Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014

Transcription

1 Tenth Judicial Circuit of Florida Information Systems Acceptable Use s Polk, Hardee and Highlands Counties as of January 2014 The following guidelines define the acceptable use of information technology within the Tenth Judicial Circuit for purposes of securing such technology, resources and electronic information. PHYSICAL SECURITY Users will ensure that all computer assets (computers, monitors, laptop computers, printers, etc.) that are assigned to or regularly used by them are maintained and used in a manner consistent with their job function and such that the possibility of damage and/or loss is minimized. Computer equipment should not be removed from the workplace without proper authorization. Users will not modify the court computer equipment in any manner including, but not limited to, attaching external disk drives, external hard drives, changing the amount of memory in the computer, and attaching/installing any peripheral device or software without authorization. This section shall not apply to Information Resources personnel while performing their assigned duties. A sign out sheet will be available in court administration for equipment that may be checked out for temporary use. Permanently assigned laptop and mobile devices are excluded from sign out and are the sole responsibility of the possessor. Whenever possible all portable computing equipment (laptop computers, tablets, electronic organizers, flash drives etc.) will be maintained under the direct supervision of the user to which they are issued. The equipment should never be left unattended in locations such as airports and hotel lobbies. When the equipment must be left unsupervised, it should be made as inconspicuous as possible (i.e.: do not leave the computer sitting on the seat of an unattended vehicle). Wherever practical, the computer shall be secured with the supplied security device(s). Equipment should be brought in to the Court Technology Office for regular operating system updates and patches, as well as antivirus updates at least once every 3 months. If it is heavily used and exposed to the public Internet, then this may need to be more frequent. Computer and electronic equipment are generally delicate and shall be treated accordingly. Damage to or loss of computer electronic equipment caused by negligence and/or violation of these guidelines may result in the responsible party being charged for the repair or replacement costs.

2 OWNERSHIP OF INFORMATION, DATA, AND SOFTWARE DEFINITIONS: Information: knowledge, in any form, that has value to the court. Data: any computer information, including, but not limited to, information that has been entered into a computer, stored in a computer, or retrieved from a computer. Examples would include spreadsheet and database entries. Software: computer operating systems and programs All information and data generated or gathered by a user, in the course of their employment and/or utilizing court owned assets, shall be the intellectual property of the court. All software purchased by, licensed by, or created by the Tenth Judicial Circuit is the exclusive property of the courts and may not be transferred to, given to, or loaned to any other organization or outside individual without proper authorization. DEFINITIONS INFORMATION SECURITY Sensitive or confidential: any information, in any form, that is a considered and defined by the law as not open to the public. Sensitive information may be public, but release of this information must adhere to appropriate request for information procedures. All public information requests shall go through the Court Administrators Office for review and processing. The reason for this procedure is that all public information requests are reviewed, and exemptions where requested information is excluded/redacted must be explained to the requester. This process must be done by qualified personnel familiar with the law defining those exemptions. Sensitive or confidential information may also be contained within Criminal Justice Information systems accessed by the courts in the course of work duties. Any information that is disseminated to someone outside our organization will be required to be documented in a secondary dissemination log, which is subject to internal and external audit. Secondary

