Policy Title: Information Technology Acceptable Use Policy

Policy ID: OIT-AUP

Version: 2.0

Last Updated: 04/07/2022

Approver: Secretary of the CNMI Department of Finance

Scheduled Review: Annual

Purpose

To establish policy, responsibilities, and procedures to provide Authorized Users with guidelines for, restrictions upon, and standards for the acceptable use of IT Resources. Covered IT Resources include those that are connected from any location to the CNMI Department of Finance’s (DOF) computer systems including the DOF Network as well as the internet; and IT Resources that are not connected to or used in conjunction with the DOF Network.

Scope

This policy applies to all Authorized Users of all departments, boards, commissions, and councils (hereinafter referred to as “agencies”) under the DOF’s jurisdiction and contractors, consultants, volunteers, and any other Authorized User who utilizes or have access to DOF IT Resources.

Objective

To ensure that all Authorized Users that have access to IT Resources are made aware of and comply with the standards and policy set forth in this policy and in Enclosure 1, DOF Acceptable Use Standards for Information Technology (IT) Resources.

Definitions

Authorized Users: DOF employees, contractors, consultants, volunteers or any other user who utilizes or has access to IT Resources.

Electronic Communication System: Any method of electronic communication or information system that generates, stores, transmits, or displays information, including, but not limited to:

  1. The DOF Network;
  2. Local Area Networks;
  3. The Internet;
  4. News groups;
  5. Bulletin board systems;
  6. Intranets;
  7. Social media;
  8. Blogs;
  9. Computer hardware;
  10. Software programs;
  11. Applications;
  12. Voice mail systems;
  13. Telephones;
  14. Faxes;
  15. Radio;
  16. Cellular and smartphones;
  17. Electronic mail and messaging systems;
  18. Instant Messaging;
  19. Text Messaging;
  20. Cloud storage solutions;
  21. Video conferencing and transmissions; and
  22. Electromagnetic, photo-electronic, and other electronic media or devices.

IT Resource: Any DOF computer system, Electronic Communication System, or electronic resource used for electronic storage and/or communications, including, but not limited to:

  1. Servers;
  2. Laptops;
  3. Desktop computers;
  4. Copiers;
  5. Printers;
  6. Wired or wireless telephones;
  7. Cellular phones or smartphones;
  8. Tablets;
  9. Wearables;
  10. Pagers;
  11. All other mobile devices; and
  12. DOF contractor-provided IT Resources of all kinds.

Policy

  1. Authorized Users of IT Resources are required to understand and abide by this policy and the Acceptable Use Standards. These Acceptable Use Standards are designed to prevent use that may be illegal, unlawful, abusive, or which may have an adverse impact on the DOF or its IT Resources. In addition, they identify for Authorized Users the permissible and effective uses of IT Resources. Authorized Users are encouraged to assist in the enforcement of these Acceptable Use Standards by promptly reporting any observed violations to their supervisor, the human resources office, agency contact or contracting officer. Enclosure 1, DOF Acceptable Use Standards for Information Technology (IT) Resources, sets forth additional information about the permissible scope of usage of IT Resources.
  2. Abuse or misuse of IT Resources will have consequences. The improper use of DOF IT Resources by employees or volunteers may result in disciplinary action, up to and including termination of employment or volunteer status, depending on the circumstances of the incident. The improper use of IT Resources by contractors or consultants may result in disciplinary action that may include termination of engagement, and other formal action under the terms of the applicable contract. When warranted, the DOF or its agencies may pursue or refer matters to other appropriate authorities for investigation regarding potential violation of local, state, or federal laws through the misuse of IT Resources.
  3. Ownership of IT Resources. All data and records, including those pertaining to computer use, Internet use, email communication, voicemail communication, text messages, and other electronic communication (whether sent, received, or stored), as well as the content of such communications, are presumed to be the sole and exclusive property of the DOF. Individual Authorized Users do not control the access to or the use of such data or records. In addition, Authorized Users have no property or other rights to any or all related physical equipment, hardware, and software applications that are provided, stored, or otherwise utilized in connection with IT Resources.
  4. Authorized Users should have no expectation of privacy when using IT Resources. At its discretion, executive level or human resources staff or their authorized designees may access IT Resources in any way, including to retrieve, search, trace, audit, monitor and review any files, data, or records which are stored on or accessed through IT Resources, as well as, data or records related to IT Resource usage, including Internet records or email communications, for business purposes, or in order to determine compliance with the provisions of this policy or any other policy, personnel policy or applicable local, state, or federal law. Agency heads may determine who may access these files, data, and records, including, but not limited to, executive level staff, legal staff, human resource management staff, network or security system administrators, individuals in the Authorized User’s chain of command or others, including law enforcement. Files, data, and records which are stored on IT Resources together with records of IT Resources use may be reviewed at any time and are routinely backed up and stored without the user’s knowledge. As such, Authorized Users should have no expectation of privacy in any electronic files, data, or records stored on or accessed through IT Resources nor should an Authorized User have any expectation of privacy in any communications sent or received via, or stored within, IT Resources.
  5. IT Resources are subject to monitoring or other access by authorized DOF personnel. All IT Resources and files, data, or records stored on or accessed through IT Resources may be accessed in any way (including but not limited to being traced, audited, monitored, reviewed, logged, blocked, searched, retrieved, or recorded) by authorized DOF personnel with or without notice to the Authorized User.
  6. