HomeMy WebLinkAboutMOBILE ELECTRONIC DEVICE 5-2012City of Santa Ana
Administrative
Policies and Procedures
Policy and Procedures on
Mobile Electronic Devices
PURPOSE
City Manager's Authorization
Section:
Date Approved: Number:
May 22, 2012 900.20
The purpose of the Mobile Electronic Device Policy is to establish guidelines for the
assignment and use of the devices, as well as define the methods of protection that the
City of Santa Ana (COSA) requires to administer the devices within the COSA
computing environment.
ORGANIZATIONAL UNITS AFFECTED
This policy applies to all COSA employees, elected officials, volunteers, contractors/
vendors.
DEFINITIONS
A. Computing Environment: a collection of computers, telecommunications and
network equipment, applications, and wiring that support the processing and
communication of electronic information.
B. Contractor /Vendors: any person or body that is recognized as independent of
COSA, engaged to perform services for the organization.
C. Credentials: the means and manner by which access is granted to a specific
resource. This can include user IDs, passwords, badges, tokens, and keys.
D. Information Technology Personnel (ITP): the COSA staff and /or contractors
employed to ensure the health and well -being of the COSA technical
environment.
E. Information Owner: the individual or entity that is responsible for the use and
disclosure of an information asset.
11P
F. Confidential Information: information that may be associated with an individual,
e.g. HIPPA, and /or privileged attorney /client information.
G. Sensitive Information: any information that could potentially be used maliciously to
compromise the security of COSA resources or customers, i.e. administrative
passwords connected to COSA server(s).
H. Malware: includes computer viruses, worms, Trojan horses, spyware, dishonest
adware, crime ware, and other malicious and unwanted software.
Mobile Electronic Device: any portable electronic device that can view, share,
access, and /or process digital information. Examples of a portable electronic
device may include:
• Laptops
• Blackberries
• Smartphones
• Tablets (iPad)
J. Personal Mobile Electronic Device: any mobile electronic device not owned by
COSA, but connected to City server or other COSA connectivity devices that are
subject to this Policy.
K. Third Parties: any entity that interacts with COSA, but is not directly affiliated,
including: clients, contractors, sub - contractors, government agencies, vendors,
community organizations, unions, etc.
L. Authorized user: refers to an employee, elected official, or contractor approved
for assignment of a device. Such a device, if public property, shall be used for
business purposes only.
PROCEDURES
A. COSA shall ensure that only authorized mobile electronic devices are allowed to
be used in the COSA computing environment:
1. Authorization must be received by Department Head prior to any device
be added to the COSA computing environment.
2. All authorized users shall protect all mobile electronic devices, as well as
the data they contain, with an appropriate level of security.
B. COSA shall ensure that all authorized mobile electronic devices are centrally
managed in order to ensure accurate inventory, minimize operational overhead,
2 1 P a g e
and reduce information security risks:
1. All authorized mobile electronic devices shall comply with existing COSA
and ITP technical policies and standards.
2. All authorized mobile electronic devices shall only be managed by
authorized ITP staff.
3. All authorized mobile electronic devices shall be configured in accordance
with the COSA's standard for anti - malware protection, as required and
available.
4. All authorized mobile electronic devices shall be configured, in accordance
with applicable COSA standards.
5. Users shall maintain data on a mobile electronic device in accordance with
COSA's Records Retention and Destruction Policy.
6. All devices purchased by COSA are public property and subject to
disclosure according to the California Public Records Act, the Brown Act,
or any other California laws pertaining to public employees /officials.
7. The COSA reserves the right to inspect any and all files stored on the
devices.
C. All mobile electronic devices shall be physically protected at all times.
1. Not be left unattended in any public locations (e.g. conference rooms).
2. Use built in physical locking features (e.g. laptop cable locks) or shared
securely (e.g. locked cabinets) when left unattended in non - public areas
3. Not be left in vehicles in plain sight.
4. Repairs and /or replacements of COSA devices due to negligence or
misuse must be paid for by the person who was issued device.
D. COSA shall ensure a process is in place to protect sensitive or confidential
information on all approved mobile electronic devices:
1. Storing or sending COSA sensitive or confidential information must be
carefully considered before transmitted through a mobile device.
3 1 P
2. All mobile electronic devices shall be wiped and defaulted prior to
decommissioning, selling, servicing, or transferring.
E. A lost, defective or stolen mobile electronic device must be reported immediately
by authorized user.
1. A loss of an authorized mobile electronic device must be reported to ITP
immediately, (or within a 24 -hour period).
F. Upon termination of employment and /or service to the COSA, the mobile
device(s) must be returned to the appropriate level manager before leaving
position.
G. Support for mobile electronic devices.
1. All COSA - provided equipment shall be supported by the COSA ITP during
business hours (varies by department).
2. Any approved personal mobile electronic device shall be supported by the
device owner's service provider or primary organization's support
department first (e.g. personal Verizon Blackberry shall be supported by
Verizon first). The COSA ITP may support these devices after it has been
deemed a COSA issue by the provider.
H. Approved personal mobile electronic devices shall be protected with the same
level of security as COSA provided equipment.
1. Any employee or third party requesting access to any COSA resource
using a personal mobile electronic device must attain approval by
respective Department Head of Agency.
2. Smartphones and Tablets are approved to connect to the COSA's email
services (e.g. Microsoft Exchange /Outlook).
3. Approved, personal mobile electronic devices may be synchronized with
the user's COSA contacts and calendar information. Calendar information
shall not have any attached documents.
4. Any approved personal mobile electronic device shall not use any
information security assessment tools or software that would expose the
COSA computing environment without approval by ITP.
4 1 P
5. Any approved personal mobile electronic device must comply with all the
standards in this policy and all COSA Security Policies.
6. Any approved personal mobile electronic device user must comply with
COSA's email and Internet Acceptable Use policies.
7. All approved personal mobile electronic devices are subject to all laws
affecting COSA (e.g. e- Discovery, Public Records Act, etc.).
8. COSA has the right to audit the configuration and content of any personal
mobile electronic device that has been approved on the COSA technical
infrastructure. The intent is to ensure that user's mobile electronic devices
do not have any unauthorized sensitive or confidential COSA information,
and that the configuration meets COSA's minimum security standards.
9. Mandatory requirement for the implementation of password protection:
a. for access to the mobile device
b. for access to the City network /email
10. Maximum 5 minute inactivity timeout before requiring the pass code to be
reentered.
11. Mandatory requirement for permission and implementation of "remote
wipe /erase" function for every mobile device before they are connected to
the City email system and computer network.
a. Include City -owned and Privately -owned mobile devices
b. Rules for activation of "remote wipe /erase" to be pre - established
c. "Remote wipe /erase" will be implemented by Information Services
Division - Operations upon triggering of any of the following pre-
established rules.
1. Mobile unit is replaced by different device or "retired" without
replacement.
2. Mobile unit is lost or stolen
3. Transfer of use of the mobile unit to another individual
5 1 P
4. Completion of a mobile device user's relationship with the City [e.g.
retirement, resignation, termination, etc.]
5. To repair a software issue
6. The device is infected by a virus or other malware
7. Needed to protect City data and /or computer network
12. Conditional use provisions for the City to allow a mobile device to connect
to the City network /email include the user's agreement to notify the City of
certain status changes of their mobile device
a. Status changes requiring immediate notification to the City mobile
device support staff include:
1. Mobile unit is lost or stolen
2. Transfer of use of the mobile unit to another individual
3. Completion of a mobile device user's relationship with the City [e.g.
retirement, resignation, termination, etc.]
b. Delays in notification will be cause for immediate disconnection from
the City network /email.
13. Users are responsible for ensuring their data and applications are safe
and backed up.
a. The City does not have the capability to remotely back -up mobile
devices
b. The City is not responsible for lost data or applications due to a remote
wipe /erase.
14. The City has the right to inspect the content [including but not limited to:
data, applications, files, emails, device system files /data, etc.] on mobile
device which was previously granted permission to connect to the City
computer network and /or City email.
15. By accepting the City's permission to connect to the City computer
network and /or City email, the mobile user acknowledges that they do not
have any personnel privacy rights in or to any content [including but not
limited to: data, applications, files, emails, device system files /data, etc.]
created, received, stored -in, passed- through, or sent from their mobile
device.
6 1 P
16. Due to inherent technical issues which inhibit the local management of
some remote devices, Information Technology Personnel cannot be
responsible for installing application software on mobile devices, either
City -owned or privately- owned.
17. SAPD DOJ: Accessing Criminal history via mobile devices is prohibited.
Unless the device uses FIPS 140 -2 encryption and two factor
authentication, accessing criminal history information, including secondary
derived information, is prohibited according to the CLETS PPP and the
SJIS Security policies.
J,. All approved mobile electronic device users shall review this Policy and sign
consent.
PROVISIONS AND CONDITIONS
Violation of this policy by employee can result in disciplinary action including formal
reprimand, suspension, and /or termination. Third parties failing to comply with this
policy may result in COSA exercising its rights pursuant to the underlying contract.
RELATED DOCUMENTS
• Mobile Tablets Policy #900.22
• Internet Acceptable Use Policy #900.21
7 1 P a