IT Policy Manual FY 2025-26

IT Department's policies in one cohesive reference.

Docusign Envelope ID: 7298B7CF-E0C0-41E3-973F-EF053E0A4FDA

IT POLICY MANUAL FY 2025-2026

PREPARED BY INFORMATION TECHNOLOGY DEPARTMENT


Information Technology Department's Policy Manual

July 1, 2025-June 30, 2026

City of Greensboro, NC

This manual has been created to consolidate all of the IT Department's policies into one cohesive reference. This manual will be reviewed annually and posted to our IT Department website.

Table of Contents

BACK-UP AND RETENTION POLICY

CHANGE MANAGEMENT POLICY

DISASTER RECOVERY POLICY

INFORMATION TECHNOLOGY OPERATIONS POLICY

INFORMATION TECHNOLOGY LOANER DEVICE RENTAL & RETURN POLICY

LOST OR STOLEN LEASED EQUIPMENT POLICY

MOBILE DEVICE POLICY (CELL PHONES AND iPAD)

ONE CONNECT POLICY

OPEN DATA POLICY

PRINTER POLICY

SELF-SUPPORTED DEPARTMENT POLICY

SURPLUS POLICY

SURVEILLANCE CAMERA MONITORING AND AUDITING POLICY

TECHNOLOGY REFRESH POLICY


DOCUMENT INFORMATION

Policy Name: Information Technology Department’s Policy Manual

Reference Number: GSO-ITDPM-001

Version: 1.0

Effective from: 8/2/2018

Document Change History and Revision Control

| Version | Description of Revision | Changed By | Date | Sections Revised |
|---|---|---|---|---|
| 1.0 | Initial Document Creation | Doug Hanks | 8/2/2018 | All |
| | Annual Review | Doug Hanks | 6/1/2019 | All |
| | Annual Review | Doug Hanks | 6/4/2020 | All |
| | Annual Review | Doug Hanks | 6/29/2021 | All |
| | Annual Review | Doug Hanks | 6/20/2022 | All |
| | Annual Review | Doug Hanks | 8/8/2023 | All |
| | Annual Review | Doug Hanks | 6/25/2024 | All |
| | Annual Review | Doug Hanks | 6/25/2025 | All |

Approval Details

| Reviewed and Approved by | Role | Signature | Date |
|---|---|---|---|
| Rodney Roberts | CIO | | 8/6/2025 |
| Ja’Tia Thompson | D-CIO | | 8/5/2025 |
| Sylvia Corum | D-CIO | | 8/5/2025 |
| Naser Yasin | CISO | | 7/22/2025 |


BACK-UP AND RETENTION POLICY

PURPOSE

The purpose of this policy is to define the minimum standards for performing and retaining periodic backups of City of Greensboro computer system data.

SCOPE

These standards apply in their entirety only to the City of Greensboro file servers and SAN/NAS data storage that are maintained by the Information Technology (IT) Network Services Department of the City of Greensboro. Parties responsible for backup management on other City of Greensboro servers, however, are strongly encouraged to adopt these practices.

POLICY/ROLES AND RESPONSIBILITIES

Data Backup and Retention

1. It is the responsibility of the City of Greensboro IT Network Service staff and managers to determine which folders will be backed up on any given City of Greensboro file server.

2. An approved backup job will be scheduled to run on each file server once or more every day.
   a. Using Cohesity Incremental back-up, a scheduled backup will be run every day of the week on every server and will be retained for 30 days. Extended retention includes 4 weekly backups per month, monthly backups retained for 12 months and 1 annual backup.
   b. Using NetApp snapshot technology, every virtual server will have a snapshot taken every day of the week.
   c. Using NetApp snapshot technology, a scheduled snapshot/backup of all file share data residing on SAN/NAS systems will be scheduled to run every 1 hour and be retained with 4 weekly, 7 daily and 8-hour snapshots.
   d. Using Cohesity replication technology, all backups will be scheduled to replicate to a system located at an offsite building and will be retained until the data is no longer needed.
   e. Cohesity performs validations of each backup to confirm they were successfully completed.

3. An approved backup job will be scheduled to run on each SQL Database server once or more every day.
   a. Full SQL database backup jobs will be scheduled to run on each SQL server every day of the week and will be retained for 30 days. Extended retention includes 4 weekly backups per month, monthly backups retained for 12 months and 1 annual backup.
   b. The SQL Transactional Logs backup jobs will be scheduled to run on each SQL server every 15 minutes of every day of the week and will be retained for the same duration as the full database backup.
   c. All critical SQL databases will be replicated using Cohesity replication technology.
   d. Cohesity performs validations of each SQL backup to confirm they were successfully completed.
   e. Infor Lawson is backed up by the AWS Cloud operations team where it is hosted. Refer to the SOC report from AWS for backup policies.

