13.1. Overview
..........13.1.a. The Department's
technology and communications systems (including e-mail and voicemail)
are the property of the State of West Virginia and the West Virginia
Department of Agriculture.
....................13.1.a.A.
Computing resources shall be used to carry out the legitimate business
of the State and the Department only.
....................13.1.a.B.
The sole purpose for which users may access the Internet through
the Department is to carry out the Department's legitimate business
purposes.
....................13.1.a.C.
Viewing, downloading, copying, sending, or processing information
outside the scope of Department business is prohibited.
....................13.1.a.D.
Access to the Department system is a privilege and not a right,
conditioned upon adherence to the Department's policies and rules
regarding Internet access, and access or privileges to any system
may be denied or revoked at any time for any reason without notice.
....................13.1.a.E.
Internet access through the Department network is limited to Department
employees and such other persons as the Department may specifically
authorize.
..........13.1.b. Since all
Internet transactions conducted from the Department network could
be perceived as authorized Department or State activities, Department
users must follow all applicable laws, regulations, and policies
when accessing the Internet.
..........13.1.c. Such laws
and regulations include, without limitation, those governing copyright,
defamation, privacy, publicity, and the access or use of others'
computer or communication systems.
..........13.1.d. There is no
right to privacy in the Department's technology and communications
systems.
....................13.1.d.A.
Any information placed in the system may be monitored, used, or
disclosed by authorized personnel.
....................13.1.d.B.
The Department reserves the right to access and disclose, for any
purpose, the contents of any Internet communication sent to and
from the Department's computer equipment, including, but not limited
to, e-mail.
....................13.1.d.C.
All Department users, including employees, waive any right to privacy
in Internet communications, and consent to access and disclosure
of Internet communications by authorized Department personnel.
13.2. Internet (Web) Use Policy
..........13.2.a. Guiding Principles:
....................13.2.a.A.
Information mounted on the Agriculture web-server always remains
the property and therefore responsibility of the person/group concerned.
....................13.2.a.B.
Information has a defined life requiring a "review at"
date and a "remove on" date before public release.
....................13.2.a.C.
It is the responsibility of the information owner to ensure that
their information remains current; always contact web administration.
....................13.2.a.D.
Information owners will be notified on the "review date"
that access to their information will be disabled at the "remove
on" date unless the currency is reviewed and amended.
....................13.2.a.E.
Appropriate approvals are required before information will be mounted.
....................13.2.a.F.
It is the owner's responsibility to present their information in
a form accessible from web browsers.
....................13.2.a.G.
Information system release procedures will apply ensuring that
information cannot be altered without the formal approval of the
information owner.
..........13.2.b. Web Controller
(Person who controls web server at www.wvagriculture.com):
....................13.2.b.A.
Ensuring that the information is mounted according to the owner's
requirement.
....................13.2.b.B.
Notifying the information owner that their review date has passed.
....................13.2.b.C.
Make resources available for orderly development of information.
..........13.2.c. Information
Owners:
....................13.2.c.A.
The content is maintained to ensure that it is current and accurate.
..........13.2.d. Procedures:
....................13.2.d.A.
The information must be converted to a format capable of being
accessed by a standard browser, either on the web server or other
facilities.
....................13.2.d.B.
All information to be placed on the web server must have "review
at" and "remove on" dates agreed by the organizational
head or his/her nominee.
....................13.2.d.C.
At the "review on" date, the information owner will be
notified that the information requires review.
....................13.2.d.D.
At the "remove on" date, if no action has occurred, access
to the information will be disabled.
....................13.2.d.E.
At the "review on" date or before as agreed with the information
owner, access to the information will be again permitted by the
Web Administrator.
....................13.2.d.F.
Modifications or entirely new versions will be accepted after appropriate
testing.
..........13.2.e. General Issues:
....................13.2.e.A.
The visually impaired, and/or partially visually impaired must be
kept in mind when documents are prepared.
....................13.2.e.B.
The advisability of using techniques such as Java plug-ins.
....................13.2.e.C.
All official HTML format documents must be formatted using a variant
of HTML published by a recognized international standards body.
....................13.2.e.D.
An indication of size of files such as image, sound, and digital
video should be clearly stated to indicate the download time for
a particular file.
