The URL can be used to link to this page

2023-12-04 - Resolution 2023-36 - ADOPTING AN ACCEPTABLE USE OF INFORMATION TECHNOLOGY RESOURCES POLICY RESOLUTION NO.2023-36 A RESOLUTION ADOPTING AN ACCEPTABLE USE OF INFORMATION TECHNOLOGY RESOURCES POLICY WHEREAS,the Village of Buffalo Grove has adopted revisions to the Personnel Policy;and WHEREAS, it is in the best interests of the Village of Buffalo Grove to provide guidance in the use of information technology resources. � NOW THEREFORE, BE IT RESOLVED BY THE PRESIDENT AND BOARD OF TRUSTEES OF THE VILLAGE OF BUFFALO GROVE,COOK AND LAKE COUNTIES,ILLINOIS,as follows: SECTION 1. The Acceptable Use of Information Technology Resources Policy attached hereto has been adopted and shall be in full force effective January 1,2024. AYES: 6—Johnson,Cesario,Ottenheimer,Stein, Bocek.Weidenfeld NAYES: 0-None ABSENT: 0- None PASSED: December 4,2023 APPROVED: December 4,2023 ATTEST: APPROVED: ��`Y�, 4��. Jane .Sirabian,Village Clerk Eric N.Smith, i�lage President `}�`�,��';�`-Y��y�� ``L,�Ci .._�'L�t'��i .,��., i'1` +. ! - � ��uv"'�""U:�i.:�%� u�� r i_-��e""' ` :� -'� `- - � l � - `` � J1j��s j��c��,�� .;;:�<• ACCEPTABLE USE OF I N FORMATION TECHNOLOGY RESOURCES POLICY December 4,2023 s • � This document formalizes the policy for employees,contractors,or guests("Users")of all departments that comprise the Village of Buffalo Grove on the use of Village information technology resources("Village ITRs").In addition to this policy,individual agencies or departments may elect to issue additional policies or restrictions governing the use of ITRs within their respective offices. Use of Village ITRs by any User shall constitute acceptance of the terms of this policy and any such additional policies. ► : • • � C • • Preface..........................................................................................................................................................................1 Tableof Contents..........................................................................................................................................................1 Overview....................................................................................................................:..................................................3 Definitions.....................................................................................................................................................................4 Scope.............................................................................................................................................................................4 Ownershipand Privacy..................................................................................................................................................5 Responsibilitiesand Roles.............................................................................................................................................5 Users.........................................................................................................................................................................5 DepartmentDirectors...............................................................................................................................................6 Information Technology Department.......................................................................................................................6 AcceptableUse of Village ITRs......................................................................................................................................7 DataConfidentiality..................................................................................................................................................7 IdentityProtection Policy.....................................................................................................................................7 CopyrightProtection.................................................................................................................................................7 CybersecurityAwareness..........................................................................................................................................7 Passwords.................................................................................................................................................................8 AcceptableUse Activities..........................................................................................................................................8 Page 1 of 12 UnacceptableUse Activities......................................................................................................................................9 Acceptable Use of Specific Village Information Technology Resources......................................................................10 Email.......................................................................................................................................................................10 EmailProfessionalism.........................................................................................................................................10 EmailCybersecurity............................................................................................................................................10 Email Encryption and Sensitive Information ......................................................................................................10 Emailas Village Record.......................................................................................................................................10 