IT Policies Manual FY 2024-2025

Docusign Envelope ID: CE02E790-7159-459B-9F50-C807BADBC958

Greensboro as a result of end of life/end of support components and a plan must be defined to upgrade or retire the impacted component.

8. Changes to systems and applications must be documented in Fresh Service and communicated to stakeholders using the change review board meeting. The change management process ensures that changes to systems and applications have detailed implementation, testing and fallback plans and that risk to production systems and application as a result of a change is evaluated to minimize the impact to users and residents. 9. Configuration standards including secure configuration must be defined and implemented for workstations, printers, windows servers, SQL databases, IIS servers and network devices to maintain consistency and protect systems and applications from unauthorized access and disclosure of confidential information. The Cyber Security Team must ensure the standards are readily available and are communicated to all teams. 10. Security patches and hot fixes must be deployed regularly to systems, applications and network devices. Security patches and hot fixes must first be adequately tested before deployed to production systems and applications. Patches that address critical vulnerabilities must be deployed in timely manner to effectively mitigate the risk to the City of Greensboro systems and information.

11. IT technology standards must be defined and communicated to all IT groups responsible for managing technologies and infrastructure.

12. The Leasing Database is used to manage and track hardware assets that have been installed. Monthly hardware reports for expiring leases are generated and provided to management for review.

13. Periodic checks of desktop software packages must be conducted to ensure that all installed software is officially licensed for the use.

14. On-Premise Systems and applications must be backed up in accordance to the below schedule. Backups must be stored at an off-site facility. Backup failures must be monitored and IT administrators immediately notified of any failure. 15. An approved backup job will be scheduled to run on each file server once or more every day. a. Using Cohesity Incremental back-up, a scheduled backup will be run every day of the week on every server and will be retained for 30 days. Extended retention retains 4 weekly each month, 12 monthly and 1 yearly backups. b. Using Netapp snapshot technology every virtual server will have a snapshot taken every day of the week. c. Using Netapp snapshot technology a scheduled snapshot/backup of all file share data residing

21