ILLINOIS DEPARTMENT OF COMMERCE AND ECONOMIC OPPORTUNITY - Computer Usage Policy
It is the policy of Illinois Department of Commerce and Economic Opportunity (DCEO) that all DCEO's technology resources are:
- Secure from unauthorized use, removal or damage;
- Protected from accidents; and
- Information contained therein is secure from unauthorized or accidental disclosure, alteration or destruction.
Note: Logging onto any DCEO system constitutes agreement with this policy.
This policy governs the security and use of DCEO technology resources. These resources include, but are not limited to, computer hardware, equipment and software, as well as information stored, processed, transmitted from, to, and through that equipment. Authorized users of DCEO ITM resources are:
- DCEO Directors, Management and Supervisors;
- All DCEO employees (full and part time);
- All contractual employees and independent contractors who are authorized to use DCEO-owned equipment or facilities; and
- All consultants or other individuals granted specific rights in connection with the performance of specific business.
Policy violations may subject the violator to civil and/or criminal penalties under the applicable laws. Violations will be considered on a case-by-case basis and could result in revocation of access and/or disciplinary actions up to and including termination of employment/contract and prosecution.
EXCEPTIONS TO THE POLICY
There shall be no departure from this policy unless the Director of the Illinois Department of Commerce and Economic Opportunity grants an exception in writing. Additionally, periodic review of exceptions will be performed by ITM as appropriate.
AUTHORIZED USE OF RESOURCES
DCEO receives and maintains reports, data request responses, files, and other information from many sources. Much of this information is confidential, proprietary, or privileged from disclosure. Each covered user has authorized access only to that information which is necessary to perform the covered user's assigned responsibilities. Unauthorized access to information other than that stated above is strictly prohibited. All users must safeguard all DCEO information and consider it proprietary and confidential unless otherwise designated. Care must be taken to ensure that information is not disseminated to unauthorized persons, or otherwise improperly disclosed, even inadvertently. When sending confidential information to shared resources, reasonable judgment must be exercised.
IDENTIFICATION AND AUTHENTICATION
All users will be assigned one or more identifiers (user IDs), which are unique to that person. Each ID issued must have a password associated with it for authentication.
The user must log on to the appropriate DCEO technology resource with the assigned user ID, and enter an associated password for authentication. Certain critical or highly confidential resources may require additional identification and authentication, such as digital signatures.
Unique user IDs with passwords, or other authentication, control access to DCEO technology resources. Passwords that allow access to the network shall be confidential and protected by assigned users to prevent unauthorized use and release of information. Password restrictions vary between systems.
The following requirements apply to passwords:
- Passwords may not be common words.
- Passwords must contain a combination of letters, special characters, and numbers.
- Passwords must be six characters or more in length.
- Passwords must be changed every 35 days.
- Passwords may not be reused within a period of 12 consecutive months.
- User accounts will be locked after three failed password attempts.
- Passwords shall be confidential and protected by assigned users to prevent unauthorized use and release of information.
- Passwords may not be written or stored where they may be readily viewed (e.g., sticky notes on the monitor or stored in text electronically).
- Computer accounts and passwords are assigned to specific users and must not be shared with others. Users are responsible for the results of any use of their assigned accounts.
In the event that a user forgets his or her own password, the Help Desk 217-524-7474 can assign a new password, if the individual can be positively identified. The new password must be changed immediately when the covered user regains access to the password-protected technology resource.
DCEO may choose to make available certain read-only public information for access through systems that do not require identification or authentication, such as the Internet.
Technology resources, including, but not limited to the various shared network drives, local disk space (C drive), diskettes, CD ROMS and computer software may be accessed by ITM Administrators to verify compliance with DCEO Policy.
All unattended PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 20 minutes or less, or by logging-off (control-alt-delete for Windows workstation). When leaving PCs, laptops and workstations, users must ensure that the displayed information cannot be viewed and that the resource cannot be utilized for inappropriate access. Logging off or using a screen saver with a password will provide an added layer of protection to limit access. When sending confidential information to shared resources (e.g. printers, network drives, facsimile machines, etc.), the users must exercise reasonable judgment to maintain confidentiality.
Shared resources normally accessed by authorized users while performing their duties must be as physically secure as possible while permitting reasonable access.
TECHNOLOGY RESOURCE SECURITY
Electronic files may be subject to disclosure under the Freedom of Information Act or other applicable law, regardless of the storage medium. No one should look at, copy, alter or destroy the electronic files of anyone else without that person's explicit permission (unless authorized or required to do so by law or regulation). The ability to access information does not imply permission to do so.
Computer software includes commercial off-the-shelf packages (e.g. word processing, spreadsheet, etc.) as well as fully or partially developed custom-designed applications. All resources owned or controlled, developed or maintained by DCEO are for official business use only. Before software is installed on DCEO computers, it must be reviewed and approved by ITM to ensure the software is compatible with other existing software and does not pose a security risk (e.g., free from computer viruses). Call ITM's Help Desk regarding software installation (217-524-7474).
USE OF COPYRIGHTED MEDIA
Users must adhere to all terms and conditions of licensing agreements governing distribution and use of media (software, audio, video, text, graphics, photographs, etc.). Violation of media license agreements and copyright laws may subject the offender to criminal prosecution and civil damages, monetary charges as well as disciplinary action up to and including discharge, where appropriate. Under no circumstance will violation of copyrights be tolerated.
PC BACKUP RESPONSIBILITIES
Network security and nightly backups protect user files stored on local area network drives. It is highly recommended that important files be stored on the network to ensure appropriate backup. It should be noted that files left open after normal work hours (8 a.m. to 5 p.m.) cannot be backed up.
Laptop users are responsible for the security and integrity of those units. Responsibility includes making regular backups of important files stored on the laptop's local disk drives, and controlling physical access to them.
The following guidelines should be followed when using laptops:
- Do not store IDs and passwords on the laptop's local drive.
- Laptops should be password protected.
- Laptops should not be left on desks after business hours unless physically secured.
- When traveling do not leave laptops unattended.
- When at the airport, never check a laptop with luggage and when passing through security checkpoints, remain alert, as many laptops are stolen during the security process.
- Laptops should never be left unattended in an unlocked vehicle. Reasonable care should be exercised to ensure that laptops left in vehicles are not visible from the outside.
- Store ID, passwords, and access tokens separately from laptop.
- Store written instructions on how to logon to networks separately from laptops.
It is the user's responsibility to ensure that any device that is not DCEO owned and is used to access DCEO technology resources has adequate security controls in place prior to accessing those resources. This includes, but is not limited to, ensuring that the client's device (the device used to access DCEO technology resources) has the latest anti-virus software and anti-virus signatures, a firewall, and the latest security-related operating system and software service packs installed.
Laptops and removable media (such as CDs and diskettes) should be maintained in a secure area and safe environment. Magnetic fields, temperature extremes, high humidity, radio frequency interference, static electricity, and contamination via particles of food, drink and smoke should be avoided at all times. Furthermore, users should safeguard informational content stored on removable media and laptops to prevent unauthorized use.
Users shall maintain a clean work area and guard against potential damage to hardware or destruction of data through spillage, carelessness, etc. Users shall exercise reasonable care to protect DCEO computing resources when traveling.
All DCEO relocation of computing resources shall be coordinated in advance through ITM's Technical Services Group. ITM's Technical Service Group is responsible for the receipt and installation of all hardware including upgrades and repossessed and returned hardware.
USE OF PERSONAL HARDWARE
When circumstances warrant, a user may bring their personally owned hardware to DCEO offices. The user is responsible for:
- Obtaining approval from the user's immediate Supervisor
- Contacting DCEO's Property Control Officer, and
- Contacting ITM to ensure that the hardware is compatible with DCEO hardware.
Employee-owned hardware should only be connected to the DCEO network with appropriate approvals. Personally owned hardware should be installed and connected to the network by ITM staff only. DCEO assumes no responsibility for employee-owned equipment.
EMPLOYEE RESIGNATION/TERMINATION/LEAVE OF ABSENCE
Access to DCEO computing resources will be immediately deactivated when a user terminates employment at DCEO. Access to DCEO's network will be removed at the beginning of any leave of absence, unless a written request for an exception is submitted to and approved by the employee's supervisor and ITM. A user must return any technology resources, including hardware, software and data files that are in his or her possession, prior to leaving the employment of DCEO. This includes deleting any DCEO software and data files that have been installed on or copied on to non-DCEO equipment.
USING THE INTERNET
The Internet is limited to State business, and reasonable use as described below. The Internet is a tool to be used in helping meet job requirements and in completing assigned tasks (e.g., obtaining information from a reliable Internet source to perform assigned duties, conduct research directly related to an assigned task, or interface with organizations who use the Internet for the dissemination of useful information).
