The URL can be used to link to this page

Home My WebLink AboutComputing Devices, Electronic Mail, and Internet Use - SOPIdaho Department of Correction Standard Operating Procedure Title: Computing Devices, Electronic Mail, and Internet Use Page: 1 of 8 Control Number: 141.00.06.008 Version: 4.0 Adopted: 02/02/2001 Jeff Zmuda, deputy director, approved this document on 05/09/2019. Open to the public: Yes SCOPE This standard operating procedure (SOP) pertains to all Idaho Department of Correction (IDOC) employees. Section 4 pertains to inmates housed in IDOC facilities. Revision Summary Revision date (05/09/2019) version 4.0: Clarified section 3 regarding inappropriate downloading of attachments from unknown/unauthorized sources. Revision date (03/25/2019) version 3.0: Added section 4 prohibiting inmate use of computers or other electronic communication devices meant for staff use; also addressed inmate use of school computers. TABLE OF CONTENTS Board of Correction IDAPA Rule Number ............................................................................... 2 Policy Control Number 141 ..................................................................................................... 2 Purpose ................................................................................................................................... 2 Responsibility .......................................................................................................................... 2 Standard Procedures .............................................................................................................. 2 1. Introduction ..................................................................................................................... 2 2. Use of Computing Devices ............................................................................................. 3 3. Inappropriate Use of Computing Devices ....................................................................... 3 4. Authorized Software and Hardware ................................................................................ 4 5. Inappropriate Information and Images ............................................................................ 4 6. Internet ........................................................................................................................... 5 7. Electronic Mail ................................................................................................................ 5 8. Training ........................................................................................................................... 5 9. Confidentiality ................................................................................................................. 5 10. IT Security and Operations Access ................................................................................ 6 11. Access for Inquiry or Investigation .................................................................................. 6 Control Number: 141.00.06.008 Version: 3.0 Title: Computing Devices, Electronic Mail, and Internet Use Page Number: 2 of 8 Idaho Department of Correction 12. Violation of Policy ............................................................................................................ 7 Definitions ............................................................................................................................... 7 References .............................................................................................................................. 8 BOARD OF CORRECTION IDAPA RULE NUMBER None POLICY CONTROL NUMBER 141 Information Technology PURPOSE The purpose of this SOP is to establish standards for the use of computing devices, electronic mail, and internet for IDOC employees using department computing devices and software. The purpose of section 4 is to establish guidelines restricting inmate use of computing and other electronic communication devices. RESPONSIBILITY Director or designee The director or designee is responsible to approve this SOP and ensure its use and implementation. Chief of the Management Services Division The chief of management services or designee is responsible for overseeing and monitoring the provisions herein. IT Management The IT managers are responsible for implementing this SOP and for ensuring compliance. SIU Chief Investigator The head of the special investigations unit or designee is responsible for conducting administrative investigations regarding compliance to this policy. Deputy Attorneys General The deputy attorney general (DAG) are responsible, if authorized by the director or deputy director, to review information as described in this policy in connection with legal actions or external requests for information. STANDARD PROCEDURES 1. Introduction Technology and its applications, including the internet, continue to expand and to become more accessible. This expansion increases the opportunity for state employees to improve their productivity, effectiveness, and efficiency. However, as the use and accessibility of Control Number: 141.00.06.008 Version: 3.0 Title: Computing Devices, Electronic Mail, and Internet Use Page Number: 3 of 8 Idaho Department of Correction technology increases, so does the risk that the technology might be used inappropriately or inefficiently. Applicability These policies apply to the usage of all computing devices, peripherals, mobile devices, and software that are connected to or can be connected to the department Local Area Network (LAN), Wireless Area Network (WLAN), and/or the Wide Area Network (WAN). The management team has adopted these guidelines to govern information technology, which includes the LAN, WLAN, and WAN, to protect and prevent the abuse of state property, to ensure the continued and effective operation of the department, to promote increased employee productivity, to prevent software viruses, and to maximize the efficient use of IT staff time. 2. Use of Computing Devices IDOC staff members are encouraged to use the internet and electronic mail (e-mail) to further the mission of the department, to provide service to customers, and to promote professional development as referenced in Idaho Technology Authority (ITA) policy P1060 - Employee Personal Computer Use. Computing devices are for IDOC business use only, and staff should not expect their e-mail communications, documents, or other information to be private and should not use the e-mail system for matters that are not intended for public disclosure. Only the occasional personal use of e-mail in lieu of telecommunication is acceptable. Every employee is responsible for monitoring and prohibiting the misuse of department property. It is each employee’s responsibility to inform senders of inappropriate e-mails of the department's e-mail policy. Inappropriate use must be reported to management. 