WELD COUNTY
CODE ORDINANCE 2005-13
IN THE MATTER OF REPEALING AND REENACTING, WITH AMENDMENTS, CHAPTER 9
INFORMATION SERVICES, OF THE WELD COUNTY CODE
BE IT ORDAINED BY THE BOARD OF COUNTY COMMISSIONERS OF THE COUNTY OF
WELD, STATE OF COLORADO:
WHEREAS, the Board of County Commissioners of the County of Weld, State of Colorado,
pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority
of administering the affairs of Weld County, Colorado, and
WHEREAS, the Board of County Commissioners, on December 28, 2000, adopted Weld
County Code Ordinance 2000-1, enacting a comprehensive Code for the County of Weld, including
the codification of all previously adopted ordinances of a general and permanent nature enacted on
or before said date of adoption, and
WHEREAS, the Weld County Code is in need of revision and clarification with regard to
procedures, terms, and requirements therein.
NOW, THEREFORE, BE IT ORDAINED by the Board of County Commissioners of the
County of Weld, State of Colorado, that Chapter 9, Information Services, of the Weld County Code
be, and hereby is, repealed and re-enacted, with amendments, to read as follows.
CHAPTER 9
INFORMATION SERVICES
Throughout Chapter 9, replace "The Department of Information Services" with "Information
Services".
Throughout Chapter 9, replace "SCT" Corporation with "ACS" Corporation.
Throughout Chapter 9, replace the subcommittee "Human Services" with "Health and Human
Services".
Throughout Chapter 9, replace "Geographical Information System (GIS) Division" with "GIS", and
replace "the Division" with "GIS".
ARTICLE I
INFORMATION SERVICES
Sec. 9-1-70. Specific duties and responsibilities of Governance Committee.
A through G - No change.
H. Communication and enforcement of policies and procedures.
Sec. 9-1-80. Specific duties and responsibilities of users.
2005-3367
PAGE 1 ORD2005-13
The specific duties and responsibilities of each user are as follows:
A. General responsibilities:
1. Designate a management level position to act as a liaison between the user
department, Governance Committee and Information Services.
2 through 3 - No change.
B. No change.
C. New system development responsibilities:
1 through 5 - No change.
6. Maintain communication with Information Services by attending regularly
scheduled management review meetings.
Sec. 9-1-90. Specific duties and responsibilities of Information Services via contract
services.
The following specific duties will be assigned to the Department of Information Services:
A and B - No change.
C. Direct action responsibilities:
1. Represent the County to vendors of computer and data communications
equipment, systems and services.
2. Provide for the acquisition and administration of personnel, hardware,
software, contracts, grants and related services necessary to support the
information services requirements of any user or the County in general.
3. Inform users in advance of governance approved changes to hardware,
software and related resources which may affect their systems.
4 - 16 - No change.
17. Allow for testing of new systems and major enhancements and technology
prior to production implementation.
18. Control and coordinate the funding for projects.
Remainder of Section - renumber.
ARTICLE II
INFORMATION SERVICES GOVERNANCE COMMITTEE
Sec. 9-2-30. Role.
The role of the Information Services Governance Committee includes the following:
A through C - No change.
D. Identify the annual information system priorities and related budgetary impact.
These priority recommendations will become an integral part of the budget process
subject to adjustment during budget preparation/adoption, and upon final budget
approval, will be established as part of the Department of Information Services
annual work program. All projects must be reviewed and approved by the
Information Services Governance Committee before they can be added to the
Information Services annual work plan.
E through G - No change.
Sec. 9-2-80 Purpose and structure of subcommittees.
A through B - No change.
C. The responsibilities of the functional subcommittees are to:
1 through 4 - No change.
5. Ensure that user department systems design decisions are made in
accordance with annual information system work plans and approved project
schedules.
6 through 8 - No change.
ARTICLE III
COUNTY NETWORK AND INTERNET ACCEPTABLE USE POLICY
Sec. 9-3-10. General provisions.
A. The Department of Information Services, in conjunction with the Information Services
Governance Committee, has taken the necessary steps to provide a County
Network and Internet Acceptable Use Policy on use of the Internet by County
agencies and departments. Any County agency or department eligible for, and
having funding for, the Weld County network or the Internet will be provided with
access under the terms and conditions of this policy.
B through C - No change.
D. This policy applies to any activity performed from a County-owned asset and to all
County employees or contracted agents of the County performing work activities on
behalf of the County. Work activities conducted from remote devices or even
personally owned devices are subject to this policy. The policy applies to electronic
communications on County networks and public networks including, but not limited
to, the following:
1. Electronic Communications:
a. E-mail.
b. File transfer (FTP).
c. Remote login, including VPN, and Citrix.
d. Remote control software.
e. Discussion groups/bulletin boards.
f. World Wide Web, web servers, wide area information servers
(WAIS).
g. Personal computing devices, including Blackberrys, PDA's, and cell
phones.
h. Digital type devices that can communicate with personal computers
or public networks.
i. H3xx, such as video conferencing.
j. Voice over IP (VOIP).
2. Public Networks:
a. Internet and Internet Services.
b. Internet Service Providers.
c. Bulletin board systems.
d. Weld County network.
e. On-line search services.
Sec. 9-3-20. Introduction.
Weld County network access and Internet access can provide significant business benefits
for County government agencies. However, there are also significant legal, security and
productivity issues related to how the Internet is used. Examples of such issues are listed below.
A. The potential to receive computer viruses, Trojans, worms and spyware from Internet
information sources.
B through F - No change.
Sec. 3-2-25. Authorized County Network Access.
A. Secure New Employee Accounts. Authorized access to the County network for
new employees must be approved by the department head, elected official, or
designated person in the department. Requests for new employee security or
changes to existing security must be submitted using the Security Request Form
(Appendix 9-B).
1. Requests for new employee security must be submitted in advance -- at
least three days prior to hire date, and signed by department head, elected
official, or designated person.
2. All documentation authorizing user access to controlled computing and
information resources must be archived and retrievable upon request for all
active accounts. Requests will be retained for a period of five years.
3. Requested access must be approved by the owner of the data.
4. Login passwords must meet the County required standard, as set forth in
Section 9-3-70.
5. Generic and shared accounts are strictly prohibited. All UserID's must
uniquely identify users to the system.
B. Secure Employee Terminations.
1. All security requests for employee terminations within the County's
operations must be submitted prior to the last date of employment. Upon
the termination of an employee, all accounts for the employee, including
remote access and email, must be immediately suspended or removed from
all systems.
2. Notification for unplanned terminations must be communicated to Information
Services to immediately disable the account. Security request forms are
required for unplanned terminations, and must be approved by the
department head, elected official, or designated person in the department to
which the terminated employee was assigned.
Sec. 9-3-30. Definitions.
Add the following definitions:
FTP means file transfer protocol.
ISP means Internet Service Provider.
VPN means virtual private network.
Delete the following definitions:
Sec. 9-3-40. Guidelines.
Replace the entire section with the following:
A. Responding to security incidents. All security incidents shall be reported to the IT
Help Desk for immediate escalation.
B. Responding to malfunctions and violations. All employees must play an active role
in helping to assure the security and quality of all County applications by reporting
any continual malfunctions in software and hardware. In doing so, employees help
to assure the optimum performance and availability of business systems.
1. Employee obligation to report software malfunction. Any employee that
observes continual or recurring malfunctions in any County software must
report the malfunction to their supervisor or the person responsible for that
software.
2. Employee obligation to report hardware malfunction. Any employee that
observes continual or recurring malfunctions in any County information
system hardware must report the malfunction to their supervisor or the
person responsible for hardware maintenance.
3. Employee obligation to report security and policy violations. Any employee
that observes the violation of security and/or security policy is obligated to
report the malfunction to their supervisor.
C. Employee responsibility. The security, protection, and integrity of County
information assets are a premier responsibility of all County employees and
contractors. It is each employee's responsibility to fully understand the information
security policies contained in this document and to apply these policies effectively
to their daily practices and routines. Should an employee be unable to perform, or
not fully understand any of the following policies, whether whole or in part, it is that
employee's responsibility to alert his or her manager as to their difficulty or confusion
with the policy or policies. It is each employee's duty and responsibility to report to
their immediate supervisor any and all violations of these policies that he or she may
have witnessed or have knowledge of.
D. Manager responsibility. It is the responsibility of all managers to assure that all
employees under their supervision fully understand and are in compliance with these
information security policies. Managers are responsible for keeping their employees
up-to-date on any changes regarding these policies. Should any employee
consistently break company policy, it is that manager's responsibility to take
disciplinary measures in accordance with applicable County disciplinary policies or
procedures. It is the responsibility of all managers to ensure that all information
assets under their domain are secured and managed in order to ensure compliance
with relevant policies and procedures.
E. Use of information systems and resources. Employees who are entitled to the
usage of County computing systems to perform the necessary functions identified
with their position, must not misuse or abuse computing systems and resources.
1. Compliance with software copyrights and licenses. All employees must
comply with and respect the copyright laws and license agreements of the
software licensed to the County for use on business computing systems.
2. Use of illegal software. Employees must not download and/or install pirated
or illegal software that violates existing copyright or license agreements.
3. Use of non-approved software. The County strictly forbids the downloading
or installation of non-county owned or licensed software on County
computing systems without prior consent from a supervisor.
4. Acceptable use of passwords. Each password owner shall safeguard and
protect each password they have created, or that is entrusted to them.
Password sharing and account sharing is strictly prohibited. Writing down
passwords is not an acceptable practice; however, if passwords must be
written down, the information shall be stored securely and be accessible only
by the owner. Storing passwords via electronic file or programmable
function keys, scripts, macros or automated logon sequences is strictly
prohibited.
5. Security of the computer desktop through locking practices and
mechanisms. All users of a computing system must either lock the
computer desktop or log off of the system when walking away from a
computer terminal. Additionally, all computing systems covered by HIPAA
must employ the use of a locking screensaver or similar mechanism to
automatically enable after a minimum usage lapse of 5 minutes.
6. Transmission of sensitive information over unsecured networks. Employees
must not send highly sensitive information over unsecured networks without
the use of encryption to secure the transmission. Such examples would be,
but not be limited to:
a. Use of encryption when sending credit card information over the
Internet (look for "https" in the web page URL to assure encryption).
b. Sending confidential business information over unsecured,
non-county networks.
7. Tampering with security mechanisms. All County computing systems must
be equipped with security mechanisms to protect the information and
resources of each system. Employees are not to tamper with, reconfigure,
or disable such mechanisms. Such mechanisms would include, but not be
limited to anti-virus software, access controls.
8. Possession of offensive material. County employees are not permitted to
access, view, download, upload, e-mail, store or print material that could be
considered inappropriate, offensive or disrespectful to others.
9. Communication of personal opinions. Employees must refrain from
expressing personal opinions or communicating in a way that could be
embarrassing to the County while using County computing and
communications systems.
10. Illegal access of computer systems. County computing systems must not
be used to obtain illegal access to computer systems, to interfere with the
normal operations of computer systems or to perform malicious acts against
a computer system.
11. Unauthorized testing of computing system security. Employees must never
test the security of computer systems, whether physical or logic based,
without written permission from senior management of both the facility from
where the test is being launched, and the facility where the system resides.
The only exception to this is if such security testing is a known part of the
employee's job description and function.
12. Disclosure of classified information. Employees must never disclose
information that could be considered sensitive, classified or proprietary to
unauthorized persons.
13. User Data Storage. All employees using a County issued computing
workstation must store information relating to their job function on servers
designated for that purpose. This data should not be stored locally on the
workstation unless it is permitted by Information Services.
14. System Changes. Any software that allows configuration changes to
networks, computers and other hardware or software, should only be
installed by members of Information Services.
F. Use of e-mail systems and resources. Based upon the requirements of an
employee's job function, those with a legitimate business need for a county e-mail
account are entitled to the use of county e-mail systems. Such usage is for
enhancing productivity and communications. However, it is important that
employees not misuse or abuse e-mail systems and resources.
1. Acceptable use of e-mail. The use of county e-mail systems and resources
must be restricted to business purposes only. Incidental personal use is
permissible if such use does not interfere with employee productivity, does
not preempt any business activity, and does not consume more than a trivial
amount of county resources.
2. Transmission of offensive messages. Employees must refrain from
sending e-mail messages that may be considered lewd, offensive, or
harassing by or to other people.
3. Transmission of hostile messages. Employees must refrain from sending
e-mail messages that contain angry, violent, or threatening messages.
4. Transmission of disruptive messages. Employees must not participate in
sending, forwarding, or responding to e-mails that are of a disruptive or
coercive nature, such as the distribution of SPAM or chain letters.
5. Transmission of non-incidental, personal messages. Employees are not
permitted to send messages involving the petition or solicitation for personal
gain or interest.
6. Disclosure of login information. The county identifies passwords as highly
sensitive information. Account owners must never divulge their e-mail
account passwords and login information.
7. E-mail Privacy. All County e-mail is a public record and may be subject to
public inspection.
G. Use of Internet systems and resources. All employees who are granted Internet
access are encouraged to use the Internet as part of their daily work environment.
It is, however, important that employees not misuse or abuse County Internet
resources, which could result in disciplinary action by the County.
1. Acceptable Internet connectivity. Employees are only permitted to access
the Internet for County business, using County computing systems, through
authorized County gateways.
2. Personal use of Internet connectivity. Use of County computing resources
to access the Internet must be for legitimate business purposes only.
Incidental personal use of Internet resources is permissible if the use does
not interfere with employee productivity, does not preempt any business
activity, and does not consume more than a trivial amount of County
resources.
3. Affiliation with the County. Employees may make public their affiliation with
the County in work related mailing lists, chat sessions, and other
communication resources on the Internet. This affiliation may be
accomplished directly or it may be implied; however, employees must
indicate that such opinions expressed are their own and not necessarily
those of the County.
4. Inappropriate use of Internet resources. Initiating or participating
in communications in an inappropriate or unprofessional way is strictly
prohibited. Employees must refrain from the use of lewd, offensive or hostile
language when communicating using county resources. Likewise, all
Internet messages that are intended to harass, annoy or alarm persons are
similarly prohibited.
5. Inappropriate use of Internet resources for illegal access. Employees are
strictly prohibited from contacting or probing information systems, of County
origin or otherwise, with the intent to gain unauthorized access. Similarly,
employees must not attempt to disrupt or interfere with the operation or
function of any information systems.
6. Generation of excessive internet traffic. To minimize network traffic,
automatic requests for information on the Internet and applications that
generate constant network traffic, e.g., Internet radio stations, channels,
music-sharing services, etcetera, are prohibited.
H. Use of networked systems and resources. All employees of the County are granted
access to the network. Employees will require access to the network for Internet
access, network storage, Internet access, etcetera. It is important that employees
not misuse or abuse this resource, which could result in disciplinary action by the
County.
1. Unauthorized testing of computing system security. Employees must never
test the security of network systems and resources, whether physical or
logic based. The only exception to this is if such security testing is a known
part of the employee's job description and function.
2. Disregard for security mechanisms. Employees must not attempt to
bypass security mechanisms as a means for creating shortcuts or for the
performance of pranks or practical jokes.
3. Unauthorized connections to non-county networks. It is strictly forbidden for
employees to establish unauthorized connections to other non-county
networks, public or private, while connected to a County network. This
includes connecting to non-county wireless networks while connected to the
County network.
4. Use of modems on network connected systems. Remote access systems,
such as modems, are strictly prohibited. Such modems may be used for
specific isolated purposes; however, it must remain in a disconnected state
until the exact time that the system is needed. All modems must be
registered with Information Services.
5. Use of encryption for highly sensitive information. Employees must be
aware that when sending sensitive information over County or public
networks that the County does not use encryption to protect the contents of
such information by default. Therefore, it is the responsibility of all
employees to take the necessary precautions to encrypt highly sensitive
information when transmitting.
6. Network Privacy. County and Information Services employees must
understand that all communications using County resources may be
monitored for statistical, legal, and investigative purposes. County and
Information Services employees should expect no right of privacy to
communications made using County equipment and resources.
I. Use of remote access (VPN). Remote access into County networks is only
permissible through a County owned, Information Services administered, VPN
(Virtual Private Network) solution.
J. Compliance with legal requirements. All usage of commercial software within the
County must conform to all requirements and restrictions imposed by the licenses.
1. Compliance with software licenses and copyrights. All proprietary software,
either owned or purchased by the County, must be used in a way that does
not violate the license or copyright protecting the software.
2. Maintenance of software licenses. All commercial software licenses must
be maintained to assure that any violation of such licenses does not occur
due to the inability to track or control the use of software licensed to the
County. Installations of software must be documented and the licenses of
such software inventoried.
3. Use of pirated or stolen software. Installation of pirated or stolen software
on County information computing systems is expressly prohibited.
4. Recording of communications. Employees shall not record any
communications without the disclosure of the recording and the specific
consent of all persons involved in the communication. This includes, but is
not limited to:
a. Telephone conversations.
b. Teleconferences.
c. Video Conferences.
Sec. 9-3-50. Roles and responsibilities.
A through B - No change.
C. The role of the County departments and agencies is as follows:
1. It is the responsibility of all managers to assure all employees under their
supervision fully understand, and are in compliance with, the County policies.
Managers are responsible for keeping employees up-to-date on any
changes regarding these policies. Should any employee consistently break
County policy, it is that manager's responsibility to take disciplinary
measures in accordance with applicable County disciplinary policies or
procedures. It is the responsibility of all managers to ensure all information
assets under their domain are secured, managed, and employee access is
limited to job-specific data.
2. Provide for training of employees who need access.
3. Budget for service and associated training, if needed.
4. Establish their own data sensitivity policy.
Sec. 9-3-70. Weld Network and Internet Security.
Replace the entire section with the following:
A. Weld County relies on internet filtering tools to restrict access to appropriate web
sites for County employees.