13.3. Email Policy
..........13.3.a. Do:
....................13.3.a.A.
Use personal and professional courtesy and considerations in email.
....................13.3.a.B.
Comply with all state and federal laws.
....................13.3.a.C.
Check twice before you send.
..........13.3.b. Do Not:
....................13.3.b.A.
Send or forward chain letters or unsolicited email ("spam").
....................13.3.b.B.
Access or disclose other people's email without authorized permissions.
....................13.3.b.C.
Use email for personal financial gain (except where permitted by
academic policy).
....................13.3.b.D.
Use email to violate laws (such as unauthorized computer access
or copyright infringements).
....................13.3.b.E.
Let personal email burden IT resources.
..........13.3.c. Cautions:
....................13.3.c.A.
The department cannot, in general, protect users from receiving
electronic email they may find offensive.
....................13.3.c.B.
The security and confidentiality of email cannot be guaranteed.
Password protections are not foolproof.
....................13.3.c.C.
The department may access or disclose your email under specific
circumstances described in the policy.
....................13.3.c.D.
Backup copies may be retained for periods of time and in locations
unknown to senders and recipients for security reasons. Please create
a personal folder to store backups of your email that is older than
80 days.
....................13.3.c.E.
Messages that are not archived will be removed every 90 days.
....................13.3.c.F.
Mail box size will be set at 75MB, and a warning level at 50MB.
....................13.3.c.G.
Email will be filtered for pornography, jokes, and any other
non-business-related SPAM mail.
....................13.3.c.H.
Surf Control software will determine what mail is SPAM, not WVDA
IT Department.
..........13.3.d. Data Storage
Policy:
....................13.3.d.A.
Users are responsible for their data; maintenance will be performed
by IT Dept.
....................13.3.d.B.
All security practices will be followed as stated in the security
policy.
13.4. Unacceptable Use
..........13.4.a. The creation
or transmission (other than for properly supervised and lawful research
purposes) of any offensive, obscene or indecent images, data or
other material, or any data capable of being resolved into obscene
or indecent images or material.
..........13.4.b. The creation
or transmission of material which is designed or likely to cause
annoyance, inconvenience or needless anxiety.
..........13.4.c. The creation
or transmission of defamatory material.
..........13.4.d. The transmission
of unsolicited commercial or advertising material either to other
User Organizations, or to organizations connected to other networks,
save where that material is embedded within, or is otherwise part
of, a service to which the member of the User Organizations has
chosen to subscribe.
..........13.4.e. Deliberate
activities with any of the following characteristics:
....................13.4.e.A.
Wasting staff effort or networking resources, including time
on the end system accessible and the effort of staff involved in
the support of those systems.
....................13.4.e.B.
Corrupting or destroying other users' data.
....................13.4.e.C.
Violating the privacy of other users.
....................13.4.e.D.
Disrupting the work of other users.
....................13.4.e.E.
Introduction of viruses.
....................13.4.e.F.
Denying service to other users.
..........13.4.f. Transmission
of material that infringes on copyrights, or deliberate unauthorized
access to facilities or services accessible via WVDA network.
..........13.4.g. Compliance:
....................13.4.g.A.
It is the responsibility of WVDA IT to take steps to ensure compliance.
....................13.4.g.B.
When necessary, services may be taken from users, or violations may result in suspensions.
....................13.4.g.C.
If violation is illegal or unlawful, proper authorities will be
contacted.
13.5. Security Policy
..........13.5.a. Administration:
....................13.5.a.A.
All information resources, regardless of medium, will be used, maintained,
disclosed, and disposed of according to law, regulation, or policy.
....................13.5.a.B.
All employees and others who access computer systems will be provided
with sufficient training in policies and procedures, including security
requirements, correct use of information resources, and other organizational
controls.
....................13.5.a.C.
A document risk analysis program will be implemented and a risk
analysis will be conducted periodically.
....................13.5.a.D.
A cost effective incident response/business recovery plan will
be maintained providing for prompt and effective continuation of
critical missions in the event of a security incident.
....................13.5.a.E.
