, however, are strongly encouraged to adopt these practices.

POLICY/ROLES AND RESPONSIBILITIES

Data Backup and Retention

1. It is the responsibility of the City of Greensboro IT Network Service Department staff and manager to determine which folders will be backed up on any given City of Greensboro file server.

2. An approved backup job will be scheduled to run on each file server once or more every day. a. Using Cohesity Incremental back-up, a scheduled backup will be run every day of the week on every server and will be retained for 30 days. Extended retention retains 4 weekly each month, 12 monthly and 1 yearly backups. b. Using Netapp snapshot technology every virtual server will have a snapshot taken every day of the week. c. Using Netapp snapshot technology a scheduled snapshot/backup of all file share data residing on SAN/NAS systems will be scheduled to run every 1 hours and be retained with 4 weekly, 7 daily and 8-hour snapshots. d. Using Cohesity replication technology all backups will be scheduled to replicate to a system located at an offsite building and will be retained until the data is no longer needed. e. Cohesity performs validations of each backup to confirm they were successfully completed. a. Full SQL database backup jobs will be scheduled to run on each SQL server every day of the week and will be retained for 30 days. Extended retention retains 4 weekly each month, 12 monthly and 1 yearly backups. b. The SQL Transactional Logs backup jobs will be scheduled to run on each SQL server every 15 minutes of every day of the week and will be retained for the same duration of the full database backup. c. All critical SQL databases will be replicated using Cohesity replication technology. 3. An approved backup job will be scheduled to run on each SQL Database server once or more everyday.

4

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

d. Cohesity performs validations of each sql backup to confirm they were successfully completed. e. Infor Lawson is backed up by the AWS Cloud operations team where it is hosted. Refer to the SOC report from AWS for backup policies. 4. An approved backup job will be scheduled to run on each email On-premises Exchange Database server once or more every day. a. Using Cohesity backup technology On-premises Exchange databases are backed up daily and are kept for 30 days. Extended retention retains 4 weekly each month, 12 monthly and 1 yearly backups. b. Exchange Online databases are maintained by Microsoft. c. Exchange On-premises databases are replicated using Cohesity replication technology. d. Cohesity performs validations of each Exchange On-premises database backup to confirm they were successfully completed.

ENFORCEMENT & COMPLIANCE

Enforcement and Compliance of this policy will be the responsibility of the City of Greensboro’s IT Department Network Services Division.

5

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

CELL PHONE POLICY

PURPOSE

The purpose of this policy is to establish a set of procedures concerning the use of City-issued cell phones or the issuance of a cell phone stipend in order to comply with federal, state, and local laws. This policy establishes guidelines for monitoring and controlling cell phone costs, cell phone use, and other administrative issues related to cell phones. By using your city issued cell phone or by receiving a cell phone stipend you are consenting to adhere to the City of Greensboro ’s Cell Phone Policy.

SCOPE

The purpose of this policy is to establish a set of procedures concerning the use of City-issued cell phones or the issuance of a cell phone stipend in order to comply with federal, state, and local laws. This policy establishes guidelines for monitoring and controlling cell phone costs, cell phone use, and other administrative issues related to cell phones. By using your city issued cell phone or by receiving a cell phone stipend you are consenting to adhere to the City of Gre ensboro’s Cell Phone Policy.

POLICY/ROLES AND RESPONSIBILITIES

Cell Phone Stipend

Department heads or designee may request a cell phone stipend for positions within their department, based on the above qualifications. Employees in positions that are approved will receive a stipend to compensate for business use of a personal cell phone.

Rules for receiving a cell phone stipend are as follows:

• Roster employees are not eligible for a stipend. • The stipend will be included in the employee’s semi -monthly payroll check and will begin based on established payroll cutoff dates. • One-half of the stipend amount will be included in each semi-monthly payroll check. • The City is not responsible for damages to a personal cell phone. • The stipend is not an increase in base pay. • The monthly stipend should be reviewed and approved by departments at least annually. • The amount of the reimbursement should not exceed the employee’s plan rate. • Employees agree to allow the City to publish their number and to accept business calls, text messages and emails on their phone. • Non-exempt employees cannot be contacted after hours without compensation. • The Department head or designee may require the employee to use a certain communications platform, consistent with the platform used by other wireless devices in the department, to be eligible for this allowance.

