Douglas County Personnel Rules

Douglas County Personnel Rule #21


21.1     Purpose. The purpose of this policy is to inform users of the appropriate and acceptable use of County information, computer systems and devices. Except as allowed under this policy, systems are for business purposes only. This policy applies to all "users" who have access to any County system. It is the responsibility of all users to know these rules and to conduct their activities accordingly. These rules are in place to protect users and Douglas County from being exposed to virus attacks, compromises of the network systems and services, and legal issues. All users play a crucial role in the overall protection of our systems, equipment, networks and information.

21.2      Definitions

Computer or computing device means any programmable electronic device that accepts data such as a server, personal computer (PC), laptop, notebook, netbook, tablet, personal digital assistant (PDA) or smartphone.

County means Douglas County acting through each of its department heads, boards, or commissions.

County systems or systems refers to all Douglas County assets owned, leased or operated by the County, used to process, compute, communicate or store information. This includes other systems accessed by or through those devices, such as the Internet and email. Examples include computing devices, software, storage devices, telephones (landline and VoIP), cellular phones, routers, network, wireless access points, voice mail systems, email systems, fax machines, pagers, copiers, recorders, transmitters, printers, scanners, and any similarly connected, or related devices. It also refers to designs, specifications, passwords, access codes, encryption codes, and any identifier for devices, users or accounts.

Encryption  is the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

External Storage Device  is any device that is not inside a computer that may be used to store digital data. Devices may include CDs, DVDs, external hard drives, USB flash drive (thumb drive), memory card, etc.

Information  is any kind of data in any form which is created, processed or stored in County systems. No matter what form information takes, it needs to be physically or systematically protected, especially if the information is confidential. Examples include communication, emails, files, records, recordings, images, graphics, transmissions, signals, programs, macros, and software.

Information Classification  is a classification given to information to promote proper controls for safeguarding the confidentiality of information. Information is typically classified as one of the following: Confidential (this includes Protected Health Information (PHI) and other sensitive information), Public Information and if not one of these categories it is considered Internal Information. These classifications will assist the County in the organization and storage of its data, for both retention and security purposes.

Information Technology Department means any person under the direction of the Information Technology Director, either staffed within the Information Technology Department, or a designee outside of the Information Technology Department approved by the respective department head and the Information Technology Director.

User means any person who has been authorized by the County to access County systems. This includes employees, contractors, consultants, vendors, temporary staff, volunteers, interns, and other authorized individuals.

21.3     Ownership Systems and information are County property. All systems and information are, and shall remain, the property of the County, subject to its sole control. No part of systems or information is, or shall become, the private property of any system user. The County owns all legal rights to control, transfer, or use of all or any part or product of its systems. All uses must comply with this policy and with all other County policies and rules that apply. Nothing in this policy shall be construed to abridge any rights of the County to control its systems, their uses, or information they contain.

21.4     No Expectation of Privacy Although users are expected to maintain the privacy and confidentiality of information to which they have access, they have no entitlement to, and should have no expectation of, privacy for any activity (business or personal) in which they engage utilizing County computing resources. The County reserves, and intends to exercise, all rights relating to information used in its systems. The County reserves the right to trace, review, audit, access, intercept, block, restrict, screen, delete, recover, restore, publish, or disclose any information, at any time without notice.

21.4.1            All information created or kept on County systems, including email, is subject to review and possible disclosure in compliance with applicable laws, including the Oregon Public Records Law, regardless of whether the content is business-related or personal.

21.4.2             County information stored on personally owned devices is also subject to the Oregon Public records Law. The use of personally owned electronic devices such as home computers, laptops, smart phones and tablets to access County internal networks may subject the device to review and possible disclosure; it is thus highly discouraged and requires explicit authorization.

21.4.3             The County may monitor all electronic communications and information contained on its systems, including all email traffic passing through its email systems, website visits, other computer transmissions, and any stored information created or received using County systems.

21.4.4               The County reserves sole discretion to decide what information is a public record. The County may disclose any public record without permission or knowledge of any systems user.

