2023-12-04 - Resolution 2023-36 - ADOPTING AN ACCEPTABLE USE OF INFORMATION TECHNOLOGY RESOURCES POLICY RESOLUTION NO.2023-36
A RESOLUTION ADOPTING AN ACCEPTABLE USE OF INFORMATION TECHNOLOGY RESOURCES POLICY
WHEREAS,the Village of Buffalo Grove has adopted revisions to the Personnel Policy;and
WHEREAS, it is in the best interests of the Village of Buffalo Grove to provide guidance in the use
of information technology resources.
�
NOW THEREFORE, BE IT RESOLVED BY THE PRESIDENT AND BOARD OF TRUSTEES OF THE
VILLAGE OF BUFFALO GROVE,COOK AND LAKE COUNTIES,ILLINOIS,as follows:
SECTION 1. The Acceptable Use of Information Technology Resources Policy attached hereto has been
adopted and shall be in full force effective January 1,2024.
AYES: 6—Johnson,Cesario,Ottenheimer,Stein, Bocek.Weidenfeld
NAYES: 0-None
ABSENT: 0- None
PASSED: December 4,2023
APPROVED: December 4,2023
ATTEST: APPROVED:
��`Y�, 4����.
Jane .Sirabian,Village Clerk Eric N.Smith, i�lage President
`}�`�,���';�`-Y��y��
``L,�Ci .._�'L�t'��i
.,��., i'1` +. ! - �
��uv"'�""U:�i.:�%�
u�� ����
r i_-����e""' ` :�
-'� `- - �
l � - ``
�
J1j��s j����c��,��
.;;:�<•
ACCEPTABLE USE OF I N FORMATION
TECHNOLOGY RESOURCES POLICY
December 4,2023
s • �
This document formalizes the policy for employees,contractors,or guests("Users")of all departments that
comprise the Village of Buffalo Grove on the use of Village information technology resources("Village ITRs").In
addition to this policy,individual agencies or departments may elect to issue additional policies or restrictions
governing the use of ITRs within their respective offices. Use of Village ITRs by any User shall constitute acceptance
of the terms of this policy and any such additional policies.
► : • •
� C • •
Preface..........................................................................................................................................................................1
Tableof Contents..........................................................................................................................................................1
Overview....................................................................................................................:..................................................3
Definitions.....................................................................................................................................................................4
Scope.............................................................................................................................................................................4
Ownershipand Privacy..................................................................................................................................................5
Responsibilitiesand Roles.............................................................................................................................................5
Users.........................................................................................................................................................................5
DepartmentDirectors...............................................................................................................................................6
Information Technology Department.......................................................................................................................6
AcceptableUse of Village ITRs......................................................................................................................................7
DataConfidentiality..................................................................................................................................................7
IdentityProtection Policy.....................................................................................................................................7
CopyrightProtection.................................................................................................................................................7
CybersecurityAwareness..........................................................................................................................................7
Passwords.................................................................................................................................................................8
AcceptableUse Activities..........................................................................................................................................8
Page 1 of 12
UnacceptableUse Activities......................................................................................................................................9
Acceptable Use of Specific Village Information Technology Resources......................................................................10
Email.......................................................................................................................................................................10
EmailProfessionalism.........................................................................................................................................10
EmailCybersecurity............................................................................................................................................10
Email Encryption and Sensitive Information ......................................................................................................10
Emailas Village Record.......................................................................................................................................10
Additional Email Responsibilities........................................................................................................................11
��_ �
Computer Usage and Internet Access.....................................................................................................................11
Tefek nirow g.............................................................................................................................................................11
Related Policies,Procedures,or Standards.................................................................................................................12
RevisionHistory...........................................................................................................................................................12
I
�
�
�
�
Page 2 of 12
�
•
The Village of Buffalo Grove provides Village ITRs that directly support or augment municipal activities of the
Village.Examples Village ITRs include:
• Computers or tablets
• Mobile devices
• Phones
• Public Safety Radios
• Village Network whether wired network,wireless network(Wi-Fi),or other technologies providing
interconnectivity for devices
• Village email
• Software applications
The use of such technology resources is a privilege extended to all employees or individuals in support of our
operational activities. By use of these resources,Users may receive authorized access to Village information,the
Village Network,software or'database applications,and various other computer or communication systems.It is of
vital importance that each User of Village ITRs behaves responsibly,legally,and ethically with these technology
resources in order to safeguard our information and avoid disruptions to Village operations.
