
Departmental Policy STATE RESOURCES

(revised April 2006)

Generally. All departmental assets and resources are to be used for conducting public business, in accordance with Article 18 of Title 24, C.R.S., Governor's Executive Order D 001-99 establishing the Executive Department Code of Ethics (Jan. 15, 1999), and the Department's Ethics Policy. This policy applies to all State-owned or operated telephones, e-mail, computers (including hardware, software, and data files), printers, copiers, faxes, supplies, vehicles, facilities and other resources of any kind, including work product and work time. State resources may not be used to engage in or promote:

Unlawful discrimination in violation of the Department's Equal Opportunity Policy;
Indecent, obscene, or otherwise offensive matter;
Political activity;
Commercial activity; or
Any other unlawful activity.

Incidental use for personal or other matters within the scope of employees' employment, such as that related to professional associations, or incidental civic or charitable activities, such as food drives, blood drives, shared leave requests, and social events, are permissible. The use of any and all state resources is subject to inspection at any time at the direction of the Executive Director, Deputy Executive Director, or Division Director. A Division Director accessing an employee's telephone, e-mail, or computer records must notify the employee within 48 hours after access has been provided, unless there is a need for security because of an ongoing investigation. Employees should not expect privacy with respect to their use of state resources, which may be subject to the Colorado Open Records Act as more fully explained in the departmental policy regarding Open Records.

Telephones. Most employees have a state telephone at their work stations, and some employees may be authorized to use a state cell phone or, at the discretion of the Division Director, be reimbursed for business calls made with a personal cell phone. Employees are expected to use available online or other directories rather than incurring directory assistance charges. If personal use of a state telephone results in an additional charge, the employee must reimburse the Department upon receipt of the billing report. However, because they are widely available, employees are expected to use their own calling cards or cell phones for personal long distance calls from the office, unless alternative payment arrangements are made in advance.

E-mail. Electronic mail should be used instead of paper memoranda and other documents whenever possible. Global (department-wide) e-mails, including e-mails to all employees at 633 17th Street, are restricted to the executive management team and such other employees as a member of the team may authorize. The executive management team is responsible for ensuring that global e-mails are only authorized where appropriate, consistent with this policy. The Department provides an electronic bulletin board through the MyDPA intranet, as well as physical bulletin boards in break rooms or other common areas. Employees may post items of general interest on the bulletin boards, subject to the limitations provided in this policy and the departmental Communications Policy. No attachments may be included with electronic postings. Bulletin board postings will be cleared after 30 days. Employees may not create or forward chain e-mails, or post them on a bulletin board. Employees may not send e-mail under another employee's name without authorization. Employees shall not disclose other employees' messages, internally or externally, for the purpose of embarrassing the sender or receiver.

Even though an employee deletes an e-mail, it is still stored in a number of places, including other employees' files and system backups. A warning will be sent to an employee when his or her mailbox storage exceeds 40 MB. When the storage reaches 50 MB, the employee will not be able to send e-mail until storage is reduced. E-mails, tasks, and calendar entries will be backed up daily, and at the end of each month all e-mails more than 30 days old will be deleted. Tasks and calendar entries may be retained for no more than one year. Employees are responsible for ensuring that important messages, tasks, and calendar entries are archived in personal folders.

Computers. Each personal computer shall be configured and maintained in accordance with technical standards established by the department Chief Information Officer (CIO). No personal software applications may be installed on machines without the approval in advance of the CIO, who may have any unauthorized software removed. Employees may not connect any personally owned equipment to department computers. Remote access to any information technology system must be approved by the Division Director and the CIO. Each employee must create a confidential nine-character password consisting of a combination of letters, numbers, and symbols, which must be changed every 30 days. Employees must take security precautions including protecting their password and logging off computers before leaving the office. Employees shall not access another employee's computer, data, e-mail, or other files without a legitimate business purpose. Employees should store critical data on their division's shared information drive or their assigned network drives, because routine backups are performed on network drives. Employees should routinely review e-mails, files, and documents, deleting those that are no longer needed. Employees should not contact repair technicians or companies, or hardware and software technical support personnel. Reports of potential viruses should be sent to the Help Desk at DPAdesktopsupport@state.co.us or 303 239 HELP (4357).