21.5     User Responsibilities

21.5.1              Read, understand and follow this policy

21.5.2             Use good judgment in applying this policy and in making decisions about the use of County systems, understanding that examples provided are to assist with interpretation and are not all-inclusive. Always seek clarification when needed.

21.5.3              Use assigned computing devices to access only information which you are specifically authorized to access as part of your job functions, communicate and collaborate with co-workers, access Internet and Intranet in order to fulfill job duties, and improve work-related skills when approved by supervisor.

21.5.4              Take reasonable steps to ensure the physical security of County systems. Report any unauthorized access, or missing, lost or stolen devices to supervisor immediately.

21.5.5              Limit personal use of computing resources to minimal, incidental use consistent with the terms of this policy not resulting in any additional costs or loss of time or resources to the County.

21.5.6              Use only County systems that you are authorized to use and only in the manner and to the extent authorized. Ability to access County systems and information does not, by itself, imply authorization to do so.

21.5.7              Protect user assigned accounts, passwords, and County systems from unauthorized use.

21.5.8              Connect portable devices to a County system only if they have been purchased by designated Department staff and are clearly marked as County property. Do not connect County devices to personal equipment.

21.5.9              Obtain prior authorization from IT to purchase, install, or download any software applications.

21.5.10              Use extreme caution when opening email from unknown sources, opening email attachments, and web browsing to protect against cyber attacks.

21.5.11            Never create, access, display, or transmit sexually explicit, indecent, offensive, harassing or intimidating, obscene, pornographic, defamatory, libelous material or material that could reasonably be considered discriminatory, offensive threatening, harassing, or intimidating, except as a necessary part of work- related activities.

21.5.12             Comply with records retention laws, rules, and County policies.

21.5.13             Comply with copyrights, licenses, contracts, intellectual property rights and laws associated with data, software programs, media, and other materials made available through County systems.

21.6     Physical Security Physical security of County information systems is important. Because of this, no member of the general public should be provided access to any County system unless that system has been configured for public access.

21.6.1              Office doors should be closed or locked, when appropriate to keep areas secure, especially those areas that are left unattended.

21.6.2              Visitors should be appropriately monitored and escorted, to ensure that they do not access restricted areas.

21.6.3              Position workstations to minimize unauthorized viewing of information.

21.6.4              Users are required to log out of the network and turn off personal computers when not in use overnight and over weekend periods, unless there is a business necessity for leaving the computer on.

21.7     User Accounts. Individual user accounts are given to a unique authorized person. Users are given role-based access to data systems based upon the necessary duties of their job or contractual obligation. It is the goal to give users access only to the minimum necessary county data to fulfill their job functions. The County may withdraw permission for any or all personal or business uses of its systems at any time without cause or explanation. No one shall grant access to systems without County authorization. Departments are responsible to define the type of information users need and work with IT to ensure appropriate controls are in place.

21.7.1            Sharing of individual user accounts by multiple people is prohibited, unless specifically authorized. Generic accounts may be created for specific approved purposes including, but not limited to, training, testing, or public workstations.

21.8     Passwords. Many County systems require passwords which are key elements of the System security strategy. Strong network passwords are required of all users. System defined requirements for minimum password length, password renewal, and password reuse applies to all users of the System. Users are responsible to protect their passwords and share them only as needed by Department management or by IT to provide system support. Users must immediately change passwords which may have become known to others or are otherwise compromised or vulnerable to being compromised.

21.8.1            Passwords are not to be posted or stored in any manner that causes them to be potentially visible or accessible to persons other than the User, including on or around a computer workstation. Devices designated as Public Access may be excluded from these requirements where business practices make it impractical.

21.8.2            Do not send passwords through email, because email is not secure. Network passwords are required to be a minimum of eight characters long and contain two of the following three criteria: capital letter; number; special character.

21.8.3            Passwords should not contain any variation of the user name, real name, or email name.

21.9     Remote Access. Remote access is restricted to business purposes only. Users may access County systems from outside the main County network only with proper authorization and through the use of County-approved remote access systems and software. Typically, Virtual Private Networking (VPN) is used, to allow the user to securely connect using the Internet, but other solutions may be authorized by IT when needed. Various programs allow remote control of computers across a network. Remote control tools are used by IT staff to support County systems, but these tools are not to be used by others unless it is authorized by IT and part of a managed solution for remote access.

21.9.1            Remote access capabilities are assigned to specific individuals and are non-transferable between users.

21.9.2            Remote access to County systems should be limited to only the minimum duration in which such access is needed, and should be immediately removed when no longer needed.

21.9.3            No user shall install, or allow an outside service provider to install any software or hardware solution that allows remote access or remote control of a device within the County network, unless authorized by IT.

21.9.4            Do not allow another user to remotely control any County system using remote meeting technology (i.e. GoToMeeting or Team Viewer). Use of any remote meeting technology should be understood, controlled, and compliant with all policies.

21.9.5            No user shall utilize any unauthorized software package or service to gain access to a device outside the County network.

21.10    Use of Computer. All computing devices are critical to daily operations and must be protected from the risks that can accompany the use of these devices. All devices are delivered to users with approved pre-installed software. Certain software components are critical to the secure operation, including anti-virus, firewalls, and computer management tools.

21.10.1            Data should be stored on network drives and not locally on a computer or on a portable device. Network drives are backed up to allow for data recovery. Local or portable devices are not backed up and data cannot be recovered in case of device failure.

21.10.2            No user should attempt to modify their desktop operating system or software applications installed on the System. This includes the use of registry editors, any type of disk management software, menu systems, screen savers, music or video players, chat systems, or other software utilities not included in the standard operating system.

21.10.3            Users are prohibited from installing or downloading any software or program onto their computing devices, without first consulting with Information Technology. In general, Information Technology is solely responsible for installation and configuration of software on computing devices. Some specialized circumstances warrant users installing and maintaining their own computer provided they do so by specific pre-agreement with Information Technology.

21.10.4            Users should consult Information Technology prior to responding to any prompt from an Internet-based source to upgrade standard components on a County computing device (i.e. Adobe Acrobat, Flash, Windows Update components, Internet Explorer updates, etc.).

21.10.5             Information Technology relies on standard configurations when restoring systems after component failures. Information Technology is not responsible for restoring any custom configurations implemented by end users in violation of this policy.

21.10.6             Users should not disable or modify the network security software placed on their system, including anti-virus software. Users connecting to the network are obligated to participate in distributed updates of these software systems.

21.10.7             Many sophisticated system monitoring and diagnostic tools are readily available through the Internet. Implementation of any of these types of system monitoring and/or diagnostic tools, such as keyboard capture, network diagnostic, scanning, "sniffing", password cracking or testing, or port mapping tools by users is prohibited, unless pre-authorized by the Information Technology Department.

21.11     Use of Portable Devices. Portable devices are any external storage device, smart phone, tablet, laptop or other mobile computing device that can connect or disconnect to network resources. Because of their portability, these devices are popular targets of theft and can become infected with viruses. A virus can infect your device and any other computer or network you are attached to and potentially damage the device and send confidential information back through the Internet. All portable devices must be purchased by IT or a designated individual in the Department and clearly marked as County property for easy identification.

21.11.1            No personal or randomly acquired (i.e. from business conference) device may be connected to County systems or VoIP telephone without first being scanned for viruses by Information Technology and then clearly marked for County use.

21.11.2            No County-owned or -approved device is to be connected to non-County equipment.

21.11.3            Use caution when traveling with a portable device, as you are responsible for the security of the device and the information stored on it. Do not leave unattended, to minimize risk of theft and unauthorized use of data. If the device must be left in a vehicle, ensure that it is not visible from the outside and that the vehicle is locked.

21.11.4            County data should not be stored on external storage devices unless specifically needed for business purposes. Only store a copy of data, not original data, since this data is not backed up and increases the chance of its being lost. Store the least data needed to perform work.

21.11.5            Confidential data should not be stored on external storage devices. If needed for business purposes the device must be encrypted using software approved by IT, to protect data from unauthorized disclosure. This is particularly true of any confidential information that could be construed to include protected health information ("PHI"), the loss of which can result in liability for multimillion-dollar administrative sanctions.

