User Policy
ARCHDIOCESE OF OKLAHOMA CITY
INFORMATION TECHNOLOGY USER POLICY
I. Definitions
- Ad-hoc network – A network created “on the fly,” usually by a wireless device being connected to another network.
- Archdiocese – The Roman Catholic Archdiocese of Oklahoma City
- Data Storage Device – Devices used to store data temporarily or permanently. This includes, but is not limited to internal and external hard drives, USB drives, DVD disks [DVD], compact disks [CD], magnetic disks such as floppy disks, zip disks, and Jaz disks, and magnetic tape media.
- DMZ – Demilitarized Zone. This is the public segment of the private network. It gives users access to the internet only and does not allow access to any production data.
- Foreign Device/Equipment – A device not supplied by the Archdiocese. This may be a personal device or a device supplied by a guest vendor or guest presenter.
- Hacker – Someone trying to defeat electronic security to gain access to secured data.
- Information Technology – Systems that generate, store, move, process, or manipulate data. This includes, but is not limited to firewalls, routers, switches, hubs, servers, personal computers, laptop computers, notebook computers, netbook computers, tablet computers, personal digital assistants [PDA], smartphones, phablets, all recording devices and recording media, and all data storage devices.
- IT – Information Technology
- Native Device/Equipment – A device supplied by the Archdiocese
- Phisher – A person or organization trying to solicit information that can be used for leverage or for an attack.
- Production Data – Data used to carry out everyday business and keep users productive.
- Production Network – The private segment of the private network. It houses, transmits, and processes the production data.
II. Ownership of Data
The Archdiocese retains full ownership of all information and data generated or stored on any IT system it owns or leases. The location of the device is irrelevant to the ownership of the data. Full ownership includes the right to dictate use of the owned data including, but not limited to deletion, modification, preservation, copying, and distribution. In addition, the Archdiocese claims ownership of all data used for official archdiocese purposes, regardless of its source of authorship or generation, its storage or distribution medium, or its location.
III. Connecting Hardware
No computing or communications hardware should be connected to the wired network or any device connected to the wired network without consultation and permission from the IT Department. Communication hardware includes but is not limited to modems, network cards, wireless network cards, wireless network devices, Bluetooth devices, smartphones, iPods, USB storage devices, etc.
Once a storage device has been approved by the IT Department, it is designated an “approved foreign device.” All approved foreign devices must be scanned for malware immediately upon each connection to native IT devices.
Surge suppressing power strips and uninterruptible power supplies [UPS] connected to IT equipment have been specifically provided to protect the power systems of the IT equipment. They should not be used to supply power to other devices – especially fans, and space heaters, as these devices can compromise the power quality supplied to the IT equipment, potentially causing damage to the equipment. Power extension cords should not be used between the wall outlet and the IT supplied surge strip or UPS.
Violations of this policy may result in the immediate removal of the equipment violating the policy from the power source. Repeated violations may result in permanent removal of the equipment from the area.
IV. Acceptable Use
A. Netiquette
Netiquette is the decorum used when using the Internet. The internet connection is a business tool provided by the Archdiocese to aide its employees and volunteers with ministry-related activities. Employees and volunteers using the Archdiocese’s resources to access the Internet represent the Archdiocese. As a result, users are expected to conduct all activities on the Internet in a professional business-like manner. Good Internet etiquette is essential to maintain the integrity of the Archdiocese’s public image. The Archdiocesan Code of Conduct states:
“All Archdiocesan Personnel are to uphold the standards of the Catholic Church in their day-to-day work and personal lives. Archdiocesan Personnel and leaders are expected to be persons of integrity and must conduct themselves in an honest and open way, free from deception or corruption in a manner consistent with the discipline and teachings of the Catholic Church. Archdiocesan Personnel are expected to follow rules of conduct that will protect the interests and safety of all, including the standards and policies set forth in this Code of Conduct and other policies of the Archdiocese.”