This Acceptable Use of Information Technology Resources Policy speaks to the activities and functions in which
Users may engage or not engage as they use various Village ITRs.Any inappropriate use of such resources may
result in the loss of privilege for use or access and may result in disciplinary action.
If you have questions about the acceptability of a particular use of Village ITRs,contact the Administrative Services
Director(brobinson@vbg.org)to assist.
The objectives of this policy are to:
• Ensure that the use of Village ITRs are directly related to,or for the benefit of,Village of Buffalo Grove
operations and services to its residents
• Provide overview of the ownership of information and any implications on public access to Village
Information and User privacy
• Define responsibilities and appropriate usage of Village ITRs
• Minimize disruptions to Village activities from inappropriate use of Village ITRs
Page 3 of 12
� •
Village Information: defined as any information that supports Village activities;this may include operational data,
employee data,citizen data,or other information which may be classified appropriately.
Village ITRs: Village Information Technology Resources include any mobile device,computer-based hardware,
software,or related services that are owned,licensed,or managed by Village of Buffalo Grove and used for
conducting Village business or communications.
Village Network: the system of interconnectivity for computers,printers,phones,mobile devices,or other Village
ITRs which allows such devices to communicate and to access or share information.This may be a wired network
connection at a desk,Wi-Fi,or other communication technologies.
Principle of Least Privilege: The principle of least is that Users only have access to minimum resources that are
necessary to perform their assigned function.The principle applies equally to Users,systems,and processes within �I
the Village. �
Users: employees,agents,officials,consultants,interns,volunteers,guests,or other individuals who have been
granted access to Village ITRs. '
� � I
This policy applies to all Users of Village ITRs,as described above.Further it applies to anyone granted access to
Village Information. Examples of information include:
� administrative records(such as payroll and personnel data;accounting and financial records;transactions,
contracts;registrations;email or other electronic correspondence;etc.)
• judicial documents
• tax records
• other Village proprietary or intellectual property.
�
I
I
I
I
I
Page 4 of 12 �
I
�
• ' ' � � " �
Village of Buffalo Grove owns,controls,and has a custodial responsibility with respect to Village ITRs and any
information stored on or transmitted through such systems.For example,email containing Village of Buffalo Grove
administrative data,or documents pertaining to Village of Buffalo Grove business or judicial activities would be
included.
As a general matter,because such information is Village of Buffalo Grove property,Users of these systems should
have no expectation of privacy regarding these resources or data.Most Village Information and Village ITRs are
subject to the Freedom of Information Act.Users shall always comply with Village records management rules and
records retention requirements for all information,including computer-based information.
• • i ; • ! • •
��-- ----- ---- ---_---- -----------�----�----� i
�'USERS
It is the responsibility of any person using Village ITRs to read, understand,and follow this policy.In addition,Users
are expected to exercise reasonable judgment in interpreting this policy and in making decisions about the use of
ITRs. Responsibilities include:
• Users must abide by all related federal laws,state laws,and local laws along with all pertinent regulations,
and Village or Department policies or operating procedures
• Users of Village ITRs shall adhere to records management rules and retention requirements.when
handling Village Information.
• Users must use Village ITRs with all intent to be legally compliant,ethical,and to show restraint in the ,
consumption of shared resources �
• Users must be professional and respectful when using technology to communicate with others
• Users must be aware that Village of Buffalo Grove adheres to the least-privilege principle for Village ITRs;
for example,data reports that are presented or shared with others should have minimum information
necessary with extraneous and sensitive information removed from the reports
• Users are individually responsible for appropriate use of all resources assigned to them,including the
computer,the network connection,software,and hardware
• Users must be aware that Village of Buffalo Grove has entered into legal agreements or contracts for
many of our software and network resources which require each individual User to comply�with those
agreements.Your agency or department head is the best resource for this information.
• Users must be aware that inappropriate use of Village ITRs may result in the suspension of use or removal
of access to Village ITRs which could affect their ability to perform their work assignments,and
disciplinary action.
Any person with questions regarding the application or meaning of this policy should seek clarification from
appropriate management or from the Administrative Services Director(brobinson@vbg.org).
