WDNC Appropriate Use of IT Systems Policy



Appropriate Use of IT Systems Policy

INTRODUCTION

Within the Judiciary, information technology is not separate from the court’s mission but is a means by which the mission is completed. A critical component to ensuring the provision of ‘fair and impartial justice,’ is the protection of IT assets. Users are often the first line of defense in this effort and need to be aware of how to successfully handle that responsibility.

PURPOSE

The purpose of this document is to state the policy for the acceptable use of computer equipment and systems (internet, e-mail, social media, etc.) by employees, contractors, consultants, temporary employees and other workers authorized to use Western District of North Carolina (WDNC) resources. The policy is in place to protect the WDNC personnel and the court by increasing awareness of unacceptable IT resource usage which consequentially exposes the court to risks including virus attacks, compromise of network systems and services, and legal issues.

SCOPE

This policy applies to the use of information, electronic and computing devices, and network resources to conduct court business or interact with internal networks and business systems, whether owned or leased by the court, the employee, or a third party. All WDNC personnel are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with WDNC policies and standards, local laws and regulations. This policy applies to employees, contractors, consultants, temporary employees, interns/externs, and other workers at WDNC, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by the court.

POLICY

Judiciary employees (i.e., temporary or full-time employees to include interns, externs, and contractors who perform daily tasks to support WDNC’s business operations) are responsible for adhering to WDNC’s Appropriate Use of IT Systems Policy and Procedures.
These procedures address roles and responsibilities of IT staff and rules of use to include access restrictions, appropriate personal use of IT systems and office equipment, sanctions for non-compliance, acknowledgement of appropriate use, and training and awareness.

4.1 General and Personal Use of Government-Owned Equipment

Employees must acknowledge the system use notification message displayed before logging into the court’s network, which states: (a) they are accessing a U.S. Government information system; (b) system usage may be monitored, recorded, and subject to audit; (c) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (d) use of the system indicates consent to monitoring.

In accordance with §525.20 of the Guide to Judiciary Policy, employees are permitted limited use of court-owned equipment for personal needs if such use does not interfere with official business and involves minimal additional expense to the court.

Employees are responsible for exercising good judgment regarding the reasonableness of personal use, which should be minimal and not interfere with employee’s ability to complete his/her work assignments in a timely manner.

The court reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4.2 Unacceptable Use

Under no circumstances is an employee of the court authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing court-owned resources. The list below is by no means exhaustive, but attempts to provide a framework for activities which fall into the category of unacceptable use.
The following activities are strictly prohibited, with no exceptions:

- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by WDNC.
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which WDNC does not have an active license is strictly prohibited.
- Accessing data, a server or an account for any purpose other than conducting WDNC business, even if you have authorized access, is prohibited.
- Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
- Using a WDNC computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
- Making fraudulent offers of products, items, or services originating from any WDNC account.
- Creating security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
- Port scanning or security scanning is expressly prohibited.
- Executing any form of network monitoring which will intercept data not intended for the employee, unless this activity is a part of the employee's normal job/duty.
- Circumventing user authentication or security of any host, network, or account.
- Intentionally introducing viruses, malware, or similar technology on WDNC’s network.
- Interfering with or denying service to any user other than the employee (for example, denial of service attack).
- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
- Providing information about, or lists of, WDNC employees to parties outside the court.
- Adding unauthorized software or modifying existing court configurations. This includes jailbreaking or modifying existing court owned hardware.

4.3 Internet/Email/Social Media, and Remote Access Use

Responsibilities

Experience in the private sector and in other government agencies has revealed four principal areas of concern associated with uncontrolled access to the Internet for employees: institutional embarrassment, misperception of authority, lost productivity, and capacity demand.
When accessing the Internet from a judiciary gateway, users need to keep in mind several points:

- Use discretion and avoid accessing Internet sites which may be inappropriate or reflect badly on the judiciary;
- Those not authorized to speak on behalf of their units or the judiciary should avoid the appearance of doing so;
- Exercise judgment in the time spent on the Internet to avoid an unnecessary loss of productivity or inappropriate stress on capacity.

Access

(A) General Use

The Internet is an informal collection of government, military, commercial, and educational computer networks. It is an unsecured network of which information and Internet e-mail can be read, broadcast or published without the knowledge or consent of the author. Most sites maintain records of all users or entities accessing their resources. These records may be open to inspection and publication without the user's knowledge or consent. If the activity of the user is for a purpose other than official business, the publication of that activity could prove to be an embarrassment to the court and perhaps the entire federal judiciary. Staff should always use good judgment and remember the "Code of Conduct" when using the Internet.