Additional Email Responsibilities........................................................................................................................11 ��_ � Computer Usage and Internet Access.....................................................................................................................11 Tefek nirow g.............................................................................................................................................................11 Related Policies,Procedures,or Standards.................................................................................................................12 RevisionHistory...........................................................................................................................................................12 I � � � � Page 2 of 12 � • The Village of Buffalo Grove provides Village ITRs that directly support or augment municipal activities of the Village.Examples Village ITRs include: • Computers or tablets • Mobile devices • Phones • Public Safety Radios • Village Network whether wired network,wireless network(Wi-Fi),or other technologies providing interconnectivity for devices • Village email • Software applications The use of such technology resources is a privilege extended to all employees or individuals in support of our operational activities. By use of these resources,Users may receive authorized access to Village information,the Village Network,software or'database applications,and various other computer or communication systems.It is of vital importance that each User of Village ITRs behaves responsibly,legally,and ethically with these technology resources in order to safeguard our information and avoid disruptions to Village operations. This Acceptable Use of Information Technology Resources Policy speaks to the activities and functions in which Users may engage or not engage as they use various Village ITRs.Any inappropriate use of such resources may result in the loss of privilege for use or access and may result in disciplinary action. If you have questions about the acceptability of a particular use of Village ITRs,contact the Administrative Services Director(brobinson@vbg.org)to assist. The objectives of this policy are to: • Ensure that the use of Village ITRs are directly related to,or for the benefit of,Village of Buffalo Grove operations and services to its residents • Provide overview of the ownership of information and any implications on public access to Village Information and User privacy • Define responsibilities and appropriate usage of Village ITRs • Minimize disruptions to Village activities from inappropriate use of Village ITRs Page 3 of 12 � • Village Information: defined as any information that supports Village activities;this may include operational data, employee data,citizen data,or other information which may be classified appropriately. Village ITRs: Village Information Technology Resources include any mobile device,computer-based hardware, software,or related services that are owned,licensed,or managed by Village of Buffalo Grove and used for conducting Village business or communications. Village Network: the system of interconnectivity for computers,printers,phones,mobile devices,or other Village ITRs which allows such devices to communicate and to access or share information.This may be a wired network connection at a desk,Wi-Fi,or other communication technologies. Principle of Least Privilege: The principle of least is that Users only have access to minimum resources that are necessary to perform their assigned function.The principle applies equally to Users,systems,and processes within �I the Village. � Users: employees,agents,officials,consultants,interns,volunteers,guests,or other individuals who have been granted access to Village ITRs. ' � � I This policy applies to all Users of Village ITRs,as described above.Further it applies to anyone granted access to Village Information. Examples of information include: � administrative records(such as payroll and personnel data;accounting and financial records;transactions, contracts;registrations;email or other electronic correspondence;etc.) • judicial documents • tax records • other Village proprietary or intellectual property. � I I I I I Page 4 of 12 � I � • ' ' � � " � Village of Buffalo Grove owns,controls,and has a custodial responsibility with respect to Village ITRs and any information stored on or transmitted through such systems.For example,email containing Village of Buffalo Grove administrative data,or documents pertaining to Village of Buffalo Grove business or judicial activities would be included. As a general matter,because such information is Village of Buffalo Grove property,Users of these systems should have no expectation of privacy regarding these resources or data.Most Village Information and Village ITRs are subject to the Freedom of Information Act.Users shall always comply with Village records management rules and records retention requirements for all information,including computer-based information. • • i ; • ! • • ��-- ----- ---- ---_---- -----------�----�----� i �'USERS It is the responsibility of any person using Village ITRs to read, understand,and follow this policy.In addition,Users are expected to exercise reasonable judgment in interpreting this policy and in making decisions about the use of ITRs. Responsibilities include: • Users must abide by all related federal laws,state laws,and local laws along with all pertinent regulations, and Village or Department policies or operating procedures • Users of Village ITRs shall adhere to records management rules and retention requirements.when handling Village Information. • Users