The Internet is inherently not a secure network. Covered users must not put sensitive, privileged, proprietary or confidential information on the Internet. Such information must be protected by encryption methods approved by DCEO.
Note: Contact ITM Help Desk (Springfield 217-524-7474; Chicago 312-814-1297) if you have questions related to transmitting sensitive, privileged, proprietary or confidential information via Email and/or the Internet.
Internet usage will be considered reasonable and sufficiently related to State business if it meets all of the following criteria:
- Web sites visited do not contain content that may be reasonably considered unlawful, offensive or disruptive,
- Use does not adversely affect the performance of DCEO technology resources or the official duties of the user,
- It is of reasonable duration and frequency,
- It is in the best interest of the State in that it allows an employee to conduct reasonably necessary communications in a way that minimizes disruption of State work.
Covered users are prohibited from sending or requesting information which includes offensive or harassing statements or language, including, but not limited to, disparagement of others based on their race, national origin, sex, sexual orientation, age, disability, religious or political beliefs, etc.
ITM executes Internet blocking programs on a regular and ongoing basis. Internet blocking software denies access to websites believed to be illegal or otherwise inappropriate. Failure of the blocking program to block access to a particular web site does not necessarily imply approval of viewing the site. If access to a necessary site is blocked, the user should contact the Help Desk, and ITM will assess the request for access.
In the event that ITM finds it necessary to remove an individual's Internet privilege, the covered user is prohibited from re-enabling their Internet access. Policy violations will subject the violator to disciplinary actions up to and including termination of employment/contract.
Using state electronic mail (email) is limited to state business, and reasonable use as described below. All messages composed, sent, and received are and remain the property of the State of Illinois and as such may be viewed or accessed by appropriate Administrators at any time without consent or knowledge of the sender or receiver. If email is sent via the Internet or other unprotected network, confidential or sensitive information must be protected by encryption methods approved by DCEO.
Users are prohibited from sending or requesting information which includes offensive or harassing statements or language, including, but not limited to, disparagement of others based on their race, national origin, sex, sexual orientation, age, disability, religious or political beliefs, etc.
Reasonable use of the state email is permitted. Email use will be considered reasonable if it meets all of the following criteria:
- Messages do not contain content that may be reasonably considered unlawful, or that an individual might reasonably consider offensive or disruptive.
- Use does not adversely affect the performance of DCEO technology resources or the official duties of the covered user.
- It is of reasonable duration and frequency.
- It is in the best interest of the State in that it allows a State employee to conduct reasonably necessary communications in a way that minimizes the inconvenience to the employee and the disruption of State work.
Anyone that observes or discovers a theft or deliberate damage to DCEO technology resources must immediately notify the supervisor responsible for the equipment involved, and if that is not practical or appropriate, then higher management. The incident should be reported to the Help Desk (Springfield 217-524-7474; Chicago 312-814-1297). The Help Desk will refer the incident to the Compliance Officer for immediate investigation.
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
The list below is by no means exhaustive; it is an attempt to provide a framework for activities that fall into the category of unacceptable use.
Under no circumstances is an employee authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing DCEO-owned resources. The following activities are strictly prohibited, with no exceptions:
- Users are prohibited from installing and/or playing games on DCEO technology resources, whether loaded on the PC or over the Internet.
- Viewing or listening to non-business related Internet sites that provide a stream of data (including but not limited to music and video data streams) degrades system performance for all users and is prohibited.
- Downloading non-business related music or video files and storing them on the LAN consumes valuable network storage space and is prohibited.
Except as authorized by DCEO management, users may not use ITM resources to engage in any fund raising activity, endorse any product or services, or participate in any lobbying activity.
- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by DCEO. This type of violation may be subject to legal action.
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the end user does not have an active license is strictly prohibited. This type of violation may be subject to legal action.
- Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. ITM should be consulted prior to export of any material that is in question. This type of violation may be subject to legal action.
- Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
- Using a DCEO computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction. This type of violation may be subject to legal action.
- Making fraudulent offers of products, items, or services originating from any DCEO network. This type of violation may be subject to legal action.
- Hacking or the process of gaining unauthorized access to computer systems or networks is expressly prohibited. Circumventing user authentication or security of any host, network or account. Users may not run or configure software or hardware to allow unauthorized access.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
- Port scanning or security scanning is expressly prohibited unless prior notification and authorization is made.
- Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
- Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
- Using any program/script/command, any means, and/or sending messages of any kind, with the intent to interrupt DCEO users' productivity via the Internet/Intranet/Extranet or locally.
- Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
- Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages. This type of violation may be subject to legal action.
- Unauthorized use, or forging, of email header information.
- Creating or forwarding "chain letters," or other "pyramid" schemes of any type.
Covered users may not use ITM resources to engage in any political activity, which includes utilizing the Internet in any fashion to promote or support a candidate for political office. This activity may be distinguished from accessing a Web page that may be sponsored by a political organization to obtain information relevant to an employee's duties.
Directors, Managers and Supervisors are responsible for:
- Determining which covered users should have access to DCEO data files and applications, and what type of access (for example, the ability to change files or merely the ability to read or copy information) different covered users should have with respect to such data files and applications.
- Ensuring that all covered users understand their obligation to protect DCEO technology resources.
- Support of the Internet, Email and Computer Use Policy.
- Reporting noncompliance, that one becomes aware of, to Personnel.
SYSTEM OWNER RESPONSIBILITIES
Each application developed by ITM staff or consultants will be assigned a "System Owner." The Division representing the primary users of its informational content should be assigned as System Owner. System Owners have authority over and are responsible for:
- Identifying system requirements, security needs, availability and recovery requirements for that system.
- Ensuring that only current users are granted access to the system and that appropriate notification to ITM is distributed.
SECURITY OF COMPUTER SYSTEMS AND NETWORK RESOURCES
ITM is responsible for the overall network security, reliability, and recoverability of the Department's computer systems, informational content, and associated network resources. This includes responsibility for all system, network and workstation administration activities. Covered users are responsible for any informational content stored on their local hard drive(s) or on removable media.
The Security Officer is authorized to take immediate action upon any event that he or she feels significantly jeopardizes DCEO information systems. This includes but is not limited to utilizing security "best practices" in response to alerts issued by the Federal Bureau of Investigation, CERT Coordination Center or the Systems and Network Attack Center.
USE OF PRIVILEGED ACCESS
ITM members must, at times, have access to information stored on a user's storage resources on the LAN and to workstation's hard disk (e.g. C drive) to provide user support or to assist in monitoring or security reviews. ITM Support staff must not use that privilege for any other purpose. Any support person who uses his or her authority for other purposes, divulges confidential information, or fails to comply with the principles set forth in DCEO policy is subject to disciplinary action up to and including discharge.
LOCAL AREA NETWORK BACK-UP AND RECOVERY
ITM is responsible for backing up all data stored in the network room to facilitate recovery in the event of a malfunction or disaster. A full backup is performed weekly (on Fridays), with a differential backup every workday (Monday through Thursday).
On confirming that a security breach has occurred, the Security Compliance Officer will conduct a discreet and professional security investigation.
EMPLOYEE AND CUSTOMER IDENTITY
In the performance of its legislatively mandated duties, the Department of Commerce and Economic Opportunity (DCEO) collects and utilizes sensitive information concerning the identities of employees, vendors, and agency customers. Employees' 'identity information' includes, but is not limited to: Name; Address; Phone Number; Social Security Number; and Date of Birth. Additionally, vendors' 'identity information' includes, but is not limited to: Name; Address; Phone Number; Federal Employer Identification Number; and Social Security Number.
Sharing information regarding economic development activities is a major function of DCEO. The challenge for the Department (DCEO) is to utilize and share this information in a responsible manner.
It is the policy of DCEO that all employee, contractor, vendor, and customer identity information be used for official State of Illinois business. Under no circumstance shall DCEO employee, vendor, or customer identity information be utilized for personal profit or entertainment.
- Identity Theft: Employees, vendors, and customers with access to identity information are explicitly prohibited from disseminating such data if the intentional or unintentional result of their activity is 'identity theft'.
- Appropriate Stewardship of Identity Information: Documents and electronic media, which contain identity information, shall be stored, transported, and disposed of in a secure manner.
- Disciplinary Action: Individuals who violate the Department's policy entitled "DCCA Employee and Customer Identity Policy" are subject to disciplinary action, up to and including termination.
I have reviewed the Computer Usage Policy and agree to comply in all respects with this Policy.
Printed Name Signature Date