ITS-001 - Information Technology Assets, Systems, and Corporate Data Acceptable Use Policy_2023
Title: Information Technology Assets, Systems, and Corporate Data
Acceptable Use Policy
Subject: Information Technology Assets, Systems, and Corporate Data Acceptable Use Policy
Category: Information Technology
Policy No.: COS-ITS-001
M&C Report No.: 2023-077
Effective Date: 2023-03-20
Next Review Date: 2 years
Area(s) this policy applies to: Authorized Users of Information Technology Assets, Systems, and Corporate Data
Office Responsible for review of this Policy: Information Technology Service
Policy Sponsor: Chief Information Officer (CIO)
Related Instruments:
COS-CC-001 Access Policy
COS-CC-004 Information Security Policy
COS-CC-010 Privacy Policy
COS-IT-003 Mobile Device Governance
Document Pages: 9
Revision History:
Replaces COS-ITS-001 Internet, Asset and Electronic Mail Acceptable Use Policy 2008
Common Clerk's Annotation for Official Record
Date of Passage of Current Framework: 2023-03-20
I certify that this Policy Statement was adopted by Common Council as indicated
above.
Common Clerk
Date: March 21, 2023
Common Council Approval Date: 2023-03-20
Date Created: 2023-03-14
Contact: Chief Information Officer (CIO)
Table of Contents
1.0 Policy Statement
2.0 Definitions
3.0 Purpose
4.0 Ownership
5.0 Applicability
6.0 Responsibilities
6.1 Authorized Users
6.2 Authorized Remote Access Users
6.3 Personal Use
6.4 Management/Supervisors
6.5 Information Technology Service
6.6 Human Resources Service
7.0 Monitoring
7.1 Systems Monitoring
7.2 User Monitoring
8.0 Compliance
9.0 Disclaimer
1.0 Policy Statement
1.1 The City of Saint John (“City”) provides an Authorized User with access to the City's
Information Technology Assets, Systems, and Corporate Data (“Information Technology
Resources”) including the Internet for the purpose of delivering City services and
advancing the plans, goals, and objectives of the City of Saint John in a responsible, secure,
ethical, and legal manner. Authorized Users include members of Council and employees
of the City or any of its agencies, boards, or commissions that receive Information
Technology Resources or service.
1.2 Prior to accessing Information Technology Resources, all Authorized Users are required to
read this policy and acknowledge their agreement to comply with it. Authorized Users
must also comply with any training requirements to ensure the safeguarding of
Information Technology Resources.
2.0 Definitions
2.1 Access: Assigned permission to use Information Technology Assets, Systems, or Corporate
Data in some manner to ensure the integrity and security of these Information Technology
Resources.
2.2 Authorized User: An individual who is either:
a) a member of Council as defined in the Local Governance Act;
b) employed by the City, including permanent, casual, and seasonal employees,
students, those employed on contract; or
c) a board member or employee of the City’s agencies, boards, or commissions that
receive service from the City’s Information Technology Service,
that require use of Information Technology Resources to carry out their responsibilities,
whether explicitly or implicitly.
2.3 Confidential Information: Information that cannot be shared with the public or other
unauthorized individuals as defined under the Local Governance Act, SNB 2017, c. 18, the
Right to Information and Protection of Privacy Act, SNB 2009, c. R-10.6, as they may be
amended from time to time, and other relevant by-laws or legislation (e.g., privileged
information, draft by-laws or reports, third-party information, personally identifiable
information).
2.4 Corporate Data: Any and all data created or received for furthering the work of the City
and its service delivery including, but not limited to, documents, spreadsheets, images,
videos, presentations, social media posts, website content, and raw data stored in
databases.
2.5 Cyber Hygiene: Practices and steps that users of Information Technology Resources take
to maintain system health and improve online security, including any methods identified
in any current and future training provided by the City’s Information Technology Service.
2.6 Information Technology Assets: Any piece of software or hardware owned by the City.
This includes, but is not limited to, desktop/laptop/workstation computers, monitors,
printers, mobile devices, scanners, storage devices, network devices, Internet access,
email, and business applications, telephones and voice mail, facsimile machines, and
photocopiers.
2.7 Information Technology Resources: Refers collectively to Information Technology Assets,
Systems, and Corporate Data.
2.8 Information Technology Service: City’s service area that manages the City’s networks,
devices, software, and Internet for authorized users and enables public service delivery.
2.9 Internet: Large system of connected computers around the world that allows people to
share information and exchange data.
2.10 Network: Connection of two or more computer systems, either by cable or wireless
connection.
2.11 Printers: Large business machines or desktop units used to print, copy, or scan
documents.
2.12 Remote Access: Ability for an Authorized User to access a computer or network from a
geographical distance through a wireless network connection.
2.13 Removable Media: Any type of storage device that can be removed from a computer
while the system is running (e.g., USB flash drives or external hard drives).
2.14 Scanners: A business machine or desktop unit used to make electronic copies of
documents.
2.15 Software: Set of programs (sequence of instructions) that allows a user to perform a well-
defined function or a specified task.
2.16 Software as a Service (SaaS): Internet-based software that processes and stores data
online (i.e., cloud).
2.17 System: Collections of multiple Information Technology Resources (e.g., software,
hardware, connections, users, and data) working together to gather, process, store, and
disseminate information.
2.18 System Monitoring: Continuous review and analysis of the City's Information Technology
Resources to assess, maintain, and make improvements to ensure the reliability, security,
confidentiality, and integrity of the City's Information Technology Resources. Systems
monitoring is not directed at identifiable individuals.
2.19 User Monitoring: Recording, accessing, reviewing or analyzing one or more identified
Authorized User's activity on, or use of, the City's Information Technology Resources.
3.0 Purpose
3.1 The purpose of this Policy is to define standards, procedures, and restrictions for
Authorized Users who have been given access to Information Technology Resources.
3.2 This Policy applies to all Information Technology Resources as defined
herein, including, but not limited to, the following:
a) Corporate Data
b) Internet
c) Systems
d) Software, either local or network install, or Software as a Service (SaaS)
e) Computers (e.g., Desktop, Laptop, Workstation, Toughbooks)
f) Mobile devices (also subject to the Mobile Device Governance Policy)
g) Monitors
h) Keyboards
i) Power cords, chargers
j) Mouse
k) Removable media (limited, approved use)
l) Printers / scanners
m) Network infrastructure
3.3 This Policy strives to be comprehensive as it relates to Information Technology Resources;
however, it does not address every possible event or violation. Insofar as the Policy does
not address a particular event or violation, the appropriateness of the use of the
Information Technology Resources shall be measured and evaluated against the general
criteria outlined in the Policy.
4.0 Ownership
4.1 The City's Information Technology Resources are the sole property of the City.
4.2 Corporate Data is owned by the City.
4.3 All Authorized Users must provide, when requested by management or delegated staff,
specified Information Technology Resources.
4.4 All information and records created or legally acquired using Information Technology
Resources are the sole property of the City, with the exception of data created by
agencies, boards or commissions and records that are created through the limited
personal use as outlined in this Policy.
5.0 Applicability
5.1 This policy applies to all Authorized Users. Employment by the City does not automatically
guarantee the initial or ongoing ability to access Information Technology Resources.
5.2 Authorization is only considered for employees that require access to the City’s
Information Technology Resources for their work for, or on behalf of, the City.
6.0 Responsibilities
6.1 Authorized Users
a) The City's Information Technology Resources are corporate resources and are to be
used in accordance with this Policy and other applicable City by-laws, policies, and
relevant federal and provincial legislation.
b) Authorized Users will exercise good judgment and responsibility when accessing
Information Technology Resources.
c) Information Technology Resources will be used in an ethical and professional manner.
d) Authorized Users are responsible for their use of Information Technology Resources
at all times, including non-business hours.
e) Information Technology Resources will be used in a manner that safeguards the
integrity, privacy, and confidentiality of the City's information Systems and Corporate
Data. Examples include, but are not limited to:
i. Protecting and not sharing password(s) used to access Information
Technology Resources.
ii. Practicing good Cyber Hygiene when using Information Technology
Resources, following Information Technology Service processes put in place
for security.
iii. Not sharing Confidential Information.
iv. Making a request to the Information Technology Service Desk before
purchasing Information Technology Resources to ensure security and
compatibility assessments are complete.
f) Authorized Users exercise reasonable care to protect Information Technology
Resources from theft, damage, or illegal access, and against systems designed to
disrupt or damage the assets. Examples include, but are not limited to:
i. Storing Information Technology Resources securely when outside of the
workplace.
ii. Ensuring unauthorized users are not permitted to use Information
Technology Resources.
iii. Using Information Technology Resources for their intended purpose.
iv. Handling Information Technology Resources with care.
g) Any breach to the security of, damage to, or loss of Information Technology Resources
shall be immediately reported by the Authorized User to the City of Saint John
Information Technology Service Desk and their Manager/Supervisor.
h) Authorized Users shall not use any Information Technology Resource not owned by
or supplied by the City (including personal email), for the performance of the
Authorized User's duties and responsibilities where such use results in a:
i. Compromise in security of City Information Technology Resources.
ii. Breach of provincial or federal legislation, or related City by-laws and policies.
iii. Release of Confidential Information.
iv. Unnecessary costs incurred by the City required for Authorized Users to
access the City's Information Technology Resources remotely.
v. Loss of Corporate Data stored on personal devices. Corporate data must be
transferred to City Information Technology Resources as soon as possible and
deleted from personal storage.
i) Unacceptable use of Information Technology Assets includes, but is not limited to:
i. Accessing or carrying out any activities that are obscene, lewd, or
pornographic.
ii. Carrying out any activities that are harassing, embarrassing, discriminatory or
defamatory to another individual, employee, or group, or that are not in the
best interest of the City.
iii. Carrying out any activities that contravene federal, provincial legislation and
City by-laws and policies.
iv. Activities that will interfere with the normal operations of the Information
Technology Assets, including intercepting or altering information transmitted.
v. Violating terms of applicable software licensing agreements or intellectual
property laws, including installing software without a license.
vi. Disclosing or distributing confidential information without authorization or
contrary to City policies and by-laws and relevant federal or provincial
legislation.
vii. Circumventing the City's security schemes and protection.
viii. Unauthorized use, infringement, theft, reconfiguration, movement, or
relocation of Information Technology Resources.
ix. Downloading or installing applications, software, or systems, including
accessing those offered as a Software as a Service, that have not been vetted
by the Information Technology Service for security, performance, and
compatibility.
6.2 Authorized Remote Access Users
a) Authorized Users with Remote Access to the City's Information Technology Resources
must only connect using authorized methods. Remote Access will be provided
through the Information Technology Service after verification that access is safe and
will not negatively impact the City's Systems.
b) Authorized Users who use the City's Information Technology Resources for telework
must connect to the City’s network through secure Remote Access.
c) Authorized Users must maintain the privacy, confidentiality, and integrity of
Corporate Data accessed through Remote Access, following Information Technology
Service processes put in place for security.
d) All Corporate Data produced, accessed, or altered through Remote Access must be
stored on City Information Technology Resources owned or under contract to the City.
e) Authorized Users shall not incur any unauthorized costs associated with remotely
accessing Information Technology Resources.
f) Authorized Users that are working on behalf of the City (e.g., consultant) or guests
must comply with the Wi-Fi and External access requests approval process. Remote
Access will not be permitted without approval by the City’s Chief Information Officer
or designate.
g) The City retains the right to terminate an Authorized User’s Remote Access at any
time.
6.3 Personal Use
a) Reasonable and limited personal use of Information Technology Resources is
permitted, provided that it:
i. Does not interfere with the Authorized User's duties and responsibilities.
ii. Is lawful and in compliance with applicable City by-laws and policies, and
relevant federal or provincial legislation (e.g., training, volunteering).
iii. Does not compromise the security of the City’s Information Technology
Resources.
iv. Is not used for private gain, whether monetary or non-monetary, or
advancement or the expectation of private gain.
v. Does not result in the City incurring any additional expenses.
b) Authorized Users are responsible for properly managing personal files. The City is not
liable, nor will it incur any expense to protect or back-up personal files.
c) Authorized Users are encouraged to not store their own personal information or
personal files on Information Technology Resources. Authorized Users that elect to
store their own personal information or personal files acknowledge that they are
doing so at their own risk.
d) The City’s Information Technology Service does not support personal use of City
Information Technology Resources or the use of personal devices.
6.4 Management/Supervisors
a) Abide by the responsibilities of an Authorized User, Remote Authorized User, and
Personal Use.
b) Ensure staff are aware of the content and have completed training for this Policy.
c) Ensure any changes or amendments to this Policy are adequately communicated to
and understood by assigned staff.
d) Authorize access and access changes for users within their service areas to the City’s
Information Technology Resources, following Information Technology Service
processes put in place for access.
