5.1. General Policy Statements

5.1.1. The municipality shall follow cybersecurity requirements in the policies, standards, and procedures approved by the municipality.

5.1.2. The municipality shall protect data and assets (devices, information, or software) and handle them as per their sensitivity and classification in accordance with data protection policy approved by municipality, ensuring data confidentiality, integrity, and availability.

5.1.3. Printed materials shall not be left unattended on shared printers.

5.1.4. Assets or mobile devices shall not be left unattended while outside the municipality's premises, such as on airplanes, in airport lounges, shopping centers, hotels, or during off-site business meetings.

5.1.5. Municipality employees are prohibited from altering, removing, deactivating, or tampering with firewall systems, internet proxy, access gateway devices, antivirus/antimalware software, or any other protection software used by the municipality.

5.1.6. Downloading materials such as images, music, or videos for personal use is prohibited.

5.1.7. Under no circumstances shall any employee engage in illegal activities according to regulatory or governmental regulations while using the information processing facilities provided by the municipality.

5.1.8. External storage media shall be kept in a secure and appropriate manner, ensuring conditions such as proper temperature and storage in a secure, isolated location.

5.1.9. It is prohibited to disclose any information related to the municipality, including system and network information, to unauthorized parties, whether internal or external.

5.1.10. It is prohibited to publish information related to the municipality through media or social networks without authorization from the Authorizing Official.

5.1.11. It is prohibited to use the municipality’s systems and assets for personal benefit or for any purpose not related to the municipality's activities.

5.1.12. It is prohibited to connect personal devices to the networks and systems of the municipality without prior authorization from the cybersecurity department and in compliance with the approved mobile device security policy.

5.1.13. It is prohibited to perform any activities intended to bypass the municipality protection systems, including anti-virus programs, firewall, and malware without prior authorization, and in accordance with the procedures approved by municipality.

5.1.14. The cybersecurity department of the municipality retains its right to monitor and periodically review work-related systems, networks and personal devices, in order to monitor compliance with cybersecurity policies and standards approved by municipality.

5.1.15. Employee or visitor identification cards shall be prominently displayed in all municipality facilities.

5.1.16. The cybersecurity department of the municipality shall be notified in case of loss, theft, or leakage of the municipality's information.

5.1.17. Information and Asset Acceptable Use rules ‏related to ‏Information Processing systems shall be followed up.

5.1.18. All employees and staff shall return all files, documents, information and assets in their possession upon work completion or expiry of their contract/agreement.

5.1.19. It is prohibited to transfer assets off-site without prior permission from relevant departments.

5.1.20. Assets that are off-site shall be protected taking into account the various risks of working outside municipality buildings.

5.1.21. Sessions, meetings and contents related to security awareness campaigns organized by the municipality shall be attended and should be abided by.

5.1.22. All staff shall sign a statement of consent on Asset Acceptable Use approved by municipality.

5.1.23. All staff shall approve and acknowledge the Code of Conduct and Acceptable Use Policy upon any review or update thereof.

5.1.24. Access to municipality assets shall be according to roles and responsibilities required to perform tasks only.

5.1.25. Technical asset administrators shall be alerted about cybersecurity patches to be implemented according to municipality Vulnerability Management and Penetration Testing Policy.

5.1.26. Asset owners shall review user access rights at defined and regular intervals.

5.1.27. The cybersecurity department shall be notified when suspecting any activity that may harm municipality or its assets, such as suspected sites, cybersecurity risks or mail contents that may harm municipality.

5.1.28. In case of non-compliance with any item, municipality must explain and state the reasons.

5.2. Mobile Device Protection

5.2.1. It is prohibited to use external storage media without prior authorization from the cybersecurity department. When used, stored data shall be encrypted according to municipality Encryption Standard.

5.2.2. Devices shall be secured before leaving office by Sign out or Lock, whether leaving for a short time or after working hours.

5.2.3. It is prohibited to use or install hardware, tools, or applications unapproved by municipality on the laptop without prior authorization of IT department.

5.3. Internet and Software Acceptable Use

5.3.1. Security messages that may arise while browsing the internet or internal networks shall be treated cautiously and dealt with only after contacting the cybersecurity department.

5.3.2. It is prohibited to violate the rights of any person or company protected by copyright, patent, or other intellectual property laws or regulations, including, but not limited to, the installation of unauthorized or illegal software for any business purposes, or the use of external storage media without the consent of the municipality.

