City of Lebanon
New Hampshire
ADMINISTRATIVE POLICIES & PROCEDURES
CYBER SECURITY
ACCEPTABLE USE POLICY
Policy Number Effective Date Last Revision Page No.
ADM-413 4/26/21 Page 1 of 8
Approved by:
Section 1.0: Purpose
The purpose of this policy is to outline the acceptable use of computer equipment
on the City’s computer network. These rules are in place to protect both employees
and the City. Inappropriate use exposes the city to risks including virus attacks,
compromise of network systems and services, and legal issues.
Section 2.0: Scope
Compliance with this policy is mandatory for all City officials, employees,
committees, and contractors of the City of Lebanon. For the purposes of this
document, this group of individuals will be referred to as “users”. This policy also
applies to all information, computer systems, and data that are used for official City
business regardless of its location. This policy applies to all equipment that is
owned and leased by the city, and to all individuals who operate this equipment. In
addition, users must still abide by local, state and federal laws and regulations as
well as established City policy while using computer systems.
Section 3.0: Definitions
ENCRYPTION is the process that encodes a message or file so that it can only be
read by certain people with the decryption key.
LEVEL OF RIGHTS is the approved access to certain data files and folders on the
computer network. Example: Administrator will have more access to files and
folders than a user.
MEMORY DEVICES store data and can be portable. Examples are USB flash drives
and external USB data storage drives.
NETWORK is a group of computers that use a set of common communication
protocols. This allows for sharing of data and communication between computer
systems.
OPTICAL MEDIA refers to CD-ROMs and DVD-ROMs that have the ability to store
data.
SECURITY BREACH is any incident that results in unauthorized access to
computer data, applications, networks or devices.
Section 4.0: Policy Detail
4.1 General Use and Ownership
1. While the Cyber Services Department desires to provide a reasonable level of
privacy, users should be aware that the data they create on the City systems
remains the property of the City of Lebanon. The need to protect the City’s
network being paramount, employees should have no expectation of privacy
regarding the use of the City’s technology systems.
2. Users are responsible for exercising good judgment regarding the
reasonableness of system use. Users should be guided by Cyber Services
policies on such use, and if there is any uncertainty, employees should
consult their Director, Manager, Supervisor, or the Cyber Services Help Desk.
3. All technology systems usage is subject to inspection to ensure compliance
with City policies; any suspected breaches of security shall be audited by the
Cyber Services Director or designee at any time with or without notice.
4. Information Systems require passwords. User passwords should NEVER be
shared with anyone, including members of the Cyber Services staff, nor
should any efforts be made to obtain the password of another user. If
anyone requests your password, this activity should be reported to the
department’s Director and Cyber Services Director immediately.
5. Anyone that connects to the City Network will be assigned a unique
username and password and is expected to maintain their password. The
sharing of user accounts to log onto systems is not permitted. Users
must always store their computer login credentials in a secure location.
Writing a password down is not considered a secure location.
No attempt should be made to obtain a level of rights on a system beyond
what has been expressly granted. Examples of this include attempting to
log onto a system with another user’s login name, accessing an application
or system through back-door access, or the use of hacking tools.
4.2 Workstation Use
1. Users should never leave their workstations in an unprotected state. If a
user anticipates being away from their PC or laptop, they should either log
off their PC or lock it by pressing CTRL+ALT+DEL and selecting “Lock
Workstation”. Screen savers are set to activate after 10 minutes or less of
inactivity.
2. Any applications installed on a user’s PC must be approved by Cyber Services
and directly related to fulfilling their job responsibilities. New applications
must work without requiring administrative rights on PCs or laptops.
3. Members of Cyber Services Technical Support staff maintain administrative
level access to all network connected PCs on the City network. Attempts to
block or override this level of access are prohibited.
4. Any foreign optical media or memory devices (CD-ROMs, USB flash drives,
removable hard drives, etc.) will be scanned for viruses or other malicious
content before files are opened or copied from them. Users can contact the
Cyber Services Help Desk (https://helpdesk2k16.lebnh.com,
ithelp@lebanonnh.com x1427) for assistance.
5. Security related software like Anti-virus and/or Anti-malware software will
be installed on every PC attached to the City network. Users are prohibited
from interfering with the operations of this software. This includes attempts
to uninstall or disable the software.