Vehicles. State vehicles may not be used for recreation, personal errands, or in support of any other private purpose, including transporting persons or things unrelated to state business, except where public safety is a concern or where the use is reasonably related to state business but is so incidental that accounting for it would be unreasonable or administratively impractical, as provided in State Fleet Management rules.

In addition, in some circumstances, an employee's use of a state vehicle may be taxable commuting under the federal Internal Revenue Code. Such circumstances may include employees whose primary place of work is an assigned vehicle, or taking a vehicle home the night before an official state business trip if the trip will not begin by 7:00 the next morning, or taking a vehicle home after an official state business trip if the employee would not be returning to his or her normal work location after 5:00 that evening. The Department will use the criteria established by State Fleet Management to determine when a particular use is considered commuting. No employee may use a state vehicle for commuting purposes without the prior approval of the Executive Director or Deputy Executive Director.

Facilities. Non-governmental organizations may be granted permission to use state facilities when the use relates to the mission of the Department and its employees and does not conflict with the Department's operations, policies, or any applicable law. A non-governmental organization may be charged for the use of facilities and related expenses such as air conditioning, heating, lighting, janitorial services, or other support services, and shall be liable for any and all damages associated with its use of the facilities. No organization may use the Department's facilities without the prior written approval from the Executive Director or Deputy Executive Director.

STATE OF COLORADO
Department of Personnel & Administration

COMPUTER STANDARDS
October 26, 2006

General Ownership and Use


Ownership and Use of Computer Equipment. While the Department provides a personal computer to most employees, this computer is a business computer and is subject to all standards of care and use for Departmental computer equipment. The Department's computer systems are state resources and should be used only as permitted by the DPA State Resources Policy.

Computer Equipment Moves. Office moves and individual moves requiring the relocation of computer equipment should be scheduled a minimum of 10 days in advance with the Information Technology Unit. Only Desktop Support personnel are authorized to disconnect and move computer equipment including PCs, monitors, printers, scanners and other peripherals. The supervisor or manager in the unit that is moving will work with the Information Technology Unit to ensure the network and electrical wiring changes are ordered and complete before any move.

Computer Equipment Inventory. The Information Technology Unit maintains the inventory of computer equipment in the Department. Purchase of computer equipment requires the use and approval of appropriate procurement forms which are used by the Information Technology Unit for tracking inventory. These forms are posted on the MyDPA Employee Intranet site.

Surplusing of Computer Equipment. Each Division is responsible for the cost of surplusing of computer equipment through the State Surplus Property Program. Prior to surplusing computer equipment, the Information Technology Unit must purge the hard drive of any data and reduce the Department's computer equipment inventory. The Information Technology Unit will then make arrangements for State Surplus Property to pick up the equipment.

Inactively Used Computer Equipment. Computer equipment assigned to an employee who terminates or is on extended leave will be collected from the Division work units and brought to the Information Technology Unit for storage until the position is filled or the employee returns to work. Unused computer equipment should be returned to the Information Technology Unit inventory.

State Equipment on Department Network. Only State-owned computer equipment may be used on the Department's network. Employees may not connect any personally owned equipment to the Department's network or computer systems, including but not limited to laptops, notebooks, desktop computers, monitors, printers, external drives, jump drives, cables, PDAs, cell phones, or other devices, except as approved by the Division Director and authorized by the CIO. Contractors and vendors are required to use state owned equipment on the Department's network and to have a DPA network login account. These arrangements are made through the Information Technology Unit.

After Hours and Flex-place Computing Support. Support outside of normal business hours (Monday through Friday 7 AM - 5 PM) is limited to emergencies and the urgent needs of employees who normally work swing, graveyard, or weekend shifts. State equipment used for after hours or flex-place computing will be brought to the Information Technology Unit for repair during normal business hours.

Use of the Remedy Help Desk System for Desktop Support. Employees must submit requests for desktop support assistance through the Remedy Help Desk system. Requests are prioritized and handled based on severity of impact to the employee and the Department.

