HomeMy WebLinkAbout01-23RESOLUTION 01-23
RESOLUTION OF THE CITY COUNCIL OF THE TOWN OF LOS ALTOS HILLS
ADOPTING THE INFORMATION TECHNOLOGY (IT) POLICY
WHEREAS, the IT Policy replaces Section 14.9 Internet and Electronic Policy of the Employee
Handbook; and
WHEREAS, this policy applies to all employees (full time, part time, contract, temporary, hourly
and seasonal employees), officials, consultants, contractors, volunteers, and any other individuals
who are granted access to the Town's IT system and/or electronic communication platform,
equipment and resources.
WHEREAS, the Technology Committee and the IT Managed Services Provider reviewed the IT
Policy and provided comments and voted in favor of sending the policy to City Council for review
and approval; and
WHEREAS, the Town's IT Managed Services Provider, will ensure all users adhere to the IT
policy (Attachment A); and
NOW THEREFORE, resolved by the City Council of the Town of Los Altos Hills that the
Council hereby adopts the Town's IT Policy.
The above and foregoing Resolution was passed and adopted by the City Council of the Town of
Los Altos Hills at a special meeting held on the 24th day of January 2023 by the following vote:
AYES: Swan, Mok, Schmidt, Tyson
NOES: None
ABSTAIN: None
ABSENT: Tankha
BY -
Linda Swan, Mayor
ATTEST:
Deborah Padovan, City Clerk
Resolution 01-23 Page 1
Attachment A
LOS ALTOS MLLS
1'WOO
�r�"'r1
The Town of Los Altos Hills
Information Technology (IT) Policy
CALIFORNIA
The purpose of this policy is to ensure the proper use of the Town of Los Altos Hills ("Town")
IT Systems. This policy will supersede Section 14.9 Internet and Electronic Mail Policy in the
Employee Handbook.
The Town provides computer, systems and communications equipment to those users who need
it to perform their job responsibilities. The Town's electronic information and communication
systems, including the Town's computers, Town applications, telephones, mobile phones, tablets,
voice mail, scanners, fax machines, email, instant messaging, intranet, internet, electronic
collaboration tools and storage platforms, whether on -premises or in the cloud (collectively
"Information Technology Systems" or "IT Systems").
As IT Systems advance and expand, it is important that Town staff continually use and manage
them in a manner that is consistent with the Town's mission, vision, values, and goals. Questions
or concerns regarding the provisions of this policy should be raised with the Administrative
Services Director. This policy applies to all employees (full time, part time, contract, temporary,
hourly and seasonal employees), officials, consultants, contractors, volunteers, and any other
individuals who are granted access to the Town's IT system and/or electronic communication
platform, equipment and resources.
Section 2 - Definitions
1. User - Town. employee, consultant, volunteer, or any person who uses the Town's
computer and/or communication equipment and their related systems and tools.
2. IT Services – The Administrative Services Director (or designee).
3. IT Managed Services Provider – The firm contracted by the Town to provide technology
services.
4. Encryption – Method of protecting data files from unauthorized access (e.g. create
passwords for documents) above and beyond the network file security systems
established by the IT division.
Section 3 — Policy
A. IT Systems and their contents, including any messages and/or information transmitted by
Town staff, are the property of the Town. Nothing about or contained in the IT Systems shall
or will be considered personal and/or confidential information. The Town may inspect,
monitor, and/or audit all IT Systems, or any information contained in IT Systems, at any
time, for any lawful purpose, without notice to any Town staff. Personal use of IT Systems
should be kept to a minimum and for incidental purposes only. In the event Users use
telephones, computer equipment, Internet access and e-mail for personal affairs, Users shall
not expect the data to be protected from review, preservation, or deletion. Accordingly, Users
Page 1 of 13
Resolution 01-23 Page 2
shall not use the Town's IT Systems to create or transmit information they wish to keep
private.
