Colorado Dept. of Personnel and Admin Email Use Policy
Generally. All departmental assets and resources are to be used for conducting public business, in accordance with Article 18 of Title 24, C.R.S., Governor's Executive Order D 001-99 establishing the Executive Department Code of Ethics (Jan. 15, 1999), and the Department's Ethics Policy. This policy applies to all State-owned or operated telephones, e-mail, computers (including hardware, software, and data files), printers, copiers, faxes, supplies, vehicles, facilities and other resources of any kind, including work product and work time. State resources may not be used to engage in or promote:
Incidental use for personal or other matters within the scope of an employee's employment, such as that related to professional associations, or incidental civic or charitable activities, such as food drives, blood drives, shared leave requests, and social events, is permissible. The use of any and all state resources is subject to inspection at any time at the direction of the Executive Director, Deputy Executive Director, or Division Director. A Division Director accessing an employee's telephone, e-mail, or computer records must notify the employee within 48 hours after access has been provided, unless there is a need for security because of an ongoing investigation. Employees should not expect privacy with respect to their use of state resources, which may be subject to the Colorado Open Records Act as more fully explained in the departmental policy regarding Open Records.
Telephones. Most employees have a state telephone at their work stations, and some employees may be authorized to use a state cell phone or, at the discretion of the Division Director, be reimbursed for business calls made with a personal cell phone. Employees are expected to use available online or other directories rather than incurring directory assistance charges. If personal use of a state telephone results in an additional charge, the employee must reimburse the Department upon receipt of the billing report. However, because they are widely available, employees are expected to use their own calling cards or cell phones for personal long distance calls from the office, unless alternative payment arrangements are made in advance.

E-mail. Electronic mail should be used instead of paper memoranda and other documents whenever possible. Global (department-wide) e-mails, including emails to all employees at 633 17th Street, are restricted to the executive management team and such other employees as a member of the team may authorize. The executive management team is responsible for ensuring that global e-mails are only authorized where appropriate, consistent with this policy. The Department provides an electronic bulletin board through the MyDPA intranet, as well as physical bulletin boards in break rooms or other common areas. Employees may post items of general interest on the bulletin boards, subject to the limitations provided in this policy and the departmental Communications Policy. No attachments may be included with electronic postings. Bulletin board postings will be cleared after 30 days. Employees may not create or forward chain e-mails, or post them on a bulletin board. Employees may not send e-mail under another employee's name without authorization. Employees shall not disclose other employees' messages, internally or externally, for the purpose of embarrassing the sender or receiver.
Even though an employee deletes an e-mail, it is still stored in a number of places, including other employees' files and system backups. A warning will be sent to an employee when his or her mailbox storage exceeds 40 MB. When the storage reaches 50 MB, the employee will not be able to send e-mail until storage is reduced. E-mails, tasks, and calendar entries will be backed up daily, and at the end of each month all e-mails more than 30 days old will be deleted. Tasks and calendar entries may be retained for no more than one year. Employees are responsible for ensuring that important messages, tasks, and calendar entries are archived in personal folders.
Computers. Each personal computer shall be configured and maintained in accordance with technical standards established by the department Chief Information Officer (CIO). No personal software applications may be installed on machines without the approval in advance of the CIO, who may have any unauthorized software removed. Employees may not connect any personally-owned equipment to department computers. Remote access to any information technology system must be approved by the Division Director and the CIO. Each employee must create a confidential nine-character password consisting of a combination of letters, numbers, and symbols, which must be changed every 30 days. Employees must take security precautions including protecting their password and logging off computers before leaving the office. Employees shall not access another employee's computer, data, e-mail, or other files without a legitimate business purpose. Employees should store critical data on their division's shared information drive or their assigned network drives, because routine backups are performed on network drives. Employees should routinely review e-mails, files, and documents, deleting those that are no longer needed. Employees should not contact repair technicians or companies, or hardware and software technical support personnel. Reports of potential viruses should be sent to the Help Desk at DPAdesktopsupport@state.co.us or 303 239 HELP (4357).

Vehicles. State vehicles may not be used for recreation, personal errands, or in support of any other private purpose, including transporting persons or things unrelated to state business, except where public safety is a concern or where the use is reasonably related to state business but is so incidental that accounting for it would be unreasonable or administratively impractical, as provided in State Fleet Management rules.
In addition, in some circumstances, an employee's use of a state vehicle may be taxable commuting under the federal Internal Revenue Code. Such circumstances may include employees whose primary place of work is an assigned vehicle, or taking a vehicle home the night before an official state business trip if the trip will not begin by 7:00 the next morning, or taking a vehicle home after an official state business trip if the employee would not be returning to his or her normal work location after 5:00 that evening. The Department will use the criteria established by State Fleet Management to determine when a particular use is considered commuting. No employee may use a state vehicle for commuting purposes without the prior approval of the Executive Director or Deputy Executive Director.
Facilities. Non-governmental organizations may be granted permission to use state facilities when the use relates to the mission of the Department and its employees and does not conflict with the Department's operations, policies, or any applicable law. A non-governmental organization may be charged for the use of facilities and related expenses such as air conditioning, heating, lighting, janitorial services, or other support services, and shall be liable for any and all damages associated with its use of the facilities. No organization may use the Department's facilities without the prior written approval from the Executive Director or Deputy Executive Director.
STATE OF COLORADO
Department of Personnel & Administration
COMPUTER STANDARDS
October 26, 2006
State Equipment on Department Network. Only State-owned computer equipment may be used on the Department's network. Employees may not connect any personally owned equipment to the Department's network or computer systems, including but not limited to laptops, notebooks, desktop computers, monitors, printers, external drives, jump drives, cables, PDAs, cell phones, or other devices, except as approved by the Division Director and authorized by the CIO. Contractors and vendors are required to use state owned equipment on the Department's network and to have a DPA network login account. These arrangements are made through the Information Technology Unit.

After Hours and Flex-place Computing Support. Support outside of normal business hours (Monday through Friday, 7 AM - 5 PM) is limited to emergencies and the urgent needs of employees who normally work swing, graveyard, or weekend shifts. State equipment used for after hours or flex-place computing will be brought to the Information Technology Unit for repair during normal business hours.

Use of the Remedy Help Desk System for Desktop Support. Employees must submit requests for desktop support assistance through the Remedy Help Desk system. Requests are prioritized and handled based on severity of impact to the employee and the Department.
such as keeping printing to a minimum, not using the email system for unnecessary mass communications, and not abusing Internet access privileges with unnecessary and non-business related browsing. Employees are expected to use computing resources in a fair, considerate and appropriate manner so that the use of resources by one employee does not cause degradation of performance for another employee. The Information Technology Unit may set limits on an employee's use of a shared resource to ensure that resources are available for others.

Remote Computing. Working from a remote site or traveling with a laptop is a privilege approved by the employee's Division Director and authorized by the Department CIO. Remote access can be terminated at any time for misuse. Remote computing requires the use of DSL or wireless connectivity and VPN or other technology approved by the Department CIO to access the Department's network. In some cases access to specific applications will also require the approval of a security variance.
Email Usage
Email Box Size. The Department's State Resources Policy describes an employee's responsibilities for use of the email system. Email box size is limited to 50 Megabytes because of system resource limitations. Employees are required to use personal folders rather than the email box for storage of email messages of enduring value. Email in your inbox, sent mail, and tasks that are over thirty days old are purged once a month. Calendar entries over one year old are purged once a year.

Automatic Forwarding of Email. In order to prevent unauthorized or inadvertent disclosure of sensitive information, automatic forwarding of email is not allowed unless approved by an employee's Division Director and authorized by the Department CIO. Sensitive information should be encrypted using encryption software installed only by the Information Technology Unit.

Email Monitoring. Anti-spam, anti-virus, and content filtering technologies are used to monitor inbound and outbound email and block or quarantine undesirable messages. IT systems and security personnel on occasion must view and analyze email messages during monitoring or investigation of system failures or security events. Employees should have no expectation of privacy for any email message and should ensure all content in email is appropriate.

Email Attachments - Blocked File Extensions. Viruses and malware are easily spread through email, especially in spam, advertisements, chain email messages, and messages from non-governmental sources, such as messages from friends and family members. Because the mere act of opening the attachment can infect a computer, systems administrators have blocked several file extensions for audio files, video/movie files, executables, and scripts. Assistance with the electronic transfer of business related files may be obtained from the Information Technology Unit.
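The policy above states that attachments are blocked by file extension for four categories (audio, video/movie, executables, scripts) but does not list the extensions themselves. The following is an added example, not part of the Department's policy or its mail filter, of how such a gateway check can be written so that it is not defeated by casing, trailing dots or spaces, or a benign-looking inner extension such as "invoice.pdf.exe". The block list is a constructed sample standing in for whatever list the Department's administrators actually maintain.

```python
# Constructed sample block list. The policy names only the categories;
# the extensions below are assumptions for illustration, not the
# Department's real list.
BLOCKED_EXTENSIONS = {
    "executable": {"exe", "com", "scr", "pif", "msi", "dll", "cpl"},
    "script": {"bat", "cmd", "vbs", "js", "jse", "wsf", "ps1", "hta"},
    "audio": {"mp3", "wav", "wma", "m4a"},
    "video": {"avi", "mpg", "mpeg", "mov", "wmv", "mp4"},
}


def normalize_name(filename):
    """Canonicalise an attachment name before checking it.

    Windows silently drops trailing dots and spaces when saving a file, so
    'report.exe.' and 'report.exe ' open as report.exe; compare on the
    name the client will actually create, in lower case.
    """
    return filename.strip().rstrip(". ").lower()


def classify_attachment(filename):
    """Return (blocked, category, extension) for one attachment name.

    Every dotted suffix after the first component is checked, not just the
    last one, so 'invoice.pdf.exe' is caught by its final 'exe' and the
    conservative reverse scan also flags 'setup.exe.txt'.
    """
    name = normalize_name(filename)
    parts = name.split(".")
    if len(parts) < 2:
        # No extension at all (e.g. 'README'): nothing to match against.
        return (False, None, None)
    for ext in reversed(parts[1:]):
        for category, exts in BLOCKED_EXTENSIONS.items():
            if ext in exts:
                return (True, category, ext)
    return (False, None, None)


def filter_message(attachment_names):
    """Decide per attachment whether the message gateway should quarantine it.

    Returns a list of (original name, action, reason) so the result can be
    logged and the sender told which file was held.
    """
    decisions = []
    for name in attachment_names:
        blocked, category, ext = classify_attachment(name)
        if blocked:
            decisions.append((name, "quarantine", f"blocked {category} extension .{ext}"))
        else:
            decisions.append((name, "deliver", "extension not on block list"))
    return decisions


if __name__ == "__main__":
    # Constructed sample attachment names for a dry run.
    sample = ["agenda.docx", "Invoice.PDF.exe", "song.mp3", "run.bat.", "README"]
    for name, action, reason in filter_message(sample):
        print(f"{name:20} {action:10} {reason}")
```

Extension matching is only one layer: the same gateway would normally also inspect the file's content type and scan archives, which this policy does not describe, so they are left out here.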
Email Accounts of Terminated Employees. Accounts for terminated employees are suspended and any existing or incoming message held for 30 days. An auto response message will be placed on the account advising the sender that the employee no longer works in the Department and asking the sender to resend the message to a person designated by the terminated employee's Division Director.

Non-State Email Systems. Use of external email systems such as Hotmail, G-Mail or Yahoo exposes the Department's computing resources to viruses and malware because they bypass the State's spam filtering, content filtering and anti-virus protection systems. An employee using state owned computer equipment is permitted to use the Department's email system only. Exceptions are made only by the Department CIO upon request of a Division Director.
Internet Usage
Internet Use and Appropriate Web Content. Employee use of the Internet is monitored by the Department to ensure appropriate use. Employees may use the Internet to access appropriate content and business related web sites. Access to inappropriate web content, such as gambling and pornography, is controlled by URL filtering software. Sometimes URLs are blocked in error. The Department CIO will unblock a specific URL upon request of the Division Director.

Streaming Audio/Video. Use of streaming or live audio/video is limited to business use only. Provision of streaming resources to others requires permission from the Department CIO. Owners of streamed content must demonstrate adherence to copyright laws and licensing terms to the Department CIO. Downloading of files, photos, wallpapers, programs, and other data is not permitted without special authorization from the Department CIO. IT systems personnel in the Department manage bandwidth and fair use of resources as equitably as possible. In most work sites bandwidth is insufficient to support multiple employees using Internet radio, a form of streaming audio, except for business related purposes. Should bandwidth monitoring show degradation of network speed due to the excessive use of Internet radio, employees will be notified to stop using Internet radio.
Security
Workstation Anti-Virus Protection. All DPA computers have Norton Anti-Virus software installed and configured to receive updates from the Department's Norton Anti-Virus server. Employees should not disable the anti-virus software and should periodically check to ensure that virus definition files are up to date. If the employee is granted permission to use removable media, the employee must scan the files immediately after connecting the removable media using the Norton virus scanning feature. An employee authorized to use removable media must receive training in its use from the Information Technology Unit.

Workstation Patch and Update Management. The LANDesk patch, update, and security management system is installed on DPA computers for the maintenance of a secure and functional computing environment in the Department. Employees should take the time to allow the automatic installation of patches and updates when first notified by LANDesk but may in some cases delay the installation up to three times if the installation is disruptive to the employee's work. Any computer that is not kept up to date will be taken to the Information Technology work room for manual application of updates.

Workstation Security. When leaving the workstation unattended employees should lock their machine by pressing CTRL-ALT-DEL and clicking on lock computer or by holding the Windows key and pressing the L key. This action prevents unauthorized use of a machine and secures the machine more quickly than waiting for the 15 minute screensaver password to activate on an idle machine.

Laptop Physical Security. Laptops should be physically secured with a laptop cable or other mechanism to prevent theft. Laptops are subject to the same computer standards as desktops and may only have settings modified by the Information Technology Unit. Laptops issued in lieu of desktop PCs as well as shared laptops must be connected to the network at least once per week to receive patches and updates.
Shared laptops must be brought to the Information Technology Unit on a set schedule for auditing.

Specifically Prohibited Software. Applications and software that have been determined to pose a security risk are specifically prohibited and may not be installed on DPA computer equipment. Instant messaging, chat, and games are categorically prohibited. Requests for installation of any application or software must be approved by a Division Director and authorized by the Department CIO.

Peer-to-Peer File Sharing Prohibited. Applications that allow file sharing using peer-to-peer access of the hard drive pose several risks to the Department including violation of copyright law, degradation of network performance, unintended access to sensitive data, and exposure to viruses, malware and other activities of hackers. Because of these risks P2P file sharing and downloading is prohibited.

Removable Media. Use of removable media, such as external disk drives, jump drives, CDs, diskettes, Blackberries, or PDAs must be approved by a Division Director and authorized by the Department CIO. Only state-owned equipment may be used. All external storage devices must be scanned using the anti-virus software before any files are used. Employees must be trained to use the approved device by the Information Technology Unit.

Blackberry Security. Blackberries should be password protected and the employee should make every attempt to secure the device from physical loss or theft. An employee should report a theft or loss immediately.

Wireless Devices. Use of wireless devices to access the Department's network is strictly controlled and authorized by the Department CIO upon request of the Division Director.

VPN Services. VPN services may be used after an employee is approved for use of VPN by the Division Director and authorized by the Department CIO. Use of VPN is a privilege and can be terminated at any time for misuse. Only the DPA standard client software may be used and will be installed on the workstation by the Information Technology Unit.

Incident Reporting. All DPA employees should remain alert for and aware of suspicious activity on their computers. Extreme slowness, uncontrolled mouse movement, and changes in font or formatting may be indicative of an intrusion or virus on the machine. An urgent desktop support work request should be initiated whenever suspicious activity is noted on a computer.

Incident Response. As a result of security monitoring the Information Technology Unit may contact an employee or the employee's supervisor by phone or email and ask for various urgent tasks to be performed.
In most cases, the Desktop Support technician will take control of the machine using the LANDesk remote console and clean the machine of viruses, code, malware, or spyware. In some cases, the technician will ask the employee to disconnect the machine from the network, or to stop using the machine and power it off. The machine will then be transported to the Information Technology Unit for diagnosis and repair.

Secure Transmission of Sensitive and/or Confidential Email and Files. Ensuring the secure transmission of sensitive and/or confidential email and files is critical to the Department's credibility. Sensitive and/or confidential email and files must be encrypted prior to sending in an email message or must be transferred with secure FTP software approved and installed by the Information Technology Unit.

Password Protected Screensaver. Activation of a password protected screensaver after fifteen minutes of idle time is required. The password protected screensaver protects against passersby inadvertently viewing sensitive information and prevents misuse of a machine by a hacker or another employee.

Passwords for Employee Network Accounts and Applications. A minimum nine character password or passphrase composed of letters, numbers, and special characters is required for the employee network login account. The password expires every 30 days. The network accounts are set to lock after the third incorrect password attempt. Passwords for DPA and statewide applications have varying requirements which the employee, as a user, agrees to follow. Passwords should never be shared.

Power Off Computers at End of Business Day. Turning off your computer at the end of the business day or when you will be away from your desk for more than four hours helps prevent the spread of viruses, malware, and other works of hackers while the machines are unattended at night. Exceptions to this requirement are granted by the Department CIO only upon request of a Division Director.
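The network password rules appear twice on this page (in the Computers paragraph of the State Resources Policy and in the Passwords paragraph above): at least nine characters drawn from letters, numbers and symbols, expiry every 30 days, and lockout after the third incorrect attempt. The following is an added example, written here and not taken from the Department or any of its systems, of how those three rules can be enforced together in one account model. The `NetworkAccount` class, the PBKDF2 parameters and the sample credentials are assumptions for illustration; a real directory service would hold the hashes and enforce these rules itself.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Rule constants taken from the policy text.
MIN_LENGTH = 9
MAX_PASSWORD_AGE = timedelta(days=30)
LOCKOUT_THRESHOLD = 3


def check_password_complexity(password):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 9 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


class NetworkAccount:
    """Hypothetical account record enforcing complexity, age and lockout."""

    def __init__(self, username, password, set_on):
        problems = check_password_complexity(password)
        if problems:
            raise ValueError(f"{username}: " + ", ".join(problems))
        self.username = username
        # Store a salted PBKDF2 hash rather than the password itself
        # (assumed parameters, not the Department's).
        self._salt = os.urandom(16)
        self._hash = self._derive(password)
        self.password_set_on = set_on
        self.failed_attempts = 0
        self.locked = False

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def password_expired(self, now):
        """True once the 30-day age limit has been reached."""
        return now - self.password_set_on >= MAX_PASSWORD_AGE

    def login(self, attempt, now):
        """Return 'ok', 'denied', 'locked' or 'expired' for one login attempt."""
        if self.locked:
            return "locked"
        # Constant-time comparison so timing does not leak hash bytes.
        if not hmac.compare_digest(self._derive(attempt), self._hash):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked = True   # third wrong attempt locks the account
                return "locked"
            return "denied"
        self.failed_attempts = 0      # a good login resets the counter
        if self.password_expired(now):
            return "expired"          # correct, but must be changed first
        return "ok"


if __name__ == "__main__":
    # Constructed sample credentials and dates for a dry run.
    issued = datetime(2006, 10, 26)
    acct = NetworkAccount("jdoe", "Tr0ub4dor&3", issued)
    print(acct.login("wrong1!", issued + timedelta(days=1)))    # denied
    print(acct.login("Tr0ub4dor&3", issued + timedelta(days=10)))  # ok
    print(acct.login("Tr0ub4dor&3", issued + timedelta(days=31)))  # expired
```

The lockout counter is only reset by a successful login, so two wrong guesses followed by a long pause still leave one attempt before the account locks; an operator who wants a lockout that clears after a time window would add a timestamp to `failed_attempts`.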