IT Computer Policy

Published on January 2017 | Categories: Documents | Downloads: 21 | Comments: 0 | Views: 198
of 51
Download PDF   Embed   Report

Comments

Content

Louisville Metro Government Information Security Policies
Effective September 1, 2005

TABLE OF CONTENTS

Definitions Policies 1.0 Governing Policy 1.1 Overview 1.2 Purpose 1.3 Policy 1.4 Mechanisms 1.5 Revisions 2.0 Acceptable Use Policy 2.1 Overview 2.2 Purpose 2.3 Scope 2.4 Policy 2.4(1) General Use and Ownership 2.4(2) Security and Proprietary Information 2.4(3) Unacceptable Use 2.4(3a) System and Network Activities 2.4(3b) Email and Communication Activities 2.4(3c) World Wide Web 2.4(4) Social Media Policy 2.5 LMPD Specific 2.6 Enforcement 2.7 Revisions 3.0 Password Policy 3.1 Overview 3.2 Purpose 3.3 Scope 3.4 Policy 3.4(1) General 3.4(2) Guidelines 3.4(2a) General Password Construction Guidelines 3.4(2b) Password Protection Standards 3.4(2c) Password Resets 3.5 Responsibilities 3.6 Enforcement 3.7 Revisions 4.0 User Account Policy 4.1 Overview 4.2 Purpose 4.3 Scope

4.4 Policy 4.4(1) Creations 4.4(2) Deletions 4.5 Enforcement 4.6 Revisions 5.0 Remote Access 5.1 Remote Access/VPN Policy 5.1(1) Overview 5.1(2) Purpose 5.1(3) Scope 5.1(4) Policy 5.1(4a) General 5.1(4b) Digital Subscriber Line (DSL) Connections 5.1(4c) Requirements 5.1(5) Enforcement 5.1(6) Revisions 5.2 Mobile Device Access Policy 5.2(1) Definitions 5.2(2) Overview 5.2(3) Purpose 5.2(4) Scope 5.2(5) Policy 5.2(5a) General 5.2(5b) MGOMD 5.2(5c) BYOD Requirements 5.2(5d) Passwords required to BYOD’s and MGOMD’s 5.2(5e) Lost or Stolen Device Policy for BYOD’s and MGOMD’s 5.2(5f) Termination of Service for BYOD’s and MGOMD’s 5.2(5g) Security Requirements 5.2(6) Enforcement for BYOD’s and MGOMD’s 5.2(7) Revisions 6.0 Software Policy 6.1 Overview 6.2 Purpose 6.3 Scope 6.4 Policy 6.5 Enforcement 6.6 Revisions 7.0 Incident Response Policy 7.1 Overview 7.2 Purpose 7.3 Procedure 7.4 Response 7.5 Revisions 8.0 Information Sensitivity Policy 8.1 Overview

8.2 Purpose 8.2(1) Public Information 8.2(2) Confidential Information 8.2(2a) Third-Party Confidential 8.3 Policy 8.3(1) Minimal Sensitivity 8.4 Enforcement 8.5 Revisions 9.0 Data Retention Policy 9.1 Overview 9.2 Purpose 9.3 Scope 9.4 Policy 9.4(1) Word Processing Files 9.4(2) Administrative Databases 9.4(3) Electronic Spreadsheets 9.4(4) Web Pages 9.4(5) Email 9.4(6) Other 9.5 Responsibilities 9.6 Enforcement 9.7 Revisions 10.0 Network Access/Configuration Policy 10.1 Overview 10.2 Purpose 10.3 Scope 10.4 Policy 10.4(1) Personal Computers and Servers 10.4(2) Networking Devices 10.5 Enforcement 10.6 Revisions 11.0 Data Center Access Policy 11.1 Overview 11.2 Purpose 11.3 Scope 11.4 Policy 11.4(1) Authorization 11.5 Enforcement 11.6 Revisions

Definitions

When used in these rules and regulations, the following words and phrases have the definitions indicated below, unless the context clearly indicates otherwise. ACCOUNT An assigned ID in combination with a password that allows access to network resources, email, shared systems, applications, etc. AFFILIATE Contractor, intern, temporary or vendor who is not explicitly employed by the Louisville Metro Government. CABLE MODEM A special type of modem that connects to a local cable TV line to provide a continuous connection to the Internet. CARD ACCESS SYSTEM Each employee is given an ID card for which appropriate levels of access are granted to enter certain facilities. COMPUTING ASSET Any electronic asset belonging to the Louisville Metro Govt (e.g. - personal computer, server, telephone, keyboard, monitor, fax, printer, etc). DATA Recorded information, regardless of form, media, or location on which it is recorded and maintained. DATA CENTER Refer to locations upon which key/core components of the Louisville Metro Government infrastructure are located. DIGITAL SUBSCRIBER LINE (DSL) A method for moving data at high-speeds over existing phone lines. DOMAIN NAME SERVER (DNS) Used to translate names to IP addresses and vice versa. DUAL-HOMING Having concurrent connectivity to more than one network from a computer or network device. DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) This is a protocol that lets network administrators centrally manage and automate the assignment of IP addresses. EMPLOYEE

A person employed in a position with Louisville Metro Government (temporarily, permanently, seasonal, part-time, etc.). END-USER Refers to the person that uses the applications, network and computing resources. FILE TRANSFER PROTOCOL (FTP) A standard Internet protocol to exchange files between computers through the Internet or local area network. FIREWALL A firewall is a set of related programs, located at a network gateway that protects the resources of a private network from users from other networks. FRAME RELAY A telecommunication service designed for cost-efficient data transmission for intermittent traffic between local area networks (LANs) and between end-points in a wide area network (WAN). FREEWARE Copyrighted software available for free, with no expectation of cost. HUB A common connection point for devices in a network commonly used to connect segments of a network. INTEGRATED SERVICES DIGITAL NETWORK (ISDN) A set of communications standards allowing a single wire or optical fiber to carry voice, digital network services and video. INTERNET PROTOCOL (IP) ADDRESS Every network-connected device is assigned this to gain access to resources and participate in network activity. INSTANT MESSAGING (IM) An application that alerts users when friends or colleagues are online and allows them to communicate with each other in real time through private online chat areas. INTERNET SERIVCE PROVIDER A company that provides Internet access. NETWORK An interconnected system of computers, printers, etc. PEER TO PEER (P2P) Networks that allow for the sharing and transfer of files.

PERSONAL FOLDERS (pst files) Folders created with Microsoft Outlook that can store saved emails. The folder is either saved on the local computer or on a network server. PROXY (Web Proxy) All Internet traffic flows through this too improve speed by caching web sites and controlling what is accessed. PROTOCOL Describes the manner in which two separate entities can establish communication. REMOTE ACCESS The hookup of a remote computing device via communications lines such as ordinary phone lines or wide area networks to access network applications and information. REMOTE DESKTOP PROTOCOL (RDP) Allows multiple users to be connected interactively to a computer and to the display of desktops and applications to remote computers. ROUTER A device that determines the next network point to which a data packet should be forwarded toward its destination. SECURE FILE TRANSFER PROTOCOL (SFTP) A secure version of the standard file transfer protocol. SECURE SHELL (SSH) An advanced protocol providing secure encrypted remote communications over an unsecured channel, such as the Internet. SECURITY INCIDENT The below are examples, but not limited to, what may define a security incident;  Any potential violation of Federal, State, or Local law involving a Louisville Metro Government information technology asset.  A breach, attempted breach, or unauthorized access of a Louisville Metro Government information technology asset. This may originate from within or outside of the Louisville Metro Government network.  Any Internet worms or viruses.  Any activity or conduct using in whole or in part a Louisville Metro Government technology asset which could be construed as harassing, or in violation of any Louisville Metro Government security policy (e.g.- viewing or forwarding of pornographic material, unacceptable use, etc.). SERVER

A computer on a network that is dedicated to a particular purpose and which stores all information and performs the critical functions for that purpose. SHAREWARE Copyrighted software available for downloading on a free, limited trial basis. SPAM Unsolicited "junk" e-mail sent to large numbers of people to promote products or services. SPLIT-TUNNELING Simultaneous direct access to a non-Louisville Metro Government network (such as the Internet, or a home network) from a remote device while connected into the Louisville Metro Government network via a VPN tunnel. SWITCH A device that filters and forwards packets between network segments. SYSTEMS MANAGEMENT SERVER (SMS) CLIENT Client software that allows administrators to centrally manage operating system security patches and service packs. TERMINAL SERVICES (TS) Allows multiple users to be connected interactively to a computer and to the display of desktops and applications to remote computers. TROJAN A malicious network software application designed to remain hidden on an infected computer. UNIVERSAL SERIAL BUS (USB) DEVICES Devices such as memory sticks, hard drives, CD/DVD recorders that enable storing or redistribution of data. VIRTUAL PRIVATE NETWORK (VPN) A network which uses the public network to transfer information using secure methods. VIRUS A malicious software program that usually spreads from one computer to another usually through sharing of infected files. WIRELESS ACCESS POINT (WAP) A hardware device or a computer's software that acts as a communication hub for users of a wireless device to connect to a wired LAN. WIRING CLOSET

A room or closet that is centrally located and contains operating data-communications and voice equipment, such as network hubs, switches, routers, cross connects, and PBXs. WORKSTATION A networked computer that uses server resources. WORM A malicious software program that usually spreads from one computer to another via computer networks.

1.0 Governing Policy 1.1 Overview A security policy is best described with the following definition; “A security policy establishes what must be done to protect information stored on computers. A policy contains sufficient definition of “what” to do so the “how” can be identified and measured or evaluated. An effective security policy also protects an organization and its people. Anyone who makes decisions or takes action in a situation where information is a risk incurs personal risk as well. A security policy allows people to take necessary actions without fear of reprisal. Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for users and the organization.” -Global Information Assurance Certification Basic Security Policy Version 1.4 February 27, 2001 In other words, a security policy is nothing more than a well-written strategy on protecting and maintaining availability to the Louisville Metro Government information resources. 1.2 Purpose The purpose of this policy is to establish the purpose and dynamics of the Louisville Metro Government Information Security Policies. 1.3 Policy The Governing Policy stands above all other Information Security Policies within the organization.    Due to a constantly changing technological world, these policies are under constant revision. It is the responsibility of all personnel within the Louisville Metro Government organization to read and understand these policies. Careful and ethical use of the Louisville Metro Government computing resources is the responsibility of every individual user and is governed by these policies.

  

These policies balance the rights of use by individual members of the Louisville Metro Government and the responsibility of the organization to deter abuse and mitigate risk. These policies apply to all units that fall under the Louisville Metro Government, including LMPD and all employees and affiliates that use or have access to the Louisville Metro Government information resources. Metro Technology Services will take the necessary security measures or control the allocation of resources with the least possible infringement on the legitimate computing activities of the individual users.

1.4 Mechanisms To provide the best possible computing resources to the Louisville Metro Government while fulfilling its legal and practical responsibilities for security and equitable resource allocation, the Louisville Metro Government will employ several practical mechanisms.  Educational – The Louisville Metro Government will educate its users. Through appropriate media - including but not limited to intranet sites, traditional publications, electronic communications and public forums – information technology personnel will inform users of new and continuing problems and will develop corrective actions and preventive measures expected of individual users in order to comply with their obligation to use Louisville Metro Government information resources responsibly. Legal – In the instances where the Louisville Metro Government is required by law to implement certain security measures, the Louisville Metro Government Metro Technology Services personnel will seek solutions that will have the least impact on the legitimate computing activities of individual users, while at the same time providing maximum security protection or optimal resource allocation. Technical – When the Louisville Metro Government Metro Technology Services personnel have identified a particular technology solution that is required to alleviate a security problem or to control the allocation of resources it will do the following; o Metro Technology Services will determine whether the problem is so urgent that it requires immediate action o If possible, potentially affected users will be notified, normally via an electronic communication o Metro Technology Services will adopt an appropriate solution to the problem and implement it, endeavoring to cause the least possible impact on the computing community





Questions or concerns regarding the Louisville Metro Government Information Security Policies will be directed to the Network Security Administrator at [email protected]. 1.5 Revisions 08-13-04 Original

09-27-04 Revised 01-20-05 Revised 2.0 Acceptable Use Policy 2.1 Overview The Louisville Metro Government is responsible and committed to protecting it’s employees, affiliates and the organization itself from illegal or damaging actions by individuals, either knowingly or unknowingly. Intranet/Internet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing email, web-browsing capabilities, FTP, are the property of the Louisville Metro Government. These systems are to be used for business purposes in serving the interests of the organization in the course of normal operations. Effective security is a team effort involving the participation and support of every Louisville Metro Government employee and affiliate who deals with information and information systems. It is critical that ALL computer users know these guidelines and conduct themselves accordingly. 2.2 Purpose The purpose of this policy is to outline the acceptable use of computer equipment/software within the Louisville Metro Government. These policies are in place to protect the employee (and affiliates) and Louisville Metro Government and it’s electronic assets. Failure to follow this policy exposes the Louisville Metro Government to risks including virus attacks, SPAM attacks, compromise of network systems/services, and legal issues. 2.3 Scope This policy applies to employees and affiliates of the Louisville Metro Government, including all personnel affiliated with third parties. This policy also applies to all equipment that is owned, leased or purchased by the Louisville Metro Government. These policies fall in line with Louisville Metro Government Human Resources policies 1.4-1.6 and 1.8 here: http://metronet.yes/Depts/HR/default.htm. 2.4 Policy 2.4(1) General Use and Ownership    The use of the Internet is for business purposes only. Data that is stored and created on the Louisville Metro Government systems becomes the property of the Louisville Metro Government. The Louisville Metro Government determines the reasonableness of personal use; employees will be guided by this policy.

   



Any information that may be deemed confidential and sensitive will have the proper steps taken (properly labeled and secured) to maintain its integrity. Information Sensitivity Policy and Data Retention Policy. For security and network maintenance purposes, members of the Louisville Metro Government Metro Technology Services may monitor equipment, systems and network traffic at any time, for any reason with or without cause. Louisville Metro Government reserves the right to audit network and systems on a periodic basis to ensure compliance with all IT Security policies. Louisville Metro Government employees and affiliates are responsible for reporting all weaknesses, security incidents and possible misuse of Louisville Metro Government information resources to IT Security. Incident Response Policy Users are responsible for reading all emails and notifications from Metro Technology Services concerning system downtime and upgrades.

2.4(2) Security and Proprietary Information  The information stored on the Louisville Metro Government information systems will be classified as either confidential or non-confidential. Information Sensitivity Policy. Examples of confidential information include, but not limited to, payroll information, employee information and protected health information. Employees will take all necessary steps to prevent unauthorized access to this information. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. All PC’s, laptops and workstations will be secured with a password-protected screensaver, locking the desktop or by logging off. Password Policy All systems that are used by an employee or affiliate that are connected to the Louisville Metro Government network must be loaded with Metro Technology Services approved antivirus software and current database. Please refer to the Louisville Metro Government Network and Access Policy. The release of information circumventing any open records procedure is prohibited.







2.4(3) Unacceptable Use The following activities are prohibited. Employees and affiliates may be exempted from these restrictions during the course of their legitimate job responsibilities. At NO time is an employee, or affiliate, of the Louisville Metro Government authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing the Louisville Metro Government owned resources. The lists below are by no means exhaustive, but attempt to provide a framework for activities that fall into the category of unacceptable use. 2.4(3a) System and Network Activities

The following activities are strictly prohibited, with no exceptions: 1. Violations of the rights of any person or company protected by copyright, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by the Louisville Metro Government. 2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the Louisville Metro Government or the end user does not have an active license is strictly prohibited. 3. Employee introduction of malicious programs into the network or on a server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.). 4. No employee or affiliate will reveal his or her User ID/password to anyone. 5. Using a Louisville Metro Government computing asset to actively engage in procuring or transmitting material that is in violation of federal, state or local laws. 6. Making fraudulent offers of products, items, or services originating from any Louisville Metro Government account. 7. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of their regular job functions. 8. Actively attempting to look for weaknesses within the Louisville Metro Government network is expressly forbidden. 9. Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty is forbidden. 10. Circumventing user authentication or security of any host, network or account. 11. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet. 12. Providing information about, or lists of, the Louisville Metro Government employees to parties outside the Louisville Metro Government without adhering to the Louisville Metro Government Human Resources Policy 1.6. 13. Use of Louisville Metro Government assets for personal gain (e.g. eBay, running Internet based business, etc). 14. Users must not waste resources by using Internet streaming video or audio without prior approval from Metro Technology Services. 15. Impeding an IT Security or Human Resources investigation. 16. The use of external peripherals such as USB devices that are capable of storing data are forbidden unless approved through the Department of Technology.

17. Engage in any activity that would bring discredit to the Louisville Metro Government. 2.4(3b) Email and Communication Activities The following is unacceptable use: 1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (SPAM). 2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages. 3. The Louisville Metro Government email system shall not be used for the creation or distribution of any disruptive or offensive messages; including offensive comments about race, gender, disabilities, age, sexual orientation, pornography, religious belief and practice, political beliefs, national origin or anything that may be deemed harassing in nature. 4. Unauthorized use, or forging, of email header information. 5. Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies. 6. Creating or forwarding of "pyramid" schemes of any type. 7. Excessive personal communication that would be deemed non-business related. Human Resources reserves the right to determine excessive. 8. The use of 3rd-Party web mail services such as Hotmail, AOL, Yahoo, etc. is prohibited; the Louisville Metro Government cannot guarantee the security of those systems. 9. The distribution of chain letters and jokes from a Louisville Metro Government email account is prohibited. 10. The use of email for personal gain (e.g. - running a business, shopping, items for sale, etc.) is forbidden. 11. The sending of any Louisville Metro Government information that may be deemed sensitive or confidential to non-authorized recipients whether internal or external to our network. 12. Personal folders (.pst files) within Outlook a. Pst files are unsupported b. Pst files are not to be used as long-term, continuous-use method of storing messages. c. The storage of business critical and sensitive information inside of pst files is prohibited. - Pst files are highly susceptible to corruption and the chances for recovery from backup are not highly successful. 13. The posting of Louisville Metro Government email addresses on Internet web sites or electronic mailing lists is forbidden unless it is implicitly required for an individual to perform their job function.

2.4(3c) World Wide Web It is expected that employees and affiliates will use the Internet to improve job knowledge; to access scientific, technical, and other information on topics that have relevance to the Louisville Metro Government; and to communicate with peers in other government agencies, academia, and industry. The following is unacceptable use: 1. Employees and affiliates of the Louisville Metro Government are advised not to use the Internet for any purpose, which would reflect negatively upon the organization. 2. Employees and affiliates shall not use Internet chat rooms, discussion boards and newsgroups unless these sessions have a direct relationship to the user’s primary job function. 3. Accessing, viewing, retrieving, downloading or printing text and graphics which exceeds the bounds of generally accepted standards of good taste and ethics or which could be deemed inappropriate workplace material is forbidden. 4. Engaging in any activity, which would compromise the security of any Louisville Metro Government host system. 5. Instant messaging, online gambling, gaming activity and peer-to-peer sharing network are forbidden. 6. The use of Internet streaming video and audio is forbidden, unless it has a direct relationship to the user’s primary job function (or permission has been explicitly granted from the Director of Technology). 7. Engaging in personal commercial activities on the Internet, including the offering of services or merchandise for sale or the ordering of services and merchandise from online vendors. 8. Attempting to bypass or circumvent the Louisville Metro Government’s Internet content filter is forbidden. 2.4(4) Social Media Policy In order to address the fast-changing landscape of the Internet and the way Metro employees communicate with citizens as well as other employees, the following represents Metro’s official Social Media Policy. This policy defines the appropriate guidelines required of a Louisville Metro employee that has been designated as a Social Networking Site Owner or Social Networking Site Contributor to Louisville Metro Sponsored Social Networking sites. DEFINITIONS: Social Networking Site—Internet accessible website such as Facebook, MySpace, Twitter, YouTube, etc., as well as blogging and forum sites.

Louisville Metro Sponsored Social Networking Site (hereinafter referred to as “Metro Social Networking Site”)—These sites are sponsored but not hosted by Louisville Metro Government and have the ability to publish articles, facilitate discussion of city issues, operations and services by providing members of the public a manner in which to participate or keep up to date with numerous Louisville Metro activities. Social Networking Site Owner (hereinafter referred to as “Owner”) —The employee who is the primary technical and content contact for the Metro Social Networking Site, responsible for setting the site up, establishing usernames and passwords for contributors and ensuring compliance to this Policy. Social Networking Site Contributor (hereinafter referred to as “Contributor”) — Employee(s) who has username and password access to the site and contributes site content following the guidelines within this Policy. POLICY: a) All Metro Social Networking Sites require written approval of the Department Director, Mayor’s Communications Office Director and the Director of Metro Technology Services, or their designees. Copies of the final written approval shall be kept by the Director of Metro Technology Services’ designee. b) Upon receiving required approval, agencies/departments are responsible for establishing, publishing and updating their pages on Metro Social Networking Sites to comply with this policy. The Mayor’s Office of Communications and Metro Technology Services reserve the right to monitor and update all Metro Social Networking Sites for adherence to this policy. c) Louisville Metro’s website (Louisvilleky.gov) is the city’s primary and predominant Internet presence. d) All Metro Social Networking Sites shall adhere to current Human Resources, Information Technology and departmental policies where applicable. Any exceptions must have written approval from the department director, Director of Human Resources and Director of Technology, or their appointed designees, prior to implementation. e) All Metro Social Networking Sites that provide for comments or postings shall contain a statement that Louisville Metro reserves the right to restrict or remove any content that is deemed noncompliant with Louisville Metro’s Social Media Policy or any applicable law. f) All Metro Social Networking Sites will contain a link back to Louisville Metro’s primary website when possible.

g) All Metro Social Networking Sites will contain verbiage stating the site is an official site of Louisville Metro Government. Additionally, if the official site contains any links that are unofficial, the following verbiage should also be included on the site. “Links to external sites do not constitute endorsements by Louisville Metro Government and Louisville Metro Government does not guarantee the authenticity, accuracy, appropriateness or security of the link, website or content linked hereto.” h) All content, comments and replies posted on Metro Social Networking Sites are subject to the Kentucky Open Records Act. All sites shall clearly indicate that any article and any other content posted or submitted for posting are subject to public disclosure under the Kentucky Open Records Act. The site shall include a notification that public disclosure request must be directed to the department’s public disclosure officer or to the Office of Management and Budget as the official custodian of Metro Louisville records. i) Kentucky state law and relevant Metro Louisville records retention schedules apply to formats and content on Metro Social Networking Sites, including list of subscribers/followers as well as all posts or discussions. All information and records shall be maintained pursuant to a relevant records retention schedule for the required retention period and in a format that preserves the integrity of the original record and is easily accessible. j) Content or comments containing any of the following shall not be allowed for posting on any Metro Social Networking Site. If a comment is posted violating any of the below conditions, it shall be immediately removed upon discovery. 1) Any content that is in violation of federal, state, local laws or this policy 2) Comments not topically related to the particular site or blog article being commented upon 3) Profane language or content 4) Content that promotes, fosters or perpetuates discrimination on the basis of race, sex, creed, color, age, religion, gender identity, marital status, status with regard to public assistance, national origin, physical or mental disability or sexual orientation 5) Sexual content or links to sexual content 6) Conduct or encouragement of illegal activity 7) Harassing language or threats of physical or bodily harm 8) Information that may tend to compromise the safety or security of the public or public systems 9) Content that violates a legal ownership interest of any other party 10) Comments in support of or opposition to political campaigns or ballot measures 11) Content that attempts to solicit business or other commercial activity 12) Defamatory, libelous, offensive or demeaning material. 13) Engaging in combative exchanges. 14) Nonpublic information of any kind.

15) Personal, sensitive or confidential material of any kind. 16) Items involved in litigation or potential litigation. k) All Louisville Metro employees responsible for maintaining Metro Social Networking Sites as an Owner or Contributor shall setup a unique Louisville Metro email address and mailbox to register and administer the site; e.g. [email protected]. l) All Louisville Metro employees responsible for maintaining Metro Social Networking Sites as an Owner or Contributor shall be trained regarding this policy, including their responsibilities to review content submitted for posting to ensure compliance with this policy and with other applicable Metro Policies. m) Any Louisville Metro employee that chooses to participate on Metro Social Networking Sites during business hours must obtain departmental director level approval in writing with valid business need. A copy of this written approval shall be kept by the Department Director or designee. n) Any Louisville Metro employee that uses any Metro Social Networking Site or posts on other sites in the employee’s official Metro capacity should use a separate “official” profile. It is important to differentiate between an employee’s identity as a citizen and an employee’s identity as a public servant. Only Louisville Metro business should be conducted by employees on Metro Social Networking Sites. o) Any employee that fails to comply with this policy may be subject to disciplinary action up to and including termination of employment. p) Employees wishing to start a new Metro Social Networking Site should call the Louisville Metro Service Desk at 574-4444 to begin the process. 2.5 Louisville Metro Police Specific These policies are specific to the Louisville Metro Police Department.    Users shall keep their personal computers on at all times to allow software and configuration updates to be delivered during non-peak hours. Users are not to remove the labels or change the labels placed on equipment by the LMPD ITC. Users are not to move equipment without the approval of the LMPD ITC. (This includes moving computers to another desk, moving printers, moving network equipment, etc.) Users will not store data on their desktops. Storing data on the desktop increases log on time, as the data is made part of the user’s profile. If a users profile becomes damaged, it is possible for data on the desktop to be lost. Creating shortcuts on the desktop that point to data on the network drive will be used



instead.    All software used to access the Internet shall be configured to use the ISA http proxy. All wiring must be installed by a contractor approved by the Louisville Metro Police Department ITC. No personal or confiscated computers, technology equipment (scanners, digital cameras, USB devices, etc.) are to be used or connected to the LMP network that has not been approved by LMPD ITC. Upon meeting requirements, the items may be approved. Any equipment attached to the LMPD network becomes the property of the LMPD ITC.



2.6 Enforcement Any employee (or affiliate) found to have violated this policy will be subject to disciplinary action, up to and including termination of employment. For a comprehensive listing of Information Security Policies please visit the following; http://metronet.yes/Departments/IT/ 2.7 Revisions 07-01-03 Original 06-18-04 Revised 07-14-04 Revised 09-29-04 Revised 12-06-04 Revised 01-20-05 Revised 05-08-12 Revised 3.0 Password Policy 3.1 Overview Passwords are an important aspect of computer security. They are the first line of defense for the protection of system accounts that have access to network resources. A poorly chosen password or a password written and left in the open, could result in a compromise of network resources. As such, all Louisville Metro Government employees and affiliates are responsible for following the appropriate steps, as outlined below, to select and secure their passwords. 3.2 Purpose

The purpose of this policy is to establish a standard for creation of complex passwords, the protection of those passwords, and the frequency of change. 3.3 Scope The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides within the Louisville Metro Government facility, has access to the Louisville Metro Government, or stores any non-public Louisville Metro Government information. This policy for user accounts and passwords will improve the likelihood that the identification of the user is correct and that a user's access is controlled effectively. Both are important in ensuring the City of Louisville's network services remain secure. 3.4 Policy 3.4(1) General      All system-level passwords (Domain Admin, root, enable, application admin accounts, etc.) must be changed on a quarterly basis, every 90 days. All user-level passwords (Email, web, desktop computers, etc.) must be changed on a quarterly basis, every 90 days. Passwords must NEVER be inserted into email messages or any other forms of electronic communication. Passwords must NEVER be shared. All user-level and system-level passwords must conform to the guidelines below.

3.4(2) Guidelines 3.4(2a) General Password Construction Guidelines Passwords are used for various reasons within the Louisville Metro Government. Therefore it is essential to be conscious in the selection of strong passwords. Poor, weak passwords have the following characteristics:     The password contains less than eight characters The password is found in a dictionary (English or foreign) Previously used passwords The password is a common usage word such as: o Names of family, pets, friends, co-workers, etc. o Computer terms and names, commands, sites, companies, hardware, software o Birthdays and other personal information such as addresses and phone numbers o Words or number patterns like aaabbb, qwerty, 123321, etc (or spelled backwards)

o Any of the above pro/preceded by a digit (e.g., secret1, 1secret). Strong passwords have the following:
  

  

Contain both upper and lower case characters (e.g., a-z, A-Z) Have digits and special characters such as, 0-9, @#$%^&*()_+ Are at least 8 characters long with at least one of the characters listed above embedded Are not in any language, slang, dialect, jargon, etc. Are not based on personal information, names of family, etc. Passwords will never be written down or stored on-line

3.4(2b) Password Protection Standards Do not use the same password for Louisville Metro Government accounts as for non-Louisville Metro Government accounts (e.g., personal ISP account, personal web mail, financial institutions, etc.). Do not share Louisville Metro Government passwords with anyone. All passwords are to be treated as confidential Louisville Metro Government information. Here is a list of “don’ts”:        Don’t reveal a password over the phone to ANYONE Don’t reveal a password in an email message Don’t reveal a password to a supervisor Don’t talk about a password in front of others Don’t reveal a password on questionnaires or security forms Don’t share passwords with family members Don’t reveal passwords to co-workers while on vacation

Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including PDA’s, cell phones or similar devices) without encryption. Passwords must be changed at the pre-determined interval of 90 days. If an account or password is suspected of being compromised, report the incident immediately. Metro Technology Services may perform password cracking or guessing on a periodic or random basis. If a password is cracked or guessed during one of these audits, the user will be required to change it. 3.4(2c) Password Resets

If a password reset is required, the user must call the Help Desk and give their account name and last 4 of their SSN# in order to have their password reset. If your Department has a designated Technical Liaison, they can reset the password for you.

3.5 Responsibilities 3.5(1) Department Responsibility The protection of the Louisville Metro Government technology resources is a basic responsibility of all employees. Each employee is responsible for security within his or her area. Department managers are responsible for ensuring all employees know and understand their obligations to protect information resources. Therefore, each manager must ensure that security implementation procedures and practices are promulgated and enforced in accordance with this security policy. 3.5(2) Employee/Affiliate Responsibility User accounts will be individually owned in order to maintain accountability. Passwords are established at the individual level, the user will be held responsible for all actions taken with their account. There will be no shared or group accounts created. Where supported, the system must be able to display the last use of the individual's account so that unauthorized use may be detected. To prevent individuals from attempting to logon to accounts by guessing passwords, accounts will be locked after three consecutive invalid login attempts. Password resets must follow the policy stated herein for password length/composition. Default passwords are not to be used. Workstations must be secured anytime the PC is left unattended. Employees must log off, lock the computer or activate a password-protected screen saver each time the workstation is left unattended. Use of the screen saver idle time lock activation is required. 3.5(3) Department of Technology Responsibilities Metro Technology Services support technicians may be required to ask for your password in the troubleshooting process. If so, the password must be changed upon the user’s next login. All users will be automatically prompted to change their password every 90 days. You will be notified several days in advance of the expiration date. You will select and enter a new password at your earliest convenience. If you do not comply within the grace period and allow your password to expire, your account will be locked and you will need to call the Help Desk to request the account be reactivated.

Metro Technology Services will periodically monitor compliance with the Louisville Metro Government Password Policy. Passwords that do not meet the requirements of the policy will be detected and corrective action initiated. This could result in your account being locked. 3.6 Enforcement If someone requests or demands a password from you, refer them to this document or have them contact the Metro Technology Services Security Administrator at [email protected]. Metro Technology Services will perform password cracking or guessing on a periodic or random basis. If a password is cracked or guessed during one of these audits, the user will be required to change it. Any employee found to have violated this policy will be subject to disciplinary action, up to and including termination of employment. 3.7 Revisions 01-01-02 Original 06-15-04 Revised 09-15-04 Revised 09-28-04 Revised 01-20-05 Revised 4.0 User Account Policy 4.1 Overview This policy addresses the creation and deletion of user accounts on the Louisville Metro Government network. Due to the numerous account activations and subsequent departures it is imperative that this policy be followed to minimize the impact and administrative overhead of user system accounts. Without proper notification unused system accounts increase the potential for misuse, and the proper re-allocation of server space. 4.2 Purpose The purpose of this policy is to ensure proper creation, activation and deletion of user accounts within the Louisville Metro Government. This involves active and direct participation amongst departmental supervisors/managers and Metro Technology Services personnel. 4.3 Scope This policy applies to all users with accounts, requesting accounts, terminating their access, and departmental supervisors/managers. All other applicable IT Security Policies apply.

4.4 Policy 4.4(1) Creation Metro Technology Services personnel or the authorized Technical Liaisons within the organization will create all accounts. If the accounts are application specific only authorized personnel of those applications will create the accounts. Only the required level of access will be assigned to the account for the user to perform the function of the account. If an account is created for a user that has a known departure date (and the system allows it), the account must be set to be disabled and then deleted within 7 days of the departure date. 4.4(2) Deletion Upon notification of departure or termination it is the responsibility of that user’s supervisor/manger to report it immediately to Metro Technology Services so the departing user’s accounts can be disable/deleted and any information that may be required can be retrieved. 4.5 Enforcement Metro Technology Services will perform account audits at random periods to determine “dead” accounts. If an account has not logged into its perspective system within an allotted timeframe determined by Metro Technology Services the account will be disabled and then deleted. All associated mailboxes and home folders will also be deleted. 4.6 Revisions 01-12-05 Original
5.0 Remote Access 5.1 Remote Access/VPN Policy 5.1(1) Overview Remote access/VPN technology (Virtual Private Network) allows Louisville Metro Government employees and affiliates connect to the Louisville Metro Government network via the Internet in a secure manner. This provides the ability to work from home and other locations not directly connected to the Louisville Metro Government network. 5.1(2) Purpose The purpose of this policy is to define standards for connecting to the Louisville Metro

Government’s network from any host outside the network. These standards are designed to minimize the potential exposure to the Louisville Metro Government from damages, which may result from unauthorized use of Louisville Metro Government technology resources. Damages include the loss of sensitive or organizational confidential data, intellectual properly, damage to public image, damage to critical Louisville Metro Government internal systems, etc. 5.1(3) Scope (a) This policy applies to all Metro Government employees, contractors, temporary workers, vendors, agencies, and agents requesting access to Metro Government resources. This policy applies to remote access conditions used to do work on behalf of the Louisville Metro Government, including reading or sending of email, files, vendor support and viewing Intranet web resources.
(b) This policy also applies to the use of Louisville Metro Government owned PC’s that are computer connected to the Louisville Metro Government network via DSL through VPN.

(c) Remote access implementations that are covered by this policy include, but are not limited to wireless, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, FTP, Terminal Services and cable modems. 5.1(4) Policy (a) General (i) It is the responsibility of Metro Government employees and affiliates with remote access privileges to the Metro Government’s network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to Metro Government resources. (ii) General access to the Internet for recreational use via a Louisville Metro Government remote access account by employees or their immediate household members through the Metro Government is forbidden. (iii) All Louisville Metro Government IT Security and Acceptable Use Policies, as well as record retention and open records requirements for Metro Government records apply to remote access accounts and usage. (iv) All persons having signature authority for approving remote access will be aware that there are costs associated with and security risks involved with persons having the ability to access Metro-owned network resources remotely. Approval will only be granted if there are significant business reasons to do so. (v) Metro Government vendors requesting remote access to support an implementation of their software will do so via Remote Desktop Protocol (RDP)/Terminal Services (TS). (vi) When there is a business requirement to transfer files in and out of the Louisville Metro Government network it will be encrypted and transmitted

through Secure File Transfer Protocol (SFTP) to ensure its integrity and security. (vii) Any and all costs associated with accessing the Louisville Metro Government’s resources remotely are the responsibility of the requesting department. Costs may include, but are not limited to, costs associated with procurement of a computer, Internet Service Provider (ISP) costs, etc. The department manager will determine what costs the agency will absorb and what costs, if any, the remote user will incur for this service. Metro Technology Services is not responsible for absorbing any costs associated with employees and affiliates accessing the Metro Government’s resources remotely. (b) Digital Subscriber Line Connections This section applies to Louisville Metro Government Agencies that connect to our internal network through DSL connections through VPN and agencies that require or provide personal computers to the public for Internet or general usage. When in implementation, all personal computers connected in this manner while follow the guidelines set in all Louisville Metro Government Information Security Policies. Metro Technology Services must have the ability to centrally manage the computers. (c) Requirements (i) A “Remote Access Request Form” must be submitted to Metro Technology Services prior to remote access privileges being granted (except for DSL through VPN connections). (ii) Secure remote access must be strictly controlled. User ID’s/ passwords will be assigned by Metro Technology Services. (iii) At no time will any Louisville Metro Government employee or affiliate provide his/her login password or account to anyone, not even family members. (iv) Louisville Metro Government employees and affiliates with remote access privileges must ensure that their company-owned or personal computer or workstation, which is remotely connected to the Louisville Metro Government’s corporate network, has properly installed anti-virus software utilizing current anti-virus detection definitions, management software and current operating system and application security patches installed. (v) Reconfiguration of a home user’s equipment for the purpose of split-tunneling or dual homing is not permitted at any time. (vi) When remote access is no longer required, it is the department's responsibility to notify Metro Technology Services so access can be terminated. (vii) Remote Access privileges remain in effect for a period of one year. Metro Technology Services will require each remote user (or agency) to submit a new request form, re-authorizing their access.

(viii) Organizations/ personnel who wish to implement non-standard remote access solutions to the Louisville Metro Government production network must obtain prior approval from Metro Technology Services. 5.1(5) Enforcement Any employee/affiliate found to have violated this policy will be subject to disciplinary action, up to and including termination of employment. 5.1(6) Revisions 03-01-04 Original 06-24-04 Revised 07-19-04 Revised 09-29-04 Revised 01-20-05 Revised

5.2

Mobile Device Access Policy 5.2(1) Definitions The following definitions shall apply in Section 5.2 of the IT Policy, and are in addition to the Definitions stated at the beginning of the IT Policy. (a) BLUETOOTH. Technology used for wireless headsets, transfer files and sync devices. (b) BYOD (Bring Your Own Device). A device such as a cell phone, or tablet that is owned by the End-User. (c) CHARGING CABLE. The cable utilized to charge a device off of a computer. This does not include chargers that plug directly into an electrical outlet. (d) ENCRYPTION LEVELS. The amount of encryption used by a vendor. Examples of encryption include 128bit AES. (e) GPS. A Global Positioning System. (f) INTERNAL SYSTEMS. Any electronic asset, belonging to Metro Government (e.g. – personal computer, server, telephone, keyboard, monitor, fax, printer, etc). (g) METRO GOVERNMENT. Louisville/Jefferson County Metro Government. (h) MDA. Mobile Device Access (MDA), which is technology used to provide access to Internal Systems through an encrypted and secure mechanism. (i) MGOMD. A Metro Government Owned Mobile Device. (j) MDM ADMINISTRATOR. Mobile Device Management and Metro Technology Services teams. (k) MDMSM. A Mobile Device Managed Secure Mechanism such as Virtual Private Networking(VPN). (l) MOBILE DEVICE COORDINATOR or DEPARTMENT TECHNOLOGY COORDINATOR. A department’s service level manager or technical liaison. (m) MOBILE DEVICE. Any tablet, e-reader, or smartphones, including but not limited to devices such as an IPhone, Ipad, Amazon Kindle, Motorola tablet, etc. (n) MDA PRIVILEGES. The right to use a mobile device to gain access to Metro Government Internal Systems after approval is granted by an employee’s or affiliate’s Department Director. (o) OPERATING SYSTEM. An internal program used to run a mobile device. (p) PGP. An encryption application written to encrypt files, folders, and email, known as Pretty Good Privacy. (q) SYNC. The use of wireless or cellular access to synchronize data between a mobile device and a computer.

(r) SYNC CABLE. A cable utilized to synchronize data between a mobile device and a computer. (s) VIRUS PROTECTION. An antivirus utilized to guard a machine or device from malicious software, including but not limited to software such as McAfee, Symantec, etc. 5.2(2) Overview MDA allows Metro Government employees and affiliates the ability to use Mobile Devices to connect to the Metro Government Internal Systems through a MDMSM. Refer to the Definitions section at the beginning of this policy for a complete listing of acronyms and terminology. 5.2(3) Purpose The purpose of this policy is to define standards and best practices for connecting to the Metro Government’s Internal Systems from mobile devices. These standards are designed to minimize the potential exposure to the Metro Government from damages, which may result from unauthorized use of Metro Government Internal Systems. Damages may include but not be limited to the loss of sensitive or organizational confidential data, intellectual properly, damage to public image, damage to critical Metro Government Internal Systems, etc. 5.2(4) Scope (a) This policy applies to all Metro Government employees and affiliates that may request access to Metro Government’s Internal Systems. This policy applies to MDA conditions used to do work on behalf of the Metro Government, including reading or sending of email, files, vendor support, viewing Internal Systems, and in times of emergencies. (b) This policy applies to BYOD and MGOMD that have access to Metro Government’s Internal Systems via connection by wireless, cellular, or computer connected cables. 5.2(5) Policy (a) General (i) It is the responsibility of End-Users with MDA privileges to ensure that the End-Users’ mobile device connection complies with all Information Technology Security and Acceptable Use Policies, as well as following record retention and open records requirements for Metro Government records. (ii) A completed “Mobile Device Access Request Form” must be submitted to Metro Technology Services prior to MDA privileges being granted. (iii) Any and all costs associated with MDA to Metro Government’s Internal Systems are the responsibility of the requesting department. Costs may

include, but are not limited to, costs associated with procurement of a mobile device, Cellular Data Service and Internet Service Provider costs, licenses, etc. The department director will determine what costs the agency will absorb and what costs, if any, the End-User will incur for this service. (iv) End-Users with MDA privileges must read all messages sent from Metro Technology Services regarding MDA. (v) Metro may inventory applications and the operating system that are installed on mobile devices to determine if the device meets Metro Government’s security requirements prior to the device being allowed access. (vi) Metro may capture the mobile device’s IEMEI Number, IP Address, Cellular Network Carrier, and Phone Number if applicable for device identification. (vii) Pursuant to Metro Government’s Personnel Policies, Section 1.14(8), employees are prohibited from writing, sending, searching, or reading textbased communication when driving a Metro Government vehicle, when driving a personal vehicle on official Metro Government business, or when using electronic equipment supplied by Metro Government, except as may be allowed by KRS 189.292(3), which can be found at http://www.lrc.state.ky.us/krs/189-00/292.pdf. (viii) A Department Director should consider the costs associated with, and security risks involved with, allowing End-Users to access Metro Government Internal Systems. Approval will only be granted if there are significant business reasons to do so. Examples of significant business reasons might include, but not be limited to, allowing access when an End-User is traveling, ill, working off-hours, on call, or when emergencies may prevent being present at work. Other considerations might include increasing productivity, reducing over-time, etc. (ix) Per Metro Government’s Personnel Policies, Section 4.3(3), agency heads must give approval in advance for employees to work in excess of the applicable standard workweek. MDA privileges do not create an exception to Section 4.3(3), so any End-User must obtain approval in advance for the use of the MDA privilege that may result in the accrual of overtime. (x) End-Users with MDA privileges must ensure that any mobile device, whether BYOD or MGOMD, which has access to the Metro Government’s network, has a current operating system and application security patches installed. (xi) End-Users or others who wish to implement non-standard MDA solutions to the Metro Government Internal Systems must obtain prior written approval from Metro Technology Services. (b) MGOMD This section only applies to mobile devices owned and supplied by Metro Government. (i) All MGOMD devices must be inventoried and tagged by Metro Technology Services and provided access. All MGOMD’s will be configured with Metro

Technology Services’ standard security policies and configuration prior to being provided to a department or an End-User. (ii) The installation and usage of applications on MGOMD is subject to approval from Metro Technology Services or the mobile device coordinator for that department. 1. All End-Users must agree to not install or use unapproved applications. 2. All End-Users must agree not to modify the mobile device configuration without consent from Metro Technology Services or without the direction of an approved Metro Government technical support provider. (iii) The use of unapproved, third-party file transfer services, such as DropBox, where data is transported without Metro Government approved data monitoring and policy management, or to storage locations outside the Metro Government network is expressly forbidden. (c) BYOD Requirements This section only applies to BYOD. (i) Metro Government is not responsible for the replacement of a BYOD, or for data plan overages, and/or application store purchases incurred on a BYOD. (ii) Metro Government is not responsible for data loss resulting from use of the MDA service. End-Users are encouraged to securely back up any personal data on a BYOD at regular intervals to minimize any potential data loss. (iii) Metro Government provides limited technical support strictly for the purpose of granting access for MDA to BYOD’s. All other technology support needs are the responsibility of the End-User. (iv) End-Users with a BYOD wishing to access the MDA Infrastructure must have a device with an operating system that meets the following requirements to be evaluated for use. These requirements are subject to change without notice. 1. Encryption Levels set forth by current and supported standards for mobile devices and/or an encrypted storage area must be utilized to protect Metro Government Internal Systems and to hold Metro Government’s data. 2. BYOD must support remote wipe capability by Metro Technology Services. a. The BYOD must support minimum of a 4 digit rotating pin to unlock the device and to unlock the encrypted storage area on the device that holds Metro Government’s data. b. The BYOD must have Virus Protection and Firewall protection if it is available for the mobile device. c. The BYOD must support required application versions as set forth by the department and Metro Technology Services.

(v) MDA of a BYOD will not be allowed if the BYOD has been “Modified”, “Jail Broken” or “Rooted.” (vi) Bluetooth must be set to require a prompt for access by password when not in use to prevent unauthorized access. (vii) If available, a BYOD wireless connection will be configured to prompt the user for approval before establishing a connection to any wireless network. (viii) An End-User of a BYOD shall not ever connect their personal device to a Metro Government computer with a sync or charging cable. (d) Passwords required to BYOD’s and MGOMD’s (i) Secure MDA must be strictly controlled. User ID’s, passwords, and access codes will be assigned by Metro Technology Services. 1. Mobile devices will have a password enforced and configured with an auto locking timer. All mobile devices should block access to the device until a valid password is provided. 2. Devices will be configured to automatically wipe after 10 failed unlock attempts. (ii) At no time will any Metro Government employee or affiliate provide his/her login, device password, or account to anyone, not even family members. (e) Lost or Stolen Device Policy for BYOD’s and MGOMD’s (i) GPS will be enabled for all mobile devices supporting location services and any access accounts required to support mobile device recovery will be shared and maintained by the MDM Administrator. This will allow the mobile device, in case it is lost or stolen, to be traced and potentially recovered by the authorities. (ii) It is the responsibility of the End-User to report a lost or stolen mobile device to the authorities and Metro Technology Services to prevent unauthorized access to the device and Metro Government’s Internal Systems. (iii) Remote Wipe will be enabled on the mobile device in the event the device is lost or stolen. Metro Technology Services reserves the right to remotely wipe any device lost or stolen to protect the integrity of the data contained on the mobile device and to prevent unauthorized access to Metro Government resources. (iv) A mobile device provided by Metro Government is the End-User’s responsibility. If the mobile device is lost or broken by the End-User, the EndUser may be responsible for the replacement value of the mobile device as deemed by Metro Technology Services or the department technology coordinator. (f) Termination of Service for BYOD’s and MGOMD’s

(i) When MDA is no longer required due to termination of employment with Metro or for any other reason, it is the End-User department's responsibility to notify Metro Technology Services so access can be promptly terminated. (ii) Metro Government data will be removed from a mobile device upon the termination of the MDA agreement. (g) Security Requirements (i) When there is a business requirement to transfer large files in and out of the Metro Government Internal Systems it will be encrypted and transmitted through SFTP or PGP to ensure its integrity and security. (ii) An End-User is not permitted to alter the security software configuration of the mobile device. (iii) For MGOMD the End-User is responsible for bringing or sending the mobile device to the IT Security Department and handing over necessary device access codes when notified that the device has been selected for a physical security audit, or in the event the device is needed for e-discovery purposes. 5.2(6) Enforcement for BYOD’s and MGOMD’s (a) Any End-User found to have violated this policy will be subject to termination of MDA and/or disciplinary action, up to and including termination of employment or a contract. (b) Violation of any of this policy may result in revocation of use of the MDA and removal of Metro data from the mobile device. If a violation occurs, a report will be made to the end user’s supervisor for potential disciplinary action, up to and including termination. (c) Metro Technology Services Security reserves the right to terminate MDA at any time if a security incident is detected. 5.2(7) Revisions
    Original Draft – 9/7/2012  

5.4 Policy 5.4(1) General  It is the responsibility of Metro Government employees and affiliates with remote access privileges to the Metro Government’s network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to Metro Government resources. General access to the Internet for recreational use via a Louisville Metro Government remote access account by immediate household members through the Metro Government is forbidden. All Louisville Metro Government IT Security Policies apply to remote access accounts and usage.

 







All persons having signature authority for approving remote access will be aware that there are costs associated with and security risks involved with persons having the ability to access Metro-owned network resources remotely. Approval will only be granted if there are significant business reasons to do so. Metro Government vendors requesting remote access to support an implementation of their software will do so via Remote Desktop Protocol (RDP)/Terminal Services (TS). When there is a business requirement to transfer files in and out of the Louisville Metro Government network it will be encrypted and transmitted through Secure File Transfer Protocol (SFTP) to ensure its integrity and security.

Any and all costs associated with accessing the Louisville Metro Government’s resources remotely are the responsibility of the requesting department. Costs may include, but are not limited to, costs associated with procurement of a computer, Internet Service Provider (ISP) costs, etc. The department manager will determine what costs the agency will absorb and what costs, if any, the remote user will incur for this service. Metro Technology Services is not responsible for absorbing any costs associated with employees and affiliates accessing the Metro Government’s resources remotely. 5.4(1a) Digital Subscriber Line Connections This section applies to Louisville Metro Government Agencies that connect to our internal network through DSL connections through VPN and agencies that require or provide personal computers to the public for Internet or general usage. When in implementation, all personal computers connected in this manner while follow the guidelines set in all Louisville Metro Government Information Security Policies. Metro Technology Services must have the ability to centrally manage the computers.

5.4(2) Requirements     A “Remote Access Request Form” must be submitted to Metro Technology Services prior to remote access privileges being granted (except for DSL through VPN connections). Secure remote access must be strictly controlled. User ID’s/ passwords will be assigned by Metro Technology Services. At no time will any Louisville Metro Government employee or affiliate provide his/her login password or account to anyone, not even family members. Louisville Metro Government employees and affiliates with remote access privileges must ensure that their company-owned or personal computer or workstation, which is remotely connected to the Louisville Metro Government’s corporate network, has properly installed anti-virus software utilizing current anti-virus detection definitions,

   

management software and current operating system and application security patches installed. Reconfiguration of a home user’s equipment for the purpose of split-tunneling or dual homing is not permitted at any time. When remote access is no longer required, it is the department's responsibility to notify Metro Technology Services so access can be terminated. Remote Access privileges remain in effect for a period of one year. Metro Technology Services will require each remote user (or agency) to submit a new request form, re-authorizing their access. Organizations/ personnel who wish to implement non-standard remote access solutions to the Louisville Metro Government production network must obtain prior approval from Metro Technology Services.

5.5 Enforcement Any employee/affiliate found to have violated this policy will be subject to disciplinary action, up to and including termination of employment. 5.6 Revisions 03-01-04 Original 06-24-04 Revised 07-19-04 Revised 09-29-04 Revised 01-20-05 Revised 6.0 Software Policy 6.1 Overview Throughout the Louisville Metro Government there are multiple software applications that are used to support the organization. There are also many freely available, departmentally purchased, personally owned, etc. software applications that have been found to be installed on Louisville Metro Government computers. As such, all Louisville Metro Government employees and affiliates are responsible for following this policy to ensure the stability and integrity of the information infrastructure remains intact. 6.2 Purpose The purpose of this policy is to establish a baseline for software that is installed and supported on the Louisville Metro Government personal computers. It also pertains to unlicensed, illegally

copied/distributed, potentially damaging and resource intensive applications that could have negative impacts on the stability of the production network. 6.3 Scope The scope of this policy includes all personnel who use a personal computer (PC’s) and servers on the Louisville Metro Government network. 6.4 Policy As an employee/affiliate of the Louisville Metro Government it is the user’s responsibility to ensure that all software has been approved and licensed to be used by Metro Technology Services. Almost all software has a License Agreement that is displayed upon installation, it is important that that agreement be read and understood prior to installation.       All software that has not been pre-approved by Metro Technology Services will be considered in violation of this policy. There shall be no computer installed with a server class operating system that is not pre-approved by Metro Technology Services. If a personal computer on the Louisville Metro Government network is found to have unapproved software, the Louisville Metro Government retains the right to remove the application and/or disconnect the machine from the network. If there is a software application that a department or personnel are looking into purchasing, it essential to contact Metro Technology Services to ensure compatibility and security are in line with this and all other applicable IT Security Policies. All software purchased by the Louisville Metro Government is owned by the Louisville Metro Government and may not be used for personal use, financial gain, copied or redistributed to non-authorized persons. No peer-to-peer, freeware, non-standard screensavers, shareware, games, personally owned software or chat (Instant Messaging) software is allowed.

6.5 Enforcement The Louisville Metro Government’s Metro Technology Services retains the right to scan the network for installed software on all computers to ensure compliance with this policy. Any employee found to have violated this policy will be subject to disciplinary action, up to and including termination of employment. 6.6 Revisions 06-28-04 Original 07-19-04 Revised 09-28-04 Revised 01-20-05 Revised

7.0 Incident Response Policy 7.1 Overview Keeping the Louisville Metro Government information assets secure in today’s interconnected computing environment is a true challenge that becomes difficult as new technologies emerge. Threats from outside and inside our network pose incredible risks to the Louisville Metro Government information assets, not to mention the potential legal liabilities imposed. It is everyone’s responsibility to mitigate those risks and report them accordingly. 7.2 Purpose Due to a variety of issues, including the safety and privacy of all Louisville Metro Government employees and affiliates, it is imperative that all security related incidents be properly reported to their supervisors, Human Resources and/or to the IT Security Administrator. These are policies and procedures for the Louisville Metro Government employees and affiliates to report any potential security incidents. This policy will outline the anticipated response by the Metro Technology Services Security and Compliance Team. 7.3 Procedure Metro Technology Services Security and Compliance Team will be notified immediately of any suspected or real security incident involving a Louisville Metro Government information technology asset. With the exception of the steps outlined below, it is imperative that only the Security and Compliance Team personnel take any investigative or corrective action if the incident involves Louisville Metro Government technology asset. When faced with a potential security violation, employees and affiliates will take the following action:  If the incident involves a compromised computer system o DO NOT alter the state of the computer system o The computer will remain on and all of the currently running applications left as is. DO NOT shutdown the computer or restart the computer. o Immediately disconnect the computer from the network by removing the network cable from the back of the machine.  If the incident involves a potential violation of a Human Resource Policy then employees and affiliates will report the incident as described by Section 1.8 of the Human Resources Personnel Policies.  If the incident involves a compromised User ID and password the password must be reset immediately and the incident must be reported.  If it is unclear whether a situation will be considered a security incident, the IT Security Administrator will be notified to evaluate the situation, [email protected]. Security incidents involving possible violation of Federal, State, or Local laws will be reported immediately. The Security and Compliance Team in conjunction with Human Resources will work directly with any law enforcement agency as required. Document any information that

may pertain to the incident. This may include times, dates, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner. 7.4 Response  The Security and Compliance Team will first attempt to determine if the security incident justifies a formal incident response. o In cases where a security incident does not require an incident response, the situation will be forwarded to the appropriate person(s) to ensure all technology support services required are rendered. An incident response may range from getting a critical system back online, gathering evidence, taking appropriate legal action against individual(s), or notifying the appropriate “third-parties” of the inappropriate activity.



7.5 Revisions 07-01-04 Original 09-27-04 Revised 01-20-05 Revised 8.0 Information Sensitivity Policy 8.1 Overview The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that will not be disclosed outside of the Louisville Metro Government without proper authorization. The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing). All employees will familiarize themselves with the information handling guidelines that follow this introduction. It will be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps to take to protect Louisville Metro Government confidential information. Questions about the proper classification of a specific piece of information will be addressed to your manager and/or to the Department of Archives. Questions about these guidelines will be addressed to Metro Technology Services IT Security ([email protected]). Note: As a government entity the Louisville Metro Government is subject to Open Records Requests as defined by KRS 61.872 to 61.884 and also follow the Data Retention Policy. 8.2 Purpose All Louisville Metro Government information is categorized into two main classifications:

 

Public Confidential

8.2(1) Public Public information is information that has been declared public knowledge by someone with the authority to do so. And can be freely given to anyone without any possible damage to the Louisville Metro Government. 8.2(2) Confidential Confidential contains all other information. It is a continuum, in that it is understood that some information is more sensitive than other information, and will be protected in a more secure manner. Also included in Louisville Metro Government confidential is information that is less critical, such as telephone directories, general Louisville Metro Government information, personnel information, etc., which does not require as stringent a degree of protection. 8.2(2a) Third Party Confidential A subset of Louisville Metro Government confidential information is "Louisville Metro Government Third Party Confidential" information. This is confidential information belonging or pertaining to another corporation/entity, which has been entrusted to the Louisville Metro Government by that company under nondisclosure agreements and other contracts. Examples of this type of information include everything from joint development efforts to vendor lists, customer orders, and supplier information. Information in this category ranges from extremely sensitive to information about the fact that we've connected a supplier / vendor into the Louisville Metro Government’s network to support our operations. It would also include medical or confidential information about employees, citizens, inmates, or other groups served by the Louisville Metro Government. Some of this information may be protected by federal or state law, or both. Louisville Metro Government personnel are encouraged to use common sense judgment in securing confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she will contact their manager or Metro Technology Services IT Security Administrator. 8.3 Policy The Sensitivity Guidelines below provides details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as the Louisville Metro Government confidential information in each section may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the confidential information in question.

8.3(1) Minimal Sensitivity General Louisville Metro Government information, some personnel and technical information; Access: Louisville Metro Government employees and affiliates with a business need to know. Distribution within the Louisville Metro Government: Standard interoffice mail, approved electronic mail and electronic file transmission methods. Distribution outside of the Louisville Metro Government internal mail: U.S. mail and other public or private carriers, approved electronic mail and electronic file transmission methods. Electronic distribution: No restrictions except that it only be sent to approved recipients. Storage: Keep from view of unauthorized people; erase whiteboards, do not leave in view on desktops. Personal computers will be administered with security in mind. Protect from loss; electronic information will have individual access controls where possible and appropriate. Disposal/Destruction: Deposit outdated paper information in specially marked disposal bins on Louisville Metro Government premises; electronic data will be expunged/cleared and reliably erased or physically destroyed. Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law. 8.3(2) More Sensitive General Louisville Metro Government business, financial, technical, and most personnel information; Access: Louisville Metro Government employees and non-employees with signed nondisclosure agreements who have a business need to know. Distribution within the Louisville Metro Government: Standard interoffice mail, approved electronic mail and electronic file transmission methods. Distribution outside of the Louisville Metro Government internal mail: Sent via U.S. mail or approved private carriers. Electronic distribution: No restrictions to approved recipients within the Louisville Metro Government but will be encrypted or sent via a private link to approved recipients outside of the Louisville Metro Government organization. Storage: Individual access controls are highly recommended for electronic information. Disposal/Destruction: In specially marked disposal bins on Louisville Metro Government premises; electronic data will be expunged/cleared and reliably erased or physically destroyed. Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

8.3(3) Most Sensitive Louisville Metro Government organizational secrets, operational, personnel, financial, source code and technical information integral to the success of the organization; Access: Only those individuals within the Louisville Metro Government organization designated with approved access and signed non-disclosure agreements. Distribution within the Louisville Metro Government: Delivered direct - signature required, envelopes stamped confidential, or approved electronic file transmission methods. Distribution outside of the Louisville Metro Government internal mail: Delivered direct; signature required; approved private carriers. Electronic distribution: No restrictions to approved recipients within the Louisville Metro Government but it is highly recommended that all information be strongly encrypted. Storage: Individual access controls are very highly recommended for electronic information. Physical security is generally used, and information will be stored in a physically secured server. Disposal/Destruction: Strongly Encouraged: In specially marked disposal bins on Louisville Metro Government premises; electronic data will be expunged/cleared and reliably erased or physically destroyed. Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law. 8.4 Enforcement Any employee found to have violated this policy will be subject to disciplinary action, up to and including termination of employment. 8.5 Revisions 07-08-04 Original 09-28-04 Revised 09-29-04 Revised 9.0 Data Retention Policy 9.1 Overview Data retention policies are documents that deal with the issue of maintaining information in your possession (and/or on Louisville Metro Government electronic resources) for a predetermined length of time. Different types of data require different lengths of retention. In addition to describing how long various types of information must be maintained in possession, this retention policy will describe procedures for archiving the information, guidelines for destroying the information when the time limit has been exceeded. It is important to note that retention time is based upon content and function of the information itself.

The Louisville Metro Government generates incredible amounts of paperwork and terabytes of electronic data. The sensitivity of this data varies from harmless correspondence to documents that could have significant repercussions if obtained by outside parties. Some of this data has great value to the organization. This policy is in line with the Information Sensitivity Policy, the Department of Archives Record Retention Schedule and the Kentucky Department for Libraries and Archives Schedule for Electronic Records. 9.2 Purpose The purpose of this policy is to define the appropriate amount of time “data” is kept before being destroyed. The primary focus of this document applies to data stored in electronic format, but applies to all paper data as well. It will also define how long the data will be kept and for what purposes (e.g. - legal, historical, disaster recovery, etc.) While this policy is by no means exhaustive, it does provide a framework for which all Louisville Metro Government employees/affiliates must be aware. 9.3 Scope This policy applies to all data stored and maintained within the Louisville Metro Government, primarily email and data stored on Louisville Metro Government IT resources. This includes but is not limited to word processing files, administrative databases, electronic spreadsheets, web pages, email, tracking/auditing logs and optical images. This policy also applies to all Louisville Metro Government employees/affiliates who deal with “data” through the course of their normal work activities. 9.4 Policy Data retention times will vary dependant upon the type of data it is and in accordance with applicable data retention laws. Also, certain departments within the Louisville Metro Government may have varying lengths of time for which the data may be retained. 9.4(1) Word Processing Files Agencies will take measures to protect permanent records produced by word processing software, either by printing the documents or preserving them in electronic form separately from materials of a non-permanent nature. This is to prevent accidental deletion or destruction with non-permanent records when the retention period for nonpermanent records has expired. Non-permanent word processing files may be stored with other non-permanent electronic records and deleted with them at the end of their retention period.

