IT Policy Amendment

DESCHUTES COUNTY LEGAL COUNSEL
JOHN E. LAHERTY
Assistant Legal Counsel
541-330-4645

TO: Commissioner Anthony DeBone
    Commissioner Tammy Baney
    Commissioner Alan Unger
DATE: July 5, 2012
RE: Amendment of Policy #IT-1
FILE NO.: 911-016

The County's Behavioral Health department is currently negotiating a contract with a service provider, TNT Management Resources, Inc., for the creation of an on-line system for sharing sensitive documents. As part of the contract, TNT wants the County to sign a Site Agreement, and individual County employees to sign a User Agreement, regarding the use of certain online resources called "Sharepoint."

As a result of TNT's request, the issue has arisen whether the County has policies in place similar to those usually found in third-party software user agreements. The concern is that if obligations imposed upon an employee by a user agreement are not also set out in County policy, then (a) County employees may be less likely to familiarize themselves with, remember, or abide by the terms of the agreement, and (b) the County may have difficulty disciplining an employee for violating the agreement.

Given these concerns, I have drafted amendments to the current County Admin. Policy #IT-1 (Computer, Email and Mobile Computing Device Use) to include provisions of the Sharepoint Site Agreement and the Sharepoint User Agreement not currently set forth in County policy. A redline of the amended policy is attached.

While the amendments have been drafted foremost to comply with the terms of the Sharepoint Site Agreement and Sharepoint User Agreement, the goal is for the policy to address security precautions as they pertain to accessing or transferring sensitive information.

cc: Mark Pilliod, Erik Kropp

Policy IT-1, Computer, E-mail and Mobile Computing Device Use Page 1

Deschutes County Administrative Policy No.
IT-1 Effective Date: 11/6/06July **, 2012

COMPUTER, E-MAIL AND MOBILE COMPUTING DEVICE USE

STATEMENT OF POLICY

It is the policy of Deschutes County to ensure that electronic mail, internet, intranet, and County computers (County Computer Resources) within Deschutes County computer systems are used appropriately and the use is consistent with Oregon Public Records and Government Standards and Practices laws.

APPLICABILITY

This policy applies to all Deschutes County personnel and volunteers who use County Computer Resources.

POLICY AND PROCEDURES

In General

Except as outlined below, Deschutes County computer equipment, including without limitation hardware, printers, PDAs, laptops, mobile computing devices, software and other electronic information technology (herein collectively "Computer Resources") are to be used only for County business. As used in this policy, references to the Information Technology Department (the “IT Department”) shall include the person or persons designated by the Director of the Road Department and the Director of 9-1-1 to perform such functions on behalf of the Road Department and 9-1-1 respectively.

The County may access, enter and inspect County property and Computer Resources assigned to individual employees at any time without notice, including but not limited to computer hard drives, software, files, E-mail, etc.

A County employee's use of County Computer Resources must comply with the conditions of use imposed upon the employee by any and all service agreements, user agreements or contractual agreements with commercial Computer Resource service providers., and nothing contained in this policy limits an employee’s duties or liabilities under any such agreement. However, to the extent the terms of this policy are more restrictive, or impose greater obligations upon an employee, than the terms of any such agreement, this policy shall govern.

County Computer Resources are provided and shall be used to conduct County business.
The County encourages authorized employees to use County Computer Resources as communications, business and research tools. These tools will allow employees to communicate with the public and other audiences, provide information about County Systems and programs, and conduct County business. County Computer Resources, including the Internet, provide access to a wide range of valid and valuable research tools and information.

The County may keep a log of employees' Internet use and E-mail. These are considered public records and, unless they qualify for legal exception, are subject to disclosure to the public.

Although some information contained on County Computer Resources may be considered public records, each employee has the responsibility to ensure that employee's data maintained or accessed through a County Computer Resource is adequately protected against unauthorized access, by complying with the access controls and other security measures provided by the County.