must use Village ITRs with all intent to be legally compliant,ethical,and to show restraint in the , consumption of shared resources � • Users must be professional and respectful when using technology to communicate with others • Users must be aware that Village of Buffalo Grove adheres to the least-privilege principle for Village ITRs; for example,data reports that are presented or shared with others should have minimum information necessary with extraneous and sensitive information removed from the reports • Users are individually responsible for appropriate use of all resources assigned to them,including the computer,the network connection,software,and hardware • Users must be aware that Village of Buffalo Grove has entered into legal agreements or contracts for many of our software and network resources which require each individual User to comply�with those agreements.Your agency or department head is the best resource for this information. • Users must be aware that inappropriate use of Village ITRs may result in the suspension of use or removal of access to Village ITRs which could affect their ability to perform their work assignments,and disciplinary action. Any person with questions regarding the application or meaning of this policy should seek clarification from appropriate management or from the Administrative Services Director(brobinson@vbg.org). Page 5 of 12 i h N � � D.EPARTMENT DIRECTORS � It is the responsibility of each Department Director to support or promote this policy and to ensure employees have adequate knowledge of the principles outlined herein.Departments individually may provide add�tional policies or guidelines for the use of Village ITRs,which may not be less restrictive than this policy. � • Be aware of productivity issues that may arise from the overuse/misuse of email,Internet ac�ss,social media,and mobile device usage. • Be aware of the use of sensitive information by Users within your department.Such information may not be stored on mobile devices that can leave the Village premise. • If your department must share such sensitive information with outside organizations,it is required to be encrypted.Please contact the Information Technology Department for details on how to encrypt information for these purposes. � • Be aware that inappropriate use of Village ITRs by your staff may result in the suspension of use or removal of access to Village ITRs for those individuals and disciplinary action. � �1NFORMATION TECHNOLOGY DEPARTMEIVT The Information Technology Department is responsible for the administration of Village ITRs which includes the provisioning and maintenance of such devices,services and network that comprise these ITRs,and it should provide general training wherever possible for Users in the proper use of such systems.The department shall also provide User training of policy issues,emphasizing acceptable and unacceptable uses and respond to�questions of interpretation of this or related policies.Also,this department shall be responsible for on-going review and maintenance of this policy as required by changes in local,state,and federal law and as necessary fo i local considerations.Finally,the Information Technology Department should aid any Department in developing supplemental policies or guidelines related to appropriate use.This support may be limited by feasibility or the discretion of the Administrative Services Director. � ! � � I � � � � Page 6 of 12 1 � � � : , � • The use of Village ITRs empowers Users to work effectively and allows them to deliver better services,�hether � internally to the Village or externally to our residents.As such,all Users are encouraged to fully use Village ITRs in pursuit of the Village's strategic goals and objectives.Should any User be subject to more restrictive policies, whether by law,by regulations,or by other department requirements,the more restrictive measure will prevail. I � DATA CONFIDENTI'ALITY a In the regular course of work activities, Users often have access to confidential or proprietary information,such as personal data about individuals or commercial information about business organizations.Under no circumstances is it permissible for Users to acquire access to confidential data unless such access is required by theirjjobs.Under no circumstances may Users disseminate any confidential information that they have rightful access to unless such dissemination is required by their jobs.As such,Users: • Must be aware and protective of any information which may be considered confidential or sensitive, especially that which contains personally identifiable information.If such information must b�e shared with outside organizations in conducting Village business,it must be encrypted and cannot be sh�red if not encrypted. • Must report to the Information Technology Department if you become aware that you have more access to information or systems than you ought to have for your assigned work.This helps maintailn the principle of least privilege. � � , � � IDENTITY PROTECTION POLICY � �� Improper disclosure of protected personal identifiers such as social security numbers may contribute to identity theft and any number of resulting credit problems.The Village has adopted this Policy to protect social security numbers from unauthorized disclosure.In accordance with the Illinois Identity Protection Act, only employees who are required to use or handle information or documents that contain social�security numbers shall have access to such information or documents.All employees with access to social security numbers in the course of their job duties must undergo training to protect the confidentiality of the social security numbers. '� � � +COPYRIGHT