3. Inappropriate Use of Computing Devices It is unacceptable for department employees to use the facilities and capabilities of the computing devices and/or systems to:  Conduct any non-approved business  Solicit the performance of any activity that is prohibited by law  Transmit materials, information, images, or software in violation of any local, state, or federal law  Conduct any political activity  Conduct any non-department supported fund raising or public relation activity  Engage in any activity for personal gain or personal business transactions  Make any unauthorized purchases  Use any games on state government-provided computing devices and/or equipment  Place advertisements or commercial enterprises including but not limited to: goods, services, or property Control Number: 141.00.06.008 Version: 3.0 Title: Computing Devices, Electronic Mail, and Internet Use Page Number: 4 of 8 Idaho Department of Correction  Abuse electronic mail privileges  Download attachments from unknown and/or unauthorized sources  Share IDOC accounts and passwords. Do not allow someone to use your login and password and/or use someone else’s logon session  Utilize network bandwidth for non-department activities that cause slowness or disruption such as, but not limited to, streaming non-work related media, downloading music, gaming, etc. 4. Prohibited Computing/Electronic Device Usage by Inmates Inmates may not use any computer or other electronic devices meant for staff use. Any such use may result in disciplinary action. The only exception is inmate use of computers or other electronic communication devices for class or school in which case the inmate must adhere to all school and facility rules regarding their use. 5. Authorized Software and Hardware Authorized software/hardware is that which is approved/purchased by the IDOC information technology (IT) staff. Unauthorized software/hardware is that which is installed without information technology’s approval or knowledge. End users are only allowed to install authorized software from the IDOC self-service repository. Only IT staff members are authorized to:  Approve new hardware or software  Install or remove software applications  Install, remove, or change the configuration of hardware 6. Inappropriate Information and Images It is unacceptable to knowingly or intentionally submit, publish, display, transmit, retrieve, or store, on the department's network or on any department computing device and/or system, any information or image which is for non-IDOC business and:  Violates or infringes on the rights of any other person, including the right to privacy  Contains defamatory, false, inaccurate, abusive, obscene pornographic, profane, sexually oriented, threatening, racially offensive or other biases, discriminatory, or illegal materials  Violates any law, regulation, or department policy  Restricts or inhibits other users from using the system, or the efficiency of the computing device and/or systems Control Number: 141.00.06.008 Version: 3.0 Title: Computing Devices, Electronic Mail, and Internet Use Page Number: 5 of 8 Idaho Department of Correction  Encourages the use of controlled substances or uses the system for criminal or any illegal purpose  Contains statements, which might incite violence or which describe or promote the use of weapons or devices associated with terrorist activities (See section 12 for the protocol used to save inappropriate content for investigative purposes.) 7. Internet Uses of the internet must comply with appropriate laws and regulations reflective of the department’s values and integrity. Users should identify themselves properly when using the internet and conduct themselves as professional representatives of Idaho state government. Each user is individually responsible for the content of any communication sent over or placed on the internet. 8. Electronic Mail Employees are reminded that electronic mail (e-mail):  Can and probably will, be copied, saved, or seen by third parties, both internal and external to state government, so care should be given regarding content of the communication  May be monitored  Is subject to disclosure under the Idaho Public Records Act and any other department policies pertaining to records as described in the Idaho Technology Authority (ITA) policy P1040 – Employee Electronic Mail and Messaging Use Agency-Wide Distribution List Criteria and Process: E-mails sent to agency-wide distribution lists are moderated to prevent misuse, ensure relevant use for agency business, and for disk space considerations. A group of moderators are assigned the task of approving e-mails to be sent to agency-wide distribution lists. Approved e-mails sent to distribution lists are defined as agency-wide communications for business and safety concerns. E-mail sent to distribution lists that do not meet these criteria will be denied. 9. Training There will be mandatory IT training and education for all employees working at an IDOC facility. Trainings will consist of, but are not limited to: computer basics, acceptable use policy, cybersecurity awareness training as outlined by the Idaho Technology Authority ITA policy P4505 and executive order 2017-02 – Findings of the Idaho Cybersecurity Cabinet Task Force. Employees should expect training when hired and on an annual basis, randomly throughout the year, and if necessary outside training to cover security basics. 