Page 5 of 12
i
h
N
�
� D.EPARTMENT DIRECTORS
�
It is the responsibility of each Department Director to support or promote this policy and to ensure employees
have adequate knowledge of the principles outlined herein.Departments individually may provide add�tional
policies or guidelines for the use of Village ITRs,which may not be less restrictive than this policy. �
• Be aware of productivity issues that may arise from the overuse/misuse of email,Internet ac�ss,social
media,and mobile device usage.
• Be aware of the use of sensitive information by Users within your department.Such information may not
be stored on mobile devices that can leave the Village premise.
• If your department must share such sensitive information with outside organizations,it is required to be
encrypted.Please contact the Information Technology Department for details on how to encrypt
information for these purposes. �
• Be aware that inappropriate use of Village ITRs by your staff may result in the suspension of use or
removal of access to Village ITRs for those individuals and disciplinary action. �
�1NFORMATION TECHNOLOGY DEPARTMEIVT
The Information Technology Department is responsible for the administration of Village ITRs which includes the
provisioning and maintenance of such devices,services and network that comprise these ITRs,and it should
provide general training wherever possible for Users in the proper use of such systems.The department shall also
provide User training of policy issues,emphasizing acceptable and unacceptable uses and respond to�questions of
interpretation of this or related policies.Also,this department shall be responsible for on-going review and
maintenance of this policy as required by changes in local,state,and federal law and as necessary fo i local
considerations.Finally,the Information Technology Department should aid any Department in developing
supplemental policies or guidelines related to appropriate use.This support may be limited by feasibility or the
discretion of the Administrative Services Director. �
!
�
�
I
� �
�
�
Page 6 of 12
1
� � � : , � •
The use of Village ITRs empowers Users to work effectively and allows them to deliver better services,�hether
�
internally to the Village or externally to our residents.As such,all Users are encouraged to fully use Village ITRs in
pursuit of the Village's strategic goals and objectives.Should any User be subject to more restrictive policies,
whether by law,by regulations,or by other department requirements,the more restrictive measure will prevail.
I
� DATA CONFIDENTI'ALITY
a
In the regular course of work activities, Users often have access to confidential or proprietary information,such as
personal data about individuals or commercial information about business organizations.Under no circumstances
is it permissible for Users to acquire access to confidential data unless such access is required by theirjjobs.Under
no circumstances may Users disseminate any confidential information that they have rightful access to unless such
dissemination is required by their jobs.As such,Users:
• Must be aware and protective of any information which may be considered confidential or sensitive,
especially that which contains personally identifiable information.If such information must b�e shared with
outside organizations in conducting Village business,it must be encrypted and cannot be sh�red if not
encrypted.
• Must report to the Information Technology Department if you become aware that you have more access
to information or systems than you ought to have for your assigned work.This helps maintailn the
principle of least privilege. �
� ,
�
�
IDENTITY PROTECTION POLICY �
��
�
Improper disclosure of protected personal identifiers such as social security numbers may contribute to
identity theft and any number of resulting credit problems.The Village has adopted this Policy to protect
social security numbers from unauthorized disclosure.In accordance with the Illinois Identity Protection Act,
only employees who are required to use or handle information or documents that contain social�security
numbers shall have access to such information or documents.All employees with access to social security
numbers in the course of their job duties must undergo training to protect the confidentiality of the social
security numbers. '� �
�
+COPYRIGHT PROTE.CTION �
�
Computer programs are valuable intellectual property.Software publishers can be very aggressive i�protecting
their property rights from infringement.Similarly,legal protections can also exist for any information published on
the Internet,such as the text and graphics on a web site.As such,it is important that Users respect the rights of
intellectual property owners.Users should exercise care and judgement when copying or distributing computer
programs or information that could reasonably be expected to be copyrighted.Village intellectual p�operty such as
the Village logo or letterhead may only be used in the conduct of Village business.Users should exercise care in
allowing such property to be used,or misused,for purposes not approved by the Village. I
_ I
y CYBERSECURITY'AINARENESS � ' I
Users should exercise reasonable precautions to prevent the introduction of a computer virus or other malware I
into the Village Network.Avoid opening any email attachments which came unexpectedly,whether?from a vendor I
I
Page 7 of 12 I
I
�
�
M
�
or from a colleague.Report any suspicious emails or files to the Information Technology Department i�mediately
upon discovery.Suspicious emails can be forwarded to support@vbg.or�or via the Phish Alert icon in Outlook.