3 dissemination may only be conducted as an authorized part of an employee s work duties. Please contact Court IT to receive a secondary dissemination log. Login credentials to the network and specialized clerk/court applications allow access to critical court information. Therefore login credentials shall be secured and treated as confidential information. Passwords will be a minimum of eight (8) characters and should contain both letters and numbers. Words, names, birth dates, addresses, zip codes, telephone numbers, social security numbers, or any other easily guessed combination should not be used. User IDs and/or passwords should not be written down and kept within the general area of the computer. Users should not utilize internal passwords or substantially similar passwords on external systems (i.e.: websites, web based , etc.). The network will ask user to change their passwords every 90 days, and will not allow the user to reuse the past 10 passwords. Please report to Court Technology if you feel your password(s) has been compromised, and we will assist you in changing it and taking other security measures if necessary. Computers access will be automatically locked at a minimum of 30 of inactivity. The user must then reenter their authentication credentials to unlock the device. This process only locks the screen, and does not take the user out of any active programs. The user may lock their screens at any time by pressing ctrl-alt-delete and selecting lock computer. The loss of any computer equipment or any of the court s information will be immediately reported to the Court Technology Office who will ensure that all possible steps are taken to protect the court from further information loss. Any attempt by another person to obtain a login ID and/or password, or any other suspicious activity, will be immediately reported to Court Administration and/or the Court Technology Office. Unless specifically designated otherwise, all information is considered to be confidential. Information that is sensitive or confidential will never be disseminated, by any means, to persons outside of the court unless all of the following conditions are met: 1) The Chief Judge, Court Administrator, or other authorized Administrator expressly approves the dissemination, in advance. 2) The Sensitive, or Confidential information is: a. Encrypted, hand delivered or personally picked up by the party if a computer file, otherwise b. Sealed in an envelope or other appropriate container 3) The transmittal letter or (this does not include CJI data which must never be sent with court , but a secure CJNet account) text includes a warning to the recipient that the material is Sensitive, or Confidential and is the property of the court.

4 4) The transmittal letter or text contains a specific statement of why the recipient is receiving it, what they may do with the information, and who, if any one, they may disclose it to Sensitive/confidential information placed on flash drives or other portable devices must at a minimum be password protected and encrypted, and such device shall be work issued. No personal portable storage shall be used for this type of information. Non sensitive data may be placed on non-secured media, such as PowerPoint presentations or general non-secure information. All users should ensure that their computer files are properly backed up. A user share will be established on the court s network file server for storage of files to be automatically backed up daily. In the event the user needs to regularly back up data at the local pc, the Court Technology Office will install an appropriate backup solution, and it will be the responsibility of the user to back up the local files and the restoration thereof. All users will ensure that any material to be discarded that contains Sensitive, or Confidential information, in whole or part, will be properly and immediately destroyed. Printed material should be shredded before discarded. Computer equipment that is to be disposed of will be properly wiped of its data contents or physically destroyed by the Court Technology Office. All computers will have antivirus software installed. This software is to remain activated at all times. The Court Technology Office will ensure that the software is updated on a regular basis consistent with best business practices. The computers should be left on as virus software is updated every evening on each PC on the court s network. Any machines not left on will not receive the updates and will be at risk. The Court Technology Office will ensure that all security updates for operating systems, web browsers, server applications, and clients are installed as soon as resources allow. PERSONALLY OWNED DEVICES Access to the Court s network by personally owned devices is limited based on employee role. Most personally owned devices may be configured to receive work . Please see section on containing Criminal Justice Information (CJI). According to the new FBI standards, any portable electronic device contaminated with CJI data must be physically destroyed when the employment is terminated or the device is replaced. This includes personally owned devices by employees. Please make sure that no CJI data is flowing through to avoid risking the loss of a personally owned device once employment is terminated. This is a Federal Security Standard that does not allow exceptions. Employees can be held responsible for the leaking of any confidential CJI data on their personally owned devices. Please use a secure CJNet assigned encrypted account if job duties require transmission of CJI data. Do not copy CJI data onto personally owned devices.

5 INSTALLATION AND USE OF SOFTWARE DEFINITIONS: Software Piracy: Software piracy is utilizing software in violation of its licensing agreement. Without the prior approval of the Court Technology Office, users should not: 1) install any software on court owned computer equipment. 2) install court owned software on any non-court owned computer equipment. 3) provide copies of court owned or licensed software to unauthorized personnel. Users should not engage in any acts of software piracy The Court Technology Office shall ensure that all software installed or utilized on court equipment is properly licensed. Unlicensed software may be subject to removal, especially if it creates as security risk or interferes with business related functions on the computer. PERSONAL USE OF COMPUTER HARDWARE AND SOFTWARE DEFINITIONS: Incidental Use: Incidental use means occasional personal use that does not interfere with the court s needs or operation. Court owned computer hardware and software should be utilized for business purposes. Personal use of company assets should be limited; this includes the court's system and Internet access. Personal use should not subject the courts to civil liability, should never interfere with the court s needs, cause the courts public embarrassment, and must comply with all laws and regulations.

