RESOLUTION
RE: ADOPTION OF THE WELD COUNTY INTERNET ACCEPTABLE USE POLICY TO BE
INCORPORATED INTO THE INFORMATION SERVICES SECTION OF THE WELD
COUNTY ADMINISTRATIVE MANUAL
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Director of Finance and Administration has presented to the Board of
County Commissioners, in conjunction with SCT, Inc., and the Information Services Governance
Committee, the Weld County Internet Acceptable Use Policy, as attached hereto and
incorporated herein by reference, and
WHEREAS, the Board of County Commissioners deems it advisable to adopt said Weld
County Internet Acceptable Use Policy and, further, to incorporate said Policy into the Information
Services Section of the Administrative Manual.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld
County, Colorado, that the Weld County Internet Acceptable Use Policy be, and hereby is,
adopted.
BE IT FURTHER RESOLVED by the Board that the Director of Finance and
Administration be, and hereby is, directed to incorporate said Policy into the Information Services
Section of the Administrative Manual, publish said policy, and disseminate copies to all County
Departments.
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 18th day of August, A.D., 1997.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
EXCUSED
George E. Baxter, Chair
Constance L. Harbert, Pro-Tem
EXCUSED DATE OF SIGNING (AYE)
D K. Hall
EXCUSED
Barbara J. Kirkmeyer
W. H. Webster
ATTEST: Weld County Clerk to the Board
BY: Deputy Clerk to the Board
APPROVED AS TO FORM: County Attorney
971778
DP0006
Weld County
Internet Acceptable Use
Policy
TABLE OF CONTENTS
General
Electronic Communications
Public Networks
Introduction
Guidelines
Roles and responsibilities
Information Services
ISGC
County Departments and Agencies
Protecting Proprietary Information
Data Sensitivity
Confidential Data
Restricted Data
Proprietary Data
Unclassified Data
Data Sensitivity Processing Guidelines
Security
Modem/Internet Security
Acceptable Use Guidelines
General
Participation in Discussion Groups
Classes of Mail Allowed
Qualifications for Access Authority
Web Server Guidelines
Initial Approval
Guidelines
Use of Electronic Mail
Employee Access
Employee Conduct
Monitoring
Retention/Archiving/Destruction
Public Requests
Glossary of Terms
Applicable State of Colorado Codes
Appendix A
General:
Information Services, in conjunction with the Weld County Information Services Governance
Committee (ISGC), has taken the necessary steps to provide an Internet Acceptable Use Policy
(IAUP) on acceptable use of the Internet by County agencies and departments. Any County
agency or department eligible for and having funding for the Internet will be provided with
access under the terms and conditions of this policy. Violation of this policy may be grounds for
having access to Internet services revoked.
The objective of this policy is to minimize the risks to business functions and government owned
assets, and to assure adherence to regulatory and legal requirements and enterprise policies when
County resources are used to access public networks.
The scope of this policy applies to electronic communications on public networks including but
not limited to the following:
Electronic Communications
► e-mail
► File Transfer
► Remote Login
► Remote Control Software
► Discussion Groups/Bulletin Boards
► World Wide Web, Gopher, Web Servers, Wide Area Information Servers (WAIS)
Public Networks
► Internet
► America Online, CompuServe, Prodigy ...
► Online Search Services such as Dialog, Paperchase...
► Dialup Bulletin Board Systems
Introduction:
Internet access can provide significant business benefits for County government agencies.
However, there are also significant legal, security, and productivity issues related to how the
Internet is used. Examples of such issues are:
► The potential to receive computer viruses from Internet information sources.
► The potential for someone to eavesdrop on data or correspondence which is
exchanged via the Internet.
► The potential for a County government employee, through the content of their
Internet exchanges, to impugn the reputation of local government officials and
thereby invite civil liabilities.
► The potential for County government employees to be enticed by the vast social
and informational forums of the Internet into spending significant work time on
nonproductive activities.
► If County government agencies or any person using an Internet connection
sufficiently upsets other Internet users, the connection could be flooded with
traffic in protest, thus negatively impacting the availability of the service for true
business purposes.
► Outside access to local databases can overwhelm the processing power of the
local network.
Guidelines:
The purpose of the following is to provide a short checklist of procedures which should be
followed while accessing public networks through company resources. These guidelines govern
County employees, contractors, and anyone working via County direction. For more
specific and detailed policy statements, refer to the sections that follow in this policy manual.
► Use of County resources for accessing public networks is for work related
purposes only.
► Act responsibly when participating in discussions over a public network. Be
polite and do not get abusive in your messages to others. Remember--
defamation can occur due to malicious use of the Internet.