10. Confidentiality Employees who send e-mail messages containing confidential and/or privileged information must include the following statement in the body of the message: Control Number: 141.00.06.008 Version: 3.0 Title: Computing Devices, Electronic Mail, and Internet Use Page Number: 6 of 8 Idaho Department of Correction “The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete this message and any attachments from your computing device.” 11. IT Security and Operations Access IT team members have the right and responsibility (as it relates to their role/job function) to access/inspect any file stored on any electronic device that has the ability to be connected to the IDOC network (directly or indirectly) or connected to IDOC equipment. This access is required to preserve and address any immediate danger/impact to IDOC. 12. Access for Inquiry or Investigation Use of computing devices must comply with all executive orders, department policies, standard operating procedures, and state, federal, and local laws. Inappropriate use may be investigated in accordance with this SOP. The department has the right to inspect any and all files stored in secured areas of state networks, on any computing devices, or on any other storage medium that has the ability to connect to the State network (such as flash drives or external hard drives, CDs, DVDs, and other social media) in order to monitor compliance with this SOP. Inappropriate content (as described in section 6 of this SOP) used for investigation purposes must be saved on a site-specific “Investigations” directory located on the network or an external hard drive rather than the investigator’s own C or H drive. Consult your information technology department or your local investigations supervisor to find the proper location to store such content. Authorization No IDOC staff member or other individual is authorized to access files or otherwise inspect or investigate IDOC computing devices and/or storage mediums without proper authorization. Authorization to access IDOC computing devices, computing device files, storage medium, etc. must be obtained from the director or deputy director. Investigation With approval from the director or deputy director, SIU may search or review contents of state authorized electronic devices. Advanced technical computing device forensic previews, computing device, cellular telephone examinations, and real-time information is available, in conjunction with an approved investigation for the following:  Presence of inappropriate information and images (as defined in section 6) on a department computing device  Detailed methodical examination of the hard drive or media upon submittal of a department computing device to a certified computing device forensics laboratory. Control Number: 141.00.06.008 Version: 3.0 Title: Computing Devices, Electronic Mail, and Internet Use Page Number: 7 of 8 Idaho Department of Correction This also includes extremely comprehensive forensic examinations when looking for difficult-to-find evidence or for specific exculpatory or incriminating evidence.  Access to an employee’s e-mail account activity through the e-mail archive server Inquiries Based on Legal Actions and External Requests The lead deputy attorney general (DAG) assigned to the department may approve searches for litigation needs. The lead DAG will act as approver for requests submitted by his/her legal team to review information obtained from computing devices, storage medium, e-mail, computing device files, text messages, and cellular telephone data in connection with legal actions or other external requests for information. HR Inquiries The director or deputy director may authorize the HR manager or designee to review information obtained from computing devices , storage medium, e-mail, computing device files, text messages, and cellular telephone data in connection with performance, disciplinary, or legal actions or other external requests for information. Information Technology Before providing any information or assistance to the SIU, or any other person, IT staff must confirm that the director or deputy director has approved the investigation, inquiry, or access. Evidence of this approval is provided through the Investigation and Information Request electronic form process. 13. Violation of Policy Employees violating this policy are subject to disciplinary action up to and including dismissal in accordance with SOP 205.07.01.001, Corrective and Disciplinary Action and/or investigation referral to law enforcement. DEFINITIONS Computing Devices: Electronic devices controlled by a central processing unit (CPU) that can accept software, such as a computer, laptop, tablet, mobile phone, etc. Local Area Network (LAN): A network of personal computers in a small area (such as an office) that are linked by cable, can communicate directly with other devices in the network, and can share resources. Peripheral: An input device that sends data or instructions to the computer, such as a mouse, keyboard, printer, etc. Wide Area Network (WAN): A network of personal computing devices in a large area (such as statewide) that are linked by cable, can communicate directly with other devices in the network, and can share resources. Wireless Local Area Network (WLAN): A network of personal computing devices in a larger area (such as statewide) that are linked wirelessly, can communicate directly with other devices in the network, and can share resources. Control Number: 141.00.06.008 Version: 3.0 Title: Computing Devices, Electronic Mail, and Internet Use Page Number: 8 of 8 Idaho Department of Correction REFERENCES Executive Order No. 2005-22, Establishing Statewide Policies on Computer, Internet, and Electronic Mail Usage by State Employees State of Idaho, Information Technology Resource Management Council (ITRMC) Policy P1040, Employee Electronic Mail and Messaging Use State of Idaho, Information Technology Resource Management Council (ITRMC) Policy P1050, Employee Internet Use Idaho Technology Authority (ITA) policy P1060 – Employee Personal Computer Use Idaho Technology Authority (ITA) policy P4505 – Cybersecurity Awareness Training Executive Order No. 2017-02 – Findings of the Idaho Cybersecurity Cabinet Task Force – End of Document –