Uses of Town's IT Systems that result in the following are *strictly prohibited and may result in
di.sciplin4ry and/or criminal action:
L Violates or infringes on the rights of any other person, including the right to privacy;
2.. Contains defamatory, false, abusive, obscene, pornographic, profane, sexually oriented,
threatening or illegal material,
3. Violates Town .policy or departmental regulations regarding harassment and
discrimination;
4. Restricts or inhibits other users from using the -system or the efficiency of the computer,
systems;
5.. Constructs e-mail so it. appears to be from another party;
6. Is intended to impede, damage, bring down another party's system, or to commit any
.other form of electronic sabotage;.
7. Encourages the use of controlled substances oruses the system for the purpose of
criminal intent; or
.8. Any other illegal purpose or function; or
9. Use of any messaging system that is not encrypted end-to-end,
R. The use Of IT Systems by Town staff is a privilege that may be withdrawn by the Town at
any time. Town IT Systems shall -not be used for any commercial promotional purpose,
resulting in the opportunity for personal profit or gain excluding IRS recognized retirement
accounts, or to communicate any material with content that violates Town policies and
procedures. The following example are defined as, but not limited to, types of inappropriate
use: Creating, distributing, or purposely activating a computer virus; obscene messages,
making threats; or harassment, sexual or otherwise as defined in Town policies or other
applicable laws.
C. Town staff shall take all reasonable and necessary efforts to prevent unauthorized -persons
from accessing IT Systems and prevent the introduction of electronic malware.
1) Town staff shall never leave IT Systems unattended and in a state. that allows any third
party to gain access to or use IT Systems without the proper authorization.
2) As applicable, all Town IT assets that have logins shall be enabled to use Two -Factor
Authentication (2FA) to reduce the possibility of unauthorized access. All Users are
responsible for protecting the Town's computer assets, computer data, and information
systems always.
3) All Users are responsible for taking all. reasonable and necessary efforts to prevent
9
successful phishing and scam attempts, intended to get Users to reveal financial
information, -system credentials or -other sensitive data, to prevent unauthorized persons
from accessing IT Systems and prevent the introduction of electronic malware.
4) Users are required to take the, KnowBe4 webinars to increase knowledge of phishing and -
scam attempts..
Page 2 of 13
Resolution 01-23 Page 3
5) Users are required to immediately notify IT Services when any IT Systems equipment is
missing, stolen, 'or lost. Missing, stolen, or lost devices also shall be reported to the
director of the employee's Department immediately. Notification shall include an
itemized list of documents stored on such devices.
D. Hardware device standards for IT Systems are set by IT Services and all IT Systems
hardware must be procured through IT Services with department's approval. All hardware
and software shall be installed, configured, and supported by the .IT Managed Services
Provider as determined first by Town -wide policy and then departmental policy. IT Managed
Services Provider shall reconfigure systems and delete unauthorized software and data as
they see fit within the scope of their services.
E. Only software purchased and/or licensed to the Town and installed under the direction of the
Town's IT Managed Services Provider may be used on any IT Systems. Town staff shall not
duplicate or copy any software on any Town IT Systems for use on any personal devices,
equipment, or systems. Further, enrollment in any cloud software platform (SaaS) used to-
conduct
oconduct official Town business or store Town data, must be authorized by IT Services and
any applicable Town -wide policy.
F. Mobile phones See Mobile Telecommunication Devices Policy Section 14.8 of the
Employee Handbook.
G. Town staff shall not create individual offsite storage accounts, such as, cloud storage
accounts, on any platform to store Town. data. Offsite data storage platforms, including,
cloud storage accounts, can only be used to store Town data when specifically authorized by
IT Services. Even when the use of offsite and/or cloud storage services are authorized by the
IT Services, the use of any offsite and/or cloud storage services shall be governed by this
policy. Any access to cloud storage accounts shall require 2FA capabilities.
H. Town -provided USB devices may be used to store non -confidential Town documents as
needed for business purposes. It- is recommended that USB devices be password protected.