► Do not use public networks inappropriately. Your use may be monitored and
access may be revoked at any time for inappropriate conduct.
► Determine and abide by the policies and procedures of any external network you
access. You are expected to be a "responsible network citizen" (Netiquette).
► Downloading of any software programs or applications (including but not limited
to shareware, freeware, demos, etc.) is strictly prohibited. All such requests must
go through Information Services.
► When downloading non-application software, check for copyright or licensing
agreements. If there is any doubt, do not copy. If a licensing agreement exists or
you must pay for the information, it must first be approved by the Information
Services Governance Committee.
► There should be no automatic requests for information on the Internet.
► Avoid the generation of excessive Internet Email.
► The target directory must be scanned with anti-virus software before and after
downloading any file(s) from the Internet. As most downloads are in a "zipped"
format, scanning the file(s) after "unzipping" is necessary. It is the user's
responsibility to ensure that the downloaded file(s) are free from known viruses.
► Do not use software (network "probes") which attempts to discover properties
about the public network or computing resources connected to that network.
► Be aware that any data transferred via the Internet is prone to be monitored and/or
intercepted by unintended destinations.
► All County e-mail is a Public Record and may be subject to public inspection.
Roles and responsibilities
Role of Information Services
► Establish the Internet Acceptable Use Guidelines
► Apprise elected officials/department heads of any continued abuse
► It is specifically NOT the role of Information Services to act as the "Net Police".
Information Services cannot be held responsible for non-professional usage, improper humor, or
the moderation and monitoring of e-mail or Usenet groups. Disciplinary actions for Sexual
Harassment and Hostile Work Environments violations and for use of County property for
personal purposes are defined by the County policy published in the Employee Handbook.
Role of the ISGC
► Review and approve the Internet Acceptable Use Guidelines
► Advocate adherence to the policy
Role of the County Departments and Agencies
► Act as authorizing agent that allows access to the Internet
► Ensure that guidelines are followed
► Provide for training of employees that they want to have access
► Budget for service and associated training, if needed
► Establish their own data sensitivity policy
► See "Protecting Proprietary Information"
Protecting Proprietary Information
Data Sensitivity
Persons transmitting enterprise data over public networks should ensure that the data is processed
according to its level of sensitivity by using the definitions and guidelines which follow. After
having read the following sections, if you are unsure of how to properly handle specific data,
contact the information asset owner (data custodian) for guidance.
Data Sensitivity Definitions
Confidential Data
► Shows specific strategies and major directions
► Confidential information as defined by local, state or federal laws, rules or
regulations (e.g. Social Services data)
► Data of other business/persons with respect to which the
enterprise is under an obligation of confidentiality
Restricted Data
► Working files not completed for public dissemination
► Is of such a nature that unauthorized disclosure would be against the best interest
of the County
► Personnel Data
► Data with restricted use or access per local, state or federal laws, rules or
regulations (e.g. criminal justice data)
Proprietary Data
All enterprise related information requiring baseline security protection, but failing to
meet specified criteria for higher classifications:
► Organizational Policies and Procedures that are internal by nature
► Internal announcements
Unclassified Data
Information which requires no security protection:
► Public information
► Public announcements
► Internal correspondence and documentation which do not merit a security
classification.
Data Sensitivity Processing Guidelines
Confidential
► Encrypted
► Owner defines permissions
► Marked confidential
► Electronic confirmation required
► High volume: use other alternatives (mail carrier)
Restricted
► Encrypted
► Owner defines permissions
► High volume: use other alternatives (mail carrier)
Proprietary
► Owner defines permissions
► High volume: use other alternatives (mail carrier)
Unclassified
► High volume: use other alternatives (mail carrier)
Security
Internet growth over the last several years has been many tens of thousands of percent. There are
literally hundreds of millions of pages of Internet information and billions of publicly available
files. It is impossible to monitor every site in the world to determine if the site has material
available which violates policy. Even if a specific item is in violation of County standards,
blocking access will not prevent access to the material, as many sites are either mirrored at other
locations, or change their name and IP number regularly to avoid prosecution.
Modem/Internet Security
Therefore, the following modem/Internet security guidelines must be adhered to:
► When utilizing a modem for remote access to another computer one must be aware and
follow the acceptable use policy, if any, regarding the remote public/private system.
► There is no such thing as a 100 percent secure system; the human element is always the
weakest link in system security.
► Make sure any related passwords are secure, DO NOT share the password(s) or write
passwords on paper. Also, it is recommended that a password consists of letters and
numbers.