4. An approved backup job will be scheduled to run on each email On-premises Exchange Database server once or more every day.
   a. Using Cohesity backup technology, On-premises Exchange databases are backed up daily and are kept for 30 days. Extended retention includes 4 weekly backups per month, monthly backups retained for 12 months and 1 annual backup.
   b. Exchange Online databases are maintained by Microsoft.
   c. Exchange On-premises databases are replicated using Cohesity replication technology.
   d. Cohesity performs validations of each Exchange On-premises database backup to confirm they were successfully completed.

ENFORCEMENT & COMPLIANCE

Enforcement and Compliance of this policy will be the responsibility of the City of Greensboro’s IT Department Network Services Division.


CHANGE MANAGEMENT POLICY

PURPOSE AND POLICY

This Change Management Policy defines the steps necessary to implement and maintain Change Management (CM) processes for the City of Greensboro’s Information Technology (IT) Department. This document will establish a foundation of what change and change management are, define the items needed for effective CM, establish roles and responsibilities of the people involved, describe the actual steps of the CM process, and specify how they will be accomplished. The purpose of this policy is to define a consistent approach to managing changes to the IT environment.

SCOPE AND OBJECTIVES OF IT CHANGE MANAGEMENT

The IT Department is committed to operational and service excellence. It is paramount that changes to existing system network architecture, internal and external services, products, processes, and any other significant technology-based hardware or software application changes be documented, adjudicated, and vetted before implementation. The objectives of CM are to minimize the adverse impact of required changes on system integrity, to preserve security, to honor existing service level agreements or contracts, to enable the coordination and planning of changes in order to provide a stable test and production environment, and to maximize the productivity of persons involved in the planning, coordinating, and implementation of quality value-added changes. Typically, CM will be utilized to:

• Take corrective action: an intentional activity that adjusts the performance of something already in progress.

• Take preventive action: an intentional activity that ensures future performance goals are met.

• Defect repair: an intentional activity to modify a non-conforming product or service.

• Updates: changes to our current state of affairs or baseline, changes to existing products, services, new user requirements, or simply new ideas.

The City of Greensboro’s IT Department is responsible for application services, geographical information systems, telecommunications, network services, security and compliance, and leasing/deployment of vital IT related products. The realm of information technology spans a diverse group of end users with responsibilities encompassing all areas of municipal government. Technology is thoroughly ingrained in most City Departments, and therefore any change has the potential to be significant. It is therefore critically important to manage change in a proactive and effective manner. It is important to note that each department has a finite amount of resources available to manage IT, therefore every effort to streamline this policy has been made to reduce the impact on our productivity.


HIGH LEVEL PROCESS FLOW


DEFINITIONS

Break/Fix: Changes that are initiated to repair a non-conforming product or service.

Change: The addition, modification, or removal of anything that could have an effect on IT systems and/or services.

Change Advisory Board (CAB): An empowered body that oversees change procedures, validates, and approves/rejects documented changes. The CAB is responsible for viewing the information provided in every change request in order to ensure that the changes are sufficiently researched, documented, communicated, planned, and executed according to defined cost, schedule, performance, and risk criteria.

Change Coordinator/Requestor (CC): The person responsible for entering the change into the CM system and managing the change through to its completion. The change coordinator may delegate work activities to their respective staff as appropriate.

Change Management (CM): The process of documenting a change, reviewing the potential impact of that change, controlling the timing of the change and, upon completion, verifying the completeness of the change.

Change Manager/Project Manager (CMGR/PM): The Change Manager is a member of the IT staff who is responsible for changes across the enterprise. In this instance, the change manager and project manager will be synonymous. The Change Manager/Project Manager of the IT Department will ensure that all changes are documented so that each change enters the CAB process for approval or rejection and will monitor progress of the change by utilizing the Program Management Body of Knowledge (PMBOK) standards that are tailored specifically to the department’s needs.

Change Request (CR): A broadly defined term that describes the overall process of requesting validation of a change. The CR is composed of various pieces of information depending on the type of change and the Project Management documentation method employed.

Change Type (CT): Change types are classified as Emergency, Low, Medium, and High. Their classification is dependent upon an acceptable time period established by various service level agreements and can vary by division and stakeholder agreements.

Emergency Change: These are highly critical changes that must be implemented within 72 hours to react to system failure/outages or to prevent system failure/outages from occurring.

Incident: An unplanned occurrence that disrupts normal operations and has a significant impact on services provided by the IT department.

Initiative: A program management framework that classifies a particular work activity based on enterprise operations. For the purposes of this policy, an initiative consists of the following non-inclusive traits.