B. Department Heads or Elected Officials are the only authority who can request
changes to the default filter restrictions applied to their employees' Internet access
(Appendix 9-B).
C. The following remote/Internet security guidelines shall be followed:
1. All remote access falls under the guidelines of the Acceptable Use Policy.
2. The user shall make sure that any related passwords are secure, and shall
not share the passwords or write passwords on paper. Each password
owner shall safeguard and protect each password they have created, or that
is entrusted to them. Password sharing and account sharing is strictly
prohibited. Storing passwords via electronic file or programmable function
keys, scripts, macros or automated logon sequences is strictly prohibited.
Each individual with approved access to County information computing
systems and resources is responsible for creating original, unique and
complex passwords (something known only to them and not easily guessed)
for each account.
3. The user is responsible for securing their remote access information.
Sharing remote access is strictly prohibited.
4. All remote devices and access should be turned off when not being used,
such as VPN or modem. The user should be aware that if he or she has a
modem and is on the County network, it is possible for a virus to attack any
or all networked computers. If the modem is external, it shall be turned off
when not in use.
Add Section 9-3-75, as follows:
Sec. 9-3-75. Physical and Environmental Security Policy.
A. Internal security operations. All offices and office areas within Weld County facilities
must be secured, as appropriate, to prevent unauthorized access to county
information computing systems, resources and network, including the wireless
network.
1. A County-wide standard has been developed for wireless access and all
equipment. This standard includes access points, wireless cards and all
other related equipment. Equipment must be purchased by Information
Services. (See Section 9-1-90.)
a. Only County devices with approved wireless cards are allowed on
the wireless network.
b. Only County employees will be given wireless access.
c. The "Computing Device Request Form" (Appendix 9-D) must be
completed and approved by governance.
d. Approved devices will need to be configured by Information Services
for secure access to the County wireless network.
e. All policies and procedures for accessing the County network apply
for wireless access.
B. Computing in public and untrusted zones. Weld County operates several
computing systems in public access areas and within the County jail for inmate use.
Exposures to the County by the use of these systems must be fully understood and
all known exposures mitigated.
1. Public computing systems. Weld County operates several public access
computers, which are available for use by the public, within the Weld County
facilities. These systems, due to the uncontrolled nature of their use, must
be segregated to an isolated or physically separate segment of the Weld
County network. All access to internal county resources must be tightly
controlled and limited to prevent any misuse of these systems. Auditing
must be enabled on these systems. Users of these systems must be
aware of the specificity and sanctions imposed on these computing
systems.
2. Inmate computing systems. Weld County provides several computers for
the use of inmates within the County jail. Due to the uncontrolled use of
these systems, all inmate computing systems must only maintain a minimal
set of computer resources to prevent abuse of such systems and resources.
This would include:
a. Computers must not maintain any unnecessary ports or peripherals,
including a CD-ROM drive, floppy drive, serial ports, USB ports,
modem, or other non-essential interfaces.
b. Computers must not have access to other computing systems or
servers, except to accomplish the specific purpose for the inmate
computing systems.
c. Computers must not have Internet access.
d. Network access must be segregated from the other County network
segments.
3. Security zones. Specified areas within a facility that are designated as
performing critical functions or contain sensitive information or systems,
must make use of security mechanisms and procedures greater than those
used for areas of lesser criticality or sensitivity. These zones must be
isolated by security controls of reduced permission from the general facility
population. Permission must be based on the need to physically access the
area for a job function. Such security zones would include:
a. Server room.
b. Communications closet.
C. Equipment security. All information computing equipment, and any information
contained or processed by the equipment, must be reasonably protected from
damage, interruption and interception.
1. Protection from power interruptions. All sensitive electronic equipment must
be reasonably protected from interruptions of the power supply including
power fluctuations, power surges, brownouts, and short and long-term
losses. Equipment performing critical functions should have additional or
increased protection from power interruptions.
2. Safety and protection of electrical and communications cabling. All
electrical power and telecommunications cabling must be run observing all
local codes and requirements to prevent such cabling from becoming
hazardous to environments and personnel. All communications cabling
must be reasonably protected from tampering or interception of
communications.
3. Secure disposal of computing equipment. All Weld County computing
equipment and peripherals must be disposed of securely to prevent
unauthorized access to any residual company information.
a. Hard drives. Prior to the disposal of any hard drive or disk drive, the
device must either be physically destroyed or formatted to current
Department of Defense standards.
b. Optical media. Prior to the disposal of any optical media, such as
CD-ROMs, DVD, and ZIP or Jaz cartridges, these devices must be
physically destroyed. This may be accomplished through the use of
shredding or incineration. The optical disc itself must be cut with
scissors or repeatedly scratched in circular motions over the disc.
c. Analog media. Prior to disposal, all analog media must be
completely destroyed. Floppy diskettes must either be shredded in
a large paper shredder or cut with scissors. Backup tapes should
be dismantled with the actual tape shredded or burned (usually this
is best performed by a licensed media destruction contractor).
d. RAM. Prior to disposal, all Random Access Memory modules must
be destroyed. This includes all memory devices such as memory
from computers, memory from printers and FAX machines, or other
memory devices. This is most commonly accomplished through the
use of a hammer where the device is repeatedly struck to physically
smash the memory chips.
IMPORTANT NOTICE: When manually destroying a media device,
always use protective eyewear and apply common sense to avoid
physical injury.
Sec. 9-3-80. Acceptable use guidelines.
A - No change.
B. General.
1. County departments assume responsibility for providing reasonable publicity
and enforcement for this "Internet Acceptable Use Policy". Ultimate
responsibility for traffic that does not conform to this policy lies with the
individual end user. It is the responsibility of the County agency to monitor
and rectify the behavior of its users who disregard this policy.
2. It is also the responsibility of each County department to provide adequate
training for its users.
3. The Department of Information Services and the County accept no
responsibility for the traffic which they transport and which violates the
Acceptable Use Policy of any connected networks, beyond informing the
County if and when a violation is brought to the attention of the Information
Services Governance Committee.
4 through 5 - No change.
6. Because of the diversity of resources on the Internet and other public
networks, it is impossible to list all the do's and don'ts. In general, common
sense should be used to judge situations. The following are some
guidelines to start with:
a. Computing resources should be used only for County-related
business in the support of the administrative, instructional, research
and public service objectives of the County.
b. Appropriate use of resources is limited to the official work of
the County. Examples of inappropriate use of resources include, but
are not limited to:
1 through 5 - No change.
6) Attempts to make unauthorized entry on the County network.
7 through 10 - No change.
11) Any other activity that can be considered mis-use or harmful
to the County network.
c. Employees must never test the security of computer systems,
whether physical or logic based, without written permission from
senior management of both the facility from which the test is being
launched and the facility where the system resides. The only
exception to this is if such security testing is a known part of the
employee's job description and function.
7. No change.
8. All County departments must accept these guidelines and understand that
network traffic originating from its location is to be consistent with this policy.
The Department of Information Services cannot police the network but may
refer to the appropriate Elected Official or Department Head for disciplinary
action any agency that appears to be in persistent and/or serious abuse of
this policy. Questions pertaining to the policy or interpretation of the policy
should be submitted to the Information Services Governance Committee.
9. No change.
C. Participation in discussion groups.
1. No change.
2. The user must be aware that the information he or she puts out on the
Internet will be perceived as the official County position unless specifically
identified as personal opinion, even in a discussion. If the user is offering his
or her own opinion, he or she shall be sure it is clearly identified as such.
3. No change.
D. No change.
E. All County devices are configured for Internet access unless specifically requested
by the department head or elected official.
Sec. 9-3-90. Web server guidelines.
A. Review. The Department of Information Services and the Governance Committee
will review all Web access and Web content proposals to ensure the project
adheres to all guidelines set forth in this Section.
B. Initial approval. Any proposed Web access must be submitted to the Information
Services Governance Committee for initial approval of the proposed project. The
following information must be provided to the Department of Information Services for
review and assistance in submitting the initial request to the Governance Committee.
1. State the general purpose of the project and how it relates to County
business.
2. Define the scope of the project, including what information is going to be
made available, to whom it will be available, the sensitivity level of the
information, and the identity of the targeted user.
3. Identify any County data accessed not located on the Web server and how
the data will be used.
4. Identify the designated contact person within the department for this project,
who will be responsible for maintaining current information.
5. Identify the security requirements of the project.
C. Guidelines. If initial approval is granted for the project, the following guidelines must
be followed during the development:
1 through 9 - No change.
10. Contents of Web pages must be approved by the Department
Head/Elected Official or his or her designee.
Sec. 9-3-100. Use of electronic mail.
Electronic mail (e-mail) is defined as any message that is transmitted electronically between
two (2) or more computers or terminals, whether stored digitally or converted to hard (paper) copy.
Under Part 2, Article 72, Title 24, C.R.S., e-mail messages may be considered public records and
may be subject to public inspection, pursuant to Section 24-72-203, C.R.S. All computer-related
information, including e-mail messages and/or digitally stored documents, are the property of the
County and are considered the County's records even if the information resides on privately owned
devices. County e-mail may not be forwarded to employee's personal e-mail accounts.
Sec. 9-3-110. Employee access to e-mail.
A. All County employees with a need are assigned an e-mail address for County
business.
Sec. 9-3-120. Employee conduct with e-mail.
As with any County property or equipment, e-mail should be used for official County
business only. Incidental and occasional personal use of e-mail is permitted. However, strictly
forbidden e-mail usage includes use for personal profit or gain; transmission of political messages;
solicitation of funds for political or other purposes; or sending of harassing messages.
A. Employees must refrain from sending e-mail messages that may be considered
lewd, offensive, or harassing by, or to, other people.
B. Employees must refrain from sending e-mail messages that contain angry, violent,
or threatening messages.
C. Employees must not participate in sending, forwarding, or responding to e-mails
that are of a disruptive or coercive nature, such as the distribution of spam or chain
letters.
D. The County identifies passwords as highly sensitive information. Account owners
must never divulge their e-mail account passwords and login information.
E. Employees must never share e-mail accounts.
ARTICLE VI
GIS System Products and Services
Sec. 9-6-60. Service products and services.
A- No change.
B. The following identify the products and services that are proposed for availability to
the public as the GIS system is developed:
1 - No change.
2. Arc Macro Language (AML) products (programs, menus, computer
programs, forms and written procedures) developed for the administration
of the system may be made available to customers and other County
agencies, departments and appointed and elected offices. No maintenance
of the products is planned to be furnished by the County. Such products
are to be furnished as is, and the decision to release such products is solely
at the discretion of the County. Such products are available to customers
by license agreement and to other County agencies, departments and
appointed and elected offices. It is not intended that custom programs,
etcetera, required for the sole use of the customer will be developed by the
GIS Division.
No change to remainder of section.
Sec. 9-6-70. Rates and charges.
A- No change.
B. Rates and charges for custom products, regular, on-going system services, and
technical assistance.
1 through 2 - No change.
3. The rates to be charged for GIS products, subscription services, AML
products and digital data are set forth in the Products and Rate Schedule
set out at Appendix 5-F of this Code.
4 - No change.
5. All charges are due and payable and shall be collected at the time the order
for products and services is taken, except as otherwise might be established
by contract or license agreement.
No change to remainder of section.
ARTICLE VII
Workstation Remote Control Policy
Sec. 9-7-20. Definitions.
Revise definition of "Remote control software", as follows:
Remote control software: Any software used that enables remote workstations (a second
workstation) to be viewed, controlled or updated remotely, without being physically at the
second workstation.
Sec. 9-7-30. Statement of policy.
A through K- No change.
L. In addition, other components of the workstation application make it possible to
implement mass changes, fixes, or updates to all County workstations
automatically. Updates will be scheduled weekly. It is the end user's responsibility
to support regular maintenance to their workstations to keep workstations secure
and running at optimal performance. This requires end users to adhere to
Information Services guidelines, such as re-booting, etcetera, associated with the
maintenance. Unless under emergency conditions where the IT infrastructure can
be corrupted or damaged, the activity will be scheduled on a weekly basis.
M. Each occurrence where remote control software is utilized to diagnose or resolve
a workstation issue will be logged using Information Services Help Desk call
tracking procedures.
N - No change.
Sec. 9-7-40. Procedure.
A. To initiate a remote control session, support staff must first make an attempt to get
approval from the end user to take control of his or her workstation. Approval can
be obtained multiple ways, e.g., phone, e-mail, etcetera.
B through E - No change.
F. If the end user is not present when the remote control session ends, the support
staff should follow up with the end user, indicating the date and time the session
was held, a brief description of work performed, and whom to contact if there are
questions. This follow up should be by e-mail or phone message.
ARTICLE VIII
PERSONAL COMPUTING DEVICES
Sec. 9-8-30. Statement of Policy.
A through B - No change.
C. Guidelines.
1 through 3 - No change.
4. To be considered for approval of linking or communicating with the County
network, the personal computing device must meet County hardware and
software standards, as well as wireless standards, established by the
Information Services Governance Committee. Requests failing to meet
County standards will result in denial of access to the County network.
5 through 9 - No change.
10. All personally owned devices must be in full operational order prior to
requesting the installation of synchronization software on the user's desktop
personal computer.
11. If an employee is planning to purchase a personal computing device and
wants to synchronize/link it with the County network, it is the employee's
responsibility to meet County standards, receive approval from the Elected
Official or Department Head, and confirm any County funding of any
additional required hardware and/or synchronization software. Approvals
should be obtained prior to any purchase.
12 - No change.
13. For an employee to synchronize or link personal computing devices with the
County network, the user and personal computing device must be registered
as a user with the Information Services Department.
14. The County does not guarantee continued compatibility with any hardware
device or software being utilized in this environment and is not liable for
personal expenses incurred.
15. The County or Information Services is not responsible for any damage to
personally owned hardware or software that may be incurred while
supporting the personal computing device or related software.
16. Abuse of this policy can result in removal of authorization to have a personal
computing device link or communicate with the County network. Continued
abuse of this policy could lead to employee disciplinary actions, including
termination of employment.
Sec. 9-8-40. Procedure.
A- No change.
B. Any County employee wishing to synchronize a personal computing device with a
desktop personal computer or link it with the County network must first have it
approved by his or her Elected Official or Department Head. There must be a clear
business need to approve the request.
1 through 2 - No change.
3. The requesting user must sign the Personal Computing Device Request
Form explaining the County's right to review any information contained on
the device. This form is available from the Information Services
Department. Along with the user's signature, the employee's full name,
device make and model, operating system and serial number shall be
provided. (See Appendix 9-D.)
C. Information Services will review the information on the Computing Device Request
Form to ensure the hardware and software meet County standards. Information
Services will inform the employee of approval or denial.
D. If hardware or software purchases are involved, purchases will be made after the
Information Services Governance Committee approvals have been obtained.
1. Information Services will process approved requests by ordering and
receiving County standard equipment.
2 - No change.
E through F - No change.
G. Personal Computing Device Standards.
1. Technology standards will be determined by the Information Services
Governance Committee and the Board of Weld County Commissioners. It will be the responsibility
of Information Services to follow those standards when reviewing requests for personal computing
devices and purchasing those devices.
Revise Appendix 9-A, Information Services Function Sub-Committees, as attached.
Revise Appendix 9-B, Computer Security Request Form, as attached.
Revise Appendix 9-C, GIS Functional Subcommittees, as attached.
Add Appendix 9-D, Computing Device Request Form, as attached.
Add Appendix 9-E, Websense Internet Filter Removal Request Form, as attached.
BE IT FURTHER ORDAINED by the Board that the Clerk to the Board be, and hereby is,
directed to arrange for Colorado Code Publishing to supplement the Weld County Code with the
amendments contained herein, to coincide with chapters, articles, divisions, sections, and
sub-sections as they currently exist within said Code; and to resolve any inconsistencies regarding
capitalization, grammar, and numbering or placement of chapters, articles, divisions, sections, and
sub-sections in said Code.
BE IT FURTHER ORDAINED by the Board if any section, subsection, paragraph, sentence,
clause, or phrase of this Ordinance is for any reason held or decided to be unconstitutional, such
decision shall not affect the validity of the remaining portions hereof. The Board of County
Commissioners hereby declares that it would have enacted this Ordinance in each and every
section, subsection, paragraph, sentence, clause, and phrase thereof irrespective of the fact that
any one or more sections, subsections, paragraphs, sentences, clauses, or phrases might be
declared to be unconstitutional or invalid.
The above and foregoing Ordinance Number 2005-13 was, on motion duly made and
seconded, adopted by the following vote on the 7th day of December, A.D., 2005.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
ATTEST:
William H. Jerke, Chair
Weld County Clerk to the Board
M. J. Geile, Pro-Tem
BY:
Deputy Clerk to the Board
David E. Long
APPROVED AS TO FORM:
Robert D. Masden
County Attorney
Glenn Vaad
First Reading: October 24, 2005
Publication: November 2, 2005, in the Fort Lupton Press
Second Reading: November 16, 2005
Publication: November 23, 2005, in the Fort Lupton Press
Final Reading: December 7, 2005
Publication: December 14, 2005, in the Fort Lupton Press
Effective: December 19, 2005
APPENDIX 9-A
INFORMATION SERVICES
FUNCTIONAL SUBCOMMITTEES
FINANCE AND ADMINISTRATION:
Accounting
General Services
Board of County Commissioners
Clerk to the Board
County Attorney
Finance
Personnel
Communications
CRIMINAL JUSTICE:
Coroner
District Attorney
Office of Emergency Management
Sheriff
HUMAN SERVICES:
Public Health and Environment
Human Services
Social Services
Extension
Paramedic Services
PROPERTY:
Assessor
Planning and Building Inspection
Public Works
Treasurer
CLERK AND RECORDER:
Motor Vehicle
Recording
Elections
APPENDIX 9-B
COMPUTER SECURITY REQUEST
(Please Print)
Requestor:
Dept: Extension: Date:
NEW EMPLOYEE 0 CHANGE 0
EMPLOYEE TERMINATION 0 Save the HOME DIRECTORY of this user to:
Users Name: Extension:
Dept:
Provide access similar to (name of employee)
ACCESS NOTE
E-Mail Account 0
Internet—Web Filter 0 Websense
Banner 0
Contact Barb Eurich—x4445
PeopleSoft 0
Contact Barb Eurich—x4445
ICRIS 0 C & R Signature
VPN —Add 0 Delete ❑ ❑ User must have broadband at remote location
Citrix—Assessor 0 0
Clerk to the Board 0
Other 0
Social Services ❑ State User Name -
Cats General Qualifier-
Special Instructions: (Specify any additional application security. Department Head security must be
obtained to access department owned applications.)
Department Head Approval: Date:
Technical Director Approval: Date:
Implemented by: Date:
APPENDIX 9-C
GIS FUNCTIONAL SUBCOMMITTEES
FINANCE AND ADMINISTRATION:
Accounting
General Services
Board of County Commissioners
Clerk to the Board
County Attorney
Finance
Personnel
CRIMINAL JUSTICE:
Coroner
District Attorney
Office of Emergency Management
Sheriff
HUMAN SERVICES:
Public Health and Environment
Human Services
Social Services
Extension
Paramedic Services
ASSESSOR:
Assessor
Treasurer
CLERK AND RECORDER:
Motor Vehicle
Recording
Elections
PUBLIC WORKS:
Public Works
Engineering
PLANNING SERVICES:
Planning and Zoning
Building Inspection
APPENDIX 9-D
Weld County Government
Computing Device Request Form
By signing below, I acknowledge that I have reviewed Weld County's "Computing Device
Request Form". I understand that it is my responsibility to adhere to the established policies and
practices for authorization to communicate, link, synchronize, copy, or transfer data between my
personal computing device and any device linked to the Weld County network. All devices must
meet stated Weld County standards.
➢ Employee must obtain the department head or elected official approval.
Employee Name:
Department Name:
➢ Provide information on the Computing Device you will be using:
Device Manufacturer:
Device Make & Model:
Device Serial Number:
Device Operating System:
(Include version#) (must be a version of either Palm OS or Windows CE)
Device owned by (circle one): Weld County or Weld Employee
Employee's Signature: Date:
Director's Signature: Date:
(Requesting Department's Authorizing Signature)
Note: Synchronization software must be legally licensed by Weld County. If required, the requesting department is responsible
for obtaining funding approval and requesting Information Services to purchase the necessary software.
Approved by:
Director: (Information Services Department) Date:
This document is not intended as an express or implied employment contract between Weld
County and any of its employees.
APPENDIX 9-E
Information Services
Websense Internet Filter Removal Request
STATUS | CATEGORY | ACCESS
Select access by entire category or by subcategory
Blocked Abortion - Sites with neutral or balanced presentation of the issue.
  Pro-Choice -- Sites that provide information about or are sponsored by organizations that
  support legal abortion or that offer support or encouragement to those seeking the procedure.
  Pro-Life -- Sites that provide information about or are sponsored by organizations that
  oppose legal abortion or that seek increased restriction of abortion.
Blocked Adult Material - Parent category that contains the categories: Adult Content,
Lingerie and Swimsuit, Nudity, Sex, Sex Education
  Adult Content -- Sites that display full or partial nudity in a sexual context, but not sexual
  activity; erotica; sexual paraphernalia; sex-oriented businesses as clubs, nightclubs, escort
  services; and sites supporting online purchase of such goods and services.
  Lingerie and Swimsuit -- Sites that offer images of models in suggestive but not lewd costume,
  with seminudity permitted. Includes classic 'cheese-cake,' calendar, and pinup art and
  photography. Includes also sites offering lingerie or swimwear for sale.
  Nudity -- Sites that offer depictions of nude or seminude human forms, singly or in groups,
  not overtly sexual in intent or effect.
  Sex -- Sites that depict or graphically describe sexual acts or activity, including
  exhibitionism; also sites offering direct links to such sites.
  Sex Education -- Sites that offer information about sex and sexuality, with no pornographic
  intent.
Blocked Advocacy Groups - Sites that promote change or reform in public policy, public opinion,
social practice, economic activities and relationships.
Open Business and Economy - Sites sponsored by or devoted to business firms, business
associations, industry groups, or business in general.
  Financial Data and Services -- Sites that offer news and quotations on stocks, bonds, and other
  investment vehicles, investment advice, but not online trading. Includes banks, credit unions,
  credit cards, and insurance.
Blocked Drugs - Parent category that contains the categories: Abused Drugs, Prescribed
Medications, Marijuana, Supplements/Unregulated Compounds
  Abused Drugs -- Sites that promote or provide information about the use of prohibited drugs,
  except marijuana, or the abuse or unsanctioned use of controlled or regulated drugs; also,
  paraphernalia associated with such use or abuse.
  Marijuana -- Sites that provide information about or promote the cultivation, preparation, or
  use of marijuana.
  Prescribed Medications -- Sites that provide information about approved drugs and their
  medical use.
  Supplements and Unregulated Compounds -- Sites that provide information about or promote the
  sale or use of chemicals not regulated by the FDA (such as naturally occurring compounds).
Filtered Education - Parent category that contains the categories: Cultural Institutions,
Educational Institutions, Educational Materials
  Cultural Institutions -- Sites sponsored by museums, galleries, theatres (but not movie
  theatres), libraries, and similar institutions; also, sites whose purpose is the display of
  artworks.
  Educational Institutions -- Sites sponsored by schools and other educational facilities, by
  non-academic research institutions, or that relate to educational events and activities.
  Educational Materials -- Sites that provide information about or that sell or provide
  curriculum materials or direct instruction; also, learned journals and similar publications.
  Reference Materials -- Sites that offer reference-shelf content such as atlases, dictionaries,
  encyclopedias, formularies, white and yellow pages, and public statistical data.
Filtered Entertainment - Sites that provide information about or promote motion pictures,
non-news radio and television, books, humor, and magazines.