6. Each user has been allocated disk space on a network file server for storage.
Users can access this storage by selecting their mapped drives. Users should
save all their documents to their network drive to ensure that they are
backed up for disaster recovery purposes. Network storage space is for work
related information only. Content of a personal nature should not be stored
on network drives.
4.3 Local Area Network Use
The Cyber Services Department maintains a robust data/telecommunications
network which enables users to conduct business as efficiently as possible.
This network joins all City-owned PCs on a common communication
platform, as well as enables Internet communication.
PCs and other network-based devices, such as printers, can only be attached
to the network with approval from Cyber Services.
The connection of personal devices to the City network is prohibited unless
approved by the Cyber Services department. This includes but is not limited
to printers, faxes, monitors, PCs, laptops, storage devices, cell phones, and
network devices.
The Cyber Services Department is solely responsible for configuring devices
to communicate on the network. Attempts to override Cyber Services
configured settings are prohibited. Cyber Services may designate and
approve individuals to configure devices. Cyber Services will require proper
training and process compliance before designation is approved.
Network expansion devices, such as wireless access points, switches, or
hubs, are installed and managed exclusively by Cyber Services. These types
of devices, when purchased through local retail stores, are designed for
home use, and can introduce significant security vulnerabilities to the City
network. Installation of these devices by anyone other than Cyber Services
staff is prohibited.
Only select members of Cyber Services staff are permitted to actively
monitor the City Network. The use of network monitoring tools by non-Cyber
Services staff is prohibited.
4.4 Remote Access Use
1. Cyber Services provides two methods of Remote Access, Cisco AnyConnect
Virtual Private Network (VPN) and LogMeIn. These are the only approved
remote access services to connect to the City’s network. Only City owned
equipment will be allowed to connect remotely. Department heads or their
designee must approve all user remote access requests.
2. Regardless of the location where remote access is being performed, users
need to ensure that the confidentiality of the information being accessed is
maintained.
4.5 Internet (Web) Use
1. Web browsing and social networking activity should be limited to business-
related sites.
2. Sites that stream video or audio are generally not permitted from the City
network unless there is a business need.
3. Cyber Services maintains a web filtering service that monitors web-related
traffic on the network. Department heads or their designee may request
access to blocked sites for employees where it is necessary for business
functions. Cyber Services actively blocks the following types of content:
a. Sites known to contain malware/spyware/adware
b. Advertisements/Pop ups
c. Pornography
d. Confirmed spam sources
e. Known hacking sites and sources
f. Keyloggers and monitoring
g. Nudity
h. Online gambling
i. Proxy avoidance and anonymizers
j. Phishing and other known fraud sites
k. Online personal storage
l. Instant messaging (Discord, WhatsApp, ICQ, etc.)
4. Cyber Services can generate activity reports for any user when requested by
a Department Head.
5. If Cyber Services discovers in the course of troubleshooting a network or PC
related issue that a user’s web activity is adversely affecting normal business
operations, this will be reported to the appropriate Manager/Director.
6. Sensitive information should never be entered onto a 3rd party web form
unless the site is secure. Users can quickly identify a secure site by locating
a small lock icon at the beginning of the web address. If there is any doubt,
the user should contact the Cyber Services Helpdesk for assistance.
7. The use of P2P (peer to peer) services is prohibited. Examples include
BitTorrent and LimeWire.
4.6 Electronic Mail (Email) Use
1. Email should be used for business use only.
2. Email is not designed for the transfer of large files. Files larger than 20 MB
should not be sent using email. If a user must transfer a larger file to a user
or a group of users, they should contact the Cyber Services Helpdesk for
alternate methods.
3. Emails that contain any form of confidential information must be encrypted.
4. Chain emails and spamming are an abuse of the City’s email system and are
not permitted. This includes spreading email without good purpose to an
individual, group, or system.
5. “Bombing”, which is the flooding of users, groups, or systems with large
email messages, is not permitted.
6. The use of the “DL-COL” distribution group should be limited as much as
possible and should be only for business reasons.
7. Spam is unsolicited email sent from a 3rd party agent outside of the City.
Cyber Services maintains a spam-filtering system, which attempts to filter
out junk email from a user’s inbox. However, since all spam filtering
solutions are rules based and reactive, no spam solution is foolproof.
