9.7 Security
   A.   Authentication to Systems
      Authentication is the process that allows authorized users to provide and prove their identity to access Village systems. The Village maintains several types of systems, and most systems require some form of authentication for access. Required authentication can be as simple as accessing a system from an approved workstation or as complicated as requiring possession of an authentication device. The requirements for the type of authentication assigned to a system or user are based on the sensitivity of the system. Systems with very sensitive information or systems that provide the ability to change or access information from uncontrolled (mobile) locations will require more stringent authentication.
      There are three possible forms or factors of authentication:
      1)   Something you know (username and password or PIN number)
      2)   Something you have (a special key, card, or token)
      3)   Something you are (biometrics such as fingerprints, voice recognition, etc.)
      The basic form of authentication is single factor and is generally based on something you know. This information is equivalent to a key and, in most cases, will identify an individual person. Extended authentication is multi-factor, meaning that something you know will be combined with something you have. If multi-factor authentication is required, each user will be issued a special device called a key (usually a Village ID or token) that will be combined with something they know (a PIN or password) to provide authentication. In the future, the Village may choose to employ the third factor, such as fingerprints.
      If you have been issued a token or Village ID access device, you should treat this as any other key. You are responsible for keeping your PIN private and for keeping the key itself secure. If the key is ever lost or compromised, you must report it to the IT Department immediately. If you lose your Village ID or token, you will be responsible for the cost of replacement.
      Unless clearly distinguished as shared, all authentication methods are unique and private to an individual user and should never be shared with other users!
      Your computer must be locked if it is logged on and unattended for more than 10 minutes. Do not log on to your system if someone can see you keying in your password. Report any irregularities flagged by the password access program (last login time and date, number of attempts to log in, etc.) to your supervisor or to the IT Department.
   B.   Network Access Restrictions
      The Village provides network and Internet access to computer users for Village business-related activities. As part of the network system, the Village provides content filtering, reporting, and protection from external network threats. It is absolutely forbidden under this policy to attempt to circumvent any element of the Village's default Internet configuration. This includes, but is not limited to, manually connecting Village equipment to other networks, or connecting non-Village equipment to the Village network. This applies to both wired and wireless connections. There may be specific exclusions for laptops that have been appropriately configured to be protected on external networks, but no attempt should be made to connect to other networks without express approval from Information Systems.
      It is also prohibited under this policy to make or attempt to make any Village resource accessible from the Internet without the approval of IT. Internet-based desktop sharing systems are not allowed unless installed and configured by the IT Department.
   C.   Password Selection and Protection
      Passwords are an important part of security and should be selected carefully and protected from use by anyone other than the owner. Employees may not share their passwords with anyone other than an IT Department employee. Do not write your password down where someone can easily find it, and do not send it over the Internet, Intranet, email, dial-up modem, or any other communication line. Do not log into a computer and allow someone else to use it.
      If you have a question about password selection or safekeeping, please see your supervisor or someone from the IT Department.
   D.   Hackers
      Hackers frequently penetrate computer systems by calling unsuspecting employees representing themselves as new employees, supervisors, or other trusted individuals. Through a variety of probing questions, they obtain information necessary for their invasive programs to do their work.
      Never give any information about computer systems out over the telephone or in any other way to anyone but authorized IT personnel. If someone requests such information, get their name and phone number, and tell them you will get right back to them. Report the incident immediately to the Information Systems help desk. Without your help, the Village has little chance of protecting the Village's computer systems.
      Using hacker programs and trying to access computer systems using hacker techniques is prohibited. Trying to hack into third party computer systems using Village computers is prohibited and will be reported to the appropriate authorities. If you are caught hacking, it is a serious offense. If you identify a vulnerability in the Village's computer security system, report it to the IT Department immediately.
   E.   Phishing
      Phishing is a term used to describe the illegal practice of obtaining personal information from you by pretending to be a legitimate organization. This is most often done by sending emails, pop-up messages, or instant messages with links to sites that appear to be from a legitimate organization. These links will direct you to enter personal information such as passwords, social security numbers, bank account numbers, credit card numbers, etc. These sites often appear official and may include graphics from the legitimate organization's site. Legitimate organizations never request information in this manner. Since business is increasingly done via the Internet, it is very important to be continually vigilant by using safe techniques to retrieve and update information.
      The easiest way to avoid becoming a victim of a phishing attack is to never click on links contained in these messages. Instead, open another browser session and manually navigate to the site of interest - do not cut and paste addresses from the message. Also verify that the "lock" icon displays in your browser indicating that the connection is secure. If you have any concerns, use the phone and call a phone number you know to be legitimate to speak to someone at the company. Do not rely on phone numbers contained in the message.
      If you believe you unknowingly supplied sensitive information to an illegitimate site, contact your supervisor immediately.
   F.   Locks
      Store external storage devices such as floppy disks, CDs, DVDs, flash drives, USB keys, printed reports, and other sensitive items in a locked drawer. You should lock your computer or log off when it is not in use for more than ten (10) minutes. If you have been issued a key or token, you should log off, remove it, and take it with you if you will be away from your workstation. There are practical exceptions to this, such as some types of in-vehicle use. Lock the door to your office or work area when leaving for the night if you have confidential information that could be easily accessed.
   G.   Removable Devices
      Removable devices are a well-known source of malware infections and have been directly tied to the loss of sensitive information in many organizations. To minimize the risk of loss or exposure of sensitive information maintained by Village of Romeoville and to reduce the risk of acquiring malware infections on the Village network, users may not use any removable devices on Village workstations or that have not been provided by our IT Department. Outside or personal removable devices are prohibited. For users with the proper permission, the following rules apply:
      •   Staff may only use removable devices purchased by the Village of Romeoville or from a trusted third party that have been issued by the IT Department.
      •   Village of Romeoville removable devices may not be connected to or used in computers that are not owned or leased by the Village of Romeoville without explicit permission from the employee's Department Director. Devices must be scanned upon return using the virus scanning software present on all PCs to help ensure that the removable device does not introduce malware into the Village's network.
      •   Sensitive information should be stored on removable devices only when required in the performance of the user's assigned duties and in accordance with the confidentiality section of this policy.
      •   All Village-owned removable devices need to be accounted for at all times.
      If you have a unique situation that requires the use of removable devices, please contact the IT Department for assistance in setting up the appropriate security procedures.
      If the virus scanning software detects an issue on a removable device, contact the IT Department for assistance.
(Ord. 23-1853, passed 5-3-23)