Information Technology Acceptable Use: An Overview. CSTMC All Staff Meeting, February 10, 2014
Our goals for today > Review policies related to IT acceptable use > Explain how monitoring and follow-up work > Look at your role as an employee > Look at some practical tips (do’s and don’ts) > Q and A
Policies > Guideline 400-A Information Technology Objectives > Guideline 400-B Information Technology Standards > Guideline 400-C Corporate Internet Use > Guideline 400-D Use and Management of Electronic Mail > Guideline 400-E Information Technology Security > Guideline 401-C Security of Information > Policy 550 Code of Ethics > Policy 700 Risk Management Policy > Policy 900 Policy on Information Management
Acceptable use > IT tools are intended for you to do your work > “All informatics assets are to be used for corporate business activities…” (400-E, 3.0) > Limited personal use is allowed… > “…employees are allowed limited personal use provided such use is conducted on personal time… all personal use of informatics assets should be cleared by the employee’s supervisor” (400-E, 3.0) > “Personal browsing of the Internet is allowed provided it is conducted during personal time, no additional costs are incurred by the Corporation, and the usage remains compliant with this guideline.” (400-C, 5.0)
Changing expectations…
Social media
Streaming audio and video
Everything in the cloud
Bandwidth
Why limitations on how we use IT? > Resources are limited > Bandwidth > Storage > Wi-Fi > Etc... > Safeguarding corporate assets > IT security > Managing information > Productivity and operational requirements
Monitoring “Infrastructure components will be monitored to ensure their smooth operation and to detect any problems” (Guideline 400-A, 4.1)
Monitoring Why? > To ensure normal operation of systems > To follow up on anomalies or “incidents” > To assist managers in their responsibilities > As part of a formal investigation
Monitoring Examples of what is monitored > Internet use > Logs, reports, alerts > Devices on our networks (including Wi-Fi) > Computers and other devices > Running programs, files, screen views, etc. as warranted > Software > What is installed on all computers > Anti-virus > On computers, servers, mail system, anti-spam system, firewall > Detections, alerts
Monitoring and follow-up “Incidents” “An incident is an unplanned interruption to an IT service or reduction in the quality of an IT service.” (ITIL version 3)
Monitoring and follow-up Examples of “Incidents” > Issues reported to the Computer Helpline > Questions and queries > System failures > Web site blocked by the firewall > High bandwidth use > Virus infection > Policy breach > Patterns in system reports > Events automatically detected by monitoring tools
Monitoring and follow-up Who? > Computer Helpline is our main point of contact for any issues > All Informatics Services staff play a role > Each system has a “prime” and one or more backups > IT Security Coordinator
Monitoring and follow-up Process > IT staff first follow up with the employee > IT includes the manager if it is a repeat or serious issue > IT advises HR if the issue persists or if there is a serious issue related to a breach of Corporate policy
Trust > Expect employees to be professional and ethical > Encourage employees to experiment and innovate > Internet access is more open than at most Federal institutions
Tools are intended to help us do our work…
Your Role > Respect policies on ethics, IT, and IM > Help us use resources efficiently > Keep your manager informed > Report IT and IT security issues to the “Computer Helpline” > Report IM issues to the “IM Office” > Disclose wrongdoing
Do’s and Don’ts Streaming audio and video > Stream audio and video only for work purposes > YouTube, Vimeo, Internet radio, etc. > This also includes use of public Wi-Fi
Do’s and Don’ts Web sites blocked by the firewall > Let us know if you need a blocked site for work > Default filters are not perfect > You can send requests to the Computer Helpline
Do’s and Don’ts Personal files > Personal audio and video files > Don’t store your music and movie collection on Corporate resources, including your PC > Personal photos > Don’t put these on the O-Drive, Y-Drive or work computers and devices
Do’s and Don’ts Personal devices > Personal thumb drives and hard drives > Do not connect these to work computers > Personal computers and devices > Don’t bring your home computer to work > If you use a personal smart phone or tablet, remember our Information Management Policy > Managers have responsibility for their operations and must exercise their discretion
Do’s and Don’ts Software > Advise the Computer Helpline of all non-standard software > Maintainability > Ask the Computer Helpline to help you with software installations > Avoid exposure to malicious code (viruses, Trojan horses, etc.) > Never install unlicensed software > Legal exposure
Do’s and Don’ts Consumer cloud services > Respect our Information Management Policy > Corporate documents and records must be stored in OpenText Enterprise > Never place sensitive or Protected documents in the cloud > Advise your manager on how you are working with information > You and your manager must work together to safeguard Corporate information assets > Do not synchronize personal files > Music, movie collections, photos > Do not synchronize large amounts of data > Video, large numbers of files
Q & A