6

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

• Employees authorized by their Department Head or designee to receive a stipend in lieu of the City issued phone may use the device for both City and personal use. Please be advised that this may make your call records a matter of public record. • The Department head or designee may request verification of an active plan and plan rates at any time. • Employees do not have to substantiate or document business use of the phone. • Employees are required to notify their employer immediately if there is any interruption of service due to loss, damage, carrier cancellation, etc. • Employees are encouraged, but not required, to carry insurance on their phone. • The employee is responsible for all contractual services with their wireless provider. • Termination or continuance of the monthly reimbursement will be at the discretion of the Department director. • If an employee is out of work more than 30 days, they may be required to have their stipend suspended until returning to work. Reimbursement Rates It will be up to the Department head or designee to decide the appropriate reimbursement amount necessary for each employee as follows:

Monthly Stipend Allowance: Phone & Data: $45.00 stipend per month Only one City funded data plan is allowed per employee (One Connect Policy)

Phone Only: $25.00 stipend month

Option 2 – Standard City-Issued Phone

Rules for City-issued phones are as follows

• Roster employees are eligible for city-issued phones but they are not eligible for a stipend. • If the employee is assigned a phone for take-home purposes, the employee must accept business calls and/or messages on the phone. • The City is responsible for the purchase of a phone and required accessories from its preferred carrier. • Employees must notify their supervisor immediately of a lost or damaged phone. • Employees may be responsible for reimbursing the City for costs incurred as a result of loss or damage of a City phone and/or accessories due to employee negligence. • Upon separation of employment, employees will return cell phone and all accessories prior to receiving final paycheck. • If an employee is out of work more than 30 days, they may be required to turn in their City issued phone until returning to work. ENFORCEMENT & COMPLIANCE Any employee who is found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Department Heads or their assigned representative(s) will issue their own guidance regarding personal use and re-payment of any overages encountered by the cell phone user.

7

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

Cell Phone/Phone Stipend Request Form

Name: Lawson No: Position: Acct Number: Justification:

Department:

Requested: •

City-issued Cell Phone Cancel City Number

•

Personal Number for Stipend

•

Stop stipend payment Cell Phone Stipend

•

•

Phone and Data ($45.00 per month) Phone Only ($25.00 per month)

•

•

**Before the Stipend can be approved or submitted to payroll you must return all ancillary equipment (EX: cables, chargers, case) to the Information Technology (IT) department Telecomm Services division only! **

I certify that I have received a copy of and understand the City of Greensboro Cell Phone Policy.

Employee Signature Date

Department Head Signature Date

DO NOT SUBMIT THIS FORM TO PAYROLL OR FINANCE. THE TELECOMMUNICATIONS DIVISION OF THE IT DEPARTMENT WILL FORWARD THIS REQUEST WHEN NECESSARY.

8

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

CHANGE MANAGEMENT POLICY

PURPOSE AND POLICY

This Change Management Policy defines the steps necessary to implement and maintain Change Management (CM) processes for the City of Greensboro’s Information Technology (IT) Department. This document will establish a foundation of what change and change management are, define the items needed for effective CM, establish roles and responsibilities of the people involved, describe the actual steps of the CM process, and specify how they will be accomplished. The purpose of this policy is to define a consistent approach to manage changes to the IT environment.

SCOPE AND OBJECTIVES OF IT CHANGE MANAGEMENT

The IT Department is committed to operational and service excellence. It is paramount that changes to existing system network architecture, internal and external services, products, processes, and any other significant technology based hardware or software application changes be documented, adjudicated, and vetted before implementing. The objectives of CM are to minimize the adverse impact of required changes on system integrity, to preserve security, to honor existing service level agreements or contracts, to enable the coordination and planning of changes in order to provide a stable test and production environment, and to maximize the productivity of persons involved in the planning, coordinating, and implementation of quality value-added changes. Typically, CM will be utilized to:

• Take corrective action: an intentional activity that adjusts the performance of something already in progress.

• Take preventive action: an intentional activity that ensures future performance goals are met.

• Defect repair: an intentional activity to modify a non-conforming product or service.

• Updates: changes to our current state of affairs or baseline, changes to existing products, services, new user requirements, or simply new ideas.