Similarly,report if you suspect your account has been accessed or your device has been compromised in some
way. Keep your computer locked when not in use. �
�
r
PASSWORDS `
�. `
Passwords are an important aspect of computer security.They are the front line of protection for user�accounts.A
poorly chosen password may result in a compromise of the Village's entire network.As such,all Village employees
(including contractors and vendors with access to Buffalo Grove systems)are responsible for taking the
appropriate steps,as outlined below,to select and secure their password.
Password Construction Requirements
�
• Be a minimum length of twelve(12)characters on all systems.
• Not be a dictionary word or proper name.
• Not be the same as the User ID.
� Expire within a maximum of 90 calendar days.
• Not be identical to the previous ten(10)passwords.
• Not be transmitted in the clear or plaintext outside the secure location. �t
�
• Not be displayed when entered. �
Password Protection Standards �
Do not use your User ID as your password.Do not share Village of Buffalo Grove passwords with any�ne,including
administrative assistants or secretaries.All passwords are to be treated as sensitive,Confidential Village
f
information.If an account or password is suspected to have been compromised,report the incident tpo the
Administrative Services Director or the IT Department immediately. p
1
Here is a list of"do noYs" �
• Don't reveal a password over the phone to anyone �
r
• Don't reveal a password in an e-mail message �
• Don'talk about a password in front of others
• Don't hint at the format of a password(e.g.,"my family name")
� Don't reveal a password on questionnaires or security forms
• Don't share a password with family members
• Don't write passwords down and store them anywhere in your office.
• Don't store passwords in a file on ANY computer system unencrypted
1
ACCEPTABLE USE.ACT(VITIES ' !
• Users may use only the computers,computer accounts,and computer files for which they have been
authorized
� Users should make a reasonable effort to protect passwords and to secure resources against
unauthorized use or access �
• Activities,communications,or information exchange should be limited to those which are�directly related
to the mission,charter,or work tasks of the Village of Buffalo Grove government
Page 8 of 12
u
4
. I
�
y UNACCEPTABLE USE ACTI.VITIES
tl
It is generally unacceptable for any person to perform or support the following activities as it pertains to the use of
Village ITRs.In certain cases,a User may receive an exception from the Information Technology Depart�ment,if the
activity is necessary for official Village business.This list of unacceptable activities is not all-inclusive: '
• Use of any Village ITRs for any purpose that violates a federal,state,or local law
• Use of any Village ITRs to commercial enterprise or other for-profit activities
• As an authorized User of Village ITRs,you may not enable unauthorized Users or personal deu,ices to
access the Village network or other resources �
I • Attempts to gain,or attempt to gain,unauthorized access to any computer or Village network
• Purchase,install or access unauthorized software.
� Use of another individual's account or attempts to capture or guess another Users'password(s)
r"
• Users shall not knowingly destroy,misrepresent,or alter any Village Information.
• Recognize that Village policies related to employee conduct apply consistently when using technology.As
I such: �
o Do not send threatening or harassing messages,whether sexual or otherwise �
( o Do not attempt to access,share,or store sexually explicit,obscene,or otherwise inappropriate
materials �
o Do not send unsolicited email or other communications � I,
o Do not libel or otherwise defame any person + ,
• Use of tools or programs that cause interference with or disruption of network Users and resources, �
including propagation of computer viruses or other potentially harmful programs(e.g.,password
'crackers,'vulnerability scanners,network sniffers,etc.)
• Attempts to disable,defeat,or circumvent any network security,computer security,or other such
information security resources � I
• The use of any encryption method not approved by the Information Technology Department
�
�
;
Page 9 of 12 �
�
I
� � � : • � � s • � • • • • •
�
� EMAIL. �
r
The use of Village email brings several professional,legal,and security implications that create a high level of
responsibility on each User.As such each User must take the use of,the convenient access to,and the�security of
email accounts they are authorized to use with care.