Therefore, if a user is repeatedly receiving unsolicited email, the user should
add the email to the block list and then delete it.
8. Phishing is a type of malicious email that appears to be from a legitimate
source, such as a financial institution, that requests that you click on a web
link and enter sensitive personal information. Attackers then use the
information provided to engage in identity theft. As with spam, Cyber
Services actively filters phishing emails intended for city employees.
However, if you do receive this type of email, simply click on the “Phish Alert
Report” button in Outlook. Users may also opt to contact Help Desk for
further investigation. You should NEVER respond to any email requesting
any of the following items:
a. Social Security number
b. Credit Card numbers
c. Passwords
d. Bank account numbers
e. Information specific to the City’s network or telephone system.
9. Spoofing is a technique used for spam and phishing, where the sender makes
it appear that the email originated from a different source. The email may
appear to be from you and also to you, or it may be to you but is not from
the apparent sender. Attackers use these spoofed emails to get you to click
on virus links, and also to obtain personal information from you. If you
suspect you have been spoofed, simply delete the email.
4.7 Social Networking Use
Social networks are online communities of people or organizations that share
interests and/or activities and use a wide variety of internet technology to make the
interaction a rich and robust experience. Examples of social networking services
include blogs, Facebook, LinkedIn, Twitter and many others. This also includes
forms of online publishing such as discussion groups, file sharing, user generated
video and audio and virtual worlds. Employees that choose to participate in social
networks as a City employee shall adhere to the following.
1. City Policy ADM-100, rules, regulations, and standards of conduct apply to
employees that engage in social networking activities while conducting City
business. Use of the City’s e-mail address, website and communicating in
your official capacity will constitute conducting City business.
2. Departments have the option of allowing employees to participate in existing
social networking sites as part of their job duties. Department heads may
allow or disallow employee participation in any social networking activities in
their departments for business use.
3. Protect your privacy, the privacy of citizens, and the information that the City
holds. Follow all privacy protection laws like HIPAA and protect sensitive and
confidential City information.
4. Follow all copyright laws, public records laws, records retention laws, fair use
and financial disclosure laws and any others that might apply to the City or
your functional area.
5. Do not cite vendors, suppliers, clients, citizens, co-workers or other
stakeholders without their approval. When you do, make a reference and,
where possible, link back to the source.
6. Make it clear that you are speaking for yourself and not on the behalf of the
City. If you publish content on any website outside of the City of Lebanon
and it has something to do with the work you do or subjects associated with
the City, use a disclaimer such as this: “The postings on this site are my own
and don’t necessarily represent the City’s positions or opinions.”
7. Do not use ethnic slurs, profanity, personal insults, or engage in any conduct
that would not be acceptable in the City’s workplace. Avoid comments or
topics that may be considered objectionable or inflammatory.
8. If you identify yourself as a City employee, ensure that your profile and
related content are consistent with how you wish to present yourself with
colleagues, citizens, and other stakeholders.
9. Correct your mistakes, and don’t alter previous posts without indicating that
you have done so. Frame any comments or opposing views in a positive
manner and don’t instigate an argument or harass others on the internet.
10. Add value to the City of Lebanon through your interaction. Provide
worthwhile information and perspective.
4.8 Mobile Device
1. City owned and issued mobile devices are to be used for City business, with
personal use kept to a minimum.
2. Employees must adhere to the security features enabled and enforced by the
Cyber Services department, which include the enforcement of a PIN.
3. If you lose your device or it is stolen, immediately contact the Cyber Services
department. The Cyber Services department will remotely lock and/or
remotely wipe the device. All business and personal data will be deleted.
4. Do not share your PIN or password with anyone.
5. Users must obey all laws regarding mobile devices while operating a motor
vehicle.
Section 5.0: Procedures
Section 6.0: References (Charter/Code/State Statutes)
NIST 800-53
NIST Cybersecurity Framework
ADM-411 Access Control and Password Policy
ADM-100 Guidelines for Use of Social Media
Section 7.0: Policy & Procedure Revision History
Section Revisions Date
Original Adoption 4/26/21
Amendment
Amendment
Amendment