Procedures, guidelines, and mechanisms that are utilized during
a security incident, along with the roles and responsibilities of
the incident management teams, must be established and reviewed
regularly.
..........13.5.b. Access Controls:
....................13.5.b.A.
Access controls must be consistent with all state, federal, and
local laws and statutes and will be implemented in accordance with
this policy.
....................13.5.b.B.
Procedures must be implemented to protect information resources
from accidental, inadvertent, unauthorized, or malicious disclosure,
modification, or destruction.
....................13.5.b.C.
Appropriate controls must be established and maintained to protect
the confidentiality of passwords used for authentication.
....................13.5.b.D.
Individual users must have unique user ids and passwords.
....................13.5.b.E.
All employees are accountable for maintaining the security of their
user ids and passwords. In the event their employment is terminated,
user ids and authorizations will be disabled immediately.
....................13.5.b.F.
Confidential or sensitive data (i.e., credit card numbers, calling
card numbers, log on passwords, etc.) must be encrypted before being
transmitted through the Internet.
....................13.5.b.G.
The network access firewall and/or secure gateway must be configured
to deny all incoming service unless explicitly permitted.
....................13.5.b.H.
Data and supporting software necessary for the continuation of agency
functions will be periodically backed up at a frequency determined
by risk analysis.
....................13.5.b.I.
All information assets must be accounted for and will have an
assigned owner.
....................13.5.b.J.
Owners, custodians, and users of information resources must be identified
and their responsibilities defined and documented.
....................13.5.b.K.
All access to computing resources will be granted on a need-to-use
basis.
....................13.5.b.L.
Each owner or custodian of information will determine its classification
based on the circumstances and the nature of the information.
....................13.5.b.M.
The owner or custodian will determine the protective guidelines
that apply for each level of information. They include the following:
........................................13.5.b.M.(a).
Access
........................................13.5.b.M.(b).
Distribution within WVDA
........................................13.5.b.M.(c).
Distribution outside WVDA
........................................13.5.b.M.(d).
Electronic distribution
........................................13.5.b.M.(e).
Disposal/Destruction
....................13.5.b.N.
All programmable computing devices must be equipped with up-to-date
virus protection software, if available.
....................13.5.b.O.
Virus protection procedures will be developed to address system
protection.
..........13.5.c. Personnel
Practices:
....................13.5.c.A.
All IT assets, including hardware, software, and data are owned
by WVDA unless excepted by contractual agreement.
....................13.5.c.B.
Information resources are designed for authorized purposes only.
WVDA reserves the right to monitor and review employees' use as
required for legal, audit, or legitimate authorized State operational
or management purposes.
....................13.5.c.C.
All employees must sign a confidentiality statement indicating that
they have read, understand, and will abide by agency policies and
procedures regarding IT security.
....................13.5.c.D.
All employees must abide by the policies regarding acceptable and
unacceptable uses of IT resources.
..........13.5.d. Physical and
Environment Security:
....................13.5.d.A.
Information resources facilities will be physically secured by appropriate
measures. IT personnel will respond to threats to facilities and
physical resources.
....................13.5.d.B.
Security vulnerabilities will be determined and controls will be
established to detect and respond to threats to facilities and physical
resources.
....................13.5.d.C.
Critical or sensitive data handled outside of secure areas will
receive the level of protection necessary to ensure integrity and
confidentiality.
....................13.5.d.D.
Equipment will be secured and protected from physical and environmental
damage.
....................13.5.d.E.
Equipment used outside State premises will be given the same degree
of security protection as that of on-site information resource equipment.
13.6. Telephone
..........13.6.a. Purpose:
....................13.6.a.A.
To keep WVDA telephone lines open for necessary business calls.
..........13.6.b. Policy:
....................13.6.b.A.
WVDA recognizes that there may occasionally be times when personal
calls must be made or received during business hours. Such calls
must be held to a minimum, however, and must not interfere with
the employee's work. Employees are encouraged to make such calls
during their breaks or at lunchtime.
....................13.6.b.B.
When a long-distance call results in a charge, the call must be
billed to the caller's home phone number or charges reimbursed to
WVDA.
13.7. Enforcement
..........13.7.a. Any employee
found to have violated this policy may be subject to disciplinary
action, up to and including discharge.