Town -provided USB devices shall only be plugged into non -Town computer systems that
have been secured (e.g., computers with the latest virus protection installed.) Personal USB.
devices shall not be used to store confidential Town documents other than those listed on the
Town's Intranet. Use of such USB devices is strongly. discouraged.
I. Access to Database and Information
1. All employees will sign the Employee Security Statement before having access to any
private or confidential information or to any Town IT Systems. The original will be
maintained in the employee's personnel record.
a) New employees will sign the Statement as part of the orientation process. Human
Resources Department will be responsible for this procedure.
Page 3 of 13
Resolution 01-23 Page 4
b) Current employees will sign the Statement when access to the IT Systems or any
private or confidential information is granted. Department heads are responsible for
ensuring this procedure is conducted.
c) Any database access credential will have the ability to be revoked by their supervisor.
2. If an employee has a valid business need to access a database on the Town IT Systems,
the following procedure will be followed:
a) The requesting employee will discuss the need with the employee's supervisor.
b) Ifthesupervisor agrees that there is a need, the employee/supervisor will complete
the Request for Employee Access form and. submit it to the Information Services in
the Finance Department.
C) The Administrative Services Director will review the information provided, verify
that an. Employee Security Statement from the requesting employee is on file, and
forward the form to the City Manager/Administrative Services Director with the
Manager's recommendation.
d) Upon approval by the City Manager/Director, IT Services and the Manager will grant
access in the manner approved.
e) The employee's supervisor.is responsible for notifying IT Services and the Manager
of any restrictions or suspensions in access and for ensuring that no improper use of
the access is made by the employee.
f) Access to the Town's IT Systems is granted only -for the convenience of the Town
and may be revoked or suspended at any time without cause.
g) Users shall follow all established procedures for onboarding as well as off -boarding
in case of voluntary or involuntary separation.
J. Vendor Supplied Computer Systems —Town computer(s) shall only be used to access Town
information. No other usage from these systems (e.g., Internet, e-mail) is permissible.
Vendors must be given access through IT Services to the computer systems for remote
support.
K. Data Backup -- Files stored on the Town's IT Systems shall be backed up periodically (e.g.,
nightly) according to the, Town's network backup policies. Users shall utilize network
resources to store their data files to the fullest extent possible to protect the Town's data
resources. Users are responsible for ensuring that critical data. is always stored on network
servers. No Town data shall be stored on desktop computer hard drives except during
network outage problems. Town data shall be copied back to network servers as soon as -
possible and deleted from desktop computer hard drives, laptops, or Town -provide storage
devices. All backups shall be encrypted with keys that are not co -located with the stored
files.
L. Electronic Communication — The Town's IT Systems are designated to facilitate Town
business and communication. through the appropriate use of the electronic communications
systems and electronic storage thereon. The. Town values its electronic communications and
electronic storage and takes measures to safeguard them. from corruption and illegal use, and
to protect the Town ftom any possible liability due to illegal use of electronic
Page 4 of 13
Resolution 41-23 Page.5
communications -and electronic storage. All electronic communications shall be encrypted
end-to-end.
M. Security ---Effective security is a team effort involving the participation and support of every
User who deals with information and/or information systems. Acceptable use standards form
a critical component of enterprise security. See .Attachment A -Information Security
Procedures. Adherence to such security policy will ensure security of information. systems,
various tools and techniques are employed including passwords, authentication tokens,
biometrics, radio-frequency identification technologies, and/or any other means of verifying
an individual's identity (collectively, "Authentication Device(s).")
1. Authentication devices, if issued to or used by Users, shall be kept confidential. Users
shall not share Authentication Devices, or the information contained in an Authentication
Device, with third parties or -other Users, Similarly, Users may not use the Authentication
Devices of other Users, and' may not enter, access, or attempt to enter or access IT
Systems assigned to other Users.
2. For security and network operations purposes,. authorized individuals within IT Service*s
and IT Managed Services and the Town reserves the right to audit networks and systems
as necessary to ensure compliance with this policy. may at any time.
