The city shall adopt the following security procedures and requirements for the purposes of attempting to prevent and mitigate identity theft:
(A) All new accounts must be opened in person at the City Building, 700 North Walnut Street, Hartford City, Indiana;
(B) Paper documents, files and hard copies of electronic media containing secure information will be stored in locked file cabinets;
(C) Employees will not leave sensitive papers out on their desks when they are away from their work areas;
(D) Employees will store files when leaving their work areas;
(E) Employees will log off from their computers when leaving their work areas;
(F) Visitors who must enter areas where sensitive information or files are kept must be escorted by an employee of the city;
(G) No visitor will be given any entry codes or allowed unescorted access to the office of the City Clerk-Treasurer or the surrounding work areas;
(H) Access to sensitive information will be controlled using passwords; employees shall choose passwords with a mix of letters, numbers and random characters, user names and passwords shall not be identical and passwords will be changed at least monthly;
(I) Passwords will not be shared or posted near work areas;
(J) Anti-virus and anti-spyware programs shall be run on individual computers and on servers on a regular basis;
(K) When new software is installed, vendor- supplied default passwords will be changed;
(L) The city’s computer network will have a firewall where the network connects to the Internet;
(M) References will be checked and background checks will be done before hiring employees who will have access to sensitive information;
(N) Access to a customer’s personal identifying information will be limited to employees who “need to know,” and employees who do not “need to know” such information will not be provided with access to such information;
(O) Procedures will be developed to ensure that employees of the city who leave their employment with the city or transfer to another department of the city no longer have access to sensitive information;
(P) Employees will be trained on a regular basis, not fewer than twice a year;
(Q) Employees will be alerted of any occurrences of telephone or email phishing; for the purposes of this section, PHISHING means the fraudulent process of attempting to acquire sensitive information for the purpose of identity theft by posing as a trustworthy entity in an electronic communication;
(R) If paper records must be disposed of, then said paper records will be shredded before the same are placed in the trash;
(S) If any data storage media must be disposed of, then said media shall be shredded, have holes punched in said media’s body, be incinerated or otherwise be made “unreadable” before being placed in the trash; and
(T) If a service provider shall perform an activity in connection with city accounts, then the City Clerk-Treasurer shall exercise his or her discretion in reviewing such arrangements in order to ensure, to the best of his or her ability, that the service provider’s activities are conducted in accordance with the program and with certain policies and procedures, agreed upon by contract, which are designed to detect any red flags which may arise in the performance of the service provider’s activities, and to take appropriate steps to prevent or mitigate identity theft.
(Ord. 2009-10, passed 6-1-2009)