Accordingly, employees are prohibited from using the Internet, including but not limited to e-mail, social media, and blog sites, for the following:
• intentionally accessing pornographic or obscene materials
• expressing personal opinions on political, social, inflammatory, or volatile subjects
• sending or posting chain letters, solicitations or advertisements not related to business purposes or activities
• promoting political causes or activities
• promoting any sort of gambling
• sending or posting messages that disparage another individual or another organization
• presenting personal views as representing those of the Archbishop or Archdiocese
• sending or posting messages or material that could damage the Archbishop or Archdiocese’ image or reputation
• exchanging language that is racist, sexist or inappropriately sexually explicit
Discussing confidential or sensitive information should be avoided. It is important to remember that in the event of litigation any and all e-mail messages are subject to discovery and may be collected and reviewed by people within and outside of the organization.
B. Illegal Use
No information technology owned or possessed by the Archdiocese or located at the Catholic Pastoral Center should be used for illegal use, including but not limited to violation of copyrights, software licensing rules, property rights, or privacy of others. The technology owned by the Archdiocese is not to be used to violate any federal, state, or local laws, rules, or statutes. It is the employee’s responsibility to ensure that the materials they send and receive using the internet or other sources do not violate this policy.
C. Software/Hardware Procurement
Any software or hardware needs that a user may encounter should be referred to the IT department for evaluation and acquisition. The IT Department has partners that are able to acquire many of these services at a discounted rate from the retail price.
D. Downloading
In addition to ascertaining that no copyright, licensing, etc. restrictions are being violated, all users must take great care when downloading information from the Internet. Any files downloaded should be subjected to a virus scan before use. Users must take reasonable precautions to ensure that the integrity of the system is not compromised by downloading information and applications.
E. Data Storage
All files used or created by an employee should be saved in an appropriate network drive location, either in the user’s personal network drive or in the department’s shared network drive. When needing to collaborate with other users, OneDrive and SharePoint can be used. Once the need for collaboration is complete, the final document should be stored in the network drives. All files are to be retained in accordance with the current document retention policies.
F. Personal Use
Personal use of the Archdiocese’s systems is permitted provided that the use does not violate any part of the Information Technology Policy, interfere with the Archdiocese’s functions, hinder the Archdiocese’s productivity, or affect the productivity of the user during normal business hours.
G. Unauthorized Applications
Installation of unauthorized applications is a potential source of spyware, computer viruses, malware, and data corruption. The Archdiocese provides applications to its employees sufficient to perform the duties they are assigned. If additional applications are needed, a request is to be submitted to the IT department. Only after the IT department approves an application and has a copy of a valid license for that application is it to be installed on a computer attached to the network.
H. Reporting
To prevent the dissemination or corruption of sensitive information, any user that suspects that a computer may be infected by spyware, a virus, or any other form of malware, must contact the IT department immediately, unplug the network cable connecting the computer to the network, and cease use of that computer until it has been declared safe.
I. Enforcement
Violations of the acceptable use of the Archdiocese’s IT systems may result in disciplinary action, up to, and including, termination of employment. Employees may also be held liable for infractions of applicable local, state, federal or international laws.
V. Security
A. Login IDs, Passwords, and Encryption Keys
Each user should have a unique network login ID and a unique password that is unknown to any other person. Users should not share their passwords with anyone else. If sharing a password becomes necessary, such as with personnel performing maintenance with the permission of the IT Department, the password is considered compromised and should be changed by the user immediately after the sharing becomes unnecessary.
All user passwords are required to be changed every 365 days. Passwords should be at least fourteen characters long and should be sufficiently complex, containing at least three of the following four types of characters:
• capital letters
• lower case letters
• numerals
• symbols
Passwords suspected of compromise must be changed immediately.
Cryptographic keys used for encryption should be protected from disclosure and misuse just like passwords. Any compromised passwords or encryption keys should be reported to the IT Department as soon as possible.
