Loading...
HomeMy WebLinkAboutMOBILE ELECTRONIC DEVICE 5-2012City of Santa Ana Administrative Policies and Procedures Policy and Procedures on Mobile Electronic Devices PURPOSE City Manager's Authorization Section: Date Approved: Number: May 22, 2012 900.20 The purpose of the Mobile Electronic Device Policy is to establish guidelines for the assignment and use of the devices, as well as define the methods of protection that the City of Santa Ana (COSA) requires to administer the devices within the COSA computing environment. ORGANIZATIONAL UNITS AFFECTED This policy applies to all COSA employees, elected officials, volunteers, contractors/ vendors. DEFINITIONS A. Computing Environment: a collection of computers, telecommunications and network equipment, applications, and wiring that support the processing and communication of electronic information. B. Contractor /Vendors: any person or body that is recognized as independent of COSA, engaged to perform services for the organization. C. Credentials: the means and manner by which access is granted to a specific resource. This can include user IDs, passwords, badges, tokens, and keys. D. Information Technology Personnel (ITP): the COSA staff and /or contractors employed to ensure the health and well -being of the COSA technical environment. E. Information Owner: the individual or entity that is responsible for the use and disclosure of an information asset. 11P F. Confidential Information: information that may be associated with an individual, e.g. HIPPA, and /or privileged attorney /client information. G. Sensitive Information: any information that could potentially be used maliciously to compromise the security of COSA resources or customers, i.e. administrative passwords connected to COSA server(s). H. Malware: includes computer viruses, worms, Trojan horses, spyware, dishonest adware, crime ware, and other malicious and unwanted software. Mobile Electronic Device: any portable electronic device that can view, share, access, and /or process digital information. Examples of a portable electronic device may include: • Laptops • Blackberries • Smartphones • Tablets (iPad) J. Personal Mobile Electronic Device: any mobile electronic device not owned by COSA, but connected to City server or other COSA connectivity devices that are subject to this Policy. K. Third Parties: any entity that interacts with COSA, but is not directly affiliated, including: clients, contractors, sub - contractors, government agencies, vendors, community organizations, unions, etc. L. Authorized user: refers to an employee, elected official, or contractor approved for assignment of a device. Such a device, if public property, shall be used for business purposes only. PROCEDURES A. COSA shall ensure that only authorized mobile electronic devices are allowed to be used in the COSA computing environment: 1. Authorization must be received by Department Head prior to any device be added to the COSA computing environment. 2. All authorized users shall protect all mobile electronic devices, as well as the data they contain, with an appropriate level of security. B. COSA shall ensure that all authorized mobile electronic devices are centrally managed in order to ensure accurate inventory, minimize operational overhead, 2 1 P a g e and reduce information security risks: 1. All authorized mobile electronic devices shall comply with existing COSA and ITP technical policies and standards. 2. All authorized mobile electronic devices shall only be managed by authorized ITP staff. 3. All authorized mobile electronic devices shall be configured in accordance with the COSA's standard for anti - malware protection, as required and available. 4. All authorized mobile electronic devices shall be configured, in accordance with applicable COSA standards. 5. Users shall maintain data on a mobile electronic device in accordance with COSA's Records Retention and Destruction Policy. 6. All devices purchased by COSA are public property and subject to disclosure according to the California Public Records Act, the Brown Act, or any other California laws pertaining to public employees /officials. 7. The COSA reserves the right to inspect any and all files stored on the devices. C. All mobile electronic devices shall be physically protected at all times. 1. Not be left unattended in any public locations (e.g. conference rooms). 2. Use built in physical locking features (e.g. laptop cable locks) or shared securely (e.g. locked cabinets) when left unattended in non - public areas 3. Not be left in vehicles in plain sight. 4. Repairs and /or replacements of COSA devices due to negligence or misuse must be paid for by the person who was issued device. D. COSA shall ensure a process is in place to protect sensitive or confidential information on all approved mobile electronic devices: 1. Storing or sending COSA sensitive or confidential information must be carefully considered before transmitted through a mobile device. 3 1 P 2. All mobile electronic devices shall be wiped and defaulted prior to decommissioning, selling, servicing, or transferring. E. A lost, defective or stolen mobile electronic device must be reported immediately by authorized user. 1. A loss of an authorized mobile electronic device must be reported to ITP immediately, (or within a 24 -hour period). F. Upon termination of employment and /or service to the COSA, the mobile device(s) must be returned to the appropriate level manager before leaving position. G. Support for mobile electronic devices. 1. All COSA - provided equipment shall be supported by the COSA ITP during business hours (varies by department). 2. Any approved personal mobile electronic device shall be supported by the device owner's service provider or primary organization's support department first (e.g. personal Verizon Blackberry shall be supported by Verizon first). The COSA ITP may support these devices after it has been deemed a COSA issue by the provider. H. Approved personal mobile electronic devices shall be protected with the same level of security as COSA provided equipment. 1. Any employee or third party requesting access to any COSA resource using a personal mobile electronic device must attain approval by respective Department Head of Agency. 2. Smartphones and Tablets are approved to connect to the COSA's email services (e.g. Microsoft Exchange /Outlook). 3. Approved, personal mobile electronic devices may be synchronized with the user's COSA contacts and calendar information. Calendar information shall not have any attached documents. 4. Any approved personal mobile electronic device shall not use any information security assessment tools or software that would expose the COSA computing environment without approval by ITP. 4 1 P 5. Any approved personal mobile electronic device must comply with all the standards in this policy and all COSA Security Policies. 6. Any approved personal mobile electronic device user must comply with COSA's email and Internet Acceptable Use policies. 7. All approved personal mobile electronic devices are subject to all laws affecting COSA (e.g. e- Discovery, Public Records Act, etc.). 8. COSA has the right to audit the configuration and content of any personal mobile electronic device that has been approved on the COSA technical infrastructure. The intent is to ensure that user's mobile electronic devices do not have any unauthorized sensitive or confidential COSA information, and that the configuration meets COSA's minimum security standards. 9. Mandatory requirement for the implementation of password protection: a. for access to the mobile device b. for access to the City network /email 10. Maximum 5 minute inactivity timeout before requiring the pass code to be reentered. 11. Mandatory requirement for permission and implementation of "remote wipe /erase" function for every mobile device before they are connected to the City email system and computer network. a. Include City -owned and Privately -owned mobile devices b. Rules for activation of "remote wipe /erase" to be pre - established c. "Remote wipe /erase" will be implemented by Information Services Division - Operations upon triggering of any of the following pre- established rules. 1. Mobile unit is replaced by different device or "retired" without replacement. 2. Mobile unit is lost or stolen 3. Transfer of use of the mobile unit to another individual 5 1 P 4. Completion of a mobile device user's relationship with the City [e.g. retirement, resignation, termination, etc.] 5. To repair a software issue 6. The device is infected by a virus or other malware 7. Needed to protect City data and /or computer network 12. Conditional use provisions for the City to allow a mobile device to connect to the City network /email include the user's agreement to notify the City of certain status changes of their mobile device a. Status changes requiring immediate notification to the City mobile device support staff include: 1. Mobile unit is lost or stolen 2. Transfer of use of the mobile unit to another individual 3. Completion of a mobile device user's relationship with the City [e.g. retirement, resignation, termination, etc.] b. Delays in notification will be cause for immediate disconnection from the City network /email. 13. Users are responsible for ensuring their data and applications are safe and backed up. a. The City does not have the capability to remotely back -up mobile devices b. The City is not responsible for lost data or applications due to a remote wipe /erase. 14. The City has the right to inspect the content [including but not limited to: data, applications, files, emails, device system files /data, etc.] on mobile device which was previously granted permission to connect to the City computer network and /or City email. 15. By accepting the City's permission to connect to the City computer network and /or City email, the mobile user acknowledges that they do not have any personnel privacy rights in or to any content [including but not limited to: data, applications, files, emails, device system files /data, etc.] created, received, stored -in, passed- through, or sent from their mobile device. 6 1 P 16. Due to inherent technical issues which inhibit the local management of some remote devices, Information Technology Personnel cannot be responsible for installing application software on mobile devices, either City -owned or privately- owned. 17. SAPD DOJ: Accessing Criminal history via mobile devices is prohibited. Unless the device uses FIPS 140 -2 encryption and two factor authentication, accessing criminal history information, including secondary derived information, is prohibited according to the CLETS PPP and the SJIS Security policies. J,. All approved mobile electronic device users shall review this Policy and sign consent. PROVISIONS AND CONDITIONS Violation of this policy by employee can result in disciplinary action including formal reprimand, suspension, and /or termination. Third parties failing to comply with this policy may result in COSA exercising its rights pursuant to the underlying contract. RELATED DOCUMENTS • Mobile Tablets Policy #900.22 • Internet Acceptable Use Policy #900.21 7 1 P a