Each employee must should take prudent and reasonable steps to prohibit limit access to that employee's accounts and passwords. An employee's passwords and accounts must remain confidential to that employee, and should not be disclosed to any other person absent (a) special circumstances and (b) approval of the employee’s Department Head.and should be changed frequently. If an employee’s password is disclosed to another person in accordance with this policy, the employee must change his or her password immediately upon termination of the other person’s authorized use of the password.

Passwords should not be kept in written form or in a manner that would enable access to it by another person. Passwords should be changed frequently. When changing a password, common personally-related words, such as family member or pet names, should be avoided.
Each employee shall immediately change his/her password if the employee believes any unauthorized person may have gained access to the employee’s password information.

Any logon scripts or macros that emulate a logon and password, including allowing a web browser to “remember my credentials for this site” (or similar authorization), are prohibited and shall not be used.

In the event that a Deschutes County employee becomes aware of, or suspects, that (a) any information contained on a County Computer Resource has been accessed by an unauthorized individual or otherwise compromised, or (b) any County Computer Resource security system has been breached or compromised (including, without limitation, the unauthorized disclosure or use of any password), the employee shall immediately notify his or her Department Head, Deschutes County Legal Counsel and the IT Department.

No Deschutes County employee shall leave their computer or other County Computer Resource unattended and logged on in a manner that would allow unauthorized use of such Resource. Employees must avoid locating or using their Computer Resource in a manner that would allow any unauthorized person to view information displayed on the Resource’s screen.

Incidental Personal Use

Limited minor and incidental personal use which otherwise complies with this policy and which does not interfere with County business is permitted unless this type of use is suspended or terminated for operational or disciplinary reasons (including violation of this policy) by the employee's Supervisor or Department Head.
For the limited purpose of compliance with the State Ethics Law (ORS 244.040) this incidental use is considered part of an employee's

Examples of limited minor and incidental personal use would be: on non-work time (lunch, breaks and before and after regular work hours), an employee can send and receive personal E-mail, or view an Internet site to check the price of and occasionally purchase an airline ticket; make an occasional investment in his or her deferred compensation account, submit an insurance claim, or sell a used book.

County Records

Unless otherwise specified by written agreement, all software programs, electronic documents, and data generated and/or residing on the County computer equipment or generated by County employees or others at the direction of the County, and all County Computer Resources are County records and therefore County property.

The County reserves the right to access and disclose all messages sent over the E-mail system for any purpose, including the right to disclose E-mail messages to law enforcement officials without prior notice. E-mail messages may be accessed and reviewed at any time by the Department Head, the County Administrator, the Information Technology Director or County Legal Counsel; they may also be accessed and reviewed by computer support staff for the limited purpose of providing support services.
The County further retains the discretion to assert any applicable privileges and objections if a public records request or discovery request is made for any County E-mail or other information contained in the County Computer Resources. An employee desiring the County assert a privilege or objection under the Public Records law with respect to County E-mail shall notify the Department Head who in consultation with Legal Counsel shall make a final determination.

All use of County Computer Resources shall comply with all federal and state confidentiality laws including, but not limited to, the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and with all County policies regarding confidentiality.

Acceptable Internet Use

Acceptable uses of the Internet include, but are not limited to, communication or Internet activity that is in direct support of County-budgeted programs and activities. In addition, the following is a general list of acceptable County use of the Internet; it is not intended to be exhaustive:

a. Communication for County purposes with other federal, state, or local government agencies, their staffs, committees, boards and/or commissions.
b. Communication for job-related professional development, to increase knowledge of issues in a field or subfield of knowledge.
c. The use of worldwide webs or search engines to research work-related topics.
d. Any other administrative communications or activities that are in direct support of County programs.

E-mail use.

E-mail should be used as a tool only by County employees or other users authorized by the Department Head for County business purposes. Users should not expect privacy, but observe courtesy and good security practices. There are a variety of ways an E-mail communication can be disclosed to people other than the intended recipient. Deschutes County has the right to monitor the usage of any County Computer Resources.
All E-mail sent to or from County Computer Resources are public records, whether in printed or electronic form, and are subject to the disclosure and inspection provisions of ORS 192 as it currently exists or may from time to time be amended.

E-mail, Intranet messages and downloaded files shall be retained and destroyed in accordance with retention schedules issued by the Oregon Secretary of State, Archives Division. Records may be retained either in hard copy or electronic format. If a hard copy of the E-mail message or downloaded file is printed, then the electronic version may be deleted. One version should be kept according to the applicable retention schedule and subject to the Oregon Secretary of State, Archives Division. Questions about retention of E-mail messages (or other public records) shall be directed first to the Department Head, then, if necessary, to County Legal Counsel.

The intended recipient of an E-mail communication can forward information to a third party without the sender's knowledge. In addition, Deschutes County shall not be responsible for Internet or E-mail communications that are misdirected or disclosed to third parties due to human or system error, nor for communications disclosed in the course of maintaining the system or fixing a system problem, nor for communication intercepted by unauthorized individuals.

E-mail should be used wisely

It is appropriate to use E-mail to exchange County business-related information with colleagues, provide project updates and status reports, share meeting times and scheduling information, provide reports and information that have been requested by the other party, and let a Supervisor know of important changes and developments.
If an employee receives an inappropriate E-mail, he or she should take appropriate steps to inform the sender to not send such E-mail, notify their supervisor management about the inappropriate email, forward the message to no one other than IT to block future messages from the same source if blocking is possible, and thereafter delete the message. The employee should contact the IT Department if assistance is needed.

Due to the potential for disrupting employees' work, County-wide E-mail broadcast (to "Everyone") should be used only in very limited situations and may not be sent without the prior approval of the Public Communications Coordinator and/or the County Administrator. All-staff E-mail may be sent without prior approval in cases of personnel announcements, Countywide outages of telephone, HVAC or other support systems, or in cases of scheduled computer maintenance that will limit access to programs and applications.

All-staff E-mail will be approved when it is necessary to reach a majority of County employees regardless of work location and work hours and will be limited to messages that comply with this policy and meet all the following criteria:

• The message is clearly related to County Business.
• The message is of potential interest and benefit to a majority of County employees.
• The message promotes events that are accessible by County employees regardless of work location and work hours.
• The message does not contain a solicitation of funds for the benefit of a private party, including a private non-profit group, except for the annual United Way campaign.
• The message contains information of a time or date sensitive nature that makes E-mail more reasonable than use of the County's Intranet or other means of communication.

Prudent Exercise of Judgment

Employees must represent Deschutes County's best interests, with a prudent exercise of judgment in the use of County Computer Resources. This includes avoiding visiting pornographic sites or "sounding off" in public forums -- for example, chat rooms, newsgroups and mailing lists. When logged in from a site that is identifiable with Deschutes County, employees will avoid any communications or activities that are libelous, harmful to Deschutes County's reputation or are unauthorized expressions of County policies.

Employees shall respect the rights of others. Employees shall not copy or distribute any copyrighted material found on the Internet. Employees are to treat all material as copyrighted, unless the author has given his or her permission for the material to be redistributed.

Employees shall avoid monopolizing systems, connect time, disk space and other computer resources. The Information Technology Department shall be contacted to restore backed-up data files.

All persons accessing County Computer Resources from remote locations are required to have virus checking software installed on the computer equipment used to access the County Computer Resources. The virus checking software must be operational and must be at the latest release.

Unacceptable Use of County Computer Resources

Employees are strictly prohibited from engaging in, or using County Computer Resources in connection with, any of the activities described below. This list is illustrative of prohibited activities and is not intended to be all-inclusive. If a prohibition exists in any applicable state or federal law, administrative rule, other administrative procedure or directive established within the employee's department, it is likewise applicable and incorporated by reference herein.
While limited minor and incidental personal use is permitted, such use does not include or permit any prohibited activity.

Prohibited activities:

• Attempting to or circumventing, reducing, or defeating security or auditing systems of County Computer Resources or those of any other organization without prior authorization from County Legal Counsel or the IT Director.
• Taking any action that attempts to or renders the user's computer equipment unusable or that interferes with another’s use of County Computer Resources including any activity around the workstation that may result in damage to any County Computer Resources.
• Obtaining unauthorized access to any computer systemComputer Resource.
• Using another individual's password, account or identity without explicit authorization of the individual, unless this is approved by the individuals’ Department Head, the IT Director, County Legal Counsel, or the County Administrator.
• Providing the employee's own password, access identifiers or other access to County Computer Resources, to anyone, except in special circumstances and as not authorized in advance by the employee’s Department Head. or IT Department.
• Monitoring or intercepting the files or electronic communications of employees or third parties, unless this is approved by the employee’s Department Head, County Legal Counsel, or the County Administrator, law enforcement officials or as an authorized use of a particular software program (e.g., calendar management).
• Engaging in illegal, fraudulent, tortious, libelous or malicious conduct.
• Downloading software off the Internet without previous authorization from the IT Department.
• Except as allowed under any software license and as authorized by the IT Department, copying or downloading any software from or onto County Computer Resources. No unauthorized software or hardware is permitted on County Computer Resources.
Any commercial software residing on County Computer Resources shall be purchased through an authorized vendor or otherwise lawfully obtained. Except as otherwise allowed under the software license obtained by the County, and except for backup/archival purposes, software owned by Deschutes County or installed on County Computer Resources is covered under the copyright laws and shall not be copied, duplicated, or installed on any other computer resource.
• Soliciting or supporting political or religious causes or beliefs unless otherwise allowed under ORS 260.432 for elected officials.
• Using County Computer Resources in a manner that would constitute or might be construed by a reasonable person to constitute an endorsement of a specific commercial entity.
• Working on behalf of organizations without any professional or business affiliation with Deschutes County, or working on behalf of organizations with such affiliation but outside of the specific County business with them.
• Except as expressly authorized by the Department Head, the County Administrator or the Board of County Commissioners as a matter of County concern, using County Computer Resources to solicit for non-profit or charitable activity.
• Sending, printing, or storing offensive, obscene, or defamatory material. This includes initiating or circulating a report, knowing it to be false, concerning an alleged or impending fire, explosion, crime, and catastrophe or other emergency, while intending to cause public inconvenience or alarm.
• Sending uninvited E-mail of a personal nature.
• Visiting or viewing pornographic Internet sites, downloading pornographic materials from the Internet, sending or retrieving sexually explicit or objectively offensive messages, cartoons or jokes, ethnic slurs, racial epithets or any other statement or image that might be construed as Harassment (as defined by either ORS 166.065 or the County's Non-harassment Policy), disparagement, libel, or discrimination based on age, marital status, sex, race, sexual orientation, national origin, disability, or religious or political beliefs.
• Annoying or harassing other individuals, including any prohibited form of Harassment or forging another's identity or attempting to conceal the origin of the message in any other way.
• Distributing or storing chain letters, solicitations, junk mail, spam, offers to buy or sell goods, or other non-business material of a trivial or frivolous nature.
• Using County Computer Resources to play games during working hours.
• Using County Computer Resources for personal financial gain or the financial gain of the user's family, or for the avoidance of personal financial detriment or the avoidance of personal financial detriment to the user's family.
• Removing County Computer Resources from County premises without prior authorization from the Department Head.
• Obligating the County to any subscription service (Internet, etc.) or incurring any long distance phone charges on County-paid phone lines for modem connections without approval from the Department Head or IT Director.
• Purchasing computer hardware, such as printers or scanners, for use with County Computer Resources without first consulting IT to ensure the hardware and its features are compatible with the Deschutes County computing environment.

Mobile Computing Devices (MCDs)

Mobile Computing Devices include personal digital assistants (PDAs), laptop computers, and cell phones with data access capabilities including, but not limited to Blackberrys and other smart phones, iPods, tablet PCs, and other portable electronic computer equipment.

The Information Technology Department will support only those MCDs purchased and owned by the County. Support for County owned mobile computing devices includes installation, training, and interfacing to Microsoft calendaring, E-mail, tasks, and notes. MCDs owned by County employees will not be supported. Non-County owned mobile computing devices may not be connected in any way to the internal County secure network. Assistance for non-County owned mobile computing devices will be limited to providing the configuration parameters necessary to establish a connection to approved County resources. The Information Technology Department will not assume responsibility for data loss on MCDs.

Use of mobile computing devices to connect to County resources must be approved by the requestor's Department Head and the Information Technology Department.

Mobile computing devices are computing and data storage devices. Mobile computing device users assume all responsibility for securing their mobile computing device and its data in accordance with the County computer usage policy, the guidelines presented in the County security training, and all federal, state, and local laws to which the data is subject.

Express Waiver of Privacy Rights

Employees and Volunteers should not expect personal privacy with respect to any of their activities using County Computer Resources. Deschutes County reserves the right to review any information, files or communications created, sent, used, stored, deleted, or received on its computer systems.
The County has the right and the capability of restoring E-mail messages and visited internet sites that a user has attempted to delete. In exchange for the County assigning County Computer Resources to the employee and allowing the employee's use of Computer Resources, each employee expressly waives any privacy interest the employee may have in the use of County Computer Resources that is not in compliance with this policy.

Enforcement.

The County will investigate any alleged abuses of its computer equipment resources. As part of the investigation, the County may access the electronic files of its employees. The County reserves the right to periodically conduct system audits including the review of all files of all County computer systems to ensure proper use of its computer resources. Although the County wishes to ensure that the personal information of its employees is protected, in the course of its investigation, the County may reveal private, employee-related information to other employees.

Employees violating any aspect of this policy may have their access to computer resources restricted and are subject to discipline, up to and including termination of employment. Furthermore, employees using County Computer Resources for defamatory, illegal, or fraudulent purposes, in violation of federal or state laws, or in violation of applicable terms of use imposed by a Computer Resource provider, also may be subject to civil liability and/or criminal prosecution.

Other Policies, Laws and Agreements

Other computer equipment policies may be implemented by County departments which augment this policy. Under no circumstances, however, will these other policies be less restrictive than this policy.
To the extent that a County employee's use of a County Computer Resource is subject to conditions of use imposed upon the employee by any service agreement, user agreement or contractual agreement with a commercial Computer Resource provider, nothing contained in this policy shall limit an employee’s duties or liabilities under such agreement. However, to the extent the terms of such agreement are less restrictive than this policy, this policy shall govern.

Nothing contained in this policy limits an employee’s duties and liabilities under Federal, State, or Local laws governing protected information, privacy protections, trademarks, patents, and other trade secret protections and laws.

The Information Technology Director shall develop and annually review and update Information Security Procedures for the protection of the confidentiality, integrity and availability of County data assets. These procedures shall specifically address data access, system security and log-in controls, audit processes, physical security of computer and data resources, operational security and communications security. These procedures may be reviewed as they are updated by the County Administrator and/or the Board of Commissioners, but shall be exempt from public disclosure pursuant to ORS 192.501(23)(c), as it currently exists or may from time to time be amended.

All users of County Computer Resources may be required to attend training in information security awareness.

Implementation

All employees including volunteers and those hired from employment agencies shall acknowledge in writing receipt of this policy and such acknowledgement shall be included in the employee's personnel file.

Any questions relative to the intent or application of this policy should be directed to the County Administrator, who is delegated the responsibility to interpret and implement this policy.