B. Remote Access
Although remote access is an incredible convenience, it also creates significant security concerns. Since remote access to an individual networked workstation grants the remote user rights to the network, remote access must be rigorously restricted. No one is to grant remote access or install remote access software without explicit permission from the IT department. If remote access is allowed, it should be restricted to a limited period of time and secured with a strong, complex password so the workstation and our network is less likely to be exploited by a malicious outside entity.
Remote access granted to an outside vendor is to be strictly restricted in scope and duration. Any remote access may be monitored and there will be no expectation of privacy by any party for the duration remote access is being granted.
All users, upon request, will be granted access to our Virtual Desktop Infrastructure. This allows users to access our local infrastructure through a virtual desktop interface securely in any location. This should fulfill almost any need of remote access with very few exceptions.
C. Wireless Networking
Wireless networking, like many other conveniences, introduces additional security concerns for the production network. No wireless products should be connected to the production network. For the DMZ network, wireless access should be encrypted with at least 128-bit encryption. Ad-Hoc wireless network devices are strictly prohibited unless they are disconnected from the production network and contain no production data. Wireless passwords to a production segment of the network are subject to all qualifications and restrictions of passwords found in the “Login IDs, Passwords, and Encryption Keys” section of this document.
D. Workstation Security
When unauthorized personnel enter a user’s work area and the monitor or display is viewable, all open documents and applications displaying information that is proprietary, confidential, personal, or otherwise of a private nature should immediately be minimized to prevent the information from being disclosed.
When users leave their work area, even briefly, they should lock their system in order to secure them from unauthorized access.
It is good practice to log out of the workstation at the end of the day and to reboot your system at the end of the week. This will allow any necessary changes and updates to be pushed to your workstation on a regular basis.
E. Information Leaks
Users should not share any information about their computer system or any of the archdiocese’s IT systems with unauthorized users. Even seemingly innocuous information about a system, such as a model number or an IP address, can be used by a skilled hacker or phisher to exploit its weaknesses. All outside IT systems queries should be redirected to the IT Department. Additionally, except for backup media, presentation media, laptop and notebook PCs, PDAs, and smart phones, no data should leave the Archdiocese’s locality without explicit permission from the IT Department. When possible, all data leaving the physical location of the Catholic Pastoral Center should be encrypted.
F. Protection of Cardholder Data
Credit card information including the Primary Account Number [PAN], sensitive authentication data (CAV2/ CID/CVC2/CVV2), and PIN must never be transmitted over the network or stored on the network in an unencrypted form. This includes transmission in a file, document, or e-mail. E-mails received with this information must (1) be transcribed to an encrypted form and the original permanently deleted immediately or (2) printed and permanently deleted immediately before hand delivering to the credit card processor. Printed information containing such information should be hand delivered to the credit card processor for storage or shredding. Credit cardholder data that has been compromised or is suspected of being compromised must be reported to the compliance officer immediately.
G. Equipment Disposal
No equipment disposal should take place until the IT Department releases the equipment or media for disposal. IT equipment and used media shall be thoroughly destroyed or wiped with a Department of Defense (DoD) wipe of any data beyond the chance of recovery before leaving the Archdiocese. This process may be contracted to an outside vendor if the vendor has reasonable security and provides a proof of destruction certificate.
H. Environment
Environment is important to data integrity. Faulty power, excessive heat, excessive humidity, static discharge, smoke and other pollutants, or excessive vibration can cause data corruption or hardware failure. The environment of critical systems should be kept in a cool, dry environment, with conditioned power and no vibration. The ideal environment for end user systems is identical, but much more difficult to maintain. Power should always be conditioned with an uninterruptible power supply or surge strip. Systems should be kept in a cool environment while operating. Humidity should be kept as low as possible. Computers, including portable computers in a home environment, should be kept away from active smokers and smoky environments.
I. Training
In order to better protect the organization from cyber attacks, all users are assigned security training. Users who have not completed their assigned training may have their accounts disabled until the training is completed.
VI. Enforcement
Violations of the archdiocesan Information Technology User Policy may result in disciplinary action, up to, and including, termination of employment.