The City of Greensboro’s IT Department is responsible for application services, geographical information systems, telecommunications, network services, security and compliance, and leasing/deployment of vital IT related products. The realm of information technology spans a diverse group of end users with responsibilities encompassing all areas of municipal government. Technology is thoroughly ingrained in most City Departments, and therefore any change has the potential to be significant. It is therefore critically important to manage change in a proactive and effective manner. It is important to note that each department has a finite amount of resources available to manage IT, therefore every effort to streamline this policy has been made to reduce the impact to our productivity.

9

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

HIGH LEVEL PROCESS FLOW

10

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

DEFINITIONS

Break/Fix: Changes that are initiated to repair a non-conforming product or service.

Change: The addition, modification, or removal of anything that could have an effect on IT systems and/or services.

Change Advisory Board (CAB) : An empowered body that oversees change procedures, validates, and approves/rejects documented changes. The CAB is responsible for viewing the information provided in every change request in order to ensure that the changes are sufficiently researched, documented, communicated, planned, and executed according to defined cost, schedule, performance, and risk criteria. Change Coordinator/Requestor (CC) : The person responsible for entering the change into the CM system and managing the change through to its completion. The change coordinator may delegate work activities to their respective staff as appropriate. Change Management (CM) : The process of documenting a change, reviewing the potential impact of that change, controlling the timing of the change and, upon completion, verifying the completeness of the change. Change Manager/Project Manager (CMGR/PM) : The Change Manager is a member of the IT staff who is responsible for changes across the enterprise. In this instance, the change manager and project manager will be synonymous. The Change Manager/Project Manager of the IT Department will ensure all changes are documented, that each change enters the CAB process for approval or rejection, and will monitor progress of the change by utilizing Program Management Body of Knowledge (PMBOK) standards that are tailored specifically to the department need. Change Request (CR) : A broadly defined term that describes the overall process of requesting validation of a change. The CR is composed of various pieces of information depending on the type of change and the Project Management documentation method employed. Change Type (CT) : Change types are classified as Emergency, Low, Medium, and High. Their classification is dependent upon an acceptable time period established by various service level agreements and can vary by division and stakeholder agreements.

Emergency Change : These are highly critical changes that must be implemented within 72 hours to react to system failure/outages or to prevent system failure/outages from occurring.

Incident: An unplanned occurrence that disrupts normal operations and has a significant impact to services provided by the IT department.

Initiative : A program management framework that classifies a particular work activity based on enterprise operations. For the purposes of this policy an initiative consists of the following non-inclusive traits.

11

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

• An initiative from start to finish will typically last less than 30 days. Initiatives may or may not have start and end dates.

• Initiatives are typically single tasks that do not require detailed milestone definitions and a host of sub-tasks to perform in order to reach a desired goal.

• Initiatives lack uniqueness and are routinely performed on a daily or weekly basis to support operations. Simply they are not recurring.

• Initiatives apply to maintenance required to support system and application infrastructure.

Maintenance: Routine and preplanned activities used to prolong the life cycle of the product or service.

Out of Cycle Change Request: There may be instances where change requests must be routed through following the weekly change management board. These changes were simply not known at the time of the board and cannot wait for the subsequent week. All stakeholders will be provided a copy of the change and time of institution. All stakeholders will have an opportunity to reject the change request as necessary to maintain operations. In such instances the change will be mitigated through the Project Manager and the respective stakeholders.

Project : A program management framework that classifies a particular work activity based on enterprise operations. For the purposes of this policy a project consists of the following non-inclusive traits.

• A project from start to finish will last more than 30 days or a month in time.

• A project has a definite start date and a definite end date with defined resources and scope.

• A project should lend itself to having milestones with tasks under each that when completed realizes a significant effort towards your end goal.

• A project will lend itself to have more than a single task but stages where you plan, initiate, and execute to achieve a desired goal.

• A project is a unique effort that is not recurring.

ROLES AND RESPONSIBILITIES

The CAB is an empowered body that oversees change procedures, validates, and approves/rejects documented changes. The CAB is responsible for viewing the information provided in every change request in order to ensure that the changes are sufficiently researched, documented, communicated, planned, and executed according to defined cost, schedule, performance, and risk criteria.