(B) Acceptable Use

Intentional transmission of or receipt of any material in violation of this policy or any applicable United States or state law or regulation is prohibited. Such prohibition applies to, but is not limited to, copyrighted material, threatening or obscene material, and material protected as a trade secret. Employees are expressly forbidden from creating unauthorized satellite home pages or other similar works and are cautioned to use great care that no statements are made which may appear to express court policy or positions in an unauthorized manner.

These guidelines apply to all Internet services, including but not limited to electronic mail and Social Media.
Employees are specifically prohibited from using the Internet, Social Media or e-mail for the following purposes:

- transmitting confidential information (such as that relating to sealed cases, ongoing investigations, or procurement)
- transmitting information protected by copyright or as a trade secret
- advertising a product
- political lobbying
- making unauthorized commitments or promises which might be perceived as binding the government
- using subscription accounts or commercial services that are not expressly authorized
- posting an unauthorized home page or similar web site
- sending or displaying messages or pictures which may be perceived as offensive, harassing or discriminatory or of an obscene or sexually explicit nature
- using the network connection for commercial purposes or private gain
- using the network for illegal activities
- using the network in a manner which could reflect poorly or cause embarrassment to the judiciary

Internet e-mail is inherently unreliable, and frequently an Internet user's e-mail reading software will not be able to process attachments to the e-mail. Delivery and delivery times are not guaranteed because of unpredictable intermediary system and network outages and slowdowns. Receipt or non-receipt can only be confirmed through confirmation, such as a phone call or other direct communication. The "Receipt Requested" feature may not be honored by some systems on the Internet.

Users are encouraged to use discretion when forwarding large e-mail messages to group addresses or distribution lists. Congestion on the network can be caused by the propagation of "chain letters". Internet e-mail access grants users the ability to subscribe to a variety of e-mail news groups, list servers, and other sources of information. These services are a potentially valuable information tool.
In general, low-volume business related lists are not a problem.

Monitoring

The court, acting through either the Judges or the Unit Executive, reserves the right to review any material on user accounts and to monitor fileserver space to ensure acceptable use of IT resources. Such monitoring may be conducted without the knowledge or consent of individual users. However, no computer files of individual Judges or Magistrate Judges will be accessed without prior knowledge or permission of that Judge or Magistrate Judge. Unit Executives' files can be accessed without prior knowledge or permission ONLY on approval of the Chief Judge. Exceptions may be permitted for purposes of a formal investigation by law enforcement officials or by the Fourth Circuit Judicial Council prompted by alleged criminal or ethical violations.

All persons utilizing or accessing the court's computer system expressly consent to this monitoring. If monitoring reveals a violation of this policy or of other applicable guidelines or statutes, disciplinary action including termination of employment, where appropriate, may result. If such monitoring reveals possible criminal activity, the Chief Judge of the affected court may direct that such evidence be provided to law enforcement personnel.

Social Media

Generally, what you do on your own time is your own business. However, the court has the right to be concerned about your activities outside of work if those activities could adversely affect the interests of the court. Participation in “social media” is such an activity. The phrase “social media” refers to activities that integrate technology, telecommunications, and social interaction with words, pictures, videos, and/or audio. It includes participation in social networking sites such as Classmates, Facebook, Flickr, LinkedIn, Twitter, YouTube, personal blogs, personal websites, and many others.
It also includes activities on wikis, blogs, microblogs, file-sharing sites, podcasts, vodcasts, and virtual worlds. The challenges and risks of the social media environment are acute for persons, such as you, who work in positions where discretion and confidentiality are imperative.

The principles and guidelines applicable to the conduct of employees of the federal judiciary are set out in the Guide to Judiciary Policy and the Code of Conduct for Judicial Employees. You should be familiar with and comply with the rules and policies set out in these documents, as well as those set out in the court’s Appropriate Use of IT Systems, when participating in social media. Under these principles, you are expected to conduct yourself in a manner that does not detract from the dignity of the court, and to avoid even the appearance of impropriety. If you act contrary to these principles, you will be subject to the full range of disciplinary actions, including termination. The court establishes the following guidelines for employees to follow as they navigate social media technologies and applications:

Think before you post. A posting on the Internet—whether in the form of text, photos, videos, or audio—can remain accessible long after it is forgotten by the user. You cannot be sure that anything you post on the Internet will be “private” even with your best efforts to ensure privacy. You should not post anything on the Internet unless you would be comfortable reading about it on the front page of the newspaper.

Speak for yourself, not the court. When you post on the Internet and identify yourself as an employee of the court, whatever you say or do will reflect on the court even if you specifically state you are not speaking for the court.
Even if you do not identify yourself as an employee of the court, others may realize that you are and assume you are speaking for the court, so when you post on the Internet you always should use good judgment and careful discretion.

You should not post on social media sites anything that discloses the workings of the court or relates to issues that either are before the court or are likely to come before the court. If you become aware that you have participated in discussions about such matters, you should withdraw from the discussions and contact your supervisor immediately.

Confidentiality. In all interactions and communications via the Internet, make sure you abide by all of the court’s confidentiality and disclosure policies. To be safe, you should not disclose anything relating to court business. This includes non-confidential matters relating to the court’s internal processes and procedures. You also should make certain you respect copyright, fair use, and financial disclosure laws.

Security. You must take care to avoid posting anything on the Internet that would compromise the security of the courthouse or its personnel. You should not post pictures of court personnel or of the interior of a courthouse. You should use care when disclosing your place of employment. Do not post anything that could put you in a situation where pressure could be applied to you to corrupt the integrity of the judicial system. For example, never post anything that would give private information to the public, such as posting that a judge is on vacation and where.

Do not forget your day job. You should make sure that your on-line activities do not interfere with your job or work commitments.
You should keep in mind that, although you may participate in social media, your obligation to the court’s values and ethical standards continues after your scheduled work day.

Judges, US Probation Officers and other staff members in performance of official duties, may access social networking sites for the purpose of monitoring defendant/offender activities.

The Judicial Conference Committee on Codes of Conduct issued Advisory Opinion No. 112 with regard to social media, ethics and judicial conduct, and we incorporate this Advisory Opinion into our Social Media Policy to further clarify and enhance our policy. To summarize the opinion:

Ethical Implications of Social Media

The use of social media by judges and judicial employees raises several ethical considerations, including:

- confidentiality;
- avoiding impropriety in all conduct;
- not lending the prestige of the office;
- not detracting from the dignity of the court or reflecting adversely on the court;
- not demonstrating special access to the court or favoritism;
- not commenting on pending matters;
- remaining within restrictions on fundraising;
- not engaging in prohibited political activity; and
- avoiding association with certain social issues that may be litigated or with organizations that frequently litigate.

Conclusion

In light of the reality that users of social media can control what they post but often lack control over what others post, judges and judicial employees should regularly screen the social media websites they participate in to ensure nothing is posted that may raise questions about the propriety of the employee’s conduct, suggest the presence of a conflict of interest, detract from the dignity of the court, or, depending upon the status of the judicial employee, suggest an improper political affiliation.
We also note that the use of social media also raises significant security and privacy concerns for courts and court employees that must be considered by judges and judicial employees to ensure the safety and privacy of the court.

4.4 Remote Access/VPN

WDNC’s IT Director ensures remote access security measures are in place for the protection of the organization’s information systems. To maintain a safe and protected environment on the DCN this policy must be followed when connecting remotely.

- A Virtual Private Network (VPN) must be used when connecting any remote device to the DCN. Only VPN clients running on a device provided by the IT department are approved. Personally owned devices are prohibited from connecting to the DCN.
- Support for remote access should be provided by the IT staff. While IT staff will install appropriate software and provide set-up instructions, the user is responsible for setting up, maintaining, and removing the equipment from his/her residence. The court cannot provide Internet service in a personal residence for any reason. IT staff will not work on equipment in a user's residence. Users must test using the VPN client and be familiar with the process prior to a required work related VPN session.
- VPN connections should be terminated when not in use. Family members or any other non-judicial employee are prohibited from accessing the DCN.

Eligible for Remote Access

- Permanent employees and retired bankruptcy and magistrate judges eligible for recall.
- Court contractors who perform work requiring access to the DCN.
- Official court reporters authorized by the chief judge or his designee. Contract court reporters are prohibited from having access to the DCN.
- Temporary employees, contractors and interns can only be given access with an expiration date.

Restrictions

- Access is restricted only to those users with legitimate work-related needs.
- Vendor access is only available if it is needed to perform the required work and must be terminated once that work is complete.