  MP3 -- Sites that support downloading of MP3 or other sound files or that serve as directories
  of such sites.
Blocked Gambling - Sites that provide information about or promote gambling or support online
gambling, involving a risk of losing money.
Blocked Games - Sites that provide information about or promote electronic games, video games,
computer games, role-playing games, or online games. Includes sweepstakes and giveaways.
Open Government - Sites sponsored by branches, bureaus, or agencies of any level of government,
except for the armed forces.
  Military -- Sites sponsored by branches or agencies of the armed services.
  Political Organizations -- Sites sponsored by or providing information about political parties
  and interest groups focused on elections or legislation.
Filtered Health - Sites that provide information or advice on personal health or medical
services, procedures, or devices, but not drugs. Includes self-help groups.
Blocked Illegal or Questionable - Sites that provide instruction in or promote nonviolent crime
or unethical or dishonest behavior or the avoidance of prosecution therefor.
Filtered Information Technology - Sites sponsored by or providing information about computers,
software, the Internet, and related business firms, including sites supporting the sale of
hardware, software, peripherals, and services.
  Computer Security -- Sites that provide information about or free downloadable tools for
  computer security.
  Hacking -- Sites that provide information about or promote illegal or questionable access to
  or use of computer or communication equipment, software, or databases.
  Proxy Avoidance -- Sites that provide information about how to bypass proxy server features or
  to gain access to URLs in any way that bypasses the proxy server.
  Search Engines and Portals -- Sites that support searching the Web, news groups, or indices or
  directories thereof.
  URL Translation Sites -- Sites that offer online translation of URLs. These sites access the
  URL to be translated in a way that bypasses the proxy server, potentially allowing
  unauthorized access.
  Web Hosting -- Sites of organizations that provide hosting services, or top-level domain pages
  of Web communities
Blocked Internet Communication - Parent category that contains the categories: Email, Web Chat
  Web Chat -- Sites that host Web chat services or that support or provide information about
  chat via HTTP or IRC.
  Web-based Email -- Sites that host Web-based email.
Blocked Job Search - Sites that offer information about or support the seeking of employment or
employees.
Blocked Militancy and Extremist - Sites that offer information about or promote or are sponsored
by groups advocating antigovernment beliefs or action.
Open News and Media - Sites that offer current news and opinion, including those sponsored by
newspapers, general-circulation magazines, or other media.
  Alternative Journals -- Online equivalents to supermarket tabloids and other fringe
  publications.
Blocked Racism and Hate - Sites that promote the identification of racial groups, the
denigration or subjection of groups, or the superiority of any group.
Filtered Religion - Parent category that contains the categories: Traditional Religions,
Non-Traditional Religions
  Non-Traditional Religions and Occult and Folklore -- Sites that provide information about or
  promote religions not specified in Traditional Religions or other unconventional, cultic, or
  folkloric beliefs and practices.
  Traditional Religions -- Sites that provide information about or promote Buddhism, Bahai,
  Christianity, Christian Science, Hinduism, Islam, Judaism, Mormonism, Shinto, and Sikhism, as
  well as atheism.
Filtered Shopping - Sites that support the online purchase of consumer goods and services
except: sexual materials, lingerie, swimwear, investments, medications, educational materials,
computer software or hardware, alcohol, tobacco, travel, vehicles and parts, weapons.
  Internet Auctions -- Sites that support the offering and purchasing of goods between
  individuals.
  Real Estate -- Sites that provide information about renting, buying, selling, or financing
  residential real estate.
Filtered Social Organizations - Parent category that contains the categories: Professional and
Worker Organizations, Service and Philanthropic Organizations, Social and Affiliation
Organizations
  Professional and Worker Organizations -- Sites sponsored by or that support or offer
  information about organizations devoted to professional advancement or workers interests.
  Service and Philanthropic Organizations -- Sites sponsored by or that support or offer
  information about organizations devoted to doing good as their primary activity.
  Social and Affiliation Organizations -- Sites sponsored by or that support or offer
  information about organizations devoted chiefly to socializing or common interests other than
  philanthropy or professional advancement.
Filtered Society and Lifestyles - Sites that provide information about matters of daily life,
excluding entertainment, health, hobbies, jobs, sex, and sports.
  Alcohol and Tobacco -- Sites that provide information about, promote, or support the sale of
  alcoholic beverages or tobacco products or associated paraphernalia.
  Gay or Lesbian or Bisexual Interest -- Sites that provide information about or cater to gay,
  lesbian, or bisexual lifestyles, including those that support online shopping, but excluding
  those that are sexually or issue-oriented.
  Hobbies -- Sites that provide information about or promote private and largely sedentary
  pastimes, but not electronic, video, or online games.
  Personal Web Sites -- Sites published and maintained by individuals for their personal
  self-expression and ends.
  Personals and Dating -- Sites that assist users in establishing interpersonal relationships,
  excluding those intended to arrange for sexual encounters and excluding those of exclusively
  gay or lesbian or bisexual interest.
  Restaurants and Dining -- Sites that list, review, advertise, or promote food, dining, or
  catering services.
Filtered Special Events - Sites devoted to a current event that requires separate
categorization.
Filtered Sports - Sites that provide information about or promote sports, active games, and
recreation.
  Sport Hunting and Gun Clubs -- Sites that provide information about or directories of gun
  clubs and similar groups, including war-game and paintball facilities.
Blocked Tasteless - Sites with content that is gratuitously offensive or shocking, but not
violent or frightening. Includes sites devoted in part or whole to scatology and similar topics
or to improper language, humor, or behavior.
Open Travel - Sites that provide information about or promote travel-related services and
destinations.
Filtered Vehicles - Sites that provide information about or promote vehicles, including those
that support online purchase of vehicles or parts.
Blocked Violence - Sites that feature or promote violence or bodily harm, including
self-inflicted harm; or that gratuitously display images of death, gore, or injury; or that
feature images or descriptions that are grotesque or frightening and of no redeeming value.
Blocked Weapons - Sites that provide information about, promote, or support the sale of weapons
and related items.
Blocked: Can't access site
Filtered: Can access using quota time