Employee Network Accounts and Privileges


Employee Network Accounts Required. Employees, contractors, vendors, volunteers and others who need DPA network access are required to have an individual employee network login account. This account is requested with the DPA Login Request form and requires approval by the employee's manager or supervisor. Accounts are created by the Information Technology Unit only. Requests for generic or guest logon accounts will not be approved.

Special User Privileges. Employees performing specialized work may need special user privileges on their personal computer. These privileges are requested by the employee's supervisor and are authorized by the Department CIO only if warranted by the employee's job assignment. Equipment issued to employees that are granted special user privileges will be audited from time to time to ensure that the device is secure and being used appropriately.

Authorized Access. Numerous computer applications and systems exist within the Department. Employees should access only files, data, and protected accounts for which they hold account logons or to which authorized access has been specifically granted.

Computer Maintenance and File Clean Up. Employees may be asked to perform minimal maintenance on their computers as needed, limited to cleaning the monitor and keyboard, deletion of cookies and temporary work files, and other maintenance and clean up tasks as recommended by the Information Technology Unit. Employees should routinely review email messages, data files and other documents and delete those that are no longer needed. Archiving techniques can be provided by the Information Technology Unit.

Hardware and Software Installation. Only Information Technology Unit staff are authorized to install hardware and software in the DPA computing environment. Employees should submit a desktop support request if hardware or software is needed. Prior to any installation, licensing and inventory will be checked for compliance and availability. If a license or hardware purchase is needed, the Information Technology Unit will provide a quote from an approved vendor to the employee who will be advised to work with the Division purchasing agent.

Hardware and Software Trial Use. Trial use of hardware, software, or systems requires approval by the Information Technology Unit and a trial agreement approved by the DPA Procurement Manager.

Conservation of Computing Resources. Employees are expected to conserve computing resources and avoid unnecessary expense in use of computer equipment, such as keeping printing to a minimum, not using the email system for unnecessary mass communications, and not abusing Internet access privileges with unnecessary and non-business related browsing. Employees are expected to use computing resources in a fair, considerate and appropriate manner so that the use of resources by one employee does not cause degradation of performance for another employee. The Information Technology Unit may set limits on an employee's use of a shared resource to ensure that resources are available for others.

Remote Computing. Working from a remote site or traveling with a laptop is a privilege approved by the employee's Division Director and authorized by the Department CIO. Remote access can be terminated at any time for misuse. Remote computing requires the use of DSL or wireless connectivity and VPN or other technology approved by the Department CIO to access the Department's network. In some cases access to specific applications will also require the approval of a security variance.

Data Retention, Backup, and Recovery


Data Retention. Files created in the course of an individual's employment are the property of the Department and should be retained appropriately based on records retention schedules consistent with DPA's Record Retention Policy. Employees are responsible for deleting unneeded or duplicate files and maintaining definitive copies of records or files of enduring value.

Storage and Backup of Files. Employees are assigned a designated file server for storage of their data. The Department's file servers are routinely backed up to tape or disk, eliminating the need for additional back up of employee data onto the C:\ drive or onto other devices, such as CD-ROM. Data should never be stored on the C:\ drive of a computer. Employees should avoid storing unnecessary data or non-business related data on state equipment.

Reviewing, Purging, and Archiving of Files. Space on servers for file storage is limited and management of backup is both complex and expensive. When an employee's file storage becomes excessive or if files have not been modified in a long time, the Information Technology Unit will contact the employee to request clean-up of unnecessary files or archiving.

Recovery of Deleted Files. A desktop support request can be submitted for recovery of a deleted file. Files that have been saved to network file servers are backed up on a routine basis. A file can only be recovered within 5 business days of deletion and must have been saved on the network at least 1 day prior to deletion. Email can only be recovered within 7 calendar days of deletion.

Disaster Recovery of Systems and Services. In the event of a disaster the Information Technology Unit will recover systems and services in order of priority as set forth in the Department's Continuity of Operations Plan or COOP or by any emergency directive from the Executive Director or Deputy Executive Director that supersedes the COOP.

Email Usage
Email Box Size. The Department's State Resources Policy describes an employee's responsibilities for use of the email system. Email box size is limited to 50 Megabytes because of system resource limitations. Employees are required to use personal folders rather than the email box for storage of email messages of enduring value. Email in your inbox, sent mail, and tasks that are over thirty days old are purged once a month. Calendar entries over one year old are purged once a year.

Automatic Forwarding of Email. In order to prevent unauthorized or inadvertent disclosure of sensitive information, automatic forwarding of email is not allowed unless approved by an employee's Division Director and authorized by the Department CIO. Sensitive information should be encrypted using encryption software installed only by the Information Technology Unit.

Email Monitoring. Anti-spam, anti-virus, and content filtering technologies are used to monitor inbound and outbound email and block or quarantine undesirable messages. IT systems and security personnel on occasion must view and analyze email messages during monitoring or investigation of system failures or security events. Employees should have no expectation of privacy for any email message and should ensure all content in email is appropriate.

Email Attachments Blocked File Extensions. Viruses and malware are easily spread through email, especially in spam, advertisements, chain email messages, and messages from non-governmental sources, such as messages from friends and family members. Because the mere act of opening the attachment can infect a computer, systems administrators have blocked several file extensions for audio files, video/movie files, executables, and scripts. Assistance with the electronic transfer of business related files may be obtained from the Information Technology Unit.

Email Accounts of Terminated Employees. Accounts for terminated employees are suspended and any existing or incoming message held for 30 days. An auto response message will be placed on the account advising the sender that the employee no longer works in the Department and asking the sender to resend the message to a person designated by the terminated employee's Division Director.

Non-State Email Systems. Use of external email systems such as Hotmail, G-Mail or Yahoo exposes the Department's computing resources to viruses and malware because they bypass the State's spam filtering, content filtering and anti-virus protection systems. An employee using state owned computer equipment is permitted to use the Department's email system only. Exceptions are made only by the Department CIO upon request of a Division Director.

Internet Usage
Internet Use and Appropriate Web Content. Employee use of the Internet is monitored by the Department to ensure appropriate use. Employees may use the Internet to access appropriate content and business related web sites. Access to inappropriate web content, such as gambling and pornography, is controlled by URL filtering software. Sometimes URLs are blocked in error. The Department CIO will unblock a specific URL upon request of the Division Director.

Streaming Audio/Video. Use of streaming or live audio/video is limited to business use only. Provision of streaming resources to others requires permission from the Department CIO. Owners of streamed content must demonstrate adherence to copyright laws and licensing terms to the Department CIO. Downloading of files, photos, wallpapers, programs, and other data is not permitted without special authorization from the Department CIO. IT systems personnel in the Department manage bandwidth and fair use of resources as equitably as possible. In most work sites bandwidth is insufficient to support multiple employees using Internet radio, a form of streaming audio, except for business related purposes. Should bandwidth monitoring show degradation of network speed due to the excessive use of Internet radio, employees will be notified to stop using Internet radio.

Security
Workstation Anti-Virus Protection. All DPA computers have Norton Anti-Virus software installed and configured to receive updates from the Department's Norton Anti-Virus server. Employees should not disable the anti-virus software and should periodically check to ensure that virus definition files are up to date. If the employee is granted permission to use removable media the employee must scan the files immediately after connecting the removable media using the Norton virus scanning feature. An employee authorized to use removable media must receive training in its use from the Information Technology Unit.

Workstation Patch and Update Management. The LANDesk patch, update, and security management system is installed on DPA computers for the maintenance of a secure and functional computing environment in the Department. Employees should take the time to allow the automatic installation of patches and updates when first notified by LANDesk but may in some cases delay the installation up to three times if the installation is disruptive to the employee's work. Any computer that is not kept up to date will be taken to the Information Technology work room for manual application of updates.

Workstation Security. When leaving the workstation unattended employees should lock their machine by pressing CTRL-ALT-DEL and clicking on lock computer or by holding the Windows key and pressing the L key. This action prevents unauthorized use of a machine and secures the machine more quickly than waiting for the 15 minute screensaver password to activate on an idle machine.

