Department of Natural Resources Policy - Electronic Mail (E-Mail) and Internet Use
POLICY NUMBER: 04:05 SUPERSEDES: 01:04
EFFECTIVE DATE: April 19, 2005
1.0 PURPOSE
The purpose of this Policy is to describe the appropriate use of DNR e-mail, intranet, and Internet services in supporting State business.
2.0 SCOPE
Use of DNR e-mail and intranet and Internet services, hereafter referred to as “these DNR services” or “these services,” refers to the electronic transfer of data in the form of e-mail messages, data files, web pages, chat room participation, blogs, message boards, instant messages, and any other electronic files to or from DNR Information Technology (IT) systems.
This policy applies to all DNR personnel to include: DNR employees, personnel under DNR contracts, and any individual using these DNR services.
3.0 GLOSSARY OF TERMS AND ACRONYMS
Authorized DNR Supervisory Personnel: Unit Directors and above and any supervisors who report directly to the Deputy Secretary or Secretary of DNR.
Compelling Circumstances: Circumstances where failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of State policies, or significant liability to the State.
Information Technology (IT) Resources: computers; networks of computers and communications equipment; associated peripheral devices; electronic data files; e-mail messages and files; computer and network activity logs; software programs; system documentation.
Emergency Circumstances: Circumstances where time is of the essence and where there is a high probability that delaying action would result in compelling circumstances.
Substantiated Reason: Reliable evidence indicating that violation of law or of policies has occurred, as distinguished from rumor, gossip, or other unreliable evidence.
System Administrators: DNR persons working under or at the direction of the DNR Chief of Information Technology (CIT) who are responsible for the operation and integrity of the DNR network of computers and communications systems. Responsibilities include performance management, security management, and failure analysis and recovery, along with other system administrative functions.
Time-dependent Critical Operational Circumstances: Circumstances where failure to act could seriously hamper the ability of the State, the DNR and/or its IT services to function.
4.0 POLICY
These DNR services are provided for the purpose of conducting DNR business. They are to be used for execution of employees’ job responsibilities in a manner consistent with State standards of business conduct. DNR personnel using these services must respect the rights of other users, respect the integrity of the IT systems used for these services, and observe all relevant laws, regulations, and contractual obligations. DNR personnel using these services should communicate, as they would in a public meeting, in a professional manner that reflects positively on themselves, DNR, and State of Maryland government. Rules of ethical conduct and non-discriminatory behavior apply.
Access to these services is a privilege and requires that individual users act responsibly. This privilege may be wholly or partially restricted by DNR without prior notice or consent of the individual when required by and consistent with law and Departmental policy, when there is substantiated reason to believe that violations of policy or law have taken place, or under compelling or emergency circumstances.
DNR personnel who abuse the privilege of authorized access to these DNR services may be subject to disciplinary action up to and including termination. The Department also reserves the right to advise appropriate legal officials of any policy violations and, where appropriate, institute legal proceedings against violators. Misuse of these services may require financial restitution to DNR or the State for funds expended and could result in civil or criminal action.
E-mail addresses, e-mail passwords, and all messages and data sent or received using these services are the property of the State. Privacy of e-mail and data electronically transferred using DNR IT systems is not guaranteed. Under certain circumstances described herein, authorized DNR employees may inspect the content of e-mail messages, electronic files, and system activity logs. In addition, inspection may be required by contracts, discovery demands in litigation, law enforcement authorities, or the Public Information Act. DNR personnel are expected to comply with requests for copies of records in their possession that pertain to the business of DNR or whose disclosure is required to comply with applicable laws, regardless of whether such records reside on a computer housed or owned by DNR or the State. Failure to comply with such requests can lead to inspection without the employee’s consent.
Incidental and occasional personal use of these services is permitted as long as it does not interfere with normal business activities, does not violate any of the prohibitions described in section 5.2, and does not potentially embarrass the State.
5.0 GUIDELINES
5.1 Acceptable Use
Use of these services to conduct DNR business is encouraged. Acceptable uses include but are not limited to the following, as necessary to conduct DNR and State business:
- communications with Federal, State, or Local Government organizations;
- communications with DNR vendors and other private businesses;
- communications with educational institutions, state associations, government-advisory groups, and standards development activities;
- communications with DNR customers and constituents;
- communications for professional development or to maintain knowledge or skills; and
- activities authorized in writing by the DNR CIT for security or performance testing purposes.
