Acceptable Use Policy

I. Purpose:

The purpose of this policy is to describe the acceptable use of City of Olympia’s technology assets (e.g., hardware, software, data, and authentication information) by City of Olympia workforce members. Acceptable use of technology assets is essential to ensure City of Olympia meets its regulatory requirements and maintains the confidentiality, integrity, and availability of technology assets used to provide public services.

II. Applicability and Audience

A.    Users

This policy applies to all persons working for, or on behalf of City of Olympia, including workforce members, third parties, volunteers, and contractors accessing technology assets owned and operated by City of Olympia. These requirements apply whether the user is working at a City of Olympia facility or connecting remotely. This policy does not apply to members of the public or workforce members while acting as a member of the public (e.g., while visiting www.Olympiawa.gov to make a payment, look for information, or search for employment opportunities).

B.    Technology Assets

This policy applies to the use of all City of Olympia technology assets including web or “cloud” based platforms, applications, and services that are owned and operated by a service provider on behalf of City of Olympia. This policy also applies to the use of third party or personal devices, if used to access City of Olympia’s technology assets in the process of working for or on behalf of City of Olympia.

C.    Exceptions

Requests for exceptions to this policy must follow the Information Services information security policy exceptions handling process. Please open a ticket with the service desk to request a policy exception.

III. Definitions

All definitions are contained within the City of Olympia Information Security Policy and Standards Glossary.

IV. Policy

A.    System Use Notification

City of Olympia technology assets will display a system use notification where possible, prior to logging in, that states City of Olympia’s ownership of the asset and that the asset is covered by City of Olympia policies and applicable law (e.g., logging into computers or servers, applications including web based or Software as a Service applications, or other equipment such as network and telecommunications equipment).

B.    Acceptable Use Behavior

City of Olympia must protect the confidentiality (authorized access to systems and information), integrity (authorized modification of systems and information), and availability (making sure systems and information are available when needed) of all technology assets supporting City of Olympia’s services. When engaged in the performance of your role with City of Olympia:

1.    Attempts to disable or circumvent any City of Olympia security controls, policies, or procedures (e.g., disabling virus protection or installing unauthorized software) is prohibited. This includes, but is not limited to:

a.    Use of tools that compromise security (e.g., password crackers, network sniffers, attack frameworks and software distributions, proxies, unauthorized VPN clients, or other tunneling technology), except as authorized by the IT Infrastructure Manager

b.    Attempts to disable, defeat, or circumvent any City of Olympia information security components

c.    Intentional or careless interference with the normal operation of City of Olympia technology assets

2.    Use that violates City of Olympia policy or local, state, and/or federal laws is strictly prohibited. This includes, but is not limited to:

a.    Theft of City of Olympia technology assets, including sensitive data

b.    Use of City of Olympia systems for any type of harassment, which includes using any words or phrases that may be construed as derogatory based on race, color, sex, age, creed, disability, marital status, national origin, religion, pregnancy, gender, gender identity or expression, genetic information, sexual orientation, veteran or military status, use of a service animal, or any other status protected by federal, state and local law

3.    Unauthorized use, destruction, modification, or distribution of City of Olympia external and internal systems, applications, and data is prohibited. This includes, but is not limited to:

a.    Release or disclosure of City of Olympia data to unauthorized parties inconsistent with federal, state, and local law (e.g., HIPAA, Chapter 42.56 RCW), City of Olympia policies, or inconsistent with your assigned job role and responsibilities

b.    Attempts to modify administrative settings and configurations or repair hardware and software. Such modifications, configurations and repairs shall only be performed by authorized technology support personnel for the City. This excludes basic troubleshooting such as closing and restarting an application or a restart/reboot of a single workstation. Modification, configuration and repairs of enterprise information technology equipment and networking infrastructure shall only be performed by authorized Information Services support personnel.

c.    Removal of technology assets from City of Olympia premises without prior approval by authorized technology support personnel for your department is prohibited. This excludes technology issued directly to you for employment purposes approved for taking home or from City of Olympia premises by your supervisor, human resources personnel, or Information Services.

4.    Use of personal devices including computers, network devices, or any other personal equipment to make a direct network connection (wired or wireless) to City of Olympia internal private networks within City of Olympia facilities is prohibited.

5.    Personal devices such as mobile phones and tablets may be used to access City of Olympia technology such as email, calendar, and unified communications and for purposes of multi-factor authentication. Personal devices must utilize apps (mobile applications and/or software) authorized by Information Services. Personal devices may be denied access if insecure configurations are detected (e.g., a jailbroken phone, or a phone that does not use a password/PIN). City of Olympia reserves the right to require personal mobile devices or mobile apps to be managed by a mobile device or mobile app management solution to protect City of Olympia technology and data.

6.    Use of information systems to solicit for commercial ventures, religious or political causes, or for personal gain unrelated to the processes of working for or on behalf of City of Olympia is prohibited unless explicitly allowed by City of Olympia policy or federal, state, or local law.

7.    City of Olympia’s assets must never be left unattended in an unsecured location (e.g., at the airport, or in a coffee shop). A secured location can be a locked vehicle (out of sight if possible), your home (secured from use by family members and guests), or within designated areas in City of Olympia facilities such as an assigned cubicle or equipment storage location. Please review City of Olympia telecommuting policies and guidance for further information regarding secured location requirements when telecommuting.

8.    When working remotely or in a City of Olympia facility, workforce members must lock or log out of City of Olympia technology assets like laptops when not in use to prevent an unauthorized individual from obtaining data or information. When working with regulated data, workforce members must take additional precautions (e.g., positioning the equipment so the screen cannot easily be viewed or using a screen protector) to prevent others from being able to view the information on the screen while in use. When regulated data is being communicated through phone calls or spoken aloud, workforce members must take precautions (e.g., closing a door, asking people to step out for a few moments, using a headphone, speaking softly, or finding an alternative way to communicate the information) to prevent access by unauthorized parties.

9.    Lost or stolen City of Olympia technology assets must be reported immediately by opening a ticket with the service desk. Your department may have additional procedures for lost or stolen assets. Please speak with your supervisor to determine what these additional procedures may be.

10.    Upon termination of any City of Olympia workforce member, including a third party or contractor, all City of Olympia technology assets must be returned to City of Olympia.

11.    Hardware and software must be procured in accordance with City of Olympia procurement policies, in compliance with Information Services policies and standards, and properly licensed and registered in the name of City of Olympia.

C.    Personal Use

City of Olympia technology assets are purposed for conducting the business of City of Olympia. Occasional personal use of technology equipment issued to workforce members is permitted (e.g., phones and/or unified communication systems, workstations and peripherals like keyboards, monitors, mice, printers, copiers, and fax machines) if the use:

1.    Does not introduce additional financial costs to City of Olympia;

2.    Does not interfere with your assigned job duties;

3.    Does not preempt or interfere with City of Olympia service delivery; and,

4.    Does not otherwise violate City of Olympia, departmental, or agency policies.

Information created, processed, sent, received, or stored during personal use of City of Olympia technology assets will not be handled differently by City of Olympia. Such information may be subject to City of Olympia policies, and federal, state and local laws including Chapter 42.56 RCW (Public Records Act). Personal files should not be permanently stored on City of Olympia technology assets. City of Olympia is not responsible for backing up or recovering personal data.

D.    Acceptable Use of the Internet

You are representing City of Olympia when using City of Olympia’s technology to access the internet, and some types of activities on the internet can pose a security risk to City of Olympia’s technology assets. You are responsible for ensuring that your use of the internet is appropriate, ethical, lawful, and within the scope of your employment at City of Olympia.

1.    City of Olympia reserves the right to block access to internet web sites and addresses, including malicious internet web sites or internet addresses unrelated to City of Olympia’s business.

a.    Blocked websites may include possibly malicious or hacked websites, websites that contain inappropriate or offensive content, or websites provided from geographic locations known to be hostile to the United States. These websites could lead to disclosure of non-public information.

b.    You may submit a ticket to the service desk to unblock websites for legitimate business usage.

2.    City of Olympia may restrict internet use to reserve bandwidth and resources for critical City of Olympia services during an emergency or severe internet service impact regardless of the legitimacy of the content.

3.    City of Olympia may monitor and log the use of the internet by technology assets connected to City of Olympia operated networks to comply with various laws, legal proceedings, or internal policy, to troubleshoot and support technology, or to monitor and investigate unauthorized activity. This includes, but is not limited to:

a.    Use of monitoring tools installed locally on a workstation;

b.    Analysis of various logs generated by the user or system activity (such as proxy servers, network devices, authentication and directory servers, intrusion prevention/detection devices, firewalls, web/file servers, and other systems as necessary); and,

c.    Traffic analysis on inbound or outbound network traffic, including the interception, decryption, and inspection of encrypted traffic.

4.    While using City of Olympia technology assets you must not:

a.    Use the internet for any unlawful activity or for personal gain

b.    Reproduce, distribute, or display copyrighted materials without prior permission of the copyright owner. This includes text, images, photographs, music files, sound effects, and other legally protected works.

c.    Represent personal opinions as those of City of Olympia, such as in social media, blogs, or forums

d.    Perform any activities that may harm the reputation of City of Olympia operations or staff with controversial issues (e.g., sexually explicit materials). This does not refer to appropriate and legal activities (e.g., activities by collective bargaining units, or use of City of Olympia public or personnel feedback or complaint processes) regarding the delivery of City of Olympia services.

e.    Perform any activities that violate City of Olympia’s Standard of Conduct as defined in Policy 20 of City Policies

f.    Use your City of Olympia password or email address as the account information for any personal accounts used to access internet services, websites, or social media. You must use separate credentials and your personal email address for those activities. You may use your City of Olympia email address as a username when creating an account related to your employment responsibilities at City of Olympia.

E.    Acceptable Use of Electronic Messages

Malicious individuals often use email when trying to acquire City of Olympia customer data, non-public information, and data, or to compromise City of Olympia’s technology assets.

You are required to use City of Olympia messaging applications (e.g., email, instant message, text messaging, etc.) in the following professional manner:

1.    Not all workforce members are authorized to access the same data. Accounts are issued solely for the use of the individual to whom the account has been assigned. Sharing individual account information may lead to unintentional disclosure of data and is prohibited.

a.    Shared mailboxes where an authorized workgroup can monitor emails sent to and from the shared mailbox is allowed

b.    Administrative delegation of access to an individual email account is acceptable (e.g., an executive or administrative assistant or a peer), if this is accomplished through the email system’s delegation functionality and not by sharing credentials.

2.    If you have doubts or serious concerns about the origin or authenticity of an electronic message, or if you receive a highly abnormal or suspicious message, you should report the message by submitting a ticket to the service desk or by use of the messaging systems integrated reporting mechanism (e.g., a phishing button in email clients). Your department may have additional reporting requirements so check with your supervisor.

3.    Use caution when opening emails and attachments, particularly those received from an external sender.

a.    Don’t open any attached files or click on hyperlinks to download files containing macros, scripts, or executables from an unknown or suspicious source.

b.    Malicious messages often appear to come from a valid source and could attempt to make you disclose personal or sensitive information. Use caution when opening attached files or clicking on hyperlinks, or when unusual requests or information is included in the email even if from a familiar sender.

c.    Training will be provided on detecting malicious emails to all City of Olympia workforce members. Additional training may be required if there is repeated susceptibility to malicious emails by individuals.

4.    Do not forward City of Olympia email containing confidential, sensitive, or regulated data to personal email accounts.

5.    Automatic forwarding of email using rules to any external domain (non Olympiawa.gov or other City of Olympia owned and operated domains) requires approval by Information Services and can be requested by opening a ticket with the service desk.

6.    Do not send fictitious or forged messages that could be mistaken for official City of Olympia statements, marketing, or materials.

7.    Do not send junk mail or chain letters.

8.    Do not use profanity, inappropriate language, pornography or sexually explicit material, slanderous, discriminatory language, harassment, or misleading contents.

9.    Do not use City of Olympia messaging applications to send unprofessional, threatening, libelous, or derogatory messages.

F.    Acceptable Use of Voice Communications Systems

City of Olympia’s phone and communication systems are provided to facilitate business activities. Similar to internet browsing and other computing activities, phone call information and metadata (e.g., Caller ID, Date and Time of Call, Call Duration) may be monitored and logged.

1.    If the call will be recorded, you must notify all call participants that the call will be monitored or recorded, including the purpose of recording at the outset of the recording and include the notification in the recording. This does not apply to lawful monitoring or recording that does not require consent in accordance with federal, state, or local law (e.g., RCW 9.73.030). Voicemail or other automated telephony system recordings comply with this section if the recorded greeting clearly indicates that the caller has reached a voicemail system or is about to be recorded.

2.    Call recordings containing sensitive or regulated data presents serious security and compliance risk and should be avoided. Departments or agencies that will purposefully and continuously record sensitive or regulated data such as payment card data or protected health information must notify the IT Infrastructure Manager unless explicitly authorized in federal, state, or local law (e.g., calls to 911).

G.    Acceptable Use of Wireless Networks

Not all wireless networks are configured with strong security protections. In addition, unauthorized and malicious wireless devices may pose a risk to City of Olympia technology assets. While performing your role at City of Olympia:

1.    Direct connections (i.e., directly connected to internal wireless access points or physical network infrastructure like a data jack in a wall plate or a network switch port) to City of Olympia’s protected internal private wired and wireless network is provided only to City of Olympia workforce members using City of Olympia owned and operated technology assets. Third parties, vendors, contractors, and other non-City of Olympia personnel access to City of Olympia’s protected internal private wireless or wired network is prohibited without prior approval by Information Services who may employ security measures to prevent unauthorized network connectivity. If an exception is required for a legitimate business need, please open a ticket with the service desk.

2.    Third-party internet access (such as access provided at airports, hotels, and coffee shops) carry potential security risks to City of Olympia technology assets. Special care should be taken to ensure you are connecting to the correct network and not bypassing any security alerts and warnings.

3.    City of Olympia’s wireless network infrastructure may only be altered and managed by authorized Information Services personnel.

4.    You must not install, connect, or modify any wireless infrastructure such as Wireless Access Point (WAPs) to City of Olympia’s network without explicit written authorization from Information Services.

H.    Acceptable Use While Utilizing Remote Access Technology

Remote access to City of Olympia’s applications is available for workforce members to work outside of the office or for telecommuting. While using remote access:

1.    Ensure you do not type any remote access passwords while someone is watching.

2.    Only store passwords in a password manager or browser configuration approved by Information Services.

3.    Do not leave technology assets unattended and remotely logged on to City of Olympia’s network. When not in use, store your equipment and media used to remotely access City of Olympia systems in a secured location.

4.    Do not share passwords, smart cards, tokens, keys, fobs or any other access or authentication devices with any other person.

5.    Vendors must be limited to the minimum amount of privilege and access required to perform the necessary duties while using remote access methods approved by Information Services.

a.    Remote support sessions must first be authorized by City of Olympia technology support personnel before the session is established and terminated as soon as the vendor has finished their work.

b.    No vendor may be given remote access that is not strictly controlled and monitored.

c.    Vendors shall not be given permanent remote access to City of Olympia’s network unless that access is strictly limited to the systems supported by the vendor and controls are in place to monitor their activities to ensure they are not able to gain additional access to other City of Olympia technology assets from the systems they are able to remotely access.

6.    Remote access to technology assets that contain sensitive or regulated data requires multi-factor authentication and use of a secure connection between the host and the remote device.

a.    You must not use remote access products like TeamViewer, GoToMyPC, or similar products unless approved by Information Services.

b.    Do not use unsecured public or private wireless networks. Do not bypass warnings that indicate the wireless network is not secure.

I.    Acceptable Use of Social Media

1.    You must exercise judgment and use caution when interacting online. It is important to remember that in an online environment, the lines between public and private, and personal and professional, are not always clear. When you identify yourself as a City of Olympia workforce member, employee or affiliate on social media, a perception is created about you as a representative of City of Olympia, your expertise, City of Olympia customers, and City of Olympia itself.

2.    Creation and use of a social media account on behalf of City of Olympia must be done in compliance with City of Olympia social media policies.

J.    No Expectation of Privacy

1.    City of Olympia must monitor all systems and users of technology assets in order to maintain a secure environment and meet compliance requirements. You should have no expectation of privacy or confidentiality while using City of Olympia technology assets, including internet access and emails. Usage may be monitored for policy, security, or network management reasons and is subject to inspection at any time. Inspection and monitoring of City of Olympia technology assets by management does not require the consent of individual workforce members.

2.    All electronic messages or data created, stored, transmitted, or received over City of Olympia systems or through City of Olympia internet connections are subject to inspection or monitoring. City of Olympia reserves the right to store and/or access the contents of any messages or data sent over its networks and use that information to enforce its policies or comply with federal, state, or local law. If the content violates regulations or laws, City of Olympia reserves the right to submit the information to law enforcement for potential prosecution.

K.    Reporting Known or Suspected Vulnerabilities or Security Incidents

You must report known or suspected security weaknesses, instances of inappropriate access, and suspicious activities to Information Services by opening a ticket with the service desk. Your department may also have reporting requirements so please check with your supervisor.

1.    You will be responsible for the confidentiality, integrity, and availability of your files. If concerning circumstances occur with your files such as inappropriate access, loss of the files, or changes are made to files without your consent please speak with your supervisor and report this issue by opening a ticket with the service desk.

2.    You must report suspicious activities happening to or on your workstation such as someone remote controlling the workstation without your consent or new and unfamiliar software performing unusual activities by opening a ticket with the service desk.

V. Implementation Plan

This policy becomes effective for City wide use on the date that it is signed by the City Manager. All new technology implementations and new material changes to existing technology implementations must ensure compliance with this policy as of the effective date. All other technology implementations must be brought into compliance within four years after the effective date.

VI. Maintenance

A.    This policy will be maintained by Information Services. This includes, but may not be limited to:

1.    Interpretation of this policy

2.    Ensuring this policy content is kept current

3.    Recommending updates to this policy and related resources

4.    Developing an escalation and mitigation process if an Organization is not in compliance

5.    Assisting Organizations to understand how to comply with this policy

6.    Monitoring annual compliance by Organizations

B.    This policy will automatically expire five (5) years after its effective date. A new, revised, or renewed policy will be initiated by Information Services prior to the expiration date.

VII. Consequences for Noncompliance

Violations of this policy may be grounds for disciplinary action, up to and including termination and enforcement action which may include civil or criminal charges.

VIII. Appendix A: References

•    45 CFR Part 164 (HIPAA)

•    Chapter 42.56 RCW

•    RCW 9.73.030

IX. Appendix B: Relevant Compliance Requirements

This section provides references to key regulations and standards that apply to City of Olympia. This section does not replace the authoritative source and is just a reference to assist with further research. Please use the Compliance Standard and Section No. to further research the entirety of the regulation, framework or standard from the authoritative source.

Compliance Standard

Section No.

Description

HIPAA

45 CFR 164 Subpart C

Security Standards for the Protection of Electronic Protected Health Information

45 CFR 164.316

Policies and procedures and documentation requirements.

CJIS Security Policy v5.9

5.2.1

Basic Security Awareness Training

PCI DSS v3.2

12.3.5

Acceptable Uses of the Technology

NIST CSF

PR.AT

Awareness and Training

PR.IP

Information Protection Processes and Procedures

NIST 800-53r5

AC-8

System Use Notification

AT-1

Policies and Procedures

PL-4

Rules of Behavior

PS-6

Access Agreements

CIS Controls v7.1

17

Implement a Security Awareness Training Program

Wa. St. DOL Data Licensing Agreement

RCW 46.12.630

RCW 43.17.425

Data sharing agreement with Washington State Department of Licensing for Parking Management. DOL Vehicle Data Permissible and Secure Use Policy and Procedure

History: New August 2023.