9-2 Information Technology Use and Security Policy Manual - Chapter IV: Use of Local Agency IT Resources and Data Policy
Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”). The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”
What's on this Page
This Policy establishes acceptable use of Local Agency Information Technology (IT) resources and data.
- General Use and Ownership
- IT Resource Monitoring
- User Access Monitoring
- No Expectation of Privacy
- Public Records Act Compliance and Records Retention
- Use of Sensitive Information
- User Accounts and Passwords
- Use of Electronic Messaging
- Use of the Internet
- Personal Use/Union Use
- Use of Authorized Software
- Use of Authorized Devices
- Unacceptable Use
A. General Use and Ownership
- Access to Local Agency IT resources may be provided for conducting Local Agency business. Access may be wholly or partially restricted without prior notice or consent of the User.
- The Data Owner retains the rights of ownership to all data created on IT resources, unless the legal ownership is otherwise defined by law.
- Local Agency IT resources and data are to be used for conducting business authorized by and related to Local Agency operations.
- Local Agency data must only be used for authorized purposes and must not be disclosed to anyone not authorized to receive such data.
- All Users of Local Agency IT resources and data must sign an acknowledgment of this Policy manual prior to being granted access.
B. IT Resource Monitoring
- Data Owners and/or Data Stewards with express consent of the Data Owner may monitor any and all aspects of Local Agency data access and use.
- Local Information Services Providers may monitor and log all activities on the IT resources they own, control or manage for security, network maintenance, and/or policy compliance.
C. User Access Monitoring
- Monitoring or investigating User access to Local Agency IT resources and data must be approved by the Data Owner, Data Steward or designee.
- County Counsel approval with the express consent of the Data Owner is required for monitoring of User’s work generated data files, Internet access logs, or electronic messaging (e.g., e-mail, and instant messaging).
- Upon request by the Data Owner, Data Steward or designee, Local Information Service Providers may monitor or investigate User access to Local Agency IT resources and data, without advance notice to the User.
D. No Expectation of Privacy
Users have no expectation of privacy when using Local Agency IT resources, or in any data they access, create, store, send or receive on any Local Agency IT resources.
E. Public Records Act Compliance and Records Retention
- Any records created while conducting Local Agency business using Local Agency IT resources, including personal and county provided mobile devices, may be subject to disclosure.
- To ensure compliance with County or Local Agency records retention policy, original Local Agency data must be stored on the Local Agency network.
F. Use of Sensitive Information
Sensitive information as defined in this Policy manual is information classified as either:
- Confidential - Information protected from use and/or disclosure by law, regulation or standard, and for which the highest level of security measures, or
- Restricted - Information that requires special precautions to protect from unauthorized use, access, or disclosure.
To protect Sensitive information against loss, unauthorized use, access, or disclosure the following must be adhered to:
- Sensitive information must only be used or disclosed as permitted by law and/or policy.
- Sensitive information that is not controlled by law or policy can only be disclosed with express consent of the Data Owner.
- Copies of Sensitive information must not be made except as required in the performance of assigned duties.
- Sensitive information must be kept out of plain sight and must not be displayed in any form when it is not being used.
- Unattended workstations must be locked or have password protected screen savers enabled in accordance with Local Information Service Provider standards.
G. User Accounts and Passwords
- User accounts and User passwords must not be shared.
- User passwords must only be created, changed and stored in accordance with established policies and standards.
H. Use of Electronic Messaging
- Users must only use assigned Local Agency electronic messaging accounts to conduct Local Agency business, and are prohibited from conducting Local Agency business using personal electronic messaging services, social media accounts or email accounts (e.g., texting, Twitter, Facebook Messenger, Yahoo, Gmail). Law enforcement and/or other Local Agency workforce may be exempted from these restrictions during the performance of legitimate job responsibilities.
I. Use of the Internet
- Local Agency IT resources that allow access to the Internet are provided to facilitate the effective and efficient use of Local Agency business. With Local Agency approval, Users are permitted access to the Internet to assist in the performance of their assigned duties, and must comply with all acceptable use described in this Policy and any other Local Agency or County Policy.
J. Personal Use/Union Use
Except as otherwise stated, reasonable and limited personal use of Local Agency IT resources or use of Local Agency e-mail between recognized County unions and Local Agency workforce is allowed under the following circumstances:
- Does not involve unacceptable use as defined in section IV.N of this Policy or in any other County Policy;
- Does not interfere with Local Agency IT resources; and
- Does not interfere with the User’s job performance and/or obligations as a public employee.
K. Use of Authorized Software
All software installation and use must conform to licensing restrictions. The installation or distribution of software products that are not appropriately licensed for use by the Local Agency, or that violate the rights of any person or organization protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, “pirated” or other software, is prohibited.
- Only software that has been installed by the Local Information Services Provider or other authorized individuals may be used.
- Software purchased by the Local Agency must not be loaded on a personally owned device, unless specifically authorized by the Local Agency Department Head/General Manager and/or Designee and the manufacturer's licensing agreement.
L. Use of Authorized Devices
- To maintain the security of the Local Agency network, only devices authorized by the Local Information Service Provider may be connected. Any device found to be in violation of this Policy is subject to immediate disconnection from the Local Agency network.
M. Unacceptable Use
Any use which violates federal, state or local laws, or Local Agency or County policies, is prohibited. Law enforcement and/or other Local Agency workforce may be exempted from these restrictions during the performance of legitimate job responsibilities.
The following activities are prohibited on Local Agency IT resources; examples include, but are not limited to:
- Representing yourself as someone else, real or fictional, or sending information anonymously;
- Sending messages or accessing data with content that violates any county policies, rules or other applicable laws;
- Sending messages or accessing data that contain inappropriate, defamatory, obscene, harassing or illegal material;
- Sending information that violates or unlawfully infringes on the rights of any other person (including but not limited to copyrights and software licenses);
- Engaging in activity that may harass, threaten or abuse others;
- Conducting political activity, business for fraudulent activity, personal profit or gain, or other improper activities as defined in Local Agencies Incompatible Activities Policy;
- Downloading, installing or running security programs or utilities such as password cracking programs, packet sniffers, or port scanners that reveal or exploit weaknesses in the security of Local Agency IT resources;
- Engaging in activity that may degrade the performance of Local Agency IT resources;
- Accessing or attempting to access Local Agency IT resources which have not been authorized;
- Restricting or denying authorized Users access to Local Agency IT resources; and
- Circumventing Local Agency security measures.