3. Users shall not place'sensitive data (including but n*ot limited to payroll data, financial
records, personnel files, or other confidential information)'on laptop. computers and/or
other portable devices such as USB devices. Users are required to use the remote access
service ' s -authorized and provided by the Town (e.g., VPN) to access sensitive data rather
than downloading data onto laptop hard drives or other portable storage devices.
4. Computers shall not be left unattended in a state that affords inappropriate access to
records of the Town or otherwise compromises security. (e.g.,, lock workstation or
logoff).
5. User's access to computer, communication equipment and network resources may be
limited at any time due to necessary security policies to protect the Town's network. The
Town uses- monitoring software, and shall, at, Executive. Management or IT Services
discretion, prevent unauthorized use.
N. Internet -- All Internet Users are expected to be responsible "cybercitizens, " which means
knowing the tools, rules, and etiquette and behaving in conformance with this policy.
1. Material posted to Internet newsgroups or bulletin boards shall not reflect negatively on
the Town and not violate any trust or copyright laws. Internet access shall be used, only
for Town business during working hours.
2.. Personal use shall be limited. All other Town employment policies (e.g., Workplace.
Harassment Policy, social media Policy) apply to Internet use.
O. No Expectation of Privacy for Computer and Communication Equipment —The 'tools
provided by the Town in. accordance with this policy remain n the property of the Town and
are provided for the purpose of business communications. Accordingly, the Town retains the
right to review Users' usage of such equipment. Users shall have no expectation of privacy
for voice communications, electronic mail (e- mail) communications, internet use,
Page 5 of 13 .
Resolution 01-23 Page 6
messaging, and all other uses of computer and communication equipment. The Town does
use software tools to restrict access to Internet sites and e-mails deemed by Executive
Management to be inappropriate for the workplace. The Town utilizes tools to track Internet
use by Users. Examples of when Executive Management and IT Services may need to review
User usage and messages sent or received include but are not limited to:
1. Retrieving lost messages
2. Recovering from system failures or monitoring system performance
3. Complying with internal and external investigations such as grievances, workplace
harassment claims, or suspected criminal acts
4. Ensuring that. Town systems are being used for business purposes and polices
5. Responding to Public Records Act requests or litigation discovery
No User or department may implement additional security or encryption requirements without
discussing in advance with IT Services and IT Managed Services provider prior to
implementation. Employees shall make the passwords or other keys to "unlock" such encryption
techniques available to their supervisors upon request. At no time shall employees use their
network password as an additional security password.
P. Retention
1. Retention -is Based on the Content of the E-mail. The Town will maintain all e-mail
messages determined by staff to be official records (those that relate in a substantive way
to the conduct of business, or are made or retained for the purpose of preserving the
informational content for future reference) for the period of time designated in the Town's
retention schedule, based upon the content of the e-mail,) by printing and saving them in a
paper subject/ project file, or by saving them electronically in a subject [project folder.
2. Official Records Are Saved and Stored in Subject / Project File Folders. Email messages
which are intended to be retained in the ordinary course of the Town's. business are
recognized as official records that need protection / retention in accordance with the
California Public Records Act. Because the e-mail system is not designed for long term
storage, e-mail communications which are intended to be retained as an official record
(those.that relate in a substantive way to the conduct of business; or those that are made
or .retained for the purpose of preserving the informational content for future reference)
should be saved in an electronic subject / project folder on the Town's network, or be
printed out and the hard copy filed in the appropriate subject / project file so they can be
accessed by other employees.
3. The Town restricts Personable Storage Table (PST) utilization used. to store . copies of
email messages, calendar events, and other personal information.
4. California Environmental Qualily Act CEQA) / National Environmental Quality Act
EPA (usually the Planning Department) e-mails - (only.) E-mail submitted to, or
transferred from the agency, and all internal agency communications, including staff notes
related to a non-exempt CEQA action are required to be retained until Completion of
Page 6 of 13.