PROTE.CTION � � Computer programs are valuable intellectual property.Software publishers can be very aggressive i�protecting their property rights from infringement.Similarly,legal protections can also exist for any information published on the Internet,such as the text and graphics on a web site.As such,it is important that Users respect the rights of intellectual property owners.Users should exercise care and judgement when copying or distributing computer programs or information that could reasonably be expected to be copyrighted.Village intellectual p�operty such as the Village logo or letterhead may only be used in the conduct of Village business.Users should exercise care in allowing such property to be used,or misused,for purposes not approved by the Village. I _ I y CYBERSECURITY'AINARENESS � ' I Users should exercise reasonable precautions to prevent the introduction of a computer virus or other malware I into the Village Network.Avoid opening any email attachments which came unexpectedly,whether?from a vendor I I Page 7 of 12 I I � � M � or from a colleague.Report any suspicious emails or files to the Information Technology Department i�mediately upon discovery.Suspicious emails can be forwarded to support@vbg.or�or via the Phish Alert icon in Outlook. Similarly,report if you suspect your account has been accessed or your device has been compromised in some way. Keep your computer locked when not in use. � � r PASSWORDS ` �. ` Passwords are an important aspect of computer security.They are the front line of protection for user�accounts.A poorly chosen password may result in a compromise of the Village's entire network.As such,all Village employees (including contractors and vendors with access to Buffalo Grove systems)are responsible for taking the appropriate steps,as outlined below,to select and secure their password. Password Construction Requirements � • Be a minimum length of twelve(12)characters on all systems. • Not be a dictionary word or proper name. • Not be the same as the User ID. � Expire within a maximum of 90 calendar days. • Not be identical to the previous ten(10)passwords. • Not be transmitted in the clear or plaintext outside the secure location. �t � • Not be displayed when entered. � Password Protection Standards � Do not use your User ID as your password.Do not share Village of Buffalo Grove passwords with any�ne,including administrative assistants or secretaries.All passwords are to be treated as sensitive,Confidential Village f information.If an account or password is suspected to have been compromised,report the incident tpo the Administrative Services Director or the IT Department immediately. p 1 Here is a list of"do noYs" � • Don't reveal a password over the phone to anyone � r • Don't reveal a password in an e-mail message � • Don'talk about a password in front of others • Don't hint at the format of a password(e.g.,"my family name") � Don't reveal a password on questionnaires or security forms • Don't share a password with family members • Don't write passwords down and store them anywhere in your office. • Don't store passwords in a file on ANY computer system unencrypted 1 ACCEPTABLE USE.ACT(VITIES ' ! • Users may use only the computers,computer accounts,and computer files for which they have been authorized � Users should make a reasonable effort to protect passwords and to secure resources against unauthorized use or access � • Activities,communications,or information exchange should be limited to those which are�directly related to the mission,charter,or work tasks of the Village of Buffalo Grove government Page 8 of 12 u 4 . I � y UNACCEPTABLE USE ACTI.VITIES tl It is generally unacceptable for any person to perform or support the following activities as it pertains to the use of Village ITRs.In certain cases,a User may receive an exception from the Information Technology Depart�ment,if the activity is necessary for official Village business.This list of unacceptable activities is not all-inclusive: ' • Use of any Village ITRs for any purpose that violates a federal,state,or local law • Use of any Village ITRs to commercial enterprise or other for-profit activities • As an authorized User of Village ITRs,you may not enable unauthorized Users or personal deu,ices to access the Village network or other resources � I • Attempts to gain,or attempt to gain,unauthorized access to any computer or Village network • Purchase,install or access unauthorized software. � Use of another individual's account or attempts to capture or guess another Users'password(s) r" • Users shall not knowingly destroy,misrepresent,or alter any Village Information. • Recognize that Village policies related to employee conduct apply consistently when using technology.As I such: � o Do not send threatening or harassing messages,whether sexual or otherwise � ( o Do not attempt to access,share,or store sexually explicit,obscene,or otherwise inappropriate materials � o Do not send unsolicited email or other communications � I, o Do not libel or otherwise defame any person + , • Use of tools or programs that cause interference with or disruption of network Users and resources, � including propagation of computer viruses or other potentially harmful programs(e.g.,password 'crackers,'vulnerability scanners,network sniffers,etc.) • Attempts to disable,defeat,or circumvent any network security,computer security,or other such information security resources � I • The use of any encryption method not approved by the Information Technology Department � � ; Page 9 of 12 � � I � � � : • � � s • � • • • • • � � EMAIL. � r The use of Village email brings several professional,legal,and security implications that create a high level of responsibility