12

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

• The CAB will convene each week to review, approve, or reject pending CRs.

• The PM (or designee) will administer the CAB meeting by presenting all pending CRs and re-visit any approved CRs that have encountered issues for group awareness and subsequent re-direction of the activity.

• The CAB should consist of each division lead or designee when unable to attend. Currently our composition is:

Chief Information Officer (CIO)

A.

Deputy-CIOs

B.

Applications Services Manager GIS and Special Projects Manager

C.

D.

ERP Manager

E.

Public Safety Manager Telecomm/VOIP Manager Network Services Manager

F.

G.

H.

Security and Compliance Manager

I.

Project Manager GM911 Manager

J.

K.

• Each division lead or designee should analyze each CR for potential impacts to their area of responsibility prior to the CAB meeting and be able to discuss any mitigation activity that might need to take place before approving/rejecting the CR.

• The IT department will err on the side of caution by delaying CRs that have not been fully vetted or the risk of implementation is too great.

• The CIO has final determination authority to approve or reject pending CRs.

• The Network Services Manager will ensure the lead systems architect is aware of all changes entered into the CM system.

• The PM will ensure the CRs are queued effectively as not to render significant delays to work efforts that could be accomplished before the CAB has an opportunity to convene. In these instances, the PM will walk projects or initiatives through each division lead for concurrence or rejection. At times the PM may elect to place the project or initiative on hold until an overall determination can be made by the CAB. • Emergency changes may occur at any time. These are highly critical changes that must be implemented within 72 hours to react to system failure/outages or to prevent system failure/outages from occurring. In these occurrences and during normal business hours (07:30am- 5:30pm) the PM will expedite the CR via phone, email, or any other means available to communicate the issue to the CAB. The PM will keep a log of the CAB contact and their concurrences/rejections should it need to be referenced at a later time.

13

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

• For emergency break/fixes after normal business hours will be addressed by the Service Desk Team. Simply call 336-373-2322. The Service Desk team will notify the CIO and PM of any break/fix issues up to 11PM but are authorized to make emergency changes as needed to restore services. The Service Desk team will back brief the CIO and PM the following morning at the beginning of the business day and the PM will document the outage via an emergency change request. • Change requests must be filled out in their entirety and will include various programmatic elements, implementation, testing, and fallback plans. Every attempt to test solutions (for functionality and performance gain) will be made before they are introduced to production environment systems.

• Changes will be classified as emergency, low, medium, and high in accordance with existing IT standards.

• The PM will provide training to each CC/R so they are familiar with the policy, the in-take procedure, and method for closure.

• The PM will communicate with the CIO and Deputy CIO of any major status changes for situational awareness and possible re-direction of the efforts.

• The PM will meet with division leads routinely to update their respective project and initiative status.

• The PM will be responsible for this policy and any subsequent changes or revisions. This policy will be reviewed annually and changes incorporated as required.

• All questions or concerns regarding this plan should be directed to the PM for clarification or adjudication.

ENFORCEMENT & COMPLIANCE

The CC/R will use the single point of entry through Fresh Service to create a change request. For after-hours support please call the Service Desk at 336-373-2322.

14

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

DISASTER RECOVERY POLICY

PURPOSE AND SCOPE

This Disaster Recovery Policy outlines the steps necessary to restore network operations to the City of Greensboro’s data center and connected facilities during a major degradation or a complete outage of our system architecture. The three main points to be considered with Disaster Recovery are Prevention, Anticipation, and Mitigation. Prevention is the act of avoiding those disasters that can be prevented. Anticipation is to plan and develop adequate measures to counter unavoidable disasters. Finally, mitigation is to effectively manage the disasters and thereby minimize the negative impact. The City of Greensboro’s IT Department is proactively engaged in preventing disaster recovery events from occurring through change management, firewalls, cyber security vulnerability testing, and through network operation monitoring. This policy does not attempt to modify our current prevention procedures, rather to develop adequate measures to respond to an unavoidable disaster and to mitigate the event from a possible reoccurrence. Roles and responsibilities will be assigned to three separate teams with specific restoration and communication actions that will need to be executed during a disaster recovery event. The primary objectives of disaster recovery are to:

Minimize disruption of operations

•

• Ensure a level of security to prevent the occurrence and to protect the network before the event and to ensure a level of security to any safeguarded information after the event • Assure reliable backup systems

• Aid in restoration of operations with speed

• Communicate the event to all affected stakeholders

DISASTER RECOVERY ROLES AND RESPONSIBILITIES

Initiating the Disaster Recovery Checklist will only occur if there is a major degradation to the data center; a complete data center outage is encountered; or as an exercise. (A major degradation is one that multiple systems and services are affected and to such a degree that the Network Services Manager deems it appropriate to assemble the disaster recovery team to mitigate the situation.) Three teams have been assigned to communicate and mitigate the event. They consist of a RED TEAM or network services staff that will provide technical expertise to restore the network to operational capability, a BLUE TEAM that will perform communication actions and to properly document the event for post mortem analysis, and a GREEN TEAM who by virtue of their position within the City would need to know of the occurrence so that they, in turn, can communicate to their staff and perform their own internal processes for mitigation and

15

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

sub-system restoration. Once the event is known by any team member, a checklist of steps and protocols has been created for each team to follow. This checklist will be provided to each team member electronically and a hard copy will be stationed in the data center for ease of access. COMMUNICATION During a disaster recovery event, three communications will be sent by the BLUE TEAM. In the event that a BLUE TEAM member is not present, a RED TEAM member will be designated to perform this task. The three communications that will occur are: A communication to the GREEN TEAM that an event is taking place (either real-world or as an exercise). The GREEN TEAM may effectively cascade their communication to respective staff members that may have an internal need to know that a disaster recovery event is in progress). C. A final communication of the outcome to the GREEN TEAM stating the event is either over and normal operations of the outage have been completely restored, -OR- that a temporary fix has been applied but operations may still be degraded until a permanent solution can be implemented. A. An initial communication to the RED AND BLUE TEAM to assemble in the data center. B. A. Team Members will be dismissed by the RED TEAM Lead. B. The BLUE TEAM Lead will acquire snapshots of the checklist and the status board used to document system degradation, up, or down status, AND provide the material to the IT Project Manager for analysis and post mortem review by all team members. C. A determination will be made as to the primary reason the event occurred. In cases of actual or suspected security breaches, the IT Project Manager or designee will contact the AIG Security Hotline in accordance with the instructions within the checklist, and they will contact the IT Department’s Cyber Security and Compliance Division Manager and conduct an out-brief of the occurrence. D. A review of contact information will take place and an analysis of restoration times will be performed. In the absence of a real-world disaster recovery event, the CIO, D-CIO, Network Services Manager, or the IT Project Manager will conduct a quarterly exercise of the Disaster Recovery Checklist. The purpose of this quarterly exercise is to maintain the checklist to its best operational capability. Scenario-based training will also occur so that each team member can maintain checklist proficiency and to review changes to the checklist should they be encountered. Finally, there is a current need to establish an alternate site at Justice should the MMOB Data Center encounter a catastrophic event that would prevent its usage. The IT Department will effectively plan for system restoration capability at the alternate site and perform a real-world fail over test to this location annually. ENFORCEMENT AND COMPLIANCE POST MORTEM ACTIVITIES AND MITIGATION Upon completion of a real-world or exercise disaster recovery event, the following post mortem activities will occur.

16

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

iPAD MANAGEMENT POLICY

PURPOSE

The purpose of this policy is to manage iPad procurement and support of the City of Greensboro’s iPad resources. In addition to this policy there are procedures for iPad resource tracking and configuration control. Users are responsible for abiding by this policy and the procedures defined herein. Users will adhere to the same security standards as desktops and laptops (Acceptable Use).

SCOPE

This policy applies to all City employees.

DEFINITIONS

There are no associated definitions applicable to this policy.

POLICY/ROLES AND RESPONSIBILITIES

The Service Desk is the primary agent for ensuring iPad procurement. The Telecommunications/VOIP division is responsible for deployment and support of City-owned iPads.

It is the responsibility of the liaison and user to report issues immediately via a Service Desk ticket, like cracked screens, edges, chips, burned out pixels, dead display, and bleed through.

Note: AppleCare covers 2 years from the shipping date and up to two instances of repair on each device. To check the current status on a warranty, please visit: https://checkcoverage.apple.com/in/en.