► Within the software which controls the modem, it is recommended that the "answer off"
(if applicable) mechanism is exercised in all situations, unless approved by Information
Services.
► If one elects to download non-application software, the download directory MUST be
scanned with an anti-virus program immediately following the download. Information
Services will be happy to train the end-user on utilizing the anti-virus program. Be aware
if you have a modem and are on the County network, it is possible for a virus to attack
any or all networked computers.
► Do not distribute the phone number of the shared or dedicated modem line unless it is
absolutely required.
► If the phone number to the remote system is long-distance, keep the call as short as
possible.
► If the modem is external, turn it off when the modem is not in use.
Acceptable Use Guidelines
This section represents a guide to the acceptable use of the Internet for County employees. This
section intends only to address the issue of Internet use. In those cases where data
communications are carried across other regional networks, network users are advised that
acceptable use policies of those other networks apply and may limit use.
General
Participating agencies assume the responsibility for providing reasonable publicity and
enforcement for this "Internet Acceptable Use Policy". Ultimate responsibility for traffic that
does not conform to this policy lies with the individual end user. It is the responsibility of the
County agency to monitor and rectify the behavior of their users who disregard this policy.
It is also the responsibility of the agencies to provide adequate training for their users to ensure
appropriate network use.
Information Services and the County accept no responsibility for the traffic which it transports
and which violates the acceptable use policy of any connected networks, beyond informing the
County agency if and when a violation is brought to the attention of the ISGC.
All use of the Internet must be consistent with the goals and purposes of the Internet and within
the spirit of this acceptable use policy. The guidelines listed herein are provided to make clear
the categories of use which are consistent with the purposes of the Internet. The intent is not to
exhaustively enumerate all such possible uses or misuses.
Internet computing resources are world-wide, and all users are urged to exercise common sense
and decency with regard to these shared resources. Particular attention should be paid to policies
developed for various Internet services by Internet users (such as Usenet policies).
Because of the diversity of resources on the Internet, an even moderately complete listing of do's
and don'ts would be quite large. In general, common sense should be used to judge situations.
The following guidelines are given as a starting point.
► Computing resources should be used only in the support of the administrative,
instructional, and research objectives of the County.
► Appropriate use of resources is limited to the official work of the agencies.
► Examples of inappropriate use of resources include, but are not limited to:
► any traffic that violates State/Local and Federal laws
► any traffic that is unethical in nature
► distribution of unsolicited advertising
► propagation of computer worms and/or viruses
► distribution of chain letters
► attempts to make unauthorized entry to another network node
► use for recreational games
► personal use
► sexually offensive material
The ISGC endorses the following guidelines concerning computing resources.
► Respect the privacy of others. Do not seek information about, obtain copies of, or modify
electronic information belonging to other users unless explicitly authorized to do so by
those users.
► DO NOT share passwords with others or use passwords not belonging to you.
► Respect appropriate laws and copyrights. The distribution of programs, databases, and
other electronic information resources is controlled by the laws of copyright, licensing
agreements, and trade secret laws. These should be observed.
All County agencies must accept these guidelines and understand network traffic originating
from their location is to be consistent with this policy. Information Services cannot police the
network but may refer to the appropriate office holder for disciplinary action any agency that
appears to be in persistent and/or serious abuse of this policy. Questions pertaining to the policy
or interpretation of the policy should be submitted to the ISGC.
Information Services may at any time make a determination that particular uses are not consistent
with the purposes of the Internet connection. Such determinations will be reported to the
agency's department head, as appropriate, for information and possible imposition of sanctions.
Persistent and/or serious violations of the policy may result in withdrawal of approval to use the
Internet or other penalties.
Participation in Discussion Groups
There should be a good business reason for participating in any discussion group over the
Internet.
In a discussion group, and in any other Internet exchange, the user must be aware that the information
he or she puts out on the Internet will be perceived as the official Weld County position unless
specifically identified as personal opinion. If you are offering your own opinion, be sure it is
clearly identified as such. Also, a good rule of thumb is: "If you would be embarrassed to have
someone read it on a postcard, don't say it on the Internet."
In addition, all of the rules which apply to other forms of written correspondence apply here,
even though the style is more casual.
Classes of Mail Allowed
Setting the standards for both casual and official correspondence is the responsibility of the
individual department and would be the same for the Internet as for other forms of written
correspondence.
Qualifications for Access Authority
Before Information Services approves a user for Internet access, a Weld County Computer
Security Request Form (see Appendix A) must be properly filled out and according to the normal
procurement process.
Web Server Guidelines
Information Services and the Weld County Governance Committee will review all Web access
proposals to ensure the project adheres to all guidelines set forth in this section.