on each User.As such each User must take the use of,the convenient access to,and the�security of email accounts they are authorized to use with care. � EMAIL PROFESSIONALISM II IVillage email addresses identify the organization that sent the message,in our case it typicaliy takes�the form of( ' firstinitialmiddleinitiallastname@vb�.or�)Because of this Users should consider email messages to�be the I , equivalent of letters sent on official Village letterhead.Users should ensure that all emails are written in a professional and courteous tone.Although many Users regard email as a convenient and informal�ay to icommunicate,Users should remember that emails are recorded for o�cial Village record and may be copied, printed,or forwarded by recipients.As such,Users should not write anything in an email message that they would not feel just as comfortable putting into a formal Village document. EMAIL CYBERSECURITY � As email is a widely used means of communication,it is also the primary method of cyber-attack on the Internet. Users have a responsibility to identify fraudulent Village or other commercial solicitation to avoid the dangers. The Information Technology Department routinely conducts email phishing tests with Village employees. These tests are designed to teach employees how to identify and avoid dangerous emails. Supplemental�training is also provided for employees who are prone to clicking on these test phishing emails. As such,employees who � repeatedly fail the phishing tests three or more times will have the following remediation steps applied progressively: � � • Discussion with employee's Department Head on the risk and necessary training ' I • Suspension of employee's email access pending their Department Head's request to the Administrative Services Director to reinstate the employees email account � • Suspension of employee's email access pending full review with Department Head,IT Direetor,and other administrative staff,as needed EMAIL ENCRYPTION AND SENSITIVE INFORMATION J � Email messages are generally sent in plain text via untrusted networks over the Internet that are�outside of the Village's control. When these messages are sent without appropriate security safeguards,they are like postcards that can be read,copied,and modified at any point along these paths. It is vital that s�nsitive information is only sent if absolutely necessary,and if sent such emails shall be encrypted. � EMAIL AS VILLAGE RECORD Email communications are subject to the Village's record retention ordinance(s)and policies.Although deletion of unnecessary email communications is strongly encouraged,Users should refer to the approved retention schedule for proper disposition of email communications.The Information Technology Department is authorized to enforce the Village's record retention schedules on behalf of Users. � Page 10 of 12 � h � � � � ADDITIONAL EMAIL RESPONSIBILITIES ? Each User has the following responsibilities for use of Village email.Any necessary exceptions to this list may only be provided by the Information Technology Department: • Use of email applications(such as Outlook)or mobile mail apps is only permitted on Village-issued devices • Access to Village email from personal or other devices not issued by the Village may only be performed via webmail services • No Village email address may be automatically forwarded to an external email account • Do not open and/or forward email from unknown senders.This is vital to prevent Village info�mation from being exposed to ransomware or other cyber-attack. Report any suspicious emails to � � support@vbs.ors ' � I GO�MPUTER USAGE AND_INTERNET ACCE� � � �__ j Use of the Internet increases the risk of exposing Village information and computer systems to cybersecurity breaches. Because of this,Village ITRs are to be used only for Village activities.We recognize there may be , incidental personal use of Internet on Village-issued devices,but this activity must be limited and cannot be performed at all if such activity is in violation of this policy.Additionally,personally owned devices are not authorized to connect to the Village's private network and access Village information. The following are restrictions on activities performed on or with Village-issued computers: I • Users must lock their computers when stepping away to prevent unauthorized access ' • Users must not store passwords to accounts or systems directly on their computer unencrypted or in � written form � • Users must not share their passwords or system passwords with anyone and should prompM1tly notify the Information Technology Department if they suspect their password or device has been corripromised • Users must avoid saving information or files to their local computers,but instead should sa�e Village Information on approved cloud-based storage • Do not purchase,download,install,access,or use any software without authorization of the Village Manager or Administrative Services Director. ' • Do not install or download any app without authorization from the Information Technology Department. i TELEWORKLN6 � Users who are approved by their department for telework must follow all requirements indicated m the Village of Buffalo Grove Personnel Policy.Teleworking requires Village-issued ITRs to be used for remote access into the Village Network.Personally owned devices may not be used for these purposes. t � A Page 11 of 12 � � ■ / . . • � • ' � � � ' � Village of Buffalo Grove Personnel Policy Village of Buffalo Grove Procurement Policy Illinois Freedom of Information Act(5 ILCS 140/1 et seq) Village of Buffalo Grove Records Management and Retention Policy • • • �. . .. . . December 4,2023 Admin Services Published Page 12 of 12