Controlling Access
The computer and communications system privileges of all users, systems, and programs must be restricted, based on the need-to-know.
Automatic Log-off
If there has been no activity on a computer terminal, workstation, or computer (PC) for fifteen (15) minutes, the system will automatically terminate any session initiated by IMS personnel. Re-establishment of the session must take place only after the user has provided the proper password.
Physical Security Measures for Computers & Communications Systems
Buildings which house Salt Lake City Corporation computers or communications systems must be protected with physical security measures that prevent unauthorized persons from gaining access.
Use of Personal Computer Systems on Salt Lake City Property
Users must not connect their own computers or computer peripherals into the City’s network, or load their personal computer software on City computer equipment without prior authorization from their department head.
Moving Microcomputer Equipment
Computer equipment, such as PCs, printers, etc., under IMS maintenance and support may not be moved without the prior notification and participation of Information Management Services personnel. IMS requires a minimum of five business days notification prior to the proposed move to allow scheduling of personnel and needed equipment. A move of equipment is not covered under service or maintenance and is on a time and materials basis.
This policy does not apply to minor moves within the user’s personal work area (e.g. moving a system from the left side of a desk to the right side.
Alteration/Expansion of Computers
Computer equipment under IMS maintenance and support may not be altered, modified, or upgraded in anyway without knowledge and authorization of IMS.
Prohibition Against Personal Computer Modems in Auto-answer Mode
Users must not leave modems connected to personal computers in auto-answer mode, in such a way that they are able to receive incoming dial-up calls.
Security Notice in System Log-in Banner
Every log-in process for multi-user computers must include a special notice. This notice must state: (1) the system is to be used only by authorized users, and (2) by continuing to use the system, the user represents that he/she is an authorized user. In addition, specific information about the organization, the computer operating system, the network configuration, or other internal matters must not be provided in the log-in banner until a user has successfully provided both a user-ID and a password.
For legal reasons, in many jurisdictions, it is wise to put all users on notice that the involved system is to be used only for authorized purposes. In the event of a prosecution against those who entered the system unlawfully, one of the most successful defending claims is that there was no notice saying they could not enter. Recent court cases have highlighted the need for organizations to put unauthorized users on notice that their systems are off-limits. As a result, a system log-in banner -- displayed each time a user logs-in -- should provide the electronic equivalent of a no-trespassing sign. Our current model requires this only for those logging in with VPN logins.