1. Initial Approval - Any proposed Web access must be submitted to the Information
Services Governance Committee for initial approval of the proposed project.
A. The following information must be provided to Information Services for them to
review and assist in submitting the initial request to the Governance Committee.
1) State the general purpose of the project and how it relates to Weld County
business.
2) Define the scope of the project. What information is going to be made
available and to whom? Who is the targeted user of the project?
3) Provide initial design documentation, which includes a rough page layout,
applets, links, images, etc.
4) Identify any Weld County data accessed that is not located on the web
server and indicate how the data will be used.
5) Who is the designated contact person within the department for this
project? This person will be responsible for maintaining current
information.
6) What are the security requirements of the project?
2. Guidelines - If initial approval is granted for the project, the following guidelines must
be followed during the development.
A. Information Services must establish and maintain a fully functioning firewall for
web access projects to be operating in production.
B. Information Services will monitor applications and network activity and set
restrictions as needed to prevent problems with Weld County data or internal
network processing.
C. Appropriate security levels will be maintained by Information Services.
D. Information Services will approve and allocate resource requirements.
E. To help ensure compatibility between applications, use development tools as
defined by Information Services and approved by the ISGC.
F. Information Services must first review and approve the proposed location of the
data and Web page access, Web server, and network access points.
G. All development and/or enhancements to a project must be performed and tested
on a designated test Web server.
H. After testing is completed and the project is reviewed by Information Services, the
project will be transferred to the production Web server. Only Information
Services will have development access on the production Web Server.
I. Information Services' main priority is to maintain the integrity of the Weld
County data and in-house network processing capabilities. If at any time the web
page and/or associated links/controls do not adhere to the set standards or cause a
problem for whatever reason, the web page may be terminated without
notification.
J. Contents of Web pages should be approved by Department Head/Elected Official
or his or her designee.
Use of Electronic Mail
Electronic mail ("e-mail") is defined as any message that is transmitted electronically between
two or more computers or terminals, whether stored digitally or converted to hard (paper) copy.
Under part 2 of article 72 of title 24, C.R.S., e-mail messages are considered public records and
may be subject to public inspection pursuant to §24-72-203, C.R.S. All computer-related
information, including e-mail messages, is the property of Weld County and is considered the
County's records.
1. Employee Access
All county employees with a need will be assigned a user address by Information
Services. These addresses may be used to send and receive e-mail messages to/from
other county employees. Conduct for use of these e-mail systems is detailed below.
Elected officials and department heads may also request an e-mail address that is Internet-
accessible. At the request of the department head or elected official, employees will be
provided Internet-accessible e-mail addresses for conducting county business. Employees
will be provided such e-mail addresses, pending county technology capabilities and
availability; continued access to Internet-accessible e-mail will be contingent upon the
employee's conduct, as outlined previously in this document and reviewed below. Costs
associated with e-mail access will be evaluated annually and determined through the
County's budget process.
2. Employee Conduct
As with any county property or equipment, e-mail should be used for official county
business only. However, strictly forbidden e-mail usage includes use for personal profit
or gain; transmission of political messages; solicitation of funds for political or other
purposes; or sending of harassing messages.
3. Monitoring
Because e-mail is county property, the county has the right to inspect and review any
e-mail or other data stored on county computers/equipment. Information Services is
responsible for monitoring electronic mail through regular computer/network
maintenance. Additionally, County officials may inspect and copy e-mail and computer
records when there are indications of impropriety by an employee, when substantive
information must be located and no other means are readily available, or when necessary
for conducting county business. Supervisors may review the contents of an employee's
electronic mail without the employee's consent.
4. Retention/Archiving/Destruction
E-mail messages that concern policies, decision-making, specific case files, contracts or
other information that should be kept as part of the official records of county business
should be retained by the recipients of such e-mail. Therefore, employees are responsible
for retaining and archiving electronic mail messages as official records of county
business. E-mail messages should be stored on the County's network drives.
The Director of Information Services is the official custodian of electronically/digitally
stored information, including electronic mail. Information Services is responsible for
monitoring and retrieving archived data/information.
Users (employees) are responsible for archiving e-mail messages. After 45 days,
employees should delete e-mail messages to minimize storage requirements. Information
Services is responsible for long-term storage of electronic mail and will retain/destroy e-
mail records in accordance with the records retention schedules established for records by
the State (pursuant to part 1 of article 17 of title 6, C.R.S.).
5. Public Requests
Public requests for electronic mail that is a public record should be submitted to the
elected official/department head. Public requests for public records will be handled in
compliance with the Public Records Act. If a request is made to inspect electronic mail,
County staff shall, prior to allowing inspection of the correspondence, consult with the
elected official/department head for the purpose of determining whether the
correspondence is a public record.