Procurement process for requesting an iPad: •

Liaison and department head approval and sign-off • Centralized through IT • Lease equipment for two years • Configuration 128gb • Wireless Card Options – 4g and/or Wi-Fi • Additional accessories can be purchased through your respective department

iPad Rollout / Deployment : New Equipment is shipped to MMOB, LG14. The iPad is received via the leasing database. • Shipped on Date: Date Shipped •

Received Date: Date entered into L.D.

• Scheduled Date: Date when ready to Deploy •

Completed Date: Date deployed to

Telecomm.

17

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

• Email to Mobile Device Manager notifying of the equipment receipt and hand off to the Mobile Device Manager within 24 hours.

Deployment:

• Mobile Device Manager configures and deploys iPad. • The Mobile Device Manager sets up email on the device. • For replacement iPads, the old iPad will be backed up to the cloud and the new iPad will be configured from the cloud backup. Then email will be set up on the device.

IT Management and Support:

Application Purchases: •

Place a Service Desk Request for post installation business related Apps (Telecommunications Manager for the actual purchase) • Charge back purchases to departments

The Mobile Device Manager will be the primary support person but the Service Desk will assist with support as needed.

• Required password with 5-minute auto-lock • iPad Policy will forbid “Jail Breaks” • Mobile Device Technician will support Email • Mobile Device Technician will support network connectivity • Wireless network will support authenticated permissions for internet access

IT Support and Network fees: •

Please refer to the IT Department’s Service Catalog for current fees as they are adjusted periodically.

Personal iPad Device Support : •

Provide exchange setup information via instructions only. • Provide public Wi-Fi information

Note: The department will be charged the iPad's current value if returned password locked or PIN locked.

ENFORCMENT AND COMPLIANCE

Enforcement and Compliance of this policy will be the responsibility of the City of Greensboro’s IT Department, Telecommunications/VOIP division.

18

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

INFORMATION TECHNOLOGY OPERATIONS POLICY

PURPOSE

The purpose of this policy is to define the IT operation processes and standards to effectively manage IT resources and ensure the continuous availability of systems and applications to City of Greensboro employees, residents and partners. This policy also allows the IT organization to identify efficiencies and areas of improvement to IT processes and standards.

SCOPE

This policy applies to:

1. All Information Technology assets owned and operated by the City of Greensboro.

2. All IT employees, contractors and consultants.

DEFINITIONS

Incident

An event that could impact access to information technology resources

Adding duplicate technology components to provide continuous access to systems and applications in the event of failure to other technology components Improving the reliability of a system or application to make it always available for employees, residents and partners

Redundancy

Availability

Intrusion Prevention System

A software or hardware system that detects and blocks intrusion and cyberattacks against systems and application

19

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

ROLES AND RESPONSIBILITIES

Function

Responsibility

Chief Information Officer

Provide recommendations regarding IT operations processes and procedures

Conduct internal audits and compliance reviews of systems and applications to ensure compliance to IT Operations Policy

Cyber Security Team

IT Functional Teams

Follow IT Operations Policy to manage systems and applications

POLICY

1. Systems and applications must reside on redundant hardware configurations to provide faster recovery in the event of device failure. Processes and procedures must be defined to provide faster recovery of systems and applications in the event of a hardware failure. 2. On-Premise Systems and applications must be monitored for hardware failures and software availability. In the event of an outage, the appropriate IT administrators must be notified so that action is initiated to mitigate the outage. 3. To manage capacity, performance of major systems and applications must be monitored. If an environment exceeds predefined thresholds, IT administrators must be notified so that additional hardware resources are added to mitigate the performance issue.

4. Bandwidth utilization on network links must be continuously monitored. If bandwidth utilization exceeds predefined thresholds, network administrators must be notified to mitigate the issue.

5. Application level firewalls and intrusion prevention systems must be used to restrict access to City of Greensboro systems and applications and automatically block intrusions and cyberattacks. Cyber Security Team Members and network administrators must automatically be notified of potential intrusions so that additional measures can be taken to stop the attack and prevent further damage.

6. Infrastructure and security related incidents that impact systems and applications must be captured, documented and tracked using Fresh Service. This helps ensure that corrective and preventative actions have been documented and implemented to mitigate the incident.