• An initiative from start to finish will typically last less than 30 days. Initiatives may or may not have start and end dates.

• Initiatives are typically single tasks that do not require detailed milestone definitions and a host of sub-tasks to perform in order to reach a desired goal.

• Initiatives lack uniqueness and are routinely performed on a daily or weekly basis to support operations. Simply they are not recurring.

• Initiatives apply to maintenance required to support system and application infrastructure.

Maintenance: Routine and preplanned activities used to prolong the life cycle of the product or service.

Out of Cycle Change Request: There may be instances where change requests must be routed through following the weekly change management board. These changes were simply not known at the time of the board and cannot wait for the subsequent week. All stakeholders will be provided with a copy of the change and time of institution. All stakeholders will have an opportunity to reject the change request as necessary to maintain operations. In such instances, the change will be mitigated through the Project Manager and the respective stakeholders.

Project: A program management framework that classifies a particular work activity based on enterprise operations. For the purposes of this policy, a project consists of the following non-inclusive traits.

• The project from start to finish will last more than 30 days or a month in time.

• The project has a definite start date and a definite end date with defined resources and scope.

• The project should lend itself to having milestones with tasks under each that when completed realizes a significant effort towards your end goal.

• The project will lend itself to having more than a single task but stages where you plan, initiate, and execute to achieve a desired goal.

• The project is a unique effort that is not recurring.

ROLES AND RESPONSIBILITIES

The CAB is an empowered body that oversees change procedures, validates, and approves/rejects documented changes. The CAB is responsible for viewing the information provided in every change request in order to ensure that the changes are sufficiently researched, documented, communicated, planned, and executed according to defined cost, schedule, performance, and risk criteria.


• The CAB will convene each week to review, approve, or reject pending CRs.

• The PM (or designee) will administer the CAB meeting by presenting all pending CRs and revisit any approved CRs that have encountered issues for group awareness and subsequent re-direction of the activity.

• The CAB should consist of each division lead or designee when unable to attend.

• Each division leader or designee should analyze each CR for potential impacts to their area of responsibility prior to the CAB meeting and be able to discuss any mitigation activity that might need to take place before approving/rejecting the CR.

• The IT department will err on the side of caution by delaying CRs that have not been fully vetted, or for which the risk of implementation is too great.

• The CIO has final determination authority to approve or reject pending CRs.

• The Network Services Manager will ensure the lead systems architect is aware of all changes entered into the CM system.

• The PM will ensure the CRs are queued effectively so as not to render significant delays to work efforts that could be accomplished before the CAB has an opportunity to convene. In these instances, the PM will walk projects or initiatives through each division lead for concurrence or rejection. At times, the PM may elect to place the project or initiative on hold until an overall determination can be made by the CAB.

• Emergency changes may occur at any time. These are highly critical changes that must be implemented within 72 hours to react to system failure/outages or to prevent system failure/outages from occurring. In these occurrences and during normal business hours (07:30am-5:30pm) the PM will expedite the CR via phone, email, or any other means available to communicate the issue to the CAB. The PM will keep a log of the CAB contact, and their concurrences/rejections should it need to be referenced later.

• Emergency break/fixes after normal business hours will be addressed by the On-Call Team. Simply call 336-373-2322. The On-Call Team will notify the CIO and PM of any break/fix issues up to 11PM but is authorized to make emergency changes as needed to restore services. The On-Call Team will back brief the CIO and PM the following morning at the beginning of the business day and the PM will document the outage via an emergency change request.

• Change requests must be filled out in their entirety and will include various programmatic elements, implementation, testing, and fallback plans. Every attempt to test solutions (for functionality and performance gain) will be made before they are introduced to production environment systems.

• Changes will be classified as emergency, low, medium, and high in accordance with existing IT standards.

• The PM will provide training for each CC/R, so they are familiar with the policy, the in-take procedure, and method for closure.

• The PM will communicate with the CIO and Deputy CIO of any major status changes for situational awareness and possible re-direction of the efforts.

• The PM will meet with division leads routinely to update their respective project and initiative status.

• The PM will be responsible for this policy and any subsequent changes or revisions. This policy will be reviewed annually and changes incorporated as required.

• All questions or concerns regarding this plan should be directed to the PM for clarification or adjudication.

ENFORCEMENT & COMPLIANCE

The CC/R will use the single point of entry through Fresh Service to create a change request. For after-hours support please call the Service Desk at 336-373-2322.


DISASTER RECOVERY POLICY

PURPOSE AND SCOPE

This Disaster Recovery Policy outlines the steps necessary to restore network operations to the City of Greensboro’s data center and connected facilities during a major degradation or a complete outage of our system architecture. The three main points to be considered with Disaster Recovery are Prevention, Anticipation, and Mitigation. Prevention is the act of avoiding those disasters that can be prevented. Anticipation is to plan and develop adequate measures to counter unavoidable disasters. Finally, mitigation is to effectively manage the disasters and thereby minimize the negative impact.

The City of Greensboro’s IT Department is proactively engaged in preventing disaster recovery events from occurring through change management, firewalls, cyber security vulnerability testing, and through network operation monitoring. This policy does not attempt to modify our current prevention procedures, but rather to develop adequate measures to respond to an unavoidable disaster and to mitigate the event from a possible reoccurrence. Roles and responsibilities will be assigned to three separate teams with specific restoration and communication actions that will need to be executed during a disaster recovery event. The primary objectives of disaster recovery are to:

• Minimize disruption of operations

• Ensure a level of security to prevent the occurrence and to protect the network before the event and to ensure a level of security to any safeguarded information after the event

• Assure reliable backup systems

• Aid in restoration of operations with speed

• Communicate the event to all affected stakeholders

DISASTER RECOVERY ROLES AND RESPONSIBILITIES

Initiating the Disaster Recovery Checklist will only occur if there is a major degradation to the data center; a complete data center outage is encountered; or as an exercise. (A major degradation is one in which multiple systems and services are affected to such a degree that the Network Services Manager deems it appropriate to assemble the disaster recovery team to mitigate the situation.) Three teams have been assigned to communicate and mitigate the event. They consist of a RED TEAM or network services staff that will provide technical expertise to restore the network to operational capability, a BLUE TEAM that will perform communication actions and properly document the event for postmortem analysis, and a GREEN TEAM who by virtue of their position within the City would need to know of the occurrence so that they, in turn, can communicate to their staff and perform their own internal processes for mitigation and sub-system restoration. Once the event is known by any team member, a checklist of steps and protocols has been created for each team to follow. This checklist will be provided to each team member electronically and a hard copy will be stationed in the data center for ease of access.

COMMUNICATION

During a disaster recovery event, three communications will be sent by the BLUE TEAM. In the event that a BLUE TEAM member is not present, a RED TEAM member will be designated to perform this task. The three communications that will occur are:

A. An initial communication to the RED AND BLUE TEAM to assemble in the data center.

B. A communication to the GREEN TEAM that an event is taking place (either real-world or as an exercise). The GREEN TEAM may effectively cascade their communication with respective staff members that may have an internal need to know that a disaster recovery event is in progress.

C. A final communication of the outcome to the GREEN TEAM stating the event is either over and normal operations of the outage have been completely restored, -OR- that a temporary fix has been applied but operations may still be degraded until a permanent solution can be implemented.

POSTMORTEM ACTIVITIES AND MITIGATION

Upon completion of a real-world or exercise disaster recovery event, the following postmortem activities will occur.

A. Team Members will be dismissed by the RED TEAM Lead.

B. The BLUE TEAM Lead will acquire snapshots of the checklist, and the status board used to document system degradation, up, or down status, AND provide the material to the IT Project Manager for analysis and postmortem review by all team members.

C. A determination will be made as to the primary reason the event occurred. In cases of actual or suspected security breaches, the IT Project Manager or designee will contact the AIG Security Hotline in accordance with the instructions within the checklist, and they will contact the IT Department’s Cyber Security and Compliance Division Manager and conduct an out-brief of the occurrence.

D. A review of contact information will take place, and an analysis of restoration times will be carried out.

ENFORCEMENT AND COMPLIANCE

In the absence of a real-world disaster recovery event, the CIO, D-CIO, Network Services Manager, or the IT Project Manager will conduct a quarterly exercise of the Disaster Recovery Checklist. The purpose of this quarterly exercise is to maintain the checklist to its best operational capability. Scenario-based training will also occur so that each team member can maintain checklist proficiency and to review changes to the checklist should they be encountered. Finally, there is a current need to establish an alternate site at Justice should the MMOB Data Center encounter a catastrophic event that would prevent its usage. The IT Department will effectively plan for system restoration capability at the alternate site and perform a real-world fail over test to this location annually.


INFORMATION TECHNOLOGY OPERATIONS POLICY

PURPOSE

The purpose of this policy is to define the IT operation processes and standards to effectively manage IT resources and ensure the continuous availability of systems and applications to City of Greensboro employees, residents and partners. This policy also allows the IT organization to identify efficiencies and areas of improvement to IT processes and standards.

SCOPE

This policy applies to:

1. All Information Technology assets owned and operated by the City of Greensboro.

2. All IT employees, contractors and consultants.

DEFINITIONS

Incident: An event that could impact access to information technology resources.

Redundancy: Adding duplicate technology components to provide continuous access to systems and applications in the event of failure to other technological components.

Availability: Improving the reliability of a system or application to make it always available for employees, residents and partners.

Intrusion Prevention System: A software or hardware system that detects and blocks intrusion and cyberattacks against systems and applications.


ROLES AND RESPONSIBILITIES

| Function | Responsibility |
|---|---|
| Chief Information Officer | Provide recommendations regarding IT operations processes and procedures |
| Cyber Security Team | Conduct internal audits and compliance reviews of systems and applications to ensure compliance with IT Operations Policy |
| IT Functional Teams | Follow IT Operations Policy to manage systems and applications |

POLICY

1. Systems and applications must reside on redundant hardware configurations to provide faster recovery in the event of device failure. Processes and procedures must be defined to provide faster recovery of systems and applications in the event of a hardware failure.

2. On-Premise Systems and applications must be monitored for hardware failures and software availability. In the event of an outage, the appropriate IT administrators must be notified so that action is initiated to mitigate the outage.

3. To manage capacity, the performance of major systems and applications must be monitored. If an environment exceeds predefined thresholds, IT administrators must be notified so that additional hardware resources are added to mitigate the performance issue.

4. Bandwidth utilization on network links must be continuously monitored. If bandwidth utilization exceeds predefined thresholds, network administrators must be notified to mitigate the issue.

5. Application-level firewalls and intrusion prevention systems must be used to restrict access to City of Greensboro systems and applications and automatically block intrusions and cyberattacks. Cyber Security Team Members and network administrators must automatically be notified of potential intrusions so that additional measures can be taken to stop the attack and prevent further damage.

6. Infrastructure and security related incidents that impact systems and applications must be captured, documented and tracked using Fresh Service. This helps ensure that corrective and preventative actions have been documented and implemented to mitigate the incident.

7. Infrastructure and technology components must be reviewed for continued viability. Vendor’s end of life/end of support notifications must be analyzed to determine the impact to the City of Greensboro as a result of end of life/end of support components and a plan must be defined to upgrade or retire the impacted component.

8. Changes to systems and applications must be documented in Fresh Service and communicated to stakeholders using the change review board meeting. The change management process ensures that changes to systems and applications have detailed implementation, testing and fallback plans and that risk to production systems and applications as a result of a change is evaluated to minimize the impact on users and residents.

9. Configuration standards including secure configuration must be defined and implemented for workstations, printers, Windows servers, SQL databases, IIS servers and network devices to maintain consistency and protect systems and applications from unauthorized access and disclosure of confidential information. The Cyber Security Team must ensure the standards are readily available and are communicated to all teams.

10. Security patches and hot fixes must be deployed regularly to systems, applications and network devices. Security patches and hot fixes must first be adequately tested before being deployed to production systems and applications. Patches that address critical vulnerabilities must be deployed in a timely manner to effectively mitigate the risk to the City of Greensboro systems and information.

11. IT technology standards must be defined and communicated to all IT groups responsible for managing technologies and infrastructure.

12. The Leasing Database is used to manage and track hardware assets that have been installed. Monthly hardware reports for expiring leases are generated and provided to management for review.

13. Periodic checks of desktop software packages must be conducted to ensure that all installed software is officially licensed for the use.

14. On-Premise Systems and applications must be backed up in accordance with the schedule below. Backups must be stored at an off-site facility. Backup failures must be monitored and IT administrators immediately notified of any failure.

15. An approved backup job will be scheduled to run on each file server once or more every day.
   a. Using Cohesity Incremental back-up, a scheduled backup will be run every day of the week on every server and will be retained for 30 days. Extended retention includes 4 weekly backups per month, monthly backups retained for 12 months and 1 annual backup.
   b. Using NetApp snapshot technology, every virtual server will have a snapshot taken every day of the week.
   c. Using NetApp snapshot technology, a scheduled snapshot/backup of all file share data residing on SAN/NAS systems will be scheduled to run every 1 hour and be retained with 4 weekly, 7 daily and 8-hour snapshots.
   d. Using Cohesity replication technology, all backups will be scheduled to replicate to a system located at an offsite building and will be retained until the data is no longer needed.
   e. Cohesity performs validations of each backup to confirm they were successfully completed.

16. An approved backup job will be scheduled to run on each SQL Database server once or more every day.
   a. Full SQL database backup jobs will be scheduled to run on each SQL server every day of the week and will be retained for 30 days. Extended retention includes 4 weekly backups per month, monthly backups retained for 12 months and 1 annual backup.
   b. The SQL Transactional Logs backup jobs will be scheduled to run on each SQL server every 15 minutes of every day of the week and will be retained for the same duration as the full database backup.
   c. All critical SQL databases will be replicated using Cohesity replication technology.
   d. Cohesity performs validations of each SQL backup to confirm they were successfully completed.
   e. Infor Lawson is backed up by the AWS Cloud operations team where it is hosted. Refer to the SOC report from AWS for backup policies.

17. An approved backup job will be scheduled to run on each email On-premises Exchange Database server once or more every day.
   a. Using Cohesity backup technology, On-premises Exchange databases are backed up daily and are kept for 30 days. Extended retention includes 4 weekly backups per month, monthly backups retained for 12 months and 1 annual backup.
   b. Exchange Online databases are maintained by Microsoft.
   c. Exchange On-premises databases are replicated using Cohesity replication technology.
   d. Cohesity performs validations of each Exchange On-premises database backup to confirm they were successfully completed.

18. Active monitoring of network and Internet communications must be conducted to identify malicious activities and block intrusions and cyber-attacks. Cyber Security personnel must be alerted of any malicious activities to quickly analyze the behavior and prepare the proper response.

19. The Continuity of operations plan must be defined and implemented to ensure the availability of systems and applications in the event of unforeseen disaster. The plan must include recovery procedures for systems and applications and must be tested regularly to identify gaps and areas of improvement.

20. Vulnerability assessments must be conducted regularly to identify and mitigate system and application vulnerabilities that could be exploited to gain access to confidential information. Critical vulnerabilities must be mitigated in a timely manner to protect the City’s systems and confidential information.

21. IT compliance reviews must be conducted regularly to ensure compliance with laws, regulations, and standards. These reviews must include the following activities:

• Ensure that semi-annual backup and recovery tests are conducted and all identified issues are mitigated

• Ensure that monthly internal and external vulnerability assessments are conducted against systems and applications, and the results are analyzed and communicated for remediation

• Ensure that security patches have been deployed to systems and applications

• Perform quarterly firewall reviews to identify and mitigate configuration weaknesses that may allow unauthorized access into systems and applications

• Perform annual software compliance checks to ensure that all software installed on endpoints is licensed for use

• Perform regular reviews of domain and system admin access to ensure that appropriate rights have been assigned to proper individuals

• Perform monthly secure configuration reviews to ensure that systems and applications adhere to secure configuration standards

• Perform monthly reviews of change requests to ensure compliance with policy and procedure

• Perform weekly reviews of incidents to ensure that corrective and preventative measures are documented and implemented

• Perform regular incident exercises to improve the incident response process

• Perform annual disaster recovery exercises to improve disaster recovery processes

Compliance deficiencies must be analyzed, documented, and immediately communicated to the individuals responsible for the function or activity to ensure that corrective actions are implemented to mitigate the deficiency.

ENFORCEMENT

Any violation of this policy may lead to corrective action, up to and including dismissal from employment. The corrective action will depend upon the violation and be subject to the discretion of the employee’s supervisor/manager in accordance with Personnel Policy H-1 Corrective Action. Note: Some departments use Discipline without Punishment as an alternative to H-1. The Police Department has its own corrective action process.

COMPLIANCE

It is the responsibility of City of Greensboro employees, contractors and consultants to ensure that the policy described in this document is followed. Employees, contractors and consultants must understand that protecting confidential information is a critical part of the City’s security strategy. The Cyber Security Team is authorized to limit access for employees, contractors and consultants that do not comply with this policy.

EXCEPTIONS

Requests for exceptions to this policy may be granted for systems or applications that have adequate security controls implemented. The security controls must provide good protection against malware, cyber-attacks and other forms of threats. Requests must be submitted in writing to the Cyber Security Team for review and approval and must include the following details:

1. Purpose for requesting the exception.

2. The risk to the City if the system or application becomes compromised.

3. Mitigation controls that have been implemented to protect the system or application.

4. End date for the exception.

INFORMATION TECHNOLOGY (IT) LOANER DEVICE RENTAL AND RETURN POLICY

PURPOSE

The purpose of this policy is to establish a set of procedures concerning loaner equipment check-out and return.

SCOPE

This policy applies to all City employees. This policy establishes specific rental periods, how to submit a request, minimum lead times, fee schedules, processes for billing, and reporting lost or damaged equipment.

DEFINITIONS

There are no associated definitions applicable to this policy.

ROLES AND RESPONSIBILITIES

End users will adhere to the guidelines stated herein. If you have any questions regarding this policy, please contact the Service Desk (336-373-2322).

ENFORCEMENT AND COMPLIANCE

Enforcement and Compliance of this policy will be the responsibility of the City of Greensboro's IT Department, Service Desk, the end-user, and their respective City Department Director.

1. The rental period for all equipment is one week.

2. All requests for equipment rental should be made by entering a Service Desk Ticket (https://itsupport.greensboro-nc.gov/).

3. With the acceptance of the Service Desk request, the end-user’s department is contractually obligated to the fees associated with the IT Device Rental Agreement. The fee schedule is listed below and will be updated annually and published in the Information Technology Service Catalog.

CURRENT FEE SCHEDULE FOR LOANER EQUIPMENT

Laptops

$70 for up to 7 days

The rental period will operate as follows:

Once the loaner equipment is returned, the user's department account will be charged the weekly rate for the loan duration, over the initial loan period.

Rules of Use:

• City of Greensboro rental Devices are for use by current staff.

• If the device is not returned in 30 days, I understand I will be billed for the full replacement cost.

• You are responsible for ensuring the Loaner device is not damaged, lost, or stolen while checked out to you.

• Reservations are not accepted for loaner devices. Devices are rented on a first-come, first-served basis.

• Do not save data to the loaner device. Everything saved on the hard drive will be lost when you return.

LOST/STOLEN LEASED EQUIPMENT POLICY

PURPOSE

The City of Greensboro’s Information Technology (IT) Department has written this policy to guide and direct employees on lost or stolen leased equipment.

SCOPE

These standards apply to all City employees and staff utilizing leased equipment.

DEFINITIONS

There are no associated definitions applicable to this policy.

POLICY/ROLES AND RESPONSIBILITIES

All City employees and staff should abide by the procedures outlined herein. The following procedure is utilized when leased equipment has been reported as lost or stolen:

1. The customer or Department Liaison must notify the Service Desk team to obtain final pricing of lost or stolen equipment. When reporting the device stolen, please provide the following information:

• Equipment Serial Number

• Name and Employee Number of Client Requesting the Final Pricing

• Department Name

• Account number to be charged with final price

• If Stolen, Relevant Police Report Data

• Should the lost or stolen equipment be located, the liaisons should notify the Service Desk team and relinquish the equipment.

The team will take the following actions:

• Notify IT Security if the equipment is stolen and the Cyber Security division will file a claim to protect sensitive data with the Cyber Insurance Carrier AIG.

• Contact the leasing company and obtain the final price.

• Notify the liaison of the final billing amount charged to the account provided.

• Authorize the leasing company to proceed with the invoice, prepare the check order and mark equipment accordingly in the leasing database.

2.

ENFORCEMENT AND COMPLIANCE

Enforcement and Compliance with this policy will be the responsibility of the City of Greensboro’s IT Leasing and Deployment Staff.

MOBILE DEVICE POLICY

PURPOSE

The purpose of this policy is to establish comprehensive guidelines and procedures for the use, procurement, and management of mobile devices (including smartphones, cell phones, and tablets such as iPads) issued by or used to access the systems and applications of the City of Greensboro. This includes City-issued devices and personal devices receiving a stipend or used to access City resources. The policy is intended to ensure compliance with applicable federal, state, and local laws, control costs, protect sensitive City information and define security and administrative requirements.

SCOPE

This policy applies to all City of Greensboro employees who use mobile devices — including City-issued and personally owned devices — to access City systems, applications, communications, or perform work-related duties.

DEFINITIONS:

• Mobile Device: Includes smartphones (e.g., iPhone, Galaxy S), tablets (e.g., iPad, Surface), and any portable device capable of connecting to wireless data services.

• MDM (Mobile Device Management): A security platform that manages and secures mobile devices used to access City data and systems.

• Rooted/Jail-broken Device: A mobile device whose operating system has been modified to remove manufacturer or carrier restrictions, which compromises security protocols.

POLICY/ROLES AND RESPONSIBILITIES

General Guidelines for All Mobile Devices

1. The City may provide mobile devices to employees whose job duties require them.

2. City-owned devices are the property of the City and must be returned upon separation or request.

3. The City is not responsible for personal data on City-owned devices.

4. Non-exempt employees may not be contacted outside of work hours without compensation in accordance with FLSA and City policy.

5. All applicable laws must be followed, especially regarding device use while driving. If an employee is charged with traffic violations resulting from the use of a City-owned mobile device while driving, the employee will be solely responsible for all liabilities that result from such action.

6. Devices must not be used for illegal, unauthorized, or unsafe purposes.

7. Employees must avoid using public Wi-Fi networks unless otherwise authorized.

8. Devices that are rooted or jail-broken will be blocked from accessing City systems.

9. Devices must use authentication (passcode, Face ID, etc.).

10. City-applied security controls must not be circumvented.

11. Only reputable apps should be installed on personal devices; personal apps are not allowed on City devices.

12. Security updates must be applied when instructed by IT.

13. Lost or stolen devices must be immediately reported to Telecom.

14. Before service or repair, all City information must be removed from the device.

15. Upon employee separation, City information must be locally erased.

City-issued Cell Phones

• Available to employees whose roles justify them, including roster employees.

• Business calls and messages must be accepted if the device is taken home.

• The City pays for devices and accessories; employees must notify supervisors of damage/loss.

• Employees may reimburse the City for negligence-related damage.

• Devices and accessories must be returned upon employment separation. Devices must be factory reset by the employee or their supervisor before being returned to Telecom.

• Devices may be reclaimed during long-term absences (30+ days).

Cell Phone Stipends

Department heads or designees may authorize a monthly stipend to employees using personal phones for business:

• Roster employees are not eligible for stipends.

• Stipend is included in semi-monthly payroll, not base pay.

• Reviewed and approved annually; cannot exceed personal plan rate.

• Employees agree to allow business use and publishing of their number.

• The City is not liable for damage; employees manage their own service contracts.

• Non-exempt employees must be compensated if contacted after hours.

• Call records may be subject to public record laws.

• Verification of active service plans may be requested.

• Employees are required to notify their employer immediately if there is any interruption of service due to loss, damage, carrier cancellation, etc.

• The employee is responsible for all contractual services with their wireless provider.

• Termination or continuance of the monthly reimbursement will be at the discretion of the Department director.

• Stipends may be suspended if the employee is out for over 30 days.

Stipend Rates:

Phone & Data: $45/month

Phone Only: $25/month

• Only one City-funded data plan per employee is permitted.

iPad Management

Procurement & Deployment

• All iPad procurement is through the Telecom division.

• Requires liaison and department head approval.

• Standard configuration: 128 GB, with optional 5G/Wi-Fi.

• Leased iPads are shipped to MMOB, logged in the leasing database, and deployed by the Mobile Device Manager.

• Carrier (T-Mobile or Verizon) procured iPads are purchased by the department and logged by Telecom.

• Accessories must be purchased by departments.

Deployment & Setup

• The Mobile Device Manager configures the device, sets up email, and restores backups for replacements.

Support & Usage

• Service Desk and Mobile Device Manager provide support.

• Device must auto-lock within 5 minutes and be password protected.

• Jail-breaking is prohibited.

• Email and network connectivity is supported by the Mobile Device Technician.

• Departments are charged for support and network access based on the IT Service Catalog.

• Password-locked iPads must be returned unlocked, or the department will be charged the device’s value.

ENFORCEMENT AND COMPLIANCE:

• Cyber Security Division: Ensures compliance and may block access for non-compliant devices.

• Department Heads: Determine eligibility, authorize stipends, oversee compliance.

• IT Department: Manages device procurement, deployment, and ongoing support.

• Employees: Must follow all rules outlined in this policy; violations may result in disciplinary action, including termination.

All policy components apply concurrently and must be reviewed annually to ensure continued alignment with evolving technology, security standards, and legal requirements.

ONE CONNECT POLICY

PURPOSE

The purpose of this policy is to establish a set of procedures concerning the use of City-issued mobile devices that utilize a cellular connection. This policy establishes guidelines for monitoring and controlling cellular costs, cellular service use, and other administrative issues related to mobile devices.

SCOPE

It has become increasingly necessary for certain City of Greensboro staff to have mobile devices with cellular services to allow them internet access in almost any location. This policy will put parameters around only utilizing one city-issued cellular connection to minimize cost to the organization. This policy does not guarantee any position the right to a City-issued mobile device. In keeping with public records requirements, all records related to City-issued mobile devices are considered public record, except in instances where protected by law.

DEFINITIONS

There are no associated definitions applicable for this policy.

POLICY/ROLES AND RESPONSIBILITIES

General Policy

• If an employee is out of work more than 30 days, they may be required to turn in their City-issued mobile device or have their cellular service suspended until returning to work. This will be at the discretion of the employee’s department head or designee.

One Cellular Connection

• City staff should only have one mobile computing device with cellular service. For example, if staff currently have a laptop with a Verizon/T-Mobile cellular connection there is no business need to have an iPad or Tablet with a Verizon/T-Mobile cellular connection; the laptop can be used as the mobile computing device with cellular service.

• City staff should only have one device that connects to the internet via Verizon/T-Mobile cellular service; the one device may be used as a mobile hotspot for wireless connection with their additional devices. For example, if staff are assigned a smart phone by the City, they can turn it into a mobile hotspot and connect their tablet or laptop via the wireless connection to the internet created by the smart phone.
