Douglas County Personnel Rule #21

ACCEPTABLE USE OF COUNTY ELECTRONIC
INFORMATION SYSTEMS

21.1     All county electronic information systems are to be used for County business only, with minor exceptions, and use of these systems shall be conducted in accordance with this policy.  This policy applies to all county employees and others ("users") who have access (direct or through any type of remote access solution) to any county electronic system.

21.1.1                          Definition

County means Douglas County acting through each of its department heads, boards, or commissions.

County systems or systems means all County electronic information devices, interconnections, and technical information related to them.  Examples include all computer devices (whether networked or standalone), software and hardware (CPU's, memory devices, storage devices and storage media), telephones, personal digital assistants (PDA's, Pocket PC's), cellular-based communications devices that access the County network, voice mail systems, fax machines, pagers, copiers, recorders, transmitters, printers, scanners, and any similarly connected, or related, devices.  For purposes of this policy, an electronic record or communication includes any data or information in any form processed or stored within the system whether generated directly or indirectly.

Department    Whenever the context allows, "department" refers to the particular County department that owns or controls a system at issue.

Information Technology Department means any person under the direction of the Information Technology Director, either staffed within the Information Technology Department, or a designee outside of the Information Technology Department approved by the respective department head and the Information Technology Director.

User means any person(s), County employee or not, acting on behalf of the County, who has access to and makes use of any County electronic system referenced in this policy.

Public Access means usage of any County electronic system, by general public or County employee, that has been expressly designed and designated as a public accessible device.

Information means information of any kind used in any way in County systems, Examples include messages, communication, e-mails, files, records, recordings, images, graphics, transmissions, signals, programs, macros, software, and data.

Publishing means using systems to disseminate or spread information to the public or beyond the user's area of authority with the County.  Examples include newsletters, web pages, fliers, chain letters, and postings to Internet groups or to e-mail lists.

Systems includes other systems accessed by or through those devices, such as the Internet, e-mail, cable television, and phone services.  Systems includes designs, specifications, passwords, access codes, and encryption codes.  Systems also includes any identifiers for devices, users or accounts.

Uses, uses, used means any use of County systems to affect information in any way by County employees, officers, agents, or volunteers. Examples include using systems to search, produce, calculate, extract, forward, print, publish, receive, send, transmit, apply, run, control, download, upload, records, copy, rename, access, alter, delete, erase, encrypt, or store any information.

21.1.2              Systems and information are County property.  All systems and information are, and shall remain, the property of the County, subject to its sole control.  No part of systems or information are, or shall become, the private property of any system user.  The County owns all legal rights to control, transfer, or use of all or any part or product of its systems.  All uses must comply with this policy and with all other County policies and rules that apply.  Nothing in this policy shall be construed to abridge any rights of County to control its systems, their uses, or information.

Systems are for County business.  Except as allowed under this policy, systems may be used only for the business of the County as defined by the County.

21.1.3              The County reserves, and intends to exercise, all rights relating to information used in its systems.  The County reserves the right to trace, review, audit, access, intercept, block, restrict, screen, delete, recover, restore, publish, or disclose any information, at any time without notice.  The County does not intend to tap phone conversations without notice or due process of law.  However, it may authorize a party to any conversation to record it, as permitted by State Law.  The County may withdraw permission for any or all personal or business uses of its systems at any time without cause or explanation.  No one shall grant access to systems without County authorization.

All Users should also be aware that the use of a password does not give rise to any right of privacy and that the use of the deletion keystroke, or a delete function, does not necessarily mean that a record, communication, or document has been eliminated from the System.

21.1.4              Desktop security mechanisms, including passwords, scramblers, encryption methods, re-mailer services, proxies, anonymizers, drop-boxes, or identity-stripping may not be used without County approval, access, and control.  No user may attempt to access, copy, forward, delete, or alter the messages of any other user without County authorization.  A County system may not be used to attempt unauthorized access to any information or system.

21.1.5              Physical Security of County information systems is important.  Because of this, no member of the general public should be provided access to any County system unless that system has been configured for public access.  Users are required to log out of the network and turn off personal computers when not in use overnight and over weekend periods, unless there is a business purpose (ie, backups, scheduled jobs, etc) for leaving the computer on.  Any computer left on in these situations must be locked with a password protection system, such as a password enabled screensaver.  To insure appropriate security, departments are required to identify "high risk" locations to the Information Technology Director, A work area in which a workstation cannot be effectively secured for County-only utilization, or is expressly configured for access by the general public, is considered to be "high risk".

21.1.6              Network passwords are utilized as a key element of the System security strategy.  Passwords are required of all Users.  System defined requirements for minimum password length, password renewal, and password reuse applies to all Users of the System, and may be required by the Information Technology Department.  System users should protect their passwords, share only as necessary, and change them immediately if the password is compromised.  Periodic password changes, with limitations on password reuse, are enforced as a matter of network security.  Information Technology may require passwords that do not meet minimum security requirements to be changed immediately.  Passwords should never be written or posted in areas that are in visible sight, including on or around a PC workstation.  Devices designated as Public Access may be excluded from these requirements where business practices deem it impractical.

21.1.7              Users assigned remote access rights (dialup, RAS, VPN, etc) are to safeguard security information provided including phone numbers, security codes, and passwords.  Remote access capabilities are assigned to specific individuals and are non-transferable between Users.  Remote access to County systems should be limited to only the minimum duration in which such access is needed, and should be immediately removed when no longer needed for County purposes.

21.1.8              Many sophisticated system monitoring and diagnostic tools are readily available through the Internet.  Implementation of any of these types of system monitoring and/or diagnostic tools, such as keyboard capture, network diagnostic, scanning, "sniffing", password cracking or testing , or port mapping tools by Users is prohibited, unless pre-authorized by the Information Technology Department.

21.1.9              Careful control of access points to the network is vital to System security.  Unless pre-authorized by the Information Technology Department, all Users shall adhere to the following: No user shall install, or allow an outside service provider to install any software or hardware solution that allows remote access or remote control of a device within the County network.  No User shall utilize any unauthorized software package of service to gain access to a device outside the County network.  A network connected PC configured with remote access or remote control software, with or without a modem represents a significant security exposure to the entire network.  Users are not allowed to set up desktop modems to provide dial-in capabilities.  Modem access is to be coordinated with Information Technology.  Where business needs dictate, dial-up modems may be with the User to assure that required needs are met with a configuration that is consistent with System security requirements.  Users should contact Information Technology for a review of any existing modems attached to networked PCs.

21.1.10            A firewall, (the computer system which isolates the County from the Internet world), is maintained to separate the County network from the Internet.  Many web-based services offered by outside agencies, for communicating and transferring data, require modifications to the firewall.  Every modification constitutes a compromise in network security.  The County will assess requests for access through the firewall on a case-by-case basis through a formal request process.  No adjustment or modifications to the firewall will be made to accommodate any non-County related business needs.

21.1.11            No User should attempt to modify their desktop operating system or software applications installed on the System.  This includes the use of registry editors, any type of disk management software, menu systems, screen savers, music or video players or utilities, chat systems, or other software utilities not included in the standard operating system.  Users may not experiment with their PC operating system configurations using "tips and tricks" type information found in magazines, bulletin boards, user groups, etc.

21.1.12            Users are prohibited from installing or downloading any software or program onto their PC System, without first consulting with Information Technology.  In general, Information Technology is solely responsible for installation and configuration of software on PCs and the System.  Some specialized circumstances warrant users installing and maintaining their own PC provided they do so by specific pre-agreement with Information Technology.  Users should consult Information Technology prior to responding to any prompt from an Internet-based source to upgrade standard components on a County PC (ie Adobe Acrobat, Flash, Windows Update components, Internet Explorer updates, etc).

21.1.13            Users are not to install software that enables a workstation to serve as a communications host for remote access.  No User shall install or download any software or activate any service that enables a PC or any component of a User profile to communicate through the firewall to any outside service, host, remote PC, etc.  This includes "webshots" type novelty programs, "cellular" e-mail services, remote control software, streaming video and audio not related to county business, and any of the emerging products that utilize ports configured for standard browsing, file transfer, and Internet e-mail routing.

21.1.14            Information Technology relies on standard configurations when restoring systems after component failures.  Information Technology is not responsible for restoring any custom configurations implemented by end users in violation of this policy.

21.1.15            Users should not disable or modify the network security software placed on their system, including anti-virus software.  Users connecting to the network are obligated to participate in distributed updates of these software systems.

21.1.16            All programs, documents, and data generated, processed, and/or stored on the System are County property, unless otherwise specified by a license agreement.  The County licenses the use of copies of computer software from a variety of outside companies.  The County does not own the copyright to this software or its related documentation.  The County, except for copies for backup purposes or unless expressly authorized by the copyright owner(s), does not have the right to reproduce software for use on more than one computer or network.  County employees learning of any misuse of software or related documentation within the County, or with knowledge of the installation of un-licensed software, are required to notify their department management immediately, and if still unresolved, to the Information Technology Director.

21.1.17            A Users ability to send an e-mail message to a group of people should only be conducted on a limited basis.  All group e-mail messages should identify the source by department and name.  Responses to group messages should be directed to the source.  When determining whether a message should be broadcast on a group wide or department-wide basis, make sure that you know your audience.  Avoid broadcasting messages to people with whom you do not ordinarily have direct contact.  Each department is responsible for group e-mails sent by employees of their departments.  Group or broadcast e-mails should never be used to transmit non-County related information, including such things as jokes, religious messages not pertaining to County business, or advertisements.

The prohibitions for individual e-mail communications also apply to group e-mail communications.  Any departmental questions regarding a group message should be addressed to the Information Technology Director.

21.1.18            Public records are controlled by the County.  All system administrators and users must comply with public records retention laws and rules.  The County reserves sole discretion to decide what information is a public record.  The County may disclose any public record without permission or knowledge of any systems user.  Except as noted in this policy, users may not expect that any personal use of County systems is private.

21.1.19            Uses must reflect the County image, uses of County systems do not all have to be formal, but they must be professional.  For example, e-mail must look like County e-mail, not the product of a pop culture.  Authors must not use CB handles or pen names, personal symbols, ornamental quotes , or news group or chat room slang.  This rule may not apply to some devices and services designated as Public Access.

21.1.20            Uses of County systems must not be false, unlawful, offensive, or disruptive.  No use shall contain profanity, vulgarity, sexual content, or character slurs.  No use shall make rude or hostile reference to race, age, gender, sexual orientation, religious or political beliefs, national origin, health, or disability.   Copyrighted or licensed information shall be used only with full legal right to do so.

21.1.21            All publishing is restricted to County business as defined by the County.  All publishing requires County authorization.  Employee events may be internally published with County approval.

Many Internet or e-mail groups exist to share useful information.  The County may authorize a user to post queries or to represent it by posting professional comments to useful groups.  Comments must conform to this policy.  Content and frequency of posting must reflect the County's interests; not the user's.

Internal publishing of employee events is mixed County and personal business and must conform to this policy.  Examples are charitable drives retirements, parties, or whatever the County deems suitably related to County business.

21.1.22            The County often needs people to remain at work despite personal needs and interests.  The County also needs employees to continuously develop their knowledge and skills.  For those reasons, certain personal uses are allowed.  The County shall have sole discretion to decide whether a use is personal or business.  Any personal use must satisfy the following provisions.  Except as these provisions clearly state, all personal use must also comply with the rest of this policy and any use will comply with the Employee Ethics Policy (Personnel Rule 20).  Personal use of County systems must be at virtually no cost to the County.

21.1.22.1         Examples of allowed personal uses include: a local call, a long distance call that is not charged to the County, a brief e-mail message, a short toll-free Fax, and limited use of a microcomputer.

21.1.22.2         Examples of allowed mixed County and personal uses include: printing and photo copying a County job application, a resume, personnel and benefits papers, and necessary material for County-paid courses of study.

21.1.22.3         Examples of personal uses not allowed include: toll calls, making or taking non-business calls from a County cellular phone, copying or printing, and any service for fee.  The County may opt to allow any of these uses if it sets narrow limits and requires users to repay full costs without County subsidy.

21.1.22.4         The degree or extent of personal use must always be petty or insignificant compared to use for assigned work.  Simply having idle work time does not permit or condone usage of the System or Internet for personal use.

21.1.22.5         No personal use may be made by, or on behalf of, any organization or third party, unless sanctioned by the County.

21.1.22.6         No publishing is allowed if the content or purpose is personal.  This bars personal web pages.  It bars personal postings to Internet groups, chat rooms, web pages, or list services.

21.1.22.7         No personal soliciting is allowed.  Systems may not be used to lobby, solicit, recruit, sell, or persuade for or against commercial ventures, products, religious or political causes, outside organizations, or the like.

21.1.22.8         To ensure network security, no User shall connect any device (PDA's, Pocket PC's, wireless devices, modems) to the County network or PC Workstations without prior approval by Information Technology.  A user may not put to his or her personal use any system device that the user does not employ in his or her assigned work.  No privately owned device may be connected to County systems without Information Technology authorization.  System devices taken home remain subject to this policy.

21.1.22.9         Employees may make limited personal use of their assigned microcomputers, software, and Internet access.  Example uses include brief web searches for personal research, self-study, and preparing a resume or application for a County job.  Personal use must be done during meal and rest breaks, or before or after work.  The County may permit mixed County and personal work to be done at other times.

21.1.22.10       Internet games and personally owned games may not be used at any time on County PC equipment.  Games that come with pre-loaded software (Operating System games, PDA games, etc) may be used only with County permission.  They may be permitted only during normal lunch breaks, and before or after work, not during rest breaks. They shall be used without sound and only where not visible to clients.  County owned or licensed games created to teach real, needed knowledge or skill may be used as the County allows.

21.1.22.11       Using County PCs to listen to broadcast music or videos from the Internet is strictly prohibited, except in specific instances where such material is being used for official County business.  These types of streaming broadcasts consume considerable network resources, and have considerable impact upon production usage of the network when operated.

21.1.22.12       Users are prohibited from using the County email system for subscribing to news groups or e-mail newsletters unrelated to County business.

21.1.22.13       Users are prohibited from using County systems at any time for the buying, listing, or selling of items via Internet auction sites, unless specifically related to County business.

21.1.23            The County may choose to have any users sign statements acknowledging all or parts of this policy.  The County may adopt its written policy to replace or amend this broad, County wide policy to its specific needs.  The terms of a Board policy or of a valid collective bargaining agreement shall supersede any  conflicting terms in this policy.

21.1.24            Although this rule allows de minimis use of county systems and equipment for personal use, the same may not be true under ORS Chapter 244, the Government Standard and Practices Act.  Personal use of county systems and equipment is at the user´s risk.  The County cannot indemnify nor defend a County employee accused of an ethics violation.