Previous Pagehome pageNext Page

Policy #:

Title:

Effective Date:

6.104

Electronic Communications

07/13/04

PURPOSE
_______________________________________________________________

To ensure that access and use of all County electronic communications (e.g., electronic mail, instant messaging, etc.) systems/applications/services are in accordance with County IT resources policies, County IT security policies, County IT security technical and operational standards, and applicable law. This policy also requires that County electronic communications systems/applications/services shall be secured to prevent unauthorized access, to prevent unintended loss or malicious destruction of data and other information, and to provide for the integrity and availability of such systems/applications/services.

 

REFERENCE
_______________________________________________________________

July 13, 2004, Board Order No. 10 – Board of Supervisors – Information Technology and Security Policies

Board of Supervisors Policy No. 3.040 – General Records Retention and Protection of Records Containing Personal and Confidential Information

Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy

Board of Supervisors Policy No. 6.101 – Use of County Information Technology Resources, including Agreement for Acceptable Use and Confidentiality of County Information Technology Resources (Acceptable Use Agreement), attached thereto

Board of Supervisors Policy No. 6.105 – Internet Usage Policy

Board of Supervisors Policy No. 6.108 – Auditing and Compliance

Board of Supervisors Policy No. 6.109 – Security Incident Reporting

Board of Supervisors Policy No. 9.015 – County Policy of Equity

Board of Supervisors Policy No. 9.040 – Investigations of Possible Criminal Activity within County Government

Health Insurance Portability and Accountability Act (HIPAA) of 1996

Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

 

POLICY
_______________________________________________________________

This policy is applicable to all County IT users.

County electronic communications are provided as a County IT resource for conducting County business purposes. Any other use must be minimal or incidental as set forth in Board of Supervisors Policy No. 6.105 – Internet Usage Policy and may not be a use which is substantial enough to result in a gain or advantage to the user or a loss to the County for which a monetary value may be estimated.

Electronic communications systems/applications/services (e.g., electronic mail, instant messaging, etc.) are provided as a County IT resource for conducting County business in accordance with Departmental policies and procedures.

The County has the right to administer any and all aspects of access to, and use of, County electronic communications systems/applications/services. Access to County electronic communications systems/applications/services is a privilege, which access may be modified or revoked at any time, without notice or consent.

County IT users cannot expect any right to privacy when using County electronic communications systems/applications/services. Having no expectation to any right to privacy includes, for example, that County IT users' access to, and use of, County electronic communications systems/applications/services may be monitored or investigated by authorized persons at any time, without notice or consent, or produced as a subject to discovery.

All electronic communications created, sent, and/or stored using County electronic communications systems/applications/services are the property of the County. All such electronic communications may be logged/stored, may be a public record, and are subject to audit, review, and discovery including, without limitation, periodic monitoring and/or investigation, by authorized persons at any time as directed by designated County Department management.

Monitoring the access to, and use of County IT resources by County IT users must be approved in accordance with applicable policies (e.g., Board of Supervisors Policies Nos. 6.108 and 9.040, and County’s Fiscal Manual) and laws on investigations. If any evidence of violation of this policy is identified, the Auditor-Controller’s Office of County Investigations must be notified immediately.

The following are examples of inappropriate access or use of County IT resources, including without limitation County electronic communication services. This is not a comprehensive list of all possible violations:

Downloading, accessing, storing, displaying or distributing software, unless approved by designated County Department management

Downloading, accessing, storing, displaying, viewing or distributing material (e.g., movies, music, software, and books) in violation of copyright laws

Downloading, accessing, storing, displaying, viewing or distributing pornography or other sexually explicit material

Soliciting participation in, or advertising scams (e.g., spamming, pyramid schemes, and “make-money-fast” schemes) to others

Posting or transmitting libelous, defamatory, fraudulent, or confidential information

Operating a private business or a non-County business related web site

Posting or transmitting to unauthorized persons any material deemed to be confidential, personal, or otherwise protected from disclosure

Participating in partisan political activities

Attempting unauthorized access to the account of another person or group on the Internet, or attempting to circumvent County security measures, or security measures taken by others connected to the Internet, regardless of whether or not such attempts are successful or result in corruption or loss of data or other information (e.g., password stealing, phishing, or whaling).

Knowingly or carelessly distributing malicious code to or from County IT resources

Accessing, creating, or distributing (e.g., via email) any offensive materials (e.g., text or images which are sexually explicit, racial, harmful, or insensitive) on County IT resources (e.g., over County-owned, leased, managed, operated, or maintained local or wide area networks; over the Internet; and over private networks), unless authorized to do so as a part of such County IT user's assigned job function (e.g., law enforcement).

County IT users shall use proper business etiquette when communicating over County electronic communications systems/applications/services.

County Departments shall take appropriate steps to protect all County electronic communication systems/applications/services from various types of security threats.

All electronic communications created, sent, and/or stored using County electronic communications systems/applications/services shall be retained in compliance with applicable Board of Supervisors policies, departmental policies, and legal requirements, but retention shall be minimized to conserve County IT resources and prevent risk of unauthorized exposure and/or disclosure.

Unless specifically authorized by designated County Department management or policy, sending, disseminating, or otherwise disclosing confidential information or personal information, is strictly prohibited. This includes, without limitation, information that is protected under HIPAA, HITECH Act, or any other confidentiality or privacy legislation.

Encryption use for email communications (e.g., create, send, store) using County electronic communications systems/applications/services may be appropriate when communicating externally to the County’s network, or required in some instances, to secure the contents of electronic communications.

Definition Reference

As used in this policy, the term “County IT resources” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “County IT user” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “County IT security” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the term “County Department” shall have the same meaning as set forth in Board of Supervisors Policy No. 6.100 – Information Technology and Security Policy.

As used in this policy, the terms "personal information" and "confidential information" shall have the same meanings as set forth in Board of Supervisors Policy No. 3.040 – General Records Retention and Protection of Records Containing Personal and Confidential Information.

Compliance

County employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-County employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to County IT resources, and other actions as well as both civil and criminal penalties.

Policy Exceptions

Requests for exceptions to this Board of Supervisors (Board) policy shall be reviewed by the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO), and shall require approval by the Board. County Departments requesting exceptions shall provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the County Department, initiatives, actions and a time-frame for achieving the minimum compliance level with the policies set forth herein. The CIO shall review such requests, confer with the requesting County Department, and place the matter on the Board's agenda along with a recommendation for Board action.

 

RESPONSIBLE DEPARTMENT
_______________________________________________________________

Chief Executive Office

 

DATE ISSUED/SUNSET DATE
_______________________________________________________________

Issue Date: July 13, 2004

Sunset Date: July 13, 2008

Review Date: August 25, 2008

Sunset Date: July 13, 2012

Review Date: July 19, 2012

Sunset Date: January 13, 2013

Review Date: June 27, 2013

Sunset Date: September 30, 2013

Review Date: September 18, 2013

Sunset Date: January 30, 2014

Review Date: January 15, 2014

Sunset Date: February 28, 2014

Review Date: February 19, 2014

Sunset Date: March 19, 2014

Review Date: March 19, 2014

Sunset Date: December 31, 2014

Review Date: January 6, 2015

Sunset Date: December 31, 2018

Previous PageNext Page