6 ELECTRONIC MAIL DEFINITIONS System: all means of sending and receiving electronic mail ( ), including internal and Internet (web) INCIDENTAL USE: occasional personal use that does not interfere with the court s needs or operation. GUDELINE This guideline shall apply to anyone having access to the Tenth Judicial Circuit s systems. The Tenth Judicial Circuit s system is intended for business use for the courts operations; incidental personal use of the system is permissible, but should not interfere with the operations of the court or cause undue strain upon the technology resource. The court will disclose to any party that it may be required to by law or regulation. This may include law enforcement search warrants and discovery requests in civil litigation. While a user may delete an message, copies of the may still remain on servers and backup tapes. Only court authorized encryption may be utilized. All passwords/encryption keys must be on file with the Court Technology Office prior to their utilization. Due to the potential for security breaches, users will exercise extreme caution in downloading and executing any files attached to . If the attachment is not clearly business related and/or expected from a known source, it should never be opened or executed. Such s and attachments may contain viruses. The Court Technology Office shall maintain antivirus software on the server to minimize damage from viruses and attachments. Users should not globally distribute any non-work related such as chain letters or nonwork related advertisements. The system should not be used for any purpose in violation of law or regulation. Users should not reveal their passwords to anyone. Excluding members of the Court Technology Office, users will not utilize or access accounts belonging to any other user unless they are authorized to do so by the user or other proper authority. Upon request and appropriate authorization, the Court Technology Office can allow access to accounts to more than one user. attachments will be limited to 10mb for incoming and outgoing mail. will be rejected or not send if the attachment exceeds this limit. This limit may be changed on individual accounts. Any requests for changes to the attachment limit should be sent to the Court Administrators Office.

7 Containing Criminal Justice Information User may not use any webmail or our internal mail to distribute any Criminal Justice Information (CJI). CJI data may only be transmitted using a secure encrypted assigned by the Criminal Justice Network (CJNet). Transmitting CJI data by any other means is a violation of state and federal security guidelines and may result in the removal of access to criminal justice information sources. If your job requires you to transmit CJI data, please contact Court Technology to have a CJNet setup for this purpose. DEFINITIONS INTERNET USAGE INCIDENTAL USE: occasional personal use that does not interfere with the court s needs or operations. This guideline shall apply to anyone utilizing Tenth Judicial Circuit s Internet access systems. The Florida Court s Internet access is intended to assist with the business of the courts; incidental personal use of the Internet access is permissible. Due to the drain on resources, users should minimize the use of any services that "broadcast" material via the Internet. Due to the potential for security breaches, users should not download software from the Internet unless prior approval has been obtained. Users should be mindful that Internet sites they visit collect information about visitors. This information will link the user to Tenth Judicial Circuit. Users should not visit any site that might in any way cause damage to Florida Court s image or reputation. Users should be aware that much of the material available on the Internet is copyrighted or trademarked. Other than viewing publicly available material, users will not use any material found on the Internet in any manner without first establishing that such use would not be in violation of a copyright or trademark. Internet radio and video should not be accessed unless they are for business purposes. Audio and video over the Internet uses a tremendous amount of bandwidth resources and negatively impacts the performance of the Internet for all users. FTP (File Transfer Protocol) shall only be used by the Court Technology Office or by authorized users. Internet bandwidth on the court s network is a secure connection, and therefore more restrictive than public Internet. This is required in order for our agency to access Criminal Justice Information Systems at the State, National, and International levels. We are audited annually on

8 the security of this resource. This may mean that some Internet resources may not be accessible or allowed. These guidelines are in accordance with the Federal Information Processing Standards (FIPS) 71A-1 Subsections , and the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy Sections 4.3, Personally Identifiable Information, and Section 5 regarding securing technology that accesses, stores, transmits, and logs Criminal Justice Information governed by this referenced policy.

9 Tenth Judicial Circuit of Florida USER ACKNOWLEDGMENT I have read the technology guidelines, and agree to abide by them. I further understand that these guidelines apply to me regardless of my work location and even though the computer equipment I use for work purposes may not belong to my employer (contracted/leased). Signature Printed Name Title Date **These guidelines are intended to assist the courts and court staff with outlining responsible technology.