Laptop Physical Security. Laptops should be physically secured with a laptop cable or other mechanism to prevent theft. Laptops are subject to the same computer standards as desktops and may only have settings modified by the Information Technology Unit. Laptops issued in lieu of desktop PCs as well as shared laptops must be connected to the network at least once per week to receive patches and updates. Shared laptops must be brought to the Information Technology Unit on a set schedule for auditing.

Specifically Prohibited Software. Applications and software that have been determined to pose a security risk are specifically prohibited and may not be installed on DPA computer equipment. Instant messaging, chat, and games are categorically prohibited. Requests for installation of any application or software must be approved by a Division Director and authorized by the Department CIO.

Peer-to-Peer File Sharing Prohibited. Applications that allow file sharing using peer-to-peer access of the hard drive pose several risks to the Department including violation of copyright law, degradation of network performance, unintended access to sensitive data, and exposure to viruses, malware and other activities of hackers. Because of these risks P2P file sharing and downloading is prohibited.

Removable Media. Use of removable media, such as external disk drives, jump drives, CDs, diskettes, Blackberries, or PDAs must be approved by a Division Director and authorized by the Department CIO. Only state-owned equipment may be used. All external storage devices must be scanned using the anti-virus software before any files are used. Employees must be trained to use the approved device by the Information Technology Unit.

Blackberry Security. Blackberries should be password protected and the employee should make every attempt to secure the device from physical loss or theft. An employee should report a theft or loss immediately.

Wireless Devices. Use of wireless devices to access the Department's network is strictly controlled and authorized by the Department CIO upon request of the Division Director.

VPN Services. VPN services may be used after an employee is approved for use of VPN by the Division Director and authorized by the Department CIO. Use of VPN is a privilege and can be terminated at any time for misuse. Only the DPA standard client software may be used and will be installed on the workstation by the Information Technology Unit.

Incident Reporting. All DPA employees should remain alert for and aware of suspicious activity on their computers. Extreme slowness, uncontrolled mouse movement, and changes in font or formatting may be indicative of an intrusion or virus on the machine. An urgent desktop support work request should be initiated whenever suspicious activity is noted on a computer.

Incident Response. As a result of security monitoring the Information Technology Unit may contact an employee or the employee's supervisor by phone or email and ask for various urgent tasks to be performed. In most cases, the Desktop Support technician will take control of the machine using the LANDesk remote console and clean the machine of viruses, code, malware, or spyware. In some cases, the technician will ask the employee to disconnect the machine from the network, or to stop using the machine and power it off. The machine will then be transported to the Information Technology Unit for diagnosis and repair.

Secure Transmission of Sensitive and/or Confidential Email and Files. Ensuring the secure transmission of sensitive and/or confidential email and files is critical to the Department's credibility. Sensitive and/or confidential email and files must be encrypted prior to sending in an email message or must be transferred with secure FTP software approved and installed by the Information Technology Unit.

Password Protected Screensaver. Activation of a password protected screensaver after fifteen minutes of idle time is required. The password protected screensaver protects against passersby inadvertently viewing sensitive information and prevents misuse of a machine by a hacker or another employee.

Passwords for Employee Network Accounts and Applications. A minimum nine character password or passphrase composed of letters, numbers, and special characters is required for the employee network login account. The password expires every 30 days. The network accounts are set to lock after the third incorrect password attempt. Passwords for DPA and statewide applications have varying requirements which, as a user, the employee agrees to follow. Passwords should never be shared.

Power Off Computers at End of Business Day. Turning off your computer at the end of the business day or when you will be away from your desk for more than four hours helps prevent the spread of viruses, malware, and other works of hackers while the machines are unattended at night. Exceptions to this requirement are granted by the Department CIO only upon request of a Division Director.

DPA Information Technology Unit Contact Information


Email or call in requests:
DPA Desktop Support (DPA Global Address Book)
DPADesktopSupport@state.co.us
303-239-HELP (4357) from a 303 or 720 area code
1-877-632-2487 from any other area code