21.12     Use of Email. Email is a critical communication mechanism. Communication via email is usually less formal than other form of written correspondence, but still requires professionalism. The County email system is intended for business use only and is not intended to be used for personal communications. Information Technology Department uses tools to filter email to try to detect and block malicious software and threats to network stability. These tools, although helpful in reducing exposure to these attacks, do not catch everything.

21.12.1            Email is not secure. Any email communication containing confidential information, including protected health information must be sent using approved encryption or secure email solutions and must be authorized by the County.

21.12.2            Do not open email attachments or select a link in an email from an unknown, suspicious, or untrustworthy source. Delete these emails immediately, then delete them from your trash.

21.12.3            Accessing personal email web sites (Hotmail, Yahoo Mail, Gmail, etc.) from County systems is discouraged, but limited use is permitted if used in accordance with this policy. Personal email which traverses the County network does become subject to the same monitoring, controls, and public records rules as County email.

21.12.4            Personal email accounts should never be used for County business purposes. Use of any personal email account for business purposes may cause that account to be subject to public records laws and rules.

21.12.5            Users shall not send email or other electronic communication that attempts to hide the identity of the user or represent the user as someone else. Users shall not utilize proxy devices or servers to hide their identity or to circumvent existing security. No use of scramblers, encryption methods, remailer services, drop-boxes or identity-stripping methods is permitted without County approval, access, and control.

21.12.6            No user may attempt to access, copy, forward, delete, or alter the messages of any other user without County authorization.

21.12.7             Do not send unsolicited non-business-related email to other users. The forwarding of chain letters, junk mail, jokes and other non-County business- related information is strictly forbidden.

21.12.8            Personal devices (i.e. smart phones, tablets, computers) may be used to connect to County web mail using public Internet only if approved by the County IT Director. Use caution to not download attachments to your private device, especially confidential information. Any use of a personal device to access County email could subject the device to public records laws and rules.

21.12.9            Users are prohibited from using the County email system for subscribing to news groups or email newsletters unrelated to County business.

21.12.10            Emails directed to all County employees are only to be sent from the Information Systems director or designee. Do not "reply all" to these messages, reply to email address designated within the email, or reply directly to the sender if no alternative email is provided.

21.13     Use of Internet and Network. Access to the Internet from the County network is provided for business purposes. In order to maintain and ensure system stability as well as compliance with policies, IT uses products and processes to secure all network traffic (including Internet traffic). The purpose of these products is to filter network traffic for patterns or content that may reveal the existence of malicious software activity, attempts to gain unauthorized access to the County network, and threats to the stability, performance and availability of County systems.

21.13.1            Web browsers are pre-configured to use specific security settings. Any attempt to circumvent these settings by modifying the browser configuration is not permitted.

21.13.2            Never download files from unknown or suspicious sources to protect against malicious attacks.

21.13.3            Do not use public web calendars for County business, unless hosted on County websites.

21.13.4            Do not use third-party personal file hosting/online file transfer sites like Drop Box to transfer County information. If there is a business requirement to use this type of service to send and receive large data files, contact IT for authorization and installation.

21.13.5            Do not use Social Media for personal purposes from County-owned devices.

21.13.6            Do not use Social Media for business purposes without authorization by IT.

21.13.7            Users are prohibited from using County systems at any time for the buying, listing, or selling of items via Internet auction sites, unless specifically related to County business.

21.13.8            Using County computers to listen to broadcast music or videos from the Internet is strictly prohibited, except in specific instances where such material is being used for County business purposes. These types of streaming broadcasts consume considerable network resources and can cause significant performance problems for critical business applications.

21.14     Use of Cellular Phone. Some designated employees may be authorized to be issued a cellular phone (either cell phone or smart phone), based on business needs. Users are responsible for safe use of cellular phones.

21.14.1            Smart phones must be password-protected to avoid unauthorized use and access to data and systems.

21.14.2            No County cell phone or smart phone shall be used for personal calls, except in an emergency. Any personal calls should be limited, infrequent, and of short duration.

21.14.3            Do not use cell phones while driving (this includes all uses-text, email, talking, etc.) unless using voice-activated dialing, blue tooth, or other hands-free device.

21.14.4            Do not use cell phones while operating any moving motorized off-road equipment. Hands-free is not authorized unless equipment has been properly stopped and taken out of gear or turned off.