Members of the public who request public electronic mail records will be charged for the
costs of providing those records, in accordance with the County fee schedule.
Glossary of Terms
Data Custodian Owner or person responsible for the data.
E-mail (electronic mail) Widely used network application in which mail messages
are transmitted electronically between end users over various types of
networks using various network protocols.
Gopher The Internet Gopher is a distributed document delivery service. It lets
users access various types of data residing on multiple hosts. This is done
by presenting the user menu documents and by using a client-server
communications model.
HTTP Hyper Text Transport Protocol
ISGC Information Services Governance Committee.
Internet Term used to refer to the world's largest internetwork, connecting
thousands of networks worldwide and having a "culture" that focuses on
simplicity, research, and standardization based on real-life use.
IP Internet protocol. The network layer for the TCP/IP Protocol Suite. It is a
connectionless, best-effort switching protocol that offers a common layer
over dissimilar networks.
SCT Systems and Computer Technology Corporation.
Usenet The thousands of topically named newsgroups, the computers which run
them, and the people who read and submit Usenet news.
WAIS Wide Area Information Servers. A distributed information service that
offers natural language input, indexed searching, and lets the results of
initial searches influence future searches.
WWW World wide web. A project that merges information retrieval and
hypertext to make an easy to use, powerful, global, academic information
system.
Applicable State of Colorado Codes
§ 18-5.5-101. Definitions
As used in this article, unless the context otherwise requires:
(1) "Authorization" means the express consent of a person which may include an employee's
job description to use said person's computer, computer network, computer program, computer
software, computer system, property, or services as those terms are defined in this section.
(2) "Computer" means an electronic device which performs logical, arithmetic, or memory
functions by the manipulations of electronic or magnetic impulses, and includes all input, output,
processing, storage, software, or communication facilities which are connected or related to such
a device in a system or network.
(3) "Computer network" means the interconnection of communication lines (including
microwave or other means of electronic communication) with a computer through remote
terminals, or a complex consisting of two or more interconnected computers.
(4) "Computer program" means a series of instructions or statements, in a form acceptable to
a computer, which permits the functioning of a computer system in a manner designed to provide
appropriate products from such computer system.
(5) "Computer software" means computer programs, procedures, and associated
documentation concerned with the operation of a computer system.
(6) "Computer system" means a set of related, connected or unconnected, computer
equipment, devices, and software.
(7) "Financial instrument" means any check, draft, money order, certificate of deposit, letter
of credit, bill of exchange, credit card, debit card, or marketable security.
(8) "Property" includes, but is not limited to, financial instruments, information, including
electronically produced data, and computer software and programs in either machine or human
readable form, and any other tangible or intangible item of value.
(9) "Services" includes, but is not limited to, computer time, data processing, and storage
functions.
(10) To "use" means to instruct, communicate with, store data in, retrieve data from, or
otherwise make use of any resources of a computer, computer system, or computer network.
§ 18-5.5-102. Computer crime
(1) Any person who knowingly uses any computer, computer system, computer network, or
any part thereof for the purpose of devising or executing any scheme or artifice to defraud;
obtaining money, property, or services by means of false or fraudulent pretenses, representations,
or promises; using the property or services of another without authorization; or committing theft
commits computer crime.
(2) Any person who knowingly and without authorization uses, alters, damages, or destroys
any computer, computer system, or computer network described in section 18-5.5-101 or any
computer software, program, documentation, or data contained in such computer, computer
system, or computer network commits computer crime.
(3) If the loss, damage, or thing of value taken in violation of this section is less than one
hundred dollars, computer crime is a class 3 misdemeanor; if one hundred dollars or more but
less than four hundred dollars, computer crime is a class 2 misdemeanor; if four hundred dollars
or more but less than fifteen thousand dollars, computer crime is a class 5 felony; if fifteen
thousand dollars or more, computer crime is a class 3 felony.
Appendix A
Weld County - COMPUTER SECURITY-REQUEST
Requestor:
Dept: Extension: Date:
ADD DELETE CHANGE
Users Name:
Dept: Extension: Term ID:
Servers: Groups:
EMAIL Groups:
SECURITY Manager(s):
Facilities:
SERVER Banner/PeopleSoft UNIX (Banner batch)
EMAIL Modem/Dial-in Modem/Dial-out
Internet- EMAIL Internet - WEB /FTP
Special Instructions:
Elected Official/Department Head's Approval:
Date:
Director of IS Approval:
Date:
Implemented by:
Date: