214.08   COMPUTER SECURITY STANDARDS.
   (a)   Risk Assessment.
      (1)   Performing a risk assessment shall be the first step in applying security measures to a given environment. The Information Systems Supervisor shall identify, inventory and classify assets by degree of security risk.
      (2)   This risk assessment should include the potential risks associated with information output devices, whether in the form of diskettes, other modems, on-line or local or remote printers.
   (b)   Physical Security. The physical security of computer equipment shall protect the power switch, plug and CPU. Storage media shall be protected as necessary in locked files or desk drawers. All physical hardware shall be inventoried and have an associated and unique serial number.
(Ord. 93-45. Passed 4-6-93.)
   (c)   Storage Media Protection.
      (1)   Storage media must be protected from accidental or malicious destruction or tampering via regular back-up practices. The best defense involves management expectations and attention to user back-up performance.
      (2)   A back-up of the system will be performed daily and weekly. Departments will be notified in the morning that the system is "up" or operational and then in the evening when the system is "down." In order to back-up the system, all departments shall cease input at the end of the day, approximately 4:30 p.m. A weekly back-up will be performed on Thursday mornings between the hours of 5:00 a.m. and 7:30 a.m.
(Ord. 96-166. Passed 11-19-96.)
   (d)   Software Protection. Software security requires protection against unauthorized modifications or destruction of that software. This includes limiting access to application and system control program libraries to only those authorized individuals. All software back-ups are stored off-site at a secured location. Unauthorized duplication of City software will not be sanctioned under any circumstances.
   (e)   Data Security. Users are responsible for determining the nature and importance of information for which they are responsible and to make optimum use of such controls as exist. These include access protection, such as passwords, hard copy output and password protected software.
(Ord. 93-45. Passed 4-6-93.)
   (f)   Access Security.
      (1)   Only authorized employees or authorized contractors shall have access to the City's data processing equipment. A City employee will have access only for particular department functions. Each personal computer must have a password. This password is not to be divulged to anyone, except specified departmental employees. This password is highly confidential, and should anyone learn the password, a new one should be assigned immediately.
      (2)   A listing of codes for files which are the property of the City and which are accessible only by a code shall be maintained by the Information System Supervisor.
      (3)   Any employee who divulges passwords or allows access to the City's equipment or software to nonemployees shall be subject to disciplinary action, as may be appropriate. Such disciplinary action may include dismissal from employment.
(Ord. 96-166. Passed 11-19-96.)
   (g)   Screen and Log-Off Security. The screen should not be viewed by the public. This should prevent the release of information or discourage tampering. The arrangement of any department shall include plans to have the screen not within view of the public. When leaving their work area, employees shall log back to the main system menu.
(Ord. 93-45. Passed 4-6-93.)