CITY ADMINISTRATION COMMITTEE
Wednesday February 24, 2009
7:00 PM
COMMON COUNCIL CHAMBERS
AGENDA
1. Chairperson Greeting & Opening Statement
2. Announcements
3. Agenda Review and Amendments
4. Approval of Minutes
5. Statements from the Public
6. Employee Comments
7. Common Council Response
8. Workforce Diversity Committee
9. Safety Committee
10. Communication Committee
11. Regular Reports from Departments Reporting to CA
12. Information Technologies
12.1 Adoption of Acceptable Usage Policy for Computer, Network and Phone Resources - Resolution
12.2 Adoption of Computer Password Policy - Resolution
12.3 Adoption of Policy for Auditing Computer and Communication Systems - Resolution
13. Common Council
13.1 Change of Starting Time of Monthly Council Meetings from 7:00 PM TO 5:30 PM - Resolution
13.2 CSEA Classification and Compensation Study - Discussion & Possible Executive Session
14. Department of Public Works
14.1 Request to Standardize on Master Meter Radio Read Water Meters - Resolution
15. Human Resources
15.1 Director’s Report
16. Finance/Controller’s Office
16.1 Controller’s Report
17. Reports
17.1 Mayor’s Report
17.2 Sub-Committee Updates
17.3 Council Members’ Announcements
17.4 Next Month’s Meeting: March 31, 2009
J:\DRedsicker\AGENDAS\City Admin Comm\2010\2-24 CA Agenda.doc 2/24/10
12. Information Technologies
.1 Adoption of Acceptable Usage Policy for Computer, Network and Phone Resources
WHEREAS, the Department of Information Technology has conferred with other City
departments to develop a policy regarding the appropriate use of computer, network and phone
resources; now, therefore, be it
RESOLVED, That Common Council hereby adopts the “Policy Regarding Appropriate Use of
Computer, Network and Phone Resources” dated February 5, 2010.
Policy Regarding Appropriate Use of Computer, Network and Phone Resources
City of Ithaca
Draft
2/19/10
1.0 Overview
The City of Ithaca is committed to protecting the City's employees, partners and the municipality
from illegal or damaging actions committed knowingly or unknowingly by individuals while
using the City’s computer, network, and phone resources. Such resources include but are not
limited to computer equipment, phone equipment, cell phones, software, operating systems,
storage media, electronic mail, World Wide Web browsers, and file transfer tools. These
resources and/or related licenses are the property of the City and are to be used only for business
purposes in serving the interests of the City, its partners and its customers. It is the responsibility
of every user of a City computer, network, or phone resource to know this policy, and to conduct
their activities accordingly.
Note that the usage of the term “network” throughout this document refers to all wired and
wireless data and communication networks owned or leased by the City.
2.0 Purpose
The purpose of this policy is to set forth the acceptable use of computer, network, and phone
resources in the City of Ithaca. The goal is to protect the user and the City. Inappropriate use of
these resources exposes the City to risks including malware attacks; unauthorized access to City
computer, network, and phone resources; and legal consequences.
3.0 Scope
This policy applies to all employees, contractors, consultants and other workers in the City,
including all personnel affiliated with third parties, who access any computer, network, or phone
resource that is owned or leased by the City.
4.0 Policy
4.1 General Use and Ownership
1. Users of the City’s computer, phone and network resources must be aware that the data
they create and/or store on the City's systems remains the property of the City of Ithaca.
Because of the need to protect the City's assets and interests, management cannot
guarantee the privacy of information stored on any computer, network, or phone resource
belonging to the City with the exception of legally confidential information.
2. For security and network maintenance purposes, authorized individuals within the City
may monitor equipment, systems and network traffic at any time.
3. The City reserves the right to audit computer, network and phone resources on a periodic
basis to ensure compliance with this policy.
4.2 Security and Confidential Information
1. Users shall take all necessary and prudent steps to prevent unauthorized access to the
City’s computer, network and phone resources, and to the City’s data.
2. Authorized users are responsible for the security of their passwords and accounts. Do not
share accounts and/or passwords.
3. Login access to all computer, network and phone resources must be secured using a
security measure approved by the Department of Information Technology. Users must
log off any resource that will go unattended for 15 or more minutes, and the automatic
logoff feature must be set to activate if the resource goes unused for 15 minutes.
4. Postings by any employee or agent of the City from a City email address to non-City
newsgroups, message boards, Web forums, etc., must contain a disclaimer stating that the
opinions expressed are strictly their own and not necessarily those of the City, unless
such posting is performed consistent with the duties of their position.
5. All equipment connected to any City-owned computer, network or phone resource,
whether owned by the user or the City, shall continually execute approved anti-virus
software with a current set of virus definitions.
6. Users must use extreme caution when opening e-mail attachments received from
unknown senders. Such attachments may contain viruses, worms, e-mail bombs, Trojan
horse code, or other forms of malware.
7. Users must never access pop-ups that appear via a web browser. If possible, they must
activate the pop-up blocker provided with their web browser. Pop-ups often provide a
means for malware to transfer onto a computer.
4.3 Unacceptable Use
The following activities are prohibited, except that users may be exempted from certain of these
restrictions if their legitimate job responsibilities require them to perform certain actions otherwise
defined as unacceptable (e.g., systems administration staff may have a need to disable the
network access of a device if that device is disrupting production services). However, under no
circumstances is an employee or agent of the City authorized or permitted to engage in any
activity that is illegal under local, state or federal law, while utilizing City-owned resources.
System and Network Activities
The following activities are prohibited:
1. Violations of copyright, trade secret, patent or other intellectual property rights, or similar
laws or regulations, including, but not limited to, the installation or distribution of
"pirated" or other software products that are not appropriately licensed for use by the
City.
2. Revealing one’s account password to others or allowing use of one’s account by others.
This includes family and other household members when work is being done at home.
3. Allowing use of City-owned equipment and resources by unauthorized persons including
family and other household members.
4. Using a City computer, network or phone resource to deliberately engage in procuring or
transmitting material that is in violation of or inconsistent with the following City rules or
policies (except when doing so is solely for the purpose of fulfilling the user’s normal job
duties, such as investigation of a crime or violation of policy):
a. Sexual Harassment Policy,
b. Workplace Violence Prevention Policy,
c. Employee Standards of Conduct,
d. Code of Ethics,
e. Electronic Mail Policy,
f. Other City policies.
5. Intentionally causing security breaches or disruptions of City network resources.
Security breaches include, but are not limited to, accessing data of which the user is not
an intended recipient, or logging into a server or account that the user is not expressly
authorized to access, unless these actions are within the scope of regular duties. For
purposes of this section, "disruption" includes, but is not limited to, network sniffing,
pinged floods, packet spoofing, denial of service, and forged routing information for
malicious purposes.
6. Port scanning or security scanning is expressly prohibited unless this activity is a part of
the user's normal job duties.
7. Executing any form of network monitoring which will intercept data not intended for the
user, unless this activity is a part of the user's normal duties.
8. Circumventing user authentication practices or other security measures related to any
equipment, network or account, unless this activity is a part of the user's normal job
duties.
9. Intentionally interfering with or denying service to any user or device (for example,
denial of service attack).
10. Using any program, script or command, or sending messages of any kind, with the intent
to interfere with a user's terminal session or network connection, either locally or via the
Internet.
11. Connecting an unauthorized device, such as a router, switch, hub, phone, storage device,
media device, or computer, that does not belong to the City to the City’s data or phone
networks except as allowed either via advertised guest accounts or by approval of the
Director of Information Technology.
12. Providing information about, or lists of, City users’ computer or electronic accounts to
parties outside the City, except as a part of one’s normal job duties.
13. Accessing Internet Radio, Internet Television and/or other audio or video streaming of a
commercial or entertainment nature, except for the purposes of approved work-related
activity.
14. Use of Internet file sharing including but not limited to Kazaa, Napster, BitTorrent, etc.
15. Use of a computer or other digital devices while driving except as allowed by state or
federal law.
Email and Phone Activities
The following activities are prohibited:
1. Any form of harassment via email, telephone or other communication device, whether
through offensive language or images, or unreasonable frequency, size, and/or type of
messages.
2. Unauthorized use, or forging, of email header information.
3. Creating or forwarding "chain letters" or "Ponzi" or other "pyramid" schemes of any type.
4. Use of text messaging except as required for business purposes.
5. Use of Instant Messaging (IM), including but not limited to such services as those provided by
AOL, Yahoo, etc.
6. Use of a cell phone or other portable communication devices while driving except as
allowed by state or federal law.
5.0 Enforcement
Any user of the City’s computer, phone or network resources found to have violated this policy
may be subject to disciplinary action, up to and including termination of employment.
The Director of Information Technology is responsible for the proper implementation of this
policy and for monitoring the use of City computer, wired and wireless network, and phone
resources.
6.0 Definitions
Term Definition
Denial of Service: Preventing legitimate users of a service from using that service.
Forged Routing Information: Routing information which is misleading or incorrect or which would tend to disguise the origin of the routed material. Usually refers to information that is not generated by any routing device (such as a mail server), but is inserted by a party using software which is designed to produce false routing information (headers in the case of E-mail). Can provide unauthorized access to a computer resource or generate denial-of-service attacks.
Malware: Any computer code created and distributed for malicious purposes.
Network Sniffing: A process of observing all of the traffic flowing into and out of a computer attached to a network. Similar to eavesdropping on a phone line.
Packet Spoofing: One of the most common forms of on-line camouflage that allows an attacker to gain unauthorized access to a computer or a network.
Pinged Flood: A simple type of denial-of-service attack.
Pop-up: A form of web advertising or dialog box that appears in a new window.
Port Scanning: Probing a computing resource that is connected to the network to discover information about its access points. Hackers use this method to test for possible weaknesses.
Security Scanning: A means of testing a network for security vulnerabilities.
Spam: Unauthorized and/or unsolicited electronic mass mailings.
7.0 Revision History
12. Information Technologies
.2 Adoption of Computer Password Policy
WHEREAS, the Department of Information Technology has conferred with other City
departments to develop a policy regarding computer passwords; now, therefore, be it
RESOLVED, That Common Council hereby adopts the “Computer Password Policy” dated
February 12, 2010.
Computer Password Policy
City of Ithaca
2/19/10
Draft
1.0 Overview
Passwords are an important aspect of computer security. They are the front line of protection for
user accounts. A poorly chosen password may result in the compromise of the City of Ithaca's
entire network. As such, all City of Ithaca employees, including contractors and vendors with
access to City of Ithaca systems, are responsible for taking the appropriate steps, as outlined
below, to select and secure their passwords.
Note that the usage of the term “network” throughout this document refers to all wired and wireless data and
communication networks owned or leased by the City.
2.0 Purpose
The purpose of this policy is to establish a standard for the creation of strong passwords, the
protection of those passwords, and the frequency of change.
3.0 Scope
This policy pertains to all personnel who are responsible for a computer account or any form of
access to City resources that requires a password and that (1) is located at any City facility; (2)
provides access to the City’s network; or, (3) stores any confidential City information.
4.0 Policy
4.1 General
• All administrative passwords (e.g., root, network administration, application
administration, etc.) must be changed every month.
• All user passwords (e.g., email, web, desktop computer, etc.) must be changed every two
months. The recommended change interval is every month.
• Users who have administrator accounts and/or administrative privileges granted through
group memberships or program assignments must have a password for these accounts
that differs from passwords for all other accounts held by that user.
• Passwords must not be inserted into email messages or other forms of electronic
communication.
• Passwords must not be shared with any other person except staff of the Information
Technology Department as needed for troubleshooting purposes. Any other sharing of
passwords must be approved by the Director of Information Technology.
• All user-level and system-level passwords must conform to the guidelines described
below.
4.2 Guidelines
A. Characteristics of Strong Passwords
Passwords are used for various purposes. They are used to protect user accounts, web accounts,
email accounts, and, in combination with a screen saver, access to computers. Because attempts
to infiltrate systems by unauthorized personnel continue to increase, particularly by means of the
Internet, everyone must select strong passwords.
Strong passwords have the following characteristics:
• Contain both upper and lower case characters (e.g., a-z, A-Z).
• Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
• Are at least eight alphanumeric characters long.
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
Poor, weak passwords have the following characteristics:
• The password contains less than eight characters.
• The password is a word found in a dictionary (English or other language).
• The password is a common usage word such as:
o Names of family, pets, friends, co-workers, fantasy characters, etc.
o Computer terms and names, commands, sites, companies, hardware, software.
o The words "City of Ithaca”, "Ithaca", "COI" or any derivation.
o Birthdays and other personal information such as addresses and phone numbers.
o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
o Any of the above spelled backwards.
o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Try to create passwords that can be easily remembered. One way to do this is to create a password
based on a song title, affirmation, or other phrase, using mixed characters to represent it. For
example, Happy Birthday could be: H@ppy B1rthD@y; or, by using the first character of each
word, a phrase such as "This May Be One Way To Remember" could result in a password like
"TmB1w2R!".
NOTE: Do not use either of these examples as passwords!
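A checker for the strong and weak password characteristics listed in this section, written as an added example (it is not part of the City's policy or its IT department's tooling). The dictionary and City-word lists are small constructed samples, and the keyboard rows and the three-character run length used for the "word or number pattern" rule are assumptions made for the example:

```python
"""Password-policy checker for the characteristics in section 4.2A.

Example code added for illustration; not part of the City's policy documents.
The word lists are tiny constructed samples; a deployment would load a full
dictionary and the City-specific word list from a file.
"""
import string

# Constructed sample word list standing in for a full dictionary (any language).
DICTIONARY_WORDS = {"secret", "password", "welcome", "happy", "birthday", "summer"}
# Words the policy names explicitly: "City of Ithaca", "Ithaca", "COI" or any derivation.
ORGANIZATION_WORDS = {"cityofithaca", "ithaca", "coi"}
# Assumed keyboard rows for the qwerty-style pattern check.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 8


def _has_sequence(pw: str, run: int = 3) -> bool:
    """True if pw contains a keyboard-row run (qwerty), a stepwise run (abc, 321,
    as in 123321) or a repeated character (aaabbb) of `run` or more characters,
    in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS):
        for i in range(len(row) - run + 1):
            if row[i:i + run] in low:
                return True
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}):  # abc / cba / aaa
            return True
    return False


def _looks_like_a_word(pw: str) -> bool:
    """Dictionary and City-word check, applied to the password, its reverse, and
    the password with one leading or trailing digit stripped (secret1, 1secret)."""
    base = pw.lower()
    candidates = {base}
    if base[:1].isdigit():
        candidates.add(base[1:])
    if base[-1:].isdigit():
        candidates.add(base[:-1])
    for cand in set(candidates):  # "any of the above spelled backwards"
        candidates.add(cand[::-1])
    compact = base.replace(" ", "")
    # "or any derivation": a City word anywhere in the password counts.
    if any(org in compact or org in compact[::-1] for org in ORGANIZATION_WORDS):
        return True
    return any(c in DICTIONARY_WORDS for c in candidates)


def check_password(pw: str) -> list[str]:
    """Return the policy rules the password violates (an empty list means it
    satisfies every rule this example can check mechanically)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("fewer than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("missing upper- or lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation character")
    if _looks_like_a_word(pw):
        problems.append("dictionary, City-related, or digit-padded word")
    if _has_sequence(pw):
        problems.append("keyboard or repeated-character pattern")
    return problems


if __name__ == "__main__":
    # The two examples from the policy text pass; "secret1" from the weak list fails.
    for candidate in ("TmB1w2R!", "H@ppy B1rthD@y", "secret1", "Ithaca2010!"):
        print(repr(candidate), "->", check_password(candidate) or "acceptable")
```

The checker cannot judge the rules that depend on personal knowledge (family names, birthdays, addresses), so an empty result means "no mechanical rule was broken", not that the password is strong.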
B. Password Protection Standards
• Do not use the same password for City of Ithaca accounts and for your non-City of Ithaca
accounts (e.g., personal ISP account, online retail account, benefits, etc.). Except when
necessary, do not use the same password on various City of Ithaca systems. For example,
select one password for your computer login, a different password for e-mail access, and
another one for Munis login.
• Do not share City of Ithaca passwords with anyone, including administrative assistants or
department heads. All passwords are to be treated as sensitive, confidential City of Ithaca
information.
• Do not reveal a password over the phone to ANYONE.
• Do not store passwords in an electronic document or in any other non-secure manner.
• Do not post your password on your computer, keyboard, monitor, or any other computer
or printer resource.
• Do not reveal a password in an email message.
• Do not reveal a password to the boss.
• Do not talk about a password in front of others.
• Do not hint at the format of a password (e.g., "my family name").
• Do not reveal a password on questionnaires or security forms.
• Do not share a password with family members.
• Do not reveal a password to co-workers while on vacation.
• Do not use the "Remember Password" feature of applications.
• Do not store passwords in a file on ANY computer system (including a Blackberry or
similar devices) without encryption.
If someone demands a password, refer them to this document or have them call the Information
Technology Department.
If there is any suspicion that an account or password has been compromised, report the incident
to the Information Technology Department and change all passwords.
Password checks may be performed on a periodic or random basis by the Information
Technology Department. If a password is figured out during one of these scans, the user will be
required to change it.
C. Application Development Standards
Application developers must ensure their programs contain the following security precautions.
Applications:
• Must support authentication of individual users, not groups.
• Must not store passwords in clear text or in any easily reversible form.
• Must provide for some sort of role management, such that one user can take over the
functions of another without having to know the other's password.
• Must support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever
possible.
D. Use of Passwords and Passphrases for Remote Access
Access to the City of Ithaca networks via remote access is controlled using either a one-time
password authentication or a public/private key system with a strong passphrase.
E. Passphrases
Passphrases are generally used for public/private key authentication. A public/private key system
defines a mathematical relationship between the public key that is known by all, and the private
key that is known only to the user. Without the passphrase to "unlock" the private key, the user
cannot gain access to a system.
Passphrases are not the same as passwords. A passphrase is a longer version of a password and
is, therefore, more secure. A passphrase is typically composed of multiple words. Because of
this, a passphrase is more secure against "dictionary attacks."
A good passphrase is relatively long and contains a combination of upper and lowercase letters
plus numeric and punctuation characters. Some examples of a good passphrase:
“The*?#>*@TrafficOn13Was*&#!#ThisMorning” (read between the symbols), or
“H3lpTh0s3Wh0H3lpTh3ms3lv3s!” (replace the 3’s with e’s and the 0’s with o’s to discover the
original word).
All of the rules mentioned above that apply to passwords also apply to passphrases.
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
The Director of Information Technology is responsible for the proper implementation of this
policy and for monitoring the use of passwords and passphrases on City computer and network
resources.
6.0 Definitions
Terms Definitions
Application Administration Account: Any account used for the administration of an application (e.g., SQL database administrator, Munis administrator).
7.0 Revision History
12. Information Technologies
.3 Adoption of Policy for Auditing Computer and Communication Systems
WHEREAS, the Department of Information Technology has conferred with other City
departments to develop a policy regarding auditing of computer and communication systems;
now, therefore, be it
RESOLVED, That Common Council hereby adopts the “Policy for Auditing Computer and
Communication Systems” dated February 12, 2010.
Policy for Auditing Computer and Communication Systems
City of Ithaca
Draft
2/19/10
1.0 Purpose
This policy governs the audit of any computer and/or communications system owned by the City
of Ithaca, or that has been connected to the City’s wired or wireless network.
Audits may be conducted to:
1. Ensure integrity, confidentiality and availability of information and resources.
2. Investigate possible security incidents to ensure conformance to City of Ithaca policies.
3. Monitor user or system activity where appropriate.
2.0 Scope
This policy covers all computer and communication devices owned or operated by the City of
Ithaca. This policy also applies to any computer or communications device not owned by the
City which has been connected to the City’s wired or wireless network.
3.0 Policy
When so requested by the Information Technology Director, another Department Head or the
Mayor, any City employee shall provide his/her consent and cooperation so as to allow the
Department of Information Technology, and/or its designee, to access that employee’s City-
assigned computer or communications device (or any other computer or communications device
which that employee has connected or allowed to be connected to the City’s wired or wireless
network), so the audits authorized in this policy can be performed. The employee shall provide
passwords, protocols, addressing information, and network connections sufficient for the
Department of Information Technology to perform its audit.
This access may include:
1. User level and/or system level access to any computing or communications device.
2. Access to information (electronic, hardcopy, etc.) that may be produced, transmitted, or
stored on City of Ithaca equipment or premises.
3. Access to interactively monitor and log traffic on City of Ithaca computing or
communications systems.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
The Director of Information Technology is responsible for the proper implementation of this
policy and for the auditing of any computer or communications device owned and/or operated by
the City, and of any other computer or communications device that has been connected to the
City’s wired or wireless network.
5.0 Revision History
13. Common Council
.1 Change of Starting Time of Monthly Council Meetings from 7:00 PM TO 5:30 PM
WHEREAS, the City of Ithaca Common Council presently meets on the first Wednesday of each
month at 7:00 PM, and
WHEREAS, Common Council meetings have often continued into late evening hours, thus
reducing the possibility for public participation as well as the public's ability to follow these
proceedings broadcast on Public Access Television, and
WHEREAS, it is desirable that Common Council meetings be conducted during a time period
that would be more convenient for the public to attend these meetings; now, therefore, be it
RESOLVED, The Common Council of the City of Ithaca supports moving the Common
Council meeting time from 7:00 PM to 5:30 PM on the usual meeting day, the first Wednesday
of each month.
14. Department of Public Works
.1 Water & Sewer Division - Request to Standardize on Master Meter Radio Read Water Meters
WHEREAS, this Common Council has been requested by the DPW Water and Sewer Division
to standardize on Master Meter water meter equipment to be used by the Water and Sewer
Division and to authorize the City to purchase approved equipment from the manufacturer, or a
representative thereof, and
WHEREAS, radio based automatic meter reading systems are proprietary by manufacturer, the
radio read system components are not interchangeable between manufacturers, and there were a
number of different commercially available systems with different features and capabilities. Our
staff, along with Johnson Controls staff, worked together from January of 2007 to January of
2008 to investigate, research, identify, evaluate, specify, check, and select the best available
system to meet the City's needs and goals, and
WHEREAS, it is deemed to be in the best interest of the City for reasons of efficiency,
compatibility and economics to approve such standardization as more fully spelled out in the
following items:
1. Master Meter is the current meter equipment used in the City;
2. Master Meter's radio frequency and data format are compatible with the Govern
billing system;
3. Master Meter water meter equipment is less expensive than other equivalent
water meters;
4. This action will minimize the inventory of repair parts which would have to be
maintained for the service of said meter equipment;
5. Labor costs for maintenance and service of a standard type of equipment will be
less than are required to service different types of meter equipment;
6. Standardization limits the need for service training to one form of equipment;
now, therefore be it
RESOLVED, That pursuant to Section 103, subdivision 5 of General Municipal Law of the
State of New York, this Common Council hereby authorizes the standardization of Master Meter
radio read water meters and associated equipment to be purchased and used by the City of Ithaca
Department of Public Works Water & Sewer Division.