Once a printed record copy is distributed, the electronic version may be deleted. If the official record copy is kept electronically, however, it must be retained for the retention period listed in the State University Model Schedule. Documents such as letters, messages, memoranda, reports, handbooks, policies and procedures, and manuals written on hard drives or diskettes are considered works in progress or drafts until the final draft is accepted as the official version. Creators may delete drafts and revisions once the record copy has been produced. The working copies will be retained only if they are used to document how decisions were reached in developing programs and policies of the office or unit, or aid in the interpretation or purpose of the final document (e.g. to explain why certain changes were made or to clarify intent.) Some records are now created only in electronic form, whereas in years past they might have been hard copies. In these cases, the record retention schedule that applied to the hard copy is still applicable to the current electronic version. If the retention period has been met and a hard copy would be destroyed, the electronic version may be deleted. 9.4(2) Administrative Databases Many offices use databases containing information fields arranged and secured so that the information can be maintained or removed for use for various purposes. Much of the utility of a database lies in its flexibility and dynamic character. They change often as information is added, deleted, or modified. Ultimately, from this body of raw information, many different distinct queries can produce different results. Documents generated from selected information in databases are often produced in hard copy and distributed; however, the databases themselves are retained primarily in electronic format. Few records generated from databases are to be retained permanently. Record copies of reports and other documents generated from databases that document official policies will be printed for permanent retention. Records that are non-policy in nature and are used for informational purposes, or do not set official guidelines or procedures, may be deleted in accordance with the Archives Record Retention Schedule. If hard copy records produced from a database are maintained in the office files, and these hard copies have a limited retention period, the electronic files may be deleted when the information is superseded or no longer useful. 9.4(3) Electronic Spreadsheets Spreadsheets in electronic format such as hard disks or diskettes and used to produce a hard copy that is maintained in established files may be deleted when no longer useful. If the spreadsheet is kept electronically, it can be deleted when the authorized retention period is reached. If the electronic system contains several spreadsheets with different retention periods, and if the software does not easily

allow deletion of individual records, delete the records after the longest retention period has been met. 9.4(4) Web Pages Louisville Metro Government agencies use the World Wide Web instead of or in conjunction with paper documents to publish information about their programs. Materials provided on Louisville Metro Government web sites must be managed as other Louisville Metro Government records are. Documents that in hard copy format would qualify as official archivaeable records with permanent or long term value will be printed and retained. Web documents that do not set or document official policies or procedures and are of a transitory nature may be deleted once their usefulness has ended. 9.4(5) Electronic Mail Email does fall under the statutory definition of public records, and as such, the e-mail issued by and received by Louisville Metro Government employees/affiliates is subject to open records requests and can be discoverable under legal actions brought against the Louisville Metro Government. Senders and recipients of e-mail must be aware that the legal standards for the retention and disposition of Louisville Metro Government records also apply to e-mail. Email categories include official and general, the same as that of hard copy office correspondence. Official is defined as documenting the major functions, activities and programs of the Louisville Metro Government and important events in its history. Email that falls under this definition must be retained under the guidelines in the Archives Record Retention Schedule. Employees/affiliates will print and retain in department files or store in an accepted, retrievable electronic format email that reflects the official position of the Louisville Metro Government or that documents the administrative, legal, and fiscal requirements of the institution. It is recommended printing these emails as the most reliable form of long-term preservation. General e-mail correspondence which is non-policy in nature and not critical to administrative, fiscal, or legal requirements can be deleted in accordance with guidelines in the Archives Records Retention Schedule. Form letters, notices of meetings, duplicates and forwarded messages from other offices, spam, and other email messages of a transient nature can be considered reference or information-only material and can be deleted at the discretion of the user. Disposition of email will take place on a regular and systematic basis in accordance with approved records retention guidelines. 9.4(6) Other

All other types of data that is stored and maintained that does not fall under the category of Open Records Requests, and/or Record Retention Schedule and does not serve any other purpose but for system tracking, auditing, or transitory purposes will be destroyed at the discretion of Metro Technology Services. 9.5 Responsibilities It is the responsibility of all employees and affiliates to understand and follow this policy according to the Department of Archives Record and Retention Schedule for their corresponding department. Along with that, it is also imperative that any Federal, Sate or Local laws that govern the storage and classification of data be followed as well. 9.6 Enforcement At times designated, Metro Technology Services in conjunction with the appropriate agencies will review and save/delete any data that falls out of compliance with this policy. 9.7 Revisions 01-25-05 Original 10.0 Network Access/Configuration Policy 10.1 Overview The Louisville Metro Government network infrastructure is an essential resource for accomplishing the missions of the Louisville Metro Government. These resources represent a substantial investment and must be managed responsibly to ensure their integrity and security. Metro Technology Services is responsible for maintaining the Louisville Metro Government information resources. These resources include the computer communication infrastructure as well as the network services such as email, intranet/internet web pages, databases, Internet connectivity, and various other services. The network is a shared resource, which requires a level of trust and management capabilities between all inter-connected devices. In order to maintain the availability and reliability of those resources, this policy has been created.

10.2 Purpose This policy outlines the rules and requirements for network access within the Louisville Metro Government. This policy also falls in line with all other Louisville Metro Government Information Security Policies and pertains to all devices accessing these resources. 10.3 Scope This following applies to all computers that are connected or are to be connected to the Louisville Metro Government network. This is to provide a framework from which to base all

daily operations. While these requirements are not all-inclusive they will be used as a guide from which to base any activity involving the placement of personal computers, servers and networking devices on the Louisville Metro Government computer network. 10.4 Policy All devices attaching to the Louisville Metro Government must abide the following conditions. 10.4(1) Personal Computers/Servers This section applies to all personal computers and servers that are connected to the Louisville Metro Government network whether directly or through VPN. All other Louisville Metro Government IT policies and applicable laws apply.  All computers/servers connected to the network must have Metro Technology Services approved antivirus software installed. This enables central administration and mitigates the network against virus outbreaks.  All computers/servers without antivirus protection will not be allowed on the Louisville Metro Government network.  All computers/servers must have a Metro Technology Services standard core load operating system image and have the ability to be managed by the Metro Technology Services administrators. o If an agency has their own standard operating system image, Metro Technology Services must approve it.  All computers/servers connected to the Louisville Metro Government network must have all up-to-date installations of all recommended system, application, firmware and security patches; including Microsoft Systems Management Server Client (SMS).  If a computer/server is requiring a static IP address and/or DNS name, this form must be filled; IP/DNS Requests.  No unauthorized servers are permitted on the Louisville Metro Government network without approval from Metro Technology Services.  No computers/servers shall have “open shares” available without the consent of Metro Technology Services. Open shares not properly configured are targets for abuse.  Prior to departmental purchases, Metro Technology Services must be involved to ensure the equipment meets the current standards of the organization.  Users will not remove access, or in other ways block access, of the Metro Technology Services administrators access to any computer/server on the network.  No computers/servers shall be used to assign IP addresses (DHCP) on the network unless it is managed by Metro Technology Services.  When new patches/service packs are issued from vendors, it is the responsibility of the application/server owners to test the new patches/service packs for their particular application. If any issues arise it is their responsibility to report that to Metro Technology Services in a timely manner. 10.4(2) Networking Devices

This section applies to all devices that have the ability to isolate or extend the Louisville Metro Government network (routers, hubs, switches, wireless access points, and repeaters).  No personally or departmentally purchased firewalls, routers, repeaters, switches, hubs or wireless access points are to be installed without the consent of the Metro Technology Services. This is to ensure that network resources are used to full capabilities and provide the ability to manage those devices as required. Users are not permitted to alter network hardware in any way (Data Center Access Policy). No personal computers should be configured as a routing device or used to extend the network.

 

10.5 Enforcement The Louisville Metro Government Metro Technology Services retains the right to disconnect any machine/server from the network that falls out of compliance with this policy. Upon further review and investigation the disconnected machine may not be re-connected until deemed in compliance. Metro Technology Services will at times, as deemed necessary, audit the network for rogue machines/servers and networking devices to enforce this policy. Any employee found to have violated this policy will be subject to disciplinary action up to and including termination. 10.6 Revisions 07-08-04 Original 09-28-04 Revised 01-24-05 Revised 11.0 Data Center Access Policy 11.1 Overview The core of the Louisville Metro Government computer systems reside in Data Centers and wiring closets located at various locations. It is essential that higher measures of physical security be in place to mitigate any risks to the core infrastructure of the Louisville Metro Government computer systems and ensure those systems run unabated. 11.2 Purpose The purpose of this policy is to control the physical access and control methods for which access to the Louisville Metro Government Data Centers/wiring closets are given. 11.3 Scope

This policy applies to all employees/affiliates and third parties requiring access to the Louisville Metro Government Data Centers and wiring closets. All other Louisville Metro Government IT Security Policies apply. 11.4 Policy  Only authorized persons shall access the datacenter for legitimate business purposes.  All persons not given specific access (via the card access system) to the Data Center/wiring closets must sign a logbook indicating their time in, time out, and purpose for their visit.  Vendors, or those requiring access to the data center for specific purposes will be accompanied by an authorized person at all times.  The secured area should only be accessed to meet a business requirement of the Louisville Metro Government. When such a requirement is complete, that person(s) will leave the area.  Access cards are not to be shared between authorized and un-authorized persons.  Any resources located inside of the Data Centers are to only be moved by the person directly responsible for that resource.  Food, drink and other fluids must not be introduced to the Data Centers. 11.4(1) Authorization Only personnel with a legitimate business purpose for access to the data center will be provided access. All personnel requesting access must do the following:  This form must be filled out http://metronet.yes/Depts/Facilities/pdf/Key.pdf.  An authorized member of Metro Technology Services must sign-off on the request  An authorized member of the Facilities Department must also sign-off on the request.  Access will only be granted for a pre-determined period of time.  All vendors (non-Louisville Metro Government personnel) must be escorted at all times while in the Data Center. 11.5 Enforcement Any employee (or affiliate) found to have violated this policy will be subject to disciplinary action, up to and including termination of employment. Metro Technology Services and Facilities Management reserves the right to deny and revoke access to any individuals who are in violation of this policy and/or do not require the access. 11.6 Revision 07-12-04 Original 01-24-05 Revised

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close