A.   Controlling Access: The computer and communications system privileges of all users, systems and programs must be restricted, based on the need to know.

   B.   Automatic Log Off: If there has been no activity on a computer terminal, workstation or computer (PC) for fifteen (15) minutes, the system will automatically terminate any session initiated by IMS personnel. Reestablishment of the session must take place only after the user has provided the proper password.

   C.   Physical Security Measures For Computers And Communications Systems: Buildings which house Salt Lake City Corporation computers or communications systems must be protected with physical security measures that prevent unauthorized persons from gaining access.

   D.   Use Of Personal Computer Systems On Salt Lake City Property: Users must not connect their own computers or computer peripherals into the City's network, or load their personal computer software on City computer equipment without prior authorization from their department head.

   E.   Moving Microcomputer Equipment:

      1.   Computer equipment, such as PCs, printers, etc., under IMS maintenance and support may not be moved without the prior notification and participation of Information Management Services personnel. IMS requires a minimum of five (5) business days' notification prior to the proposed move to allow scheduling of personnel and needed equipment. A move of equipment is not covered under service or maintenance and is on a time and materials basis.

      2.   This chapter does not apply to minor moves within the user's personal work area (e.g., moving a system from the left side of a desk to the right side).

   F.   Alteration/Expansion Of Computers: Computer equipment under IMS maintenance and support may not be altered, modified or upgraded in any way without knowledge and authorization of IMS.

   G.   Prohibition Against Personal Computer Modems In Auto Answer Mode: Users must not leave modems connected to personal computers in auto answer mode in such a way that they are able to receive incoming dial-up calls.

   H.   Security Notice In System Login Banner:

      1.   Every login process for multi-user computers must include a special notice. This notice must state: a) the system is to be used only by authorized users; and b) by continuing to use the system, the user represents that he/she is an authorized user. In addition, specific information about the organization, the computer operating system, the network configuration or other internal matters must not be provided in the login banner until a user has successfully provided both a user ID and a password.

      2.   For legal reasons, in many jurisdictions, it is wise to put all users on notice that the involved system is to be used only for authorized purposes. In the event of a prosecution against those who entered the system unlawfully, one of the most successful defending claims is that there was no notice saying they could not enter. Recent court cases have highlighted the need for organizations to put unauthorized users on notice that their systems are off limits. As a result, a system login banner, displayed each time a user logs in, should provide the electronic equivalent of a no trespassing sign. Our current model requires this only for those logging in with VPN logins. (2019 Compilation)

   A.   Ownership:

      1.   Salt Lake City Corporation software, documentation and all other types of internal information (databases, internal software, computer documentation, etc.) is considered the property of the citizenry of Utah and administered by the State Archives Division of the State of Utah. It must only be used for the business purposes specifically allowed. Use of these information resources for any other reason will be permitted only after written permission has been granted by the designated owner or administer of the information.

      2.   Likewise, this information must not be sold or otherwise transferred to any non-Salt Lake City Corporation party for any purposes other than business purposes expressly authorized by designated owner or administer of the information.

   B.   Privacy Expectations And Information Stored On Salt Lake City Corporation Systems: At any time and without prior notice, Salt Lake City Corporation reserves the right to examine archived electronic mail, personal file directories, hard disk drive files and other information stored on Salt Lake City Corporation information systems. This examination is performed to assure compliance with internal procedures, support the performance of internal investigations and assist with the management of Salt Lake City Corporation information systems.

   C.   Notification Of Suspected Loss Or Disclosure Of Sensitive Information: If secret, confidential or private data is lost, is disclosed to unauthorized parties or is suspected of being lost or disclosed to unauthorized parties, IMS must be notified immediately. Call Customer Support (7272) or Security Administrator (6105) immediately when you think data has been disclosed.

   D.   Attended Operation Required When Printing Sensitive Information: Individuals printing sensitive information are responsible for the security of that information. Individuals may need to attend the printer to maintain this security or physically control the access to the printer.

   E.   Approval Required Before Access To Sensitive Or Valuable Information: Access to Salt Lake City Corporation sensitive or valuable information must be provided only after proper authorization has been obtained.

   F.   Data Backup And Off Site Storage Of Backup Media:

      1.   All sensitive, valuable or critical information resident on Salt Lake City Corporation computer systems must be periodically backed up.

      2.   Backups of sensitive, critical and valuable information must be stored in an environmentally protected and access controlled site.

      3.   Production data is expected to be maintained on network servers. This allows for common security and management practices to be applied to the data. This includes timely backups of that data. These processes are managed by Information Management Services, which relieves the end user from the responsibility of guaranteeing the integrity of the data on the network servers (this does not include the user's local drive(s), normally, the C: drive).

      4.   If production or sensitive data is maintained on the local PC, it is the end user's responsibility to maintain the integrity of the data. Typically, this means that data must be backed up each time it changes.

   G.   Regular Purging Of Information Which Is No Longer Needed:

      1.   In accordance with Utah State Statutes and generally accepted records management practices, Salt Lake City Corporation's information must be destroyed or disposed of when no longer needed. Data can only be purged in accordance with the State approved retention schedule. Departments are responsible for ensuring that record sets stored in databases, electronic or paper files, etc., are managed according to the corresponding retention schedule.

      2.   If there are any questions as to that schedule, contact your departmental Records Administrator or call the City Recorder's Office for assistance. Care must be taken to follow that retention schedule and not purge data that is prohibited or keep data after the official purge date.

   H.   Copying, Transferring Or Disclosing Prohibited:

      1.   Salt Lake City Corporation strongly supports strict adherence to software vendor license agreements and copyright holder's notices. Users must not copy software provided by Salt Lake City Corporation to any storage media (i.e., disk, tape, etc.), transfer such software to another computer, or disclose such software to outside parties without written permission from the Director of Information Management Services (or appointee).

      2.   Salt Lake City Corporation allows reproduction of copyrighted material only to the extent that is legally considered "fair use" (backup, contingency planning) or with the permission of the author/owner.

      3.   If users make unauthorized copies of software, the users are doing so on their own behalf, since all such copying is strictly forbidden by Salt Lake City Corporation. Violation of this procedure is subject to disciplinary action.

   I.   Initial Backup Copies Of Microcomputer Software:

      1.   Original copies of computer software shall be stored in a safe and secure location. IMS may, in accordance with vendor licensing agreements, make copies for use by network technicians and help desk personnel. Original master copies should not be used for ordinary business activities when avoidable.

      2.   Information Management Services Department attempts to deliver most software packages to the desktop via a desktop management tool, such as SMS or Zen.

      3.   The Information Management Services Department maintains a library of software products used by Salt Lake City Corporation. End users who purchase software products without the assistance of Information Management Services should make a copy available to the library.

   J.   Registration Of Information Systems Products With Vendors:

      1.   To ensure compliance with software licensing term and agreements and that support and discount upgrades will be readily available, all hardware and software products must be registered with the appropriate vendor. This registration should take place when Salt Lake City Corporation staff takes delivery of new or upgraded information systems products, or soon after it has been determined that such products are not yet registered.

      2.   The Information Management Services Department maintains a database of valid products used by Salt Lake City Corporation. Products not obtained via Information Management Services must be registered in that database.

   K.   All User Involvement With Computer Viruses Prohibited: Users must not intentionally write, generate, compile, copy, propagate, execute or attempt to introduce any computer code designed to self-replicate, damage or otherwise hinder the performance of any computer's memory, file system or software. Such software is known as a virus, bacteria, worm, Trojan horse and similar names.

   L.   Immediate Reporting Of Suspected Computer Virus Infestation: Computer viruses can spread quickly and need to be eradicated as soon as possible to limit serious damage to computers and data. Accordingly, staff must report a computer virus infestation to the Security Administrator or Customer Support (801-535-7272) immediately after it is noticed.

   M.   System Integrity Checking Programs Required For Personal Computers: To promptly detect and prevent the spread of computer viruses, all Salt Lake City Corporation's personal computers (PCs), notebooks and LAN servers must run integrity checking software. This software detects changes in configuration files, system software files, application software files and other system resources. Integrity checking software must be continuously enabled or run daily. (See Virus Detection Procedure.)

