The following provides basic guidance on the appropriate use of Information Technology Resources in association with your duties as an employee of the Commonwealth of Kentucky. Information Technology Resources may include, but are not limited to the following:
· Mainframe, desktop, laptop, netbook and/or tablet computers and their associated peripherals and media
· Smart phones, cell phones and pagers
· Commonwealth provided and/or developed software
· Network resources including wireless connectivity, Local and Wide Area Networks, Internet access, servers, data storage and access, etc.
· Commonwealth-provided email services
· Social media
Summaries of the CIO Enterprise Policies associated with Information Technology Resources are listed below. Please click the available links for more information. Agency-specific policies may be more restrictive than the ones summarized here. The HIPAA requirements relating to use of the Kentucky Human Resources Information System (KHRIS) are one such example. Employees are expected to familiarize themselves with these policies and document their understanding of the policies in writing when required prior to use of Commonwealth Information Technology Resources. Failure to comply with these policies could result in disciplinary action up to and including dismissal.
CIO-060 Internet and Electronic Mail Acceptable Use Policy
· State employees should use the Internet and email, when appropriate, to accomplish job responsibilities more effectively and to enrich their performance skills.
· Employees should have no expectation of personal privacy associated with email transmissions and the information they publish, store or access on the Internet using the Commonwealth’s resources.
· Employees who choose to use email to transmit sensitive or confidential information during the execution of their job duties are required to encrypt such communications using an approved product.
· Incidental personal use of Internet and email resources is permissible, but not encouraged and must adhere to the following limitations:
o It must not cause any additional expense to the Commonwealth
o It must be infrequent and brief
o It must not have any negative impact on the employee's overall productivity
o It must not interfere with the normal operation of the employee's agency or work unit
o It must not compromise the employee's agency or the Commonwealth in any way
o It must be ethical and responsible
· Without specific prior approval, the following are examples of unacceptable and/or prohibited use:
o Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, including but not limited to, the downloading, installation or distribution of pirated software, digital music and video files.
o Engaging in illegal activities or using the Internet or email for any illegal purposes.
o Using the Internet and email for personal business activities in a commercial manner such as buying or selling of commodities or services with a profit motive.
o Using resources to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws
o Using abusive or objectionable language in either public or private messages.
o Knowingly accessing pornographic sites on the Internet and disseminating, soliciting or storing sexually oriented messages or images.
o Misrepresenting, obscuring, suppressing, or replacing a user’s identity on the Internet or email. This includes the use of false or misleading subject headers and presentation of information in the distribution of email.
o Employees are not permitted to use the email account of another employee without receiving written authorization or delegated permission to do so.
o Employees are not permitted to forge email headers to make it appear as though an email came from someone else.
o Sending or forwarding chain letters or other pyramid schemes of any type.
o Sending or forwarding unsolicited commercial email (spam) including jokes.
o Soliciting money for religious or political causes, advocating religious or political opinions and endorsing political candidates.
o Making fraudulent offers of products, items, or services originating from any Commonwealth account.
o Using official resources to distribute personal information that constitutes an unwarranted invasion of personal privacy as defined in the Kentucky Open Records Act, KRS 61.870.
o Online investing, stock trading and auction services such as eBay unless the activity is for Commonwealth business.
o Developing or maintaining a personal web page on or from a Commonwealth device.
o Use of peer-to-peer (referred to as P2P) networks such as Kazaa, BitTorrent, Gnutella, Ares, Limewire and similar services.
o Any other non-business related activities that will cause congestion, disruption of networks or systems including, but not limited to, Internet games, online gaming, unnecessary Listserve subscriptions and email attachments, chat rooms and messaging services such as Internet Relay Chat (IRC), I SeeK You (ICQ), AOL Instant Messenger, MSN Messenger and similar Internet-based collaborative services.
CIO-061 Social Media Policy
· All plans for new social media sites and accounts must be approved by the agency head or cabinet secretary
· The communications office in the agency will control and approve social media accounts and retain information related to those accounts (i.e., name, password, etc.)
· Content included on social media accounts should be sent by the agency communications office to the Governor’s Communications Office for approval before posting
CIO-071 Wireless Voice and Data Services Policy
· Wireless services and devices (such as cellular telephones) provided through your agency are for official use. If a state-issued cellular telephone is used for personal use, the employee is expected to reimburse the state for those calls through their agency.
· The agency may allow an employee to use a personally owned wireless device for state business if it is deemed to be in the best interest of the state.
· Employees should avoid transmitting sensitive or confidential information over any wireless network without approved security services or encryption tools, if and when available.
· Employees using wireless devices are responsible for securing them at all times. For example: when leaving your vehicle, make sure that the doors are locked and the device is out of sight. All losses should be reported to the agency wireless coordinator immediately.
CIO-085 Storage of Confidential Information on Portable Devices and Media
· This policy requires all portable computing and storage devices containing confidential data to be encrypted
· Portable devices covered by this policy include but are not limited to: laptops, mobile telephones, MP3 players, netbooks, tablet computers, USB thumb drives and portable hard drives
· Portable Electronic Storage Media (Portable Storage) covered by this policy includes floppy disks, CDs, DVDs, Blu-ray disks, optical platters, flash memory drives, backup tapes, and other electronic storage media or devices that provide portability or mobility of data.
· The Commonwealth discourages the placement (download, copy or input) of confidential data on portable devices. Storage on such devices is permitted only if the following requirements have been satisfied:
o Use is restricted to specific individuals requiring such data to perform their job duties.
o Storage is for a limited, defined period of time as required to perform specific job duties.
o Approval has been obtained by the system/data owner for such
o Information should be abbreviated, if possible, to limit exposure (e.g., last 4 digits of the social security number)
o Sensitive data has been encrypted. Unencrypted storage of confidential data on portable devices and/or portable media is strictly prohibited.