5.2 Prohibitions
These DNR services may not be used for unlawful activities; commercial purposes not under the auspices of the DNR; personal financial gain; personal use inconsistent with guidelines contained in this policy; or uses that violate other State policies or guidelines. Unacceptable types of uses include but are not limited to:
- private for-profit activities including but not limited to solicitation of non-State business, private consulting for pay, sale of goods, and charity fundraising that does not have documented approval by the Secretary of DNR. (The DNR Intranet Bulletin Board, however, may be used to post announcements for the incidental sale or rent of personal property of DNR personnel);
- illegal or wrongful conduct, including communications which violate any laws or regulations, copyrights, patent protections, license agreements, or other intellectual property rights;
- transfer of material that is threatening, obscene, pornographic, defamatory, fraudulent, or racially, ethnically, or sexually harassing, including sexually-explicit messages, jokes, or any material that can be construed to be harmful to morale or harassment or disparagement of others based on their gender, race, age, national origin, ethnicity, or religious beliefs;
- use for political campaigns or other partisan political purposes;
- unauthorized seeking, using, or disclosing personal or confidential information, to include specific medical information about DNR personnel which is confidential even if known to co-workers of the affected personnel;
- disclosing information proprietary to any public or private organization or individual;
- use for any purpose that is against State or public policy or contrary to the State’s best interest;
- intentional seeking of information about, obtaining copies of, or modifying files or other data belonging to other users, unless explicitly authorized to do so by those users;
- attempts to gain unauthorized access to any IT facility within or outside DNR, whether successful or not, including the execution of programs which attempt to calculate or guess passwords, trick other users into disclosing their passwords, electronically eavesdrop on communications, or gain unauthorized access to computers or networks;
- any action that invades the privacy of individuals or entities that are the creators, authors, users, or subjects of information resources accessed through these services;
- misrepresenting in any manner a user’s identity, system account or computer in an e-mail message or other electronic communication, to include giving the impression that the user is representing, giving opinions, or otherwise making statements on behalf of DNR or any unit of the State;
- sending chain letters, advertisements, or personal solicitations of any type;
- sending mass mailings to individuals who have expressly asked not to be contacted in this manner;
- knowingly sharing password access to one’s own personal account or attempting to gain password access to another’s account;
- interfering with IT services by intentionally running or installing or giving another user a program intended to damage or place excessive load on IT resources, which includes but is not limited to:
  - propagation of computer viruses, Trojan horses, worms and any other agents engineered to damage system resources or cause excessive strain on them;
  - exploitation of list servers or similar broadcast systems to amplify the widespread distribution of unsolicited e-mail;
  - re-sending the same e-mail repeatedly to interfere with recipients’ use of information resources.
5.3 Encryption of individual electronic files
DNR personnel may encrypt their files only with software approved by the DNR Chief of Information Technology (CIT). This software may provide for retention by the DNR of any key necessary to access encrypted messages or may otherwise limit the degree of protection provided by encryption. The use of publicly or commercially available compression techniques used for the efficient transport of messages is not restricted by this policy.
6.0 Procedures
6.1 Allegations of Misuse
Authorized DNR supervisory personnel and system administrators who have substantiated reason to believe that misuse has occurred shall submit substantiated allegations in writing to the DNR Chief of Information Technology (CIT), and may do so without notifying the individual suspected of misuse. Allegations must be submitted directly to, and only to, the CIT on paper or via e-mail. Knowledge of the fact that allegations have been submitted to the CIT must be limited to personnel in the individual’s supervisory chain and any system administrative personnel who may have identified the alleged misuse.
Authorized DNR supervisory personnel may suspend privileges for access to these services until the alleged misuse has been investigated and resolved. DNR system administrators may also suspend privileges for access to these services, but only under compelling or emergency circumstances or time-dependent critical operational circumstances. When privileges are suspended, the employee shall be advised by authorized supervisory personnel that the reason for the suspension is under investigation and confidential.
6.2 Investigation of Alleged Misuse
On receiving an allegation of misuse, the CIT will consult with the DNR Office of the Attorney General (OAG) to determine:
- whether the substantiation is adequate to begin an investigation;
- the appropriate investigative methods which can be used;
- who will review the results of investigative activities; and
- whether the individual’s consent must be sought prior to any inspection of the individual’s e-mail or electronic files.
On determination that an investigation is needed, the CIT will provide written authorization to system administrators for the appropriate investigative actions. This authority may not be further delegated. Authorization shall be limited to the least perusal of contents and the least action necessary to resolve the allegation.
Investigative actions shall be in full compliance with the law, including the Law Enforcement Officer’s Bill of Rights. Investigative actions may include monitoring, inspection, and disclosure of the content of the individual’s e-mail and other electronic files and Internet access. Investigative actions without the consent of the individual are authorized only when there is substantiated reason to believe that violations of law or State or DNR policies have taken place or under compelling or emergency circumstances.