7. Infrastructure and technology components must be reviewed for continued viability. Vendor’s end of life/end of support notifications must be analyzed to determine the impact to the City of

20

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

Greensboro as a result of end of life/end of support components and a plan must be defined to upgrade or retire the impacted component.

8. Changes to systems and applications must be documented in Fresh Service and communicated to stakeholders using the change review board meeting. The change management process ensures that changes to systems and applications have detailed implementation, testing and fallback plans and that risk to production systems and application as a result of a change is evaluated to minimize the impact to users and residents. 9. Configuration standards including secure configuration must be defined and implemented for workstations, printers, windows servers, SQL databases, IIS servers and network devices to maintain consistency and protect systems and applications from unauthorized access and disclosure of confidential information. The Cyber Security Team must ensure the standards are readily available and are communicated to all teams. 10. Security patches and hot fixes must be deployed regularly to systems, applications and network devices. Security patches and hot fixes must first be adequately tested before deployed to production systems and applications. Patches that address critical vulnerabilities must be deployed in timely manner to effectively mitigate the risk to the City of Greensboro systems and information.

11. IT technology standards must be defined and communicated to all IT groups responsible for managing technologies and infrastructure.

12. The Leasing Database is used to manage and track hardware assets that have been installed. Monthly hardware reports for expiring leases are generated and provided to management for review.

13. Periodic checks of desktop software packages must be conducted to ensure that all installed software is officially licensed for the use.

14. On-Premise Systems and applications must be backed up in accordance to the below schedule. Backups must be stored at an off-site facility. Backup failures must be monitored and IT administrators immediately notified of any failure. 15. An approved backup job will be scheduled to run on each file server once or more every day. a. Using Cohesity Incremental back-up, a scheduled backup will be run every day of the week on every server and will be retained for 30 days. Extended retention retains 4 weekly each month, 12 monthly and 1 yearly backups. b. Using Netapp snapshot technology every virtual server will have a snapshot taken every day of the week. c. Using Netapp snapshot technology a scheduled snapshot/backup of all file share data residing

21

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

on SAN/NAS systems will be scheduled to run every 1 hours and be retained with 4 weekly, 7 daily and 8-hour snapshots. d. Using Cohesity replication technology all backups will be scheduled to replicate to a system located at an offsite building and will be retained until the data is no longer needed. e. Cohesity performs validations of each backup to confirm they were successfully completed. 16. An approved backup job will be scheduled to run on each SQL Database server once or more everyday. a. Full SQL database backup jobs will be scheduled to run on each SQL server every day of the week and will be retained for 30 days. Extended retention retains 4 weekly each month, 12 monthly and 1 yearly backups. b. The SQL Transactional Logs backup jobs will be scheduled to run on each SQL server every 15 minutes of every day of the week and will be retained for the same duration of the full database backup. c. All critical SQL databases will be replicated using Cohesity replication technology. d. Cohesity performs validations of each sql backup to confirm they were successfully completed. e. Infor Lawson is backed up by the AWS Cloud operations team where it is hosted. Refer to the SOC report from AWS for backup policies. a. Using Cohesity backup technology On-premises Exchange databases are backed up daily and are kept for 30 days. Extended retention retains 4 weekly each month, 12 monthly and 1 yearly backups. b. Exchange Online databases are maintained by Microsoft. c. Exchange On-premises databases are replicated using Cohesity replication technology. d. Cohesity performs validations of each Exchange On-premises database backup to confirm they were successfully completed. 18. Active monitoring of network and Internet communications must be conducted to identify malicious activities and block intrusions and cyber-attacks. Cyber Security personnel must be alerted of any malicious activities to quickly analyze the behavior and prepare the proper response. 19. Continuity of operations plan must be defined and implemented to ensure the availability of systems and applications in the event of unforeseen disaster. The plan must include recovery procedures for systems and applications and must be tested regularly to identify gaps and areas of improvements. 20. Vulnerability assessments must be conducted regularly to identify and mitigate system and application vulnerabilities the could be exploited to gain access to confidential information. Critical vulnerabilities must be mitigated in a timely manner to protect the City ’ s systems and confidential information. 17. An approved backup job will be scheduled to run on each email On-premises Exchange Database server once or more every day.