6.5 Information Technology Service
a) Establish and communicate processes and standards related to this Policy to ensure
Information Technology Resources are running in an efficient and secure manner
(e.g., authorize access, installation of new software).
b) Security screening and installation of new hardware, software, and related
components will be managed at the sole discretion of the Chief Information Officer or
Information Technology Service designate.
c) Configuration and maintenance of Information Technology Resources that are the
responsibility of the Information Technology Service (e.g., network, back-up, software
for managing, operating, and securing Information Technology Resources).
d) Conduct System Monitoring and User Monitoring set out in this Policy.
e) Support any investigations required from a breach, or suspected breach of this policy
in consultation with the Human Resources Service.
6.6 Human Resources Service
a) Investigate any breaches of this Policy and implement any disciplinary action
stemming from such breaches.
7.0 Monitoring
7.1 Systems Monitoring
a) The City of Saint John has the right to conduct Systems Monitoring at any time, at will
and in its sole discretion, including the right to filter and quarantine both inbound and
outbound content, as may be necessary to protect the integrity, security,
confidentiality, or reliability of Information Technology Resources.
b) Filtering software and monitoring tools are not designed to, nor can they be expected
to, limit access to all objectionable or inappropriate materials or malicious content on
the Internet and the failure of such filtering software to block access to such materials
in a particular instance is not an answer to the sanctions contemplated by this Policy.
c) As part of System Monitoring, the City may recover deleted files and data stored or
accessed using the Information Technology Resources.
7.2 User Monitoring
a) The City may conduct Authorized User Monitoring, with approval through the Chief
Information Officer, if there are reasonable grounds or a reasonable belief based on
credible information received to support Authorized User Monitoring, including but
not limited to:
i. An Authorized User is violating this Policy or other City by-laws and policies,
or any relevant federal and provincial legislation in their use of Information
Technology Resources.
ii. An Authorized User is using Information Technology Resources in a fashion
incompatible with the Authorized User's job duties or responsibilities.
iii. The results from general Systems Monitoring provide reasonable grounds to
review a specific Authorized User's activity.
iv. The Chief Information Officer determines it necessary to protect and maintain
the Information Technology Resources from an immediate or imminent
threat.
v. The General Counsel determines it necessary to support the City’s compliance
with legal requirements or defend itself in legal proceedings.
vi. For any other legitimate business, corporate or human resources purposes.
b) Authorized Users shall not have any expectation of privacy or exemptions from User
Monitoring when using Information Technology Resources, including such limited
personal use as permitted in accordance with Section 6.3 Personal Use in this Policy.
c) If the City discovers activities or has reason to suspect activities which do not follow
the applicable law, or policies, business practices or administrative procedures of the
City, records respecting the use of Information Technology Resources may be
retrieved without prior notification to the Authorized User involved for the purpose
of proving and documenting inappropriate use as outlined in this Policy.
8.0 Compliance
8.1 Should activities or suspected activities trigger an investigation, the Authorized User that
is the subject of such investigation is obligated to cooperate with any such investigation.
The Authorized User may be subject to additional disciplinary or legal consequences
should such investigation reveal that steps were taken by the individual under
investigation to frustrate or otherwise interfere with the integrity of the investigative
process (e.g., altering or deleting data material to the investigation).
8.2 Violations of this Policy will be administered in accordance with the City’s disciplinary
policies and procedures.
8.3 Sanctions for inappropriate use of Information Technology Resources may include, but
are not limited to, one or more of the following:
i. Temporary or permanent cancellation of access to Information Technology
Resources.
ii. Disciplinary action per established disciplinary policies and procedures up to
and including dismissal.
iii. Legal action per applicable laws and contractual agreements.
9.0 Disclaimer
9.1 The City assumes no liability for any direct or indirect damages arising from an Authorized
User’s connection to and use of Information Technology Resources and assumes no
liability for any direct or indirect damages suffered by an Authorized User arising from his
or her personal use of the Information Technology Resources. The City is not responsible
for the accuracy of information found on the Internet and only enables the accessing and
dissemination of information through its Information Resources. Individuals are solely
responsible for verifying the accuracy and currency of all material that they access, use,
and send through the Internet.