   N.   Storage Of Sensitive Information On Personal Computers:

      1.   If sensitive information is to be stored on the hard disk drive or other internal components of a personal computer, it must be protected by either a password access control package or encryption. When sensitive information is written to storage media, the media must be suitably marked with the highest relevant sensitivity classification. Unless encrypted (when not in use), this media must be stored in locked furniture.

      2.   All data stored on a computer is subject to the same rules, regulations and policies of the GRAMA Act and the corresponding City ordinance. Contact Customer Support (7272) for methods of encrypting your data.

   O.   Storing Sensitive Information On Transportable Computers: Staff in the possession of portable, laptop, notebook, palmtop and other transportable computers containing sensitive Salt Lake City Corporation information should not leave these computers unattended at any time unless the information has been encrypted. Contact Customer Support (7272) for methods of encrypting your data.

   P.   Transferring Sensitive Salt Lake City Corporation Information:

      1.   Before any secret, confidential or private information may be transferred from one computer to another, the person making the transfer must make sure access controls on the destination computer are commensurate with access controls on the originating computer. If comparable security cannot be provided with the destination system's access controls, the information must not be downloaded.

      2.   For this data transfer to take place, a clear business need must exist and advance permission from the information owner must be obtained. Electronic mail or memos are considered valid exceptions to this procedure. Contact Customer Support (7272) for help in determining the access controls of any destination you are considering transferring data to.

   Q.   Approval For End User Production Systems Development Efforts: All software which handles sensitive, critical or valuable information, and has been developed by end users, must have its controls approved by the City Recorder's Office prior to being used for production processing. These controls will be validated in accordance with the GRAMA Act. (2019 Compilation)

   A.   Users Responsible For All Activities Involving Personal User IDs: Users are responsible for all activity performed with their personal user IDs. User IDs may not be utilized by anyone but the individuals to whom they have been issued. Users must not allow others to perform any activity with their user IDs. Similarly, users are forbidden from performing any activity with IDs belonging to other employees, except workstation specific user IDs. If users need to share computer resident data, they should use electronic mail, public directories on local area network servers and other mechanisms. This chapter does not prevent the use of default passwords, typically used for new user ID assignment or password reset situations, which are then immediately changed when the user next logs onto the involved system.

   B.   User ID And Password Required For Computer Connected Network Access: Everyone that has legitimate need to access our network may have an account established on all the necessary Salt Lake City Corporation computers. Your account details the resources that you will have access to. The key to this account is a personal user ID. Associated with this ID is a secret password which you construct. Each time you login to the network, you must verify your identity by specifying your personal user ID and secret password.

   C.   User ID Construction: No matter how many systems they access, Salt Lake City Corporation users must have only one computer system user ID. Unless advance permission from the Security Administrator has been granted, all computer system administrators must consistently observe the user ID naming standards.

   D.   Minimum Password Length: The length of passwords must always be checked automatically at the time that users construct or select them. All passwords must have at least six (6) characters.

   E.   Passwords Must Contain Both Alphabetic And Nonalphabetic Characters: All user chosen passwords must contain at least two (2) alphabetic and two (2) nonalphabetic characters. Nonalphabetic characters include numbers (0-9) and some punctuation. The use of control characters and other nonprinting characters are not allowed because they may inadvertently cause network transmission problems or unintentionally invoke certain system utilities.

   F.   Difficult To Guess Passwords Required:

      1.   All computer system users must choose passwords that cannot be easily guessed. This means passwords must never be the same as the user ID passwords, must not be a word found in the dictionary or some other part of speech. For example, proper names, places and slang must not be used.

      2.   Suggestions for constructing a difficult to guess yet easy to remember password are as follows:

         a.   String several words together (these passwords are also known as "passphrases"); an example would be "14the$", "24theshow", "32getready" and "42go";

         b.   Shift a word up, down, left or right one row on the keyboard;

         c.   Bump characters in a word a certain number of letters up or down the alphabet;

         d.   Combine punctuation or numbers with a regular word;

         e.   Create acronyms from words in a song, a poem or another known sequence of words;

         f.   Combine a number of personal facts, like birth dates and favorite colors;

         g.   Combine upper and lower case letters.

   G.   Periodic Password Changes: All users must change their passwords at least once every fifty six (56) days. Failure to do so will result in the disabling of the user's account. To enable the account, the user must notify the Help Desk (X7272) with proof of identity.