� EMAIL PROFESSIONALISM II
IVillage email addresses identify the organization that sent the message,in our case it typicaliy takes�the form of( '
firstinitialmiddleinitiallastname@vb�.or�)Because of this Users should consider email messages to�be the I
,
equivalent of letters sent on official Village letterhead.Users should ensure that all emails are written in a
professional and courteous tone.Although many Users regard email as a convenient and informal�ay to
icommunicate,Users should remember that emails are recorded for o�cial Village record and may be copied,
printed,or forwarded by recipients.As such,Users should not write anything in an email message that they
would not feel just as comfortable putting into a formal Village document.
EMAIL CYBERSECURITY �
As email is a widely used means of communication,it is also the primary method of cyber-attack on the Internet.
Users have a responsibility to identify fraudulent Village or other commercial solicitation to avoid the dangers.
The Information Technology Department routinely conducts email phishing tests with Village employees. These
tests are designed to teach employees how to identify and avoid dangerous emails. Supplemental�training is
also provided for employees who are prone to clicking on these test phishing emails. As such,employees who
�
repeatedly fail the phishing tests three or more times will have the following remediation steps applied
progressively: �
�
• Discussion with employee's Department Head on the risk and necessary training '
I
• Suspension of employee's email access pending their Department Head's request to the Administrative
Services Director to reinstate the employees email account �
• Suspension of employee's email access pending full review with Department Head,IT Direetor,and other
administrative staff,as needed
EMAIL ENCRYPTION AND SENSITIVE INFORMATION J
�
Email messages are generally sent in plain text via untrusted networks over the Internet that are�outside of the
Village's control. When these messages are sent without appropriate security safeguards,they are like
postcards that can be read,copied,and modified at any point along these paths. It is vital that s�nsitive
information is only sent if absolutely necessary,and if sent such emails shall be encrypted. �
EMAIL AS VILLAGE RECORD
Email communications are subject to the Village's record retention ordinance(s)and policies.Although deletion
of unnecessary email communications is strongly encouraged,Users should refer to the approved retention
schedule for proper disposition of email communications.The Information Technology Department is authorized
to enforce the Village's record retention schedules on behalf of Users. �
Page 10 of 12
�
h
�
�
�
�
ADDITIONAL EMAIL RESPONSIBILITIES ?
Each User has the following responsibilities for use of Village email.Any necessary exceptions to this list may
only be provided by the Information Technology Department:
• Use of email applications(such as Outlook)or mobile mail apps is only permitted on Village-issued devices
• Access to Village email from personal or other devices not issued by the Village may only be performed
via webmail services
• No Village email address may be automatically forwarded to an external email account
• Do not open and/or forward email from unknown senders.This is vital to prevent Village info�mation
from being exposed to ransomware or other cyber-attack. Report any suspicious emails to �
�
support@vbs.ors '
� I
GO�MPUTER USAGE AND_INTERNET ACCE� �
� �__ j
Use of the Internet increases the risk of exposing Village information and computer systems to cybersecurity
breaches. Because of this,Village ITRs are to be used only for Village activities.We recognize there may be
,
incidental personal use of Internet on Village-issued devices,but this activity must be limited and cannot be
performed at all if such activity is in violation of this policy.Additionally,personally owned devices are not
authorized to connect to the Village's private network and access Village information.
The following are restrictions on activities performed on or with Village-issued computers:
I
• Users must lock their computers when stepping away to prevent unauthorized access '
• Users must not store passwords to accounts or systems directly on their computer unencrypted or in
�
written form �
• Users must not share their passwords or system passwords with anyone and should prompM1tly notify the
Information Technology Department if they suspect their password or device has been corripromised
• Users must avoid saving information or files to their local computers,but instead should sa�e Village
Information on approved cloud-based storage
• Do not purchase,download,install,access,or use any software without authorization of the Village
Manager or Administrative Services Director. '
• Do not install or download any app without authorization from the Information Technology Department.
i
TELEWORKLN6 �
Users who are approved by their department for telework must follow all requirements indicated m the Village of
Buffalo Grove Personnel Policy.Teleworking requires Village-issued ITRs to be used for remote access into the
Village Network.Personally owned devices may not be used for these purposes.
t
�
A
Page 11 of 12
� � ■ / . . • � • ' � � � ' �
Village of Buffalo Grove Personnel Policy
Village of Buffalo Grove Procurement Policy
Illinois Freedom of Information Act(5 ILCS 140/1 et seq)
Village of Buffalo Grove Records Management and Retention Policy
• • •
�. . .. . .
December 4,2023 Admin Services Published
Page 12 of 12