21. IT compliance reviews must be conducted regularly to ensure compliance to laws, regulations, and standards. These reviews must include the following activities:

22

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

• Ensure that semi-annual backup and recovery tests are conducted and all identified issues are mitigated • Ensure that monthly internal and external vulnerability assessments are conducted against systems and applications, and the results are analyzed and communicated for remediation • Ensuring that security patches have been deployed to systems and applications • Perform quarterly firewall reviews to identify and mitigate configuration weaknesses that may allow unauthorized access into systems and applications • Perform annual software compliance checks to ensure that all software installed on endpoints is licensed for the use • Perform regular reviews of domain and system admin access to ensure that appropriate rights have been assigned to proper individuals • Perform monthly secure configuration reviews to ensure that systems and applications adhere to secure configuration standards • Perform monthly reviews of change requests to ensure compliance to policy and procedure • Perform weekly reviews of incidents to ensure that corrective and preventative measure are documented and implemented • Perform regular incident exercise to improve incident response process • Perform annual disaster recovery exercise to improve disaster recovery processes Compliance deficiencies must be analyzed, documented, and immediately communicated to the individuals responsible for the function or activity to ensure that corrective actions are implemented to mitigate the deficiency. ENFORCEMENT Any violation of this policy may lead to corrective action, up to and including dismissal from employment. The corrective action will depend upon the violation and be subject to the discretion of the employee’s supervisor/manager in accordance with Personnel Policy H -1 Corrective Action. Note: Some departments use Discipline without Punishment as an alternative to H-1. The Police Department has its own corrective action process. COMPLIANCE It is the responsibility of City of Greensboro employees, contractors and consultants to ensure that the policy described in this document is followed. Employees, contractors and consultants must understand that protecting confidential information is a critical part of the City’s security strategy. The Cyber Security Team is authorized to limit access for employees, contractors and consultants that do not comply with this policy. EXCEPTIONS Requests for exceptions to this policy may be granted for systems or applications that have adequate security controls implemented. The security controls must provide good protection against Malware, cyber-attacks and other forms of threats. Requests must be submitted in writing to the Cyber Security Team for review and approval and must include the following details: 1. Purpose for requesting the exception. 2. The risk to the City if the system or application becomes compromised. 3. Mitigation controls that have been implemented to protect the system or application. 4. End date for the exception.

23

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

INFORMATION TECHNOLOGY (IT) LOANER DEVICE RENTAL AND RETURN POLICY

PURPOSE

The purpose of this policy is to establish a set of procedures concerning loaner equipment check-out and return.

SCOPE

This policy applies to all City employees. This policy establishes specific rental periods, how to submit a request, minimum lead times, fee schedules, processes for billing, and reporting lost or damaged equipment.

DEFINITIONS

There are no associated definitions applicable to this policy.

ROLES AND RESPONSIBILITIES

End users will adhere to the guidelines stated herein. Any questions regarding this policy please contact Service Desk (336-373-2322).

ENFORCEMENT AND COMPLIANCE

Enforcement and Compliance of this policy will be the responsibility of the City of Greensboro's IT Department, Service Desk, the end-user, and their respective City Department Director.

1. The rental period for all equipment is one week.

2. All requests for equipment rental should be made by entering a Service Desk Ticket (https://itsupport.greensboro-nc.gov/).

3. With the acceptance of the Service Desk request, the end-users department is contractually obligated to the fees associated with the IT Device Rental Agreement. The fee schedule is listed below and will be updated annually and published in the Information Technology Service Catalog.

24

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

CURRENT FEE SCHEDULE FOR LOANER EQUIPMENT

Laptops

$70 for up to 7 days

The rental period will operate as follows:

Once the loaner equipment is returned, the user's department account will be charged the weekly rate for the loan duration, over the initial loan period.

Rules of Use:

• City of Greensboro rental Devices are for use by current staff.

• If the device is not returned in 30 days, I understand I will be billed for the full replacement cost.

• You are responsible for ensuring the Loaner device is not damaged, lost, or stolen while checked out to you.

• Reservations are not accepted for loaner devices. Devices are rented on a first-come, firstserve basis.

• Do not save data to the loaner device. Anything saved on the hard drive will be lost when you returned.

25