   H.   Writing Passwords Down And Leaving Where Others Could Discover: Passwords must not be written down and left in a place where unauthorized persons might discover them.

   I.   User Chosen Passwords Must Not Be Reused: Users must not construct passwords that are identical or substantially similar to passwords that they had previously employed for the last ten (10) instances of changing passwords.

   J.   Suspected Disclosure Requires Password Changes: Aside from initial password assignment and password reset situations, if there is reason to believe that a password has been disclosed to someone other than the authorized user, the password must be immediately changed.

   K.   Unused Accounts Will Be Deleted: All user accounts that have not been used for one hundred eighty (180) days will be disabled from computer security files. To reestablish the account, the users must notify the Security Administrator and repeat the processes required of a new user.

   L.   Limit On Consecutive Unsuccessful Attempts To Enter Password: To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. After five (5) unsuccessful attempts to enter a password, the involved user ID will be suspended until reset by the Help Desk (X7272).

   M.   Assignment Of Expired Passwords: Wherever system software permits, the initial passwords issued to a new user by a network administrator must be valid only for the involved user's first online session. At that time, the user must be forced to choose another password before any other work can be done.

   N.   Display And Printing Of Passwords: Wherever system software permits, the display and printing of passwords must be masked, suppressed or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them.

   O.   Storage Of Passwords In Readable Form: Passwords must not be stored in readable form in batch files, automatic login scripts, software macros, web pages, in computers without access control, or in other locations where unauthorized persons might discover them.

   P.   Prevention Of Password Retrieval: Computer and communication systems must be designed, tested and controlled so as to prevent the retrieval of stored passwords, whether they appear in encrypted or unencrypted form.

   Q.   Reliance On Operating System User Authentication Process: Salt Lake City Corporation application systems developers must consistently rely on the password access controls provided by an operating system or an access control package that enhances the operating system. Developers must not construct separate mechanisms to collect passwords or user IDs, nor must they rely on other mechanisms to identify or authenticate the identity of users.

   R.   Changing Vendor Default Passwords: All vendor supplied default passwords must be changed before any computer or communications system is used for Salt Lake City Corporation business.

   S.   Password Change Procedure: The following procedure can be followed to change your password(s) on Salt Lake City Corporation computers:

      1.   From the desktop, use "control, alt, delete keys" and select change your password.

      2.   Call the Help Desk (X7272). (2019 Compilation)

   A.   Use For Business Purposes: Salt Lake City Corporation management encourages staff to use the internet for business purposes. If it is used for personal purposes, it should be done on personal, not company time and on a very limited basis. (See section 52-5-8, "Acceptable Use Procedure", of this chapter.)

   B.   Reliability Of Information From Internet: All information taken off the internet should be considered suspect until confirmed by another source. There is no quality control process on the internet, and a considerable amount of internet information is outdated, inaccurate or deliberately misleading.

   C.   Handling Software And Files Downloaded From Internet: All software and files downloaded from non-Salt Lake City Corporation sources via the internet (or any other public network) must be screened with virus detection software (see Virus Scanning Procedure). This screening must take place prior to being run or examined via another program, such as a word processing package.

   D.   Remote User Connections Through Internet Require Approved Firewalls, Antivirus Protection And Authentication: All remote user connections with Salt Lake City Corporation internal networks using the internet (or any other publicly accessible computer network) must include an approved firewall and antivirus system.

   E.   Approved Connecting Technologies Include Virtual Private Network (VPN) Or Dial-In Server (RAS):

      1.   All users wishing to establish a connection with Salt Lake City Corporation computers via the internet must authenticate before gaining access. This must be done via an extended user authentication process approved by the IMS Security Administrator.

      2.   Salt Lake City Corporation reserves the right to audit the security measures in effect on these connected systems without prior warning. Salt Lake City Corporation also reserves the right to immediately terminate network connections of any City remote users not meeting these requirements.

   F.   Approval Required For Third Party Network Connections:

      1.   City users may not establish internet or any other external network physical connections which could allow non-Salt Lake City Corporation users to gain access to Salt Lake City Corporation systems and information unless prior approval of the IMS Security Administrator has been obtained.

      2.   Third party connections with the Salt Lake City Corporation internal networks using the internet (or any other publicly accessible computer network) must include an approved firewall and antivirus system.

      3.   Salt Lake City Corporation reserves the right to audit the security measures in effect on these connected systems without prior warning. Salt Lake City Corporation also reserves the right to immediately terminate network connections with all third party systems not meeting such requirements.

   G.   Posting/Transferring Salt Lake City Corporation Material To Internet: Users must not place Salt Lake City Corporation material (software, internal memos, documentation, and all other types of internal information) on any publicly accessible internet computer system unless the posting has first been approved by the City Recorder's Office and/or the IMS Security Administrator.

   H.   Sending Sensitive Information Using Internet:

      1.   Salt Lake City Corporation secret, proprietary or private information must never be sent over the internet unless it has first been encrypted by approved methods. Unless specifically known to be in the public domain, source code must always be encrypted before being sent over the internet.

      2.   Staff must not send credit card numbers, login passwords or other security information or payments information via internet electronic mail if it is in readable (unencrypted) form. Readable electronic mail sent via the internet has the same security as a post card; sensitive information unsuitable for a post card must not be sent by internet electronic mail.

   I.   Tools Used To Break Systems Security Prohibited: Unless specifically authorized by the IMS Security Administrator, Salt Lake City Corporation employees must not acquire, possess, trade or use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include those which defeat software copy protection, discover secret passwords or identify security vulnerabilities. (2019 Compilation)

   A.   Overview: Information Management Services (IMS) intentions for publishing an Acceptable Use Policy are in support of Salt Lake City Corporation's established culture of openness, trust and integrity. IMS is committed to protecting Salt Lake City Corporation's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

   B.   Purpose Of This Procedure: The purpose of the information technology resources (e.g., e-mail, electronic voice, video communication, facsimile, internet/intranet/extranet related systems and future technologies) provided by Salt Lake City Corporation, is to support City agencies in achieving their mission and goals, and to improve City government in general.

   C.   General Use And Ownership; Privacy Of Records:

      1.   Salt Lake City Corporation is committed to respecting the rights of its employees, including their reasonable expectation of privacy. However, it is also responsible for servicing and protecting its electronic communication networks. Salt Lake City Corporation has the right to access and disclose the contents of electronic files, as required for legal, audit or legitimate operational or management purposes.

      2.   Do not transmit personal information about yourself or someone else using corporate resources without proper authorization. The confidentiality of such material cannot be guaranteed. E-mail and other electronic files may be accessible through the discovery process in the event of litigation. Each of these technologies may create a "record" and therefor are reproducible and subject to judicial use or a Government Records Access and Management Act (GRAMA) request for information.

   D.   Retention/Disposition Of Electronic Records: Just as with any other government record, electronic records are retained or disposed of in accordance with GRAMA. Refer to GRAMA or ask the City Recorder's Office if you need additional information or for guidance in this area.

   E.   Warnings/Corrective Actions: Each City agency shall review complaints or instances of unacceptable use brought to its attention. Violators are subject to corrective action and discipline and may also be prosecuted under City, State and Federal Statutes. (2019 Compilation)

Please refer to the following appendices for detailed information:

   A.   Access only files, data and protected accounts that are your own, that are publicly available, or to which you have been given authorized access.

   B.   Use corporate resources efficiently and productively. Refrain from monopolizing systems, overloading networks with excessive data, playing computer games or wasting computer time, connect time, disk space, printer paper or other corporate resources.

   C.   Be responsible for the use of your accounts. Under no circumstances shall you give your passwords to another person. Guard yourself against unauthorized access to your accounts. Follow City password procedures.

   D.   Seek the advice of the authorized supervisor responsible for any corporate resource if you are in doubt concerning your authorization to access that resource.

   E.   Conduct yourself as a representative of both the City agency and Salt Lake City Corporation as a whole.

   F.   Effective use of computer resources is important to Salt Lake City Corporation. To help improve the effectiveness of your use of these resources, incidental and occasional personal use is permitted, as long as such use does not:

      1.   Disrupt or distract the conduct of City business;

      2.   Involve solicitation;

      3.   Involve a for profit personal business activity;

      4.   Have the potential to harm the City; or

      5.   Involve illegal activities.