21.14.5            Cellular phone usage statements are subject to audit and are considered public records subject to release upon appropriate request.

21.14.6            Do not use a County cellular phone to make a call if land line phone service is available. There is no charge for a local call made from a land line phone, while local calls made or received on a cellular phone may incur charges.

21.15     Text and Instant Messaging. Text and Instant messages allow for real-time communication between devices. These methods do not provide transmission security and are not to be used to exchange confidential information, including protected health information. For business-related communication, use of County email is preferred. Policies and restrictions that apply to use of email generally also apply to the use of text and instant messaging.

21.16     Professional/Ethical Conduct. Employees are expected to reflect the County image and comply with normal standards of professional and personal courtesy and conduct in their use of email and other electronic communications. Users must abide by this rule as well as the Douglas County Employee Ethics policy (Rule #20). Uses of County systems must not be false, unlawful, offensive, or disruptive. No use shall contain profanity, vulgarity, sexual content, or character slurs. No use shall make rude or hostile reference to race, age, gender, sexual orientation, religious or political beliefs, national origin, health, or disability.

21.17     Publishing. Any dissemination of information to the public or beyond the user's area of authority must be authorized. All publishing is restricted to County business only.

21.17.1            Employee events such as charitable drives, retirements, and parties may be published with County approval.

21.17.2            No publishing is allowed if the content or purpose is personal. No personal web pages, personal postings to Internet groups, chat rooms, web pages, or list services are allowed.

21.17.3            The County may authorize a user to post queries or responses to Internet or email groups for business purposes. Comments must conform to this policy, be professional, and reflect the County's interests.

21.18     Limited Personal Use. County systems are provided to support the business of the County. Limited and reasonable use of equipment for occasional personal use is allowed to provide flexibility for users to effectively balance the demands of work with their personal needs. Personal use should not interfere with work, should be limited to infrequent incidental use, and not result in additional costs to the County. All use of County systems including personal use must be in compliance with this policy, State ethics regulations, and other County and departmental policies and guidelines.

21.18.1            Mixed County and personal uses are allowed and include, but are not limited to printing and photocopying a County job application, a resume, personnel and benefits papers, and material necessary for County-paid courses of study.

21.18.2            The degree or extent of personal use must always be petty or insignificant compared to use for assigned work. Simply having idle work time does not justify usage of the System or Internet for personal use.

21.18.3            No personal use may be made by, or on behalf of, any organization or third party, unless sanctioned by the County.

21.18.4            No personal soliciting is allowed. Systems may not be used to lobby, solicit, recruit, sell, or persuade for or against commercial ventures, products, religious or political causes, or outside organizations.

21.18.5            Internet games and personally owned games may not be used at any time on County systems.

21.19     Responsibility for Loss or Damage. You may be held personally responsible for the loss or damage of Douglas County electronic information systems due to your negligence or intentional acts. The County may, at its discretion, require you to pay the full cost of repair or replacement of the equipment. Notify IT immediately of any lost or damaged equipment.

21.20     Disposal of Systems. All County systems that can store data (i.e. computers, copiers, fax machines, cell phones, smart phones, etc.) must be appropriately "wiped" of data prior to disposal. Coordination with the Information Technology Department is required for any system disposal. Items will either be returned to IT or arrangements will be made with a certified contractor for proper disposal.

21.21     Acknowledgement. Any user that logs onto the County network, will be presented with an acknowledgement message that refers to this policy. Once accepted, the user agrees to abide by these rules and acknowledges the ramifications of violation of this policy. The terms of a more limiting Department policy, a Board policy, a valid collective bargaining agreement, or applicable law shall supersede any conflicting terms in this policy.

21.22     Government Ethics. Although this rule allows de minimis use of county systems and equipment for personal use, the same may not be true under ORS Chapter 244, the Government Standards and Practices Act. Personal use of County systems and equipment is at the user's risk. The County cannot indemnify or defend a County employee accused of an ethics violation.

21.23     Enforcement. Any violation of this policy may result in access limitation or revocation, civil or criminal prosecution, or corrective or disciplinary action up to and including termination.