PROCEDURES

WDNC’s procedures for policy implementation consist of the following components:

5.1 Roles

The following WDNC IT staff members perform tasks that facilitate the appropriate use of IT systems:

- Court Unit Information Technology Security Officer (ISO)/IT Director: Responsible for ensuring that the rules of use for WDNC IT systems are documented, maintained and distributed to all WDNC personnel.
- System Administrator: Responsible for ensuring that system access safeguards are in place in accordance with WDNC’s system access requirements and the Guide, Vol. 11, Chapter 6, Section 660: Access Restrictions.
- Network Administrator: Responsible for ensuring that network components are securely configured for local and remote access in accordance with WDNC’s Secure Network Configuration Guidelines and the Guide, Vol. 11, Chapter 6, Section 660: Access Restrictions.
- Help Desk Representatives: Responsible for helping users resolve problems with accessing WDNC’s systems and serving as a resource for questions concerning how to ensure rules of use are observed.
- Information Technology Trainer: Responsible for ensuring that WDNC’s rules of use for its IT Systems are a part of the organization’s IT training and awareness program in accordance with the Guide, Vol. 15, Ch. 3, Section 340: IT Security Training and Awareness.
5.2 Rules of Use

- Users must follow password protection requirements in accordance with WDNC’s Password Policy (i.e., users not sharing their login IDs and passwords, and setting complex passwords).
- Users follow remote access requirements in accordance with WDNC’s Remote Access Policy.
- Users are not allowed to use third-party instant messaging, chat room, peer-to-peer file sharing, or personal email accounts (i.e., Yahoo, Gmail).
- Users must use the internet in accordance with this policy.
- Users may not remove any WDNC resource from the premises without first having it assigned out to them by the custodial officer.
- Users are responsible for the resources assigned to them and must take reasonable steps to protect them. Devices should never be left in automobiles unattended.

Appropriate Personal Use of WDNC’s IT Systems and Office Equipment

WDNC allows limited and appropriate personal use of its IT systems and office equipment. Appropriate personal use consists of activities conducted by judiciary WDNC employees for reasons other than official government business that:

- Use WDNC’s government equipment, software, and business tools to include personal computers, printers and peripheral equipment (i.e., external hard drives); tablets and related applications; telephones (i.e., cell phones, office phones); facsimile machines and photocopiers; office supplies; library resources (i.e., librarian, research assistant); internet connectivity and email;
- Are not considered to be inappropriate personal use outlined in the Guide, Vol. 15, Ch. 5, Section 525.50: Inappropriate Personal Use;
- Are performed during what is considered non-work hours, such as, before or after the employee’s official workday (i.e., Monday thru Friday, 8:00am to 5:30pm), on non-workday weekends or holidays, and during lunch or other authorized breaks; and
- Cost WDNC minimal additional expense, examples include: occasional use of the telephone; using the copier to make a limited number of copies; printing a limited number of pages on office printers; limiting the use of the internet; and sending a limited number of emails.

Sanctions for Non-Compliance

The inappropriate use of WDNC’s IT systems and office equipment may result in the following sanctions in accordance with the Guide to Judiciary Policy:

- Loss or limitation of the privilege: For example, the employee is prohibited from using WDNC’s IT systems or office equipment for personal use or the employee is only allowed limited use of the phone and email for personal business.
- Disciplinary or adverse actions: The employee’s supervisor and WDNC’s human resources department will determine the disciplinary or adverse action on a case by case basis.
- Criminal penalties: Criminal penalties will be levied in accordance with statutory regulations.
- Civil penalties: Civil penalties will be levied as dictated by statutory regulations, including financial responsibility for the costs of improper use (i.e., paying for the cost of paper and a new toner cartridge for the copier after printing 2000 copies of a flyer for a personal fundraising event).

6. Acknowledgement of Appropriate Use

WDNC users must acknowledge that they have read and understand this Appropriate Use of IT Systems Policy and Procedures by signing the Appropriate Use Agreement as documented in Appendix A.

7. Awareness Training

WDNC users are trained on the information contained in the policy and procedures sections of this document when first hired, during the new employee orientation process, and thereafter once a year during WDNC’s annual security training and awareness exercise.

8. POLICY REVIEW

WDNC’s IT Director reviews the Appropriate Use of IT Systems Policy at least annually to determine if updates are needed. This review includes an analysis of all procedures to verify their continued effectiveness. Any changes to procedures are updated and used to identify new role-based training needs.

9. REVISION HISTORY

Date of Change | Responsible | Summary of Change
April, 2017 | Kent Creasy, WDNC ISO | Initial Creation
November, 2018 | Kent Creasy/Eric Howard | Adding wording to prohibit loading software and jailbreaking hardware.