Resolution 01-23 Page 7
CEQA (California Environmental. Quality Act) Process'. This does not include:
a. every e-mail and preliminary draft."
b. e-mail equivalent to sticky notes, calen'daring faxes, and social hallway
conversations — that is, e-mails that do not provide insight into the project or
the agency's CEQA compliance with respect to the project — are not within
the scope of [Public Resources Code Section 21167.6, subdivision (e) and
need not be retained to comply with [S]ection 21167.6."
5.' Deletion of E-mail. E-mail communications that DO NOT relate in a substantive 'way to
the conduct of business, or are NOT required to be retained by law nor by the City's
Records Retention policies, and were NOT made or retained for.the purpose of preserving
the informational content for future reference (preliminary drafts, notes, transitory
correspondence., interagency* or intra -agency memoranda not retained in ..the ordinary
course of business,) will be deleted by employees as soon as they are no longer required.
6. The Town will auto -delete e-mails left in the following mail boxes on a routine basis:
a. In Boxes (delete what remains. after 2 years)
b. Sent Items .(delete what remains after 2 years)
c. Deleted Items (delete what remains after 90 days)
Q. Archiving and "Auto -Archiving" of e-mails is not permitted.
R. Personal Devices / Personal Accounts / Text messages. The Town discourages. the use of
Personal - e-mail accounts, cell phones, or other personal devices to - conduct Town business.
If any of these are used to conduct Town business:
1. If the e-mail from a.personal device, personal account, or text contains content that needs
to be preserved, it should be either:
Memorialized via -another record (memorandum, letter, or e-mail) that is saved for its
retention period (based upon the. content of the record); or
2.. Copy or forward the e-mail or text to a city. e-mail account, where it will be properly
saved in compliance with this policy.
3. E-mails, records, and/or text messages stored on personal devices or in personal accounts
relating to the conduct of City business may be subject to the Public Records Act.
4. In the event a request for records is received,, employees must locate all records responsive
to such request, including any records stored -on personal accounts or personal devices
(unless an exemption applies.)
S. Forwarding E-mails. E-mails may only be sent or forwarded to appropriate persons with a
need to know the information to conduct Town business.
T. Protection of Confidential E-mail. Write the word, "Confidential". on protected e-mail. Do
not "interfile" e-mail or other privileged correspondence from the. City Attorney's office with
Golden Door Properties,. LLC v. Superior Court of San Diego County (County of,San Diego, et al., Reall Parties in Interest)
(D0766051 D076924., D076993) (4th Dist. 2020); PRC 2116716
Page 7 of 13
Resolution 01-23 Page 8
public documents (documents that are accessible to the public). These e-mails are subject to
the Attorney -Client and or the Attorney Work Product. privileges, and the contents should not
be disclosed without first checking with the City- Clerk.
U. Litigation Holds Other Types of Holds. E-mails subject to litigation (including a reasonable
expectation of litigation,) claims,. complaints, audits, records requests and/or investigations
are to be preserved and normal retention periods are suspended for these emails (retention
resumes after settlement or completion of the -
tri gering hold):
0
V. Privileged Attorney -Client Communication. All employee's should be aware that
communication and correspondences with the City Attorney's Office, and all work products,
opinions, comments, written correspondences and emails from the City Attorney's Office are
confidential and protected by the attorney-client privilege. Such privilege is only waivable by
the City Council. Thus, employees shall not forward or reproduce attorney . client privileged,
confidential communication and correspondences to any third party outside the Town, with
the exception of Town -retained consultants who are a part of a Town project team or are
providing advisory or project management services to the Town., Any questions regarding
I
whether a communication or correspondence is distributable, or whether a third party is
considered a Town consultant able to receive privileged communication, should be directed
to the City Attorney's. Office.
W. Separation / Transfer of Users
1. The Town's IT Systems must be set, up to immediately disable a separated employee's
access to Town e-mail and/or other technology. Human Resources and Information
Technology shall ensure timely notifications of all employee separations.
2-. During separation, Human Resources will. ensure employees'.
a. Forward any e-mails or text messages relating to City business stored on.
personal devices or personal accounts to their City e-mail account.
b. Employees are to close and/or remove any access to City e-mail or other
technology systems from their personal devices.
c.. Information Technology shall ensure that the employee's (former) Supervisor
has access to the former employee's e-mail account.
d. The records stored in. the e-mail account (including any archives,) Of an
employee who separates, or transfers* shall be the 'responsibility of that
employee's (former) supervisor.
e. The former employee's supervisor shall review .the e-mails of the former
employee,. ensure, the content of their e-mail account are preliminary drafts not.
retained in the ordinary course of business (i -.e.. the content does NOT relate in
a substantive way to the conduct of the public's business,) then authorize their
f -period, if
deletion, after' appropriate. records are retained or. their retention
applicable.
f. E-mails that remain in an account (that are not saved in a subject project file
folder outside the e-mail system) will be routinely deleted after 2 years.
Page 8 of 13
Resolution 01-23 Page 9
X. City Council Personal Computing Devices and Electronic Communications. The following
rules shall be applicable to all Los Altos Hills Council Members:
1. To reduce -the amount of paper utilized by the Town, the Town Council Members shall be
provided with the opportunity to utilize personal computing devices to store Town
Council agenda materials and to access agenda materials during Council meetings. For
purposes of this subsection, a "personal computing device" includes Wads, mobile
phones, tablets, laptops, notebooks, desktop computers and other such devices.
2. During Council meetings,- noticed and open to the public pursuant -to the Brown Act, the
use of personal computing devices.by Council Members to receive/send calls, emails, text
messages or other communication is not permitted.
3. All information stored on the personal computing device may be subject to the California
Public Records Act.
4. Use of any personal computing device provided by the Town to members of the Council
shall comply with this IT Policy, shall be the property of the - Town, and shall be returned
to the Town when the Council Member is no longer serving in such capacity.
5. The primary use of personal computing devices shall be for Town related business.
Incidental personal use is permissible provided the use complies with this IT Policy.
Y. Disciplinary Action
Appropriate disciplinary action, in accordance with Section 10 of the Employee Handbook, may be
taken if a User is found in violation of this policy. A User may also be subject to criminal, or civil
prosecution in accordance with other applicable State or Federal laws.
Page 9 of 13
Resolution 01-23 Page 10
ATTACHMENT A
INFORMATION SECURITY PROCEDURES and EMPLOYEE SECURITY
STATEMENT
Section 1 Purpose
The Town shall establish information security procedures to which Users are expected to adhere.
These procedures are an extension of the Information Technology Use Policy and are applicable
to all Users. The Town reserves the right to change the policies and procedures set forth in this
policy at anytime.
Users must not circumvent the policies, procedures, and safeguards implemented with the
technology that protect the Town, its information, and its employees. Users must promptly report
technology related security incidents or concerns to IT Services and IT Managed Services
Provider
Section 27 Policy Specifics
A. Passwords
Passwords are an important aspect of computer security. They are the' frontline of protection for
User accounts. Passwords are -used for various applications at the Town. Some of the more
common uses include network accounts, web accounts, e-mail accounts, screen saver protection,
department specific applications, and voice -mail access.
A poorly chosen password can compromise the Town 's network. As such, all Users are
responsible for taking the appropriate steps, as outlined below, to select and secure their
passwords. The Town requires the following:
Network
Minimum Length: 8 characters
Complexity: letters, numbers, and special characters
Remember last password: 5 previous passwords
Require Password Change: 6 months
Lockout Period: 15 minutes
Never use the same password for Town accounts as for other non -Town account access (e.g.,
personal accounts, bank accounts, benefits, etc.).