In the event an investigation discloses evidence of criminal activity, the CIT shall immediately consult with the OAG in order to assure agency compliance with Executive Order 01.01.2003.13, entitled, “Public Corruption and Misconduct.”
Copies of all materials which result from investigative actions, including but not limited to print-outs or electronic copies of e-mail, electronic files, and system activity logs, will be provided to authorized DNR supervisory personnel, the Director of Human Resources, and the OAG.
DNR personnel whose e-mail or other electronic files were examined without their consent shall be notified by authorized supervisory personnel of the action(s) taken and the reasons for them at the earliest opportunity consistent with law, State or Departmental policy, and investigative requirements.
6.3 Determination of Misuse and Disciplinary Action
Authorized supervisory personnel and the Director of Human Resources in consultation with the OAG will make a determination as to whether there has been misuse of these services. DNR personnel who have misused these services will be given the opportunity to explain their actions. Disciplinary action will be determined by authorized supervisory personnel and the Director of Human Resources, in consultation with the OAG, taking into consideration the individual’s explanation of his/her actions and using the appropriate disciplinary procedures provided by law.
6.4 Incidental Inspection of Electronic Data
Except as authorized elsewhere in this policy, DNR system administrative personnel are prohibited from intentionally inspecting the content of e-mail or electronic files of other DNR personnel without the permission of those personnel.
DNR system administrators may need to inspect the addresses of e-mail messages to ensure proper functioning of the e-mail system and may inadvertently see the content of e-mail messages under these circumstances. This inspection is authorized only for the purpose of re-routing or disposing of otherwise undeliverable e-mail and is limited to the least invasive level of inspection required to perform such duties.
DNR system administrators may need to examine system activity logs in the process of ensuring system performance and security. If this examination indicates possible misuse, the information shall be submitted to the CIT in accordance with section 6.1 above.
DNR system administrators are prohibited from using or disclosing personal or confidential information in DNR e-mail messages, DNR electronic files, or system activity logs except insofar as such disclosure relates to proper e-mail distribution or to managing system security and performance. Re-routed email is to be accompanied by notification to the recipient that the e-mail has been inspected for such purposes.
7.0 Roles and Responsibilities
7.1 DNR personnel
All DNR personnel are responsible for:
- understanding what constitutes misuse of DNR’s e-mail, intranet and Internet services;
- properly using these services;
- communicating in a professional manner via e-mail;
- protecting passwords to their personal accounts;
- taking precautions against introducing malicious code such as viruses and worms into their workstations or the DNR network;
- following all security guidance issued by system administrative organizations;
- reporting suspected unauthorized use of DNR IT resources to appropriate supervisory personnel.
7.2 DNR Supervisory Personnel
DNR supervisory personnel are responsible for:
- ensuring that subordinates are aware of this policy;
- being alert to and notifying authorized supervisory personnel of possible misuse of these services by DNR personnel;
- submitting written substantiation of possible misuse of these services to the DNR CIT via authorized supervisory personnel;
- responding as appropriate to possible misuse of these services as identified by system administrators;
- working in consultation with the Director of Human Resources and the OAG to determine if misuse of these services has occurred and the appropriate disciplinary action.
7.3 DNR Chief of Information Technology (CIT)
The CIT is responsible for:
- managing the security and performance of DNR IT resources, to include protecting these resources and services from disruption by misuse;
- backup and storage of DNR electronic files within operational and budgetary constraints;
- responding to allegations of misuse of these DNR services;
- consulting with the OAG to determine if there is substantiated reason to believe that misuse has occurred and the appropriate investigative actions;
- authorizing system administrators to carry out appropriate investigative actions within their IT responsibilities;
- providing the results of investigative activities to authorized supervisory personnel, the Director of Human Resources and/or OAG as appropriate;
- responding to any disciplinary actions which require changes in the access privileges of DNR personnel.
7.4 DNR Office of the Attorney General (OAG)
The OAG is responsible for:
- advising the CIT on:
  - whether the substantiation of possible misuse is adequate to justify an investigation;
  - the appropriate investigative methods which can be used;
  - whether the individual’s consent must be sought prior to any inspection of the individual’s e-mail or electronic files; and
  - who should review investigative results;
- advising authorized supervisory personnel and/or the Director of Human Resources on the appropriate disciplinary actions in response to abuses.
7.5 DNR Director of Human Resources
The Director of Human Resources is responsible for working in coordination with authorized supervisory personnel and/or the OAG to determine appropriate disciplinary actions in response to abuses of these services.
Posted April 29, 2005