A. Ownership:
1. Salt Lake City Corporation software, documentation and all other types of internal information (databases, internal software, computer documentation, etc.) is considered the property of the citizenry of Utah and administered by the State Archives Division of the State of Utah. It must only be used for the business purposes specifically allowed. Use of these information resources for any other reason will be permitted only after written permission has been granted by the designated owner or administer of the information.
2. Likewise, this information must not be sold or otherwise transferred to any non-Salt Lake City Corporation party for any purposes other than business purposes expressly authorized by designated owner or administer of the information.
B. Privacy Expectations And Information Stored On Salt Lake City Corporation Systems: At any time and without prior notice, Salt Lake City Corporation reserves the right to examine archived electronic mail, personal file directories, hard disk drive files and other information stored on Salt Lake City Corporation information systems. This examination is performed to assure compliance with internal procedures, support the performance of internal investigations and assist with the management of Salt Lake City Corporation information systems.
C. Notification Of Suspected Loss Or Disclosure Of Sensitive Information: If secret, confidential or private data is lost, is disclosed to unauthorized parties or is suspected of being lost or disclosed to unauthorized parties, IMS must be notified immediately. Call Customer Support (7272) or Security Administrator (6105) immediately when you think data has been disclosed.
D. Attended Operation Required When Printing Sensitive Information: Individuals printing sensitive information are responsible for the security of that information. Individuals may need to attend the printer to maintain this security or physically control the access to the printer.
E. Approval Required Before Access To Sensitive Or Valuable Information: Access to Salt Lake City Corporation sensitive or valuable information must be provided only after proper authorization has been obtained.
F. Data Backup And Off Site Storage Of Backup Media:
1. All sensitive, valuable or critical information resident on Salt Lake City Corporation computer systems must be periodically backed up.
2. Backups of sensitive, critical and valuable information must be stored in an environmentally protected and access controlled site.
3. Production data is expected to be maintained on network servers. This allows for common security and management practices to be applied to the data. This includes timely backups of that data. These processes are managed by Information Management Services, which relieves the end user from the responsibility of guaranteeing the integrity of the data on the network servers (this does not include the user's local drive(s), normally, the C: drive).
4. If production or sensitive data is maintained on the local PC, it is the end user's responsibility to maintain the integrity of the data. Typically, this means that data must be backed up each time it changes.
Call Customer Support (7272) for assistance in determining the proper methods to back up your personal data.
G. Regular Purging Of Information Which Is No Longer Needed:
1. In accordance with Utah State Statutes and generally accepted records management practices, Salt Lake City Corporation's information must be destroyed or disposed of when no longer needed. Data can only be purged in accordance with the State approved retention schedule. Departments are responsible for ensuring that record sets stored in databases, electronic or paper files, etc., are managed according to the corresponding retention schedule.
2. If there are any questions as to that schedule, contact your departmental Records Administrator or call the City Recorder's Office for assistance. Care must be taken to follow that retention schedule and not purge data that is prohibited or keep data after the official purge date.
H. Copying, Transferring Or Disclosing Prohibited:
1. Salt Lake City Corporation strongly supports strict adherence to software vendor license agreements and copyright holder's notices. Users must not copy software provided by Salt Lake City Corporation to any storage media (i.e., disk, tape, etc.), transfer such software to another computer, or disclose such software to outside parties without written permission from the Director of Information Management Services (or appointee).
2. Salt Lake City Corporation allows reproduction of copyrighted material only to the extent that is legally considered "fair use" (backup, contingency planning) or with the permission of the author/owner.
3. If users make unauthorized copies of software, the users are doing so on their own behalf, since all such copying is strictly forbidden by Salt Lake City Corporation. Violation of this procedure is subject to disciplinary action.
I. Initial Backup Copies Of Microcomputer Software:
1. Original copies of computer software shall be stored in a safe and secure location. IMS may, in accordance with vendor licensing agreements, make copies for use by network technicians and help desk personnel. Original master copies should not be used for ordinary business activities when avoidable.
2. Information Management Services Department attempts to deliver most software packages to the desktop via a desktop management tool, such as SMS or Zen.
3. The Information Management Services Department maintains a library of software products used by Salt Lake City Corporation. End users who purchase software products without the assistance of Information Management Services should make a copy available to the library.
J. Registration Of Information Systems Products With Vendors:
1. To ensure compliance with software licensing term and agreements and that support and discount upgrades will be readily available, all hardware and software products must be registered with the appropriate vendor. This registration should take place when Salt Lake City Corporation staff takes delivery of new or upgraded information systems products, or soon after it has been determined that such products are not yet registered.
2. The Information Management Services Department maintains a database of valid products used by Salt Lake City Corporation. Products not obtained via Information Management Services must be registered in that database.
K. All User Involvement With Computer Viruses Prohibited: Users must not intentionally write, generate, compile, copy, propagate, execute or attempt to introduce any computer code designed to self-replicate, damage or otherwise hinder the performance of any computer's memory, file system or software. Such software is known as a virus, bacteria, worm, Trojan horse and similar names.
L. Immediate Reporting Of Suspected Computer Virus Infestation: Computer viruses can spread quickly and need to be eradicated as soon as possible to limit serious damage to computers and data. Accordingly, staff must report a computer virus infestation to the Security Administrator or Customer Support (801-535-7272) immediately after it is noticed.
M. System Integrity Checking Programs Required For Personal Computers: To promptly detect and prevent the spread of computer viruses, all Salt Lake City Corporation's personal computers (PCs), notebooks and LAN servers must run integrity checking software. This software detects changes in configuration files, system software files, application software files and other system resources. Integrity checking software must be continuously enabled or run daily. (See Virus Detection Procedure.)
N. Storage Of Sensitive Information On Personal Computers:
1. If sensitive information is to be stored on the hard disk drive or other internal components of a personal computer, it must be protected by either a password access control package or encryption. When sensitive information is written to storage media, the media must be suitably marked with the highest relevant sensitivity classification. Unless encrypted (when not in use), this media must be stored in locked furniture.
2. All data stored on a computer is subject to the same rules, regulations and policies of the GRAMA Act and the corresponding City ordinance. Contact Customer Support (7272) for methods of encrypting your data.
O. Storing Sensitive Information On Transportable Computers: Staff in the possession of portable, laptop, notebook, palmtop and other transportable computers containing sensitive Salt Lake City Corporation information should not leave these computers unattended at any time unless the information has been encrypted. Contact Customer Support (7272) for methods of encrypting your data.
P. Transferring Sensitive Salt Lake City Corporation Information:
1. Before any secret, confidential or private information may be transferred from one computer to another, the person making the transfer must make sure access controls on the destination computer are commensurate with access controls on the originating computer. If comparable security cannot be provided with the destination system's access controls, the information must not be downloaded.
2. For this data transfer to take place, a clear business need must exist and advance permission from the information owner must be obtained. Electronic mail or memos are considered valid exceptions to this procedure. Contact Customer Support (7272) for help in determining the access controls of any destination you are considering transferring data to.
Q. Approval For End User Production Systems Development Efforts: All software which handles sensitive, critical or valuable information, and has been developed by end users, must have its controls approved by the City Recorder's Office prior to being used for production processing. These controls will be validated in accordance with the GRAMA Act. (2019 Compilation)