Passwords should not be written down. No User shall share their User ID or passwords with any
other Town User, non -Town User, or person. No User shall log a person in and allow that person
to perform work under a User ID. and password that does not belong to that individual. Authority
and access to all information is based on User ID. If a person needs additional authority or
access, that person, their supervisor, or their employee contact (in the case of a vendor) shall*
contact IT Services to set it up.
Page 10 of 13
Resolution 01-23 Page 11
All passwords are to be treated as sensitive and confidential. Users shall not reveal their
password to anyone in any circumstances. For example, Users shall not reveal their password -
over the phone, in an e-mail message, in any form of writing, including to any co-worker, family
member, etc.
As applicable, all accounts shall be protected by Two -Factor Authentication (2FA).
B. Use of Town IT Systems with Non -Town Computer Equipment
Users, can connect to the Town's network their personal computer equipment (excluding USB
storage devices) to check email, calendar, and contacts, but not permitted to access other shared
networks.
Any employee who wishes to attach or connect a consultant, vendor, or contract worker's
personal computer equipment (including laptops) to the Town's network shall agree to follow all
the polices set forth, in the Town's IT Use Policy when attaching computer equipment to the
Town's network at any Town facility.
1) Town staff shall inform non -Town. employees of the inspection requirements, and when
possible, provide advance notice to IT Managed Services Provider through the Help Desk
to schedule the inspection..
2) The Town shall. attempt to maintain the privacy of the individual's equipment, but once
attached to the Town's network, the Town retains the right to inspect the computer
equipment .in accordance with the IT Policy.
Except, as explicitly authorized, Users shall not allow Town.documents to be stored on a hard
drive or other storage media attached to a non -Town personal computer. Users shall not allow
personal computer equipment that is connected to the Town's network to be configured to allow
web hosting, sharing, or wi-fi services.
Town network access shall not be used to download files from the Internet, including but not
limited to video, music, or applications, to a personal, non -Town computer. No attempt shall be
made to access data by' any unauthorized means. The Town's security policies may limit
network access,
C. Vendor Remote Desktop Support
In certain circumstances Town Vendors. are allowed to provide remote support to specific User
desktop computers. If a User allows a vendor to ' remotely support the desktop, computer Users
shall ensure that only the Vendor -specific application is open on the desktop.
D. Employee Security Statement
By signing this form, I confirm that I have read, Understand, and agree to the IT Policy and
Attachment A. and understand the consequences for non-compliance to its terms.*
Page 11 of 13
Resolution 01-23 Page 12
Thee Town collects and receives confidential and personal information from the public to
administer the various functions for which it has responsibility. The Town is committed to
protecting this information from unauthorized access, use, or disclosure. I understand the
following are my responsibilities:
1. As an employee 'of the Town, I may access confidential and personal information
maintained by the Town only when necessary to accomplish the responsibilities of my
employment. I shall not access or use this confidential or personal information for
reasons personal to me or. for personal gain.
2. I may disclose confidential or personal information maintained by the Town only to
individuals who have been authorized to receive. it through the, appropriate procedures as
governed by ' State law and Town ordinances and policy. In the case of confidential or
personal information, a proper accounting of all disclosures must be made.
3.. I understand I have a duty to promptly notify a supervisor of an indication of misuse or
unauthorized disclosure of confidential or personal information by any employee of the
Town.
4: I understand that computer passwords to the various Town systems are considered
confidential information.
Page 12 of 13
Resolution 01-23 Page 13
Town of Los Altos Hills Information Technology .Policy Receipt
I have read and understand the IT Policy including security policies and regulations stated above:
I understand that failure to comply with these policies and regulations may result .in disciplinary
action up* to .and including termination from employment. Additionally, I understand that I may
also.be subject to criminal or civil prosecution in accordance with other applicable State or
Federal laws.
I certify under penalty of perjury, under the. State of California, that.the foregoing statements are
true and correct.
Executed at: County, California.
(City) (County)
Date: Employee Signature:
Print Name:
Date:
Administrative Services Director:
r
Page 13 of 13
Resolution 01-23 Page 14