5.3.3. A secure and authorized browser shall be used to access the internal network or the internet.

5.3.4. It is prohibited to use techniques that allow bypassing the proxy or firewall to access the internet.

5.3.5. It is prohibited to upload or install software and tools on the municipality assets without prior authorization from the cybersecurity department.

5.3.6. It is prohibited to use the internet for non-business purposes, including uploading media and files, as well as using file-sharing software, without prior authorization from the cybersecurity department.

5.3.7. It is prohibited to conduct security checks to discover vulnerabilities, including penetration testing, or to monitor the municipality's networks and systems or third-party networks and systems, without prior authorization from the cybersecurity department.

5.4. Email Acceptable Use

5.4.1. It is prohibited to use email, telephone, or e-fax for non-business purposes. Their use shall only be in accordance with the cybersecurity policies and standards approved by the municipality.

5.4.2. It is prohibited to exchange messages containing inappropriate or unacceptable content, including messages with internal and external parties.

5.4.3. Encryption techniques shall be used when sending sensitive information via email or communication systems, as per the Data Protection Policy approved by municipality.

5.4.4. The municipality email address should not be registered on any site not related to work.

5.4.5. The municipality has the right to disclose email content after obtaining the necessary permits from the representative and the cybersecurity department, in accordance with the municipality's relevant approved procedures and regulations.

5.4.6. It is prohibited to open suspicious or unexpected emails and attachments, even if they appear to be from reliable sources. The cybersecurity department shall be notified in case of suspicion.

5.4.7. All incoming and outgoing emails, both internal and external, shall be scanned by the IT department before reaching the end user.

5.4.8. Municipality employees shall not forward emails to any address outside the municipality without the approval of the information owner or the person who created it, unless the information is clearly of a public nature.

5.4.9. Email attachments shall not be opened if they have not been scanned by email security solutions, unless they are from trusted individuals.

5.5. Video Conferences and Web-based Communications

5.5.1. It is prohibited to use unauthorized tools or software to make calls or hold video conferences related to work.

5.5.2. It is prohibited to make calls or hold video conferences not related to work without prior authorization to use the municipality tools or software.

5.5.3. It is prohibited to hold meetings related to work in public places due to the risk of leaking classified information.

5.5.4. The organizer of a video conference shall classify the invitation as "Secret" or "Public" when creating the invitation.

5.5.5. Video conferences shall be protected with passwords and shared securely only with the invited participants.

5.5.6. When invited to a "Secret" video conference, all participants shall consider the following:

• Attend the video conference from a closed room, meeting room, or a place where audio or visual information cannot be leaked.

• Use a headset during the video conference.

• Content sharing or recording by any participants during the video conference is not allowed.

• Ensure to leave the meeting once it is concluded.

5.6. Passwords Use

5.6.1. It is necessary to choose secure passwords and safeguard the municipality systems and assets passwords in accordance with the municipality Identity and Access Management Policy. Passwords shall be different from those used for personal accounts, such as personal email and social media accounts.

5.6.2. It is prohibited to share passwords by any means, including electronic correspondence, voice calls, and paper writing. Users shall not disclose passwords to any other party, including co-workers and IT department employees. If this occurs, the cybersecurity department shall be notified immediately.

5.6.3. Passwords shall be changed on a regular basis or upon obtaining a new password from the system administrator.

5.6.4. It is prohibited to use previously used or common passwords. It is also prohibited to share the user's password with anyone.

5.7. Office Use

5.7.1. Employees shall ensure the desktop and screen are free of classified and sensitive information according to the approved classifications by the municipality.

5.7.2. It is prohibited to leave any municipality classified or sensitive information in places that are easily accessible or accessed by unauthorized persons.

5.7.3. It is prohibited to leave office doors and cabinets containing classified and sensitive information open.

5.7.4. When an employee is not at his/her desk or workstation, he/she shall remove all paper documents and data storage media, especially classified information and data, from the desk or any other locations such as printers, fax machines, and copiers, to ensure that no sensitive materials are left behind.

5.7.5. Employees shall store these documents and media in secure places such as locked cabinets if necessary.

5.7.6. Employees shall keep any confidential documents or materials out of sight when not needed, especially when the office is empty (preferably inside a fire-resistant cabinet).

5.7.7. Employees shall secure their devices when finished with their work, unless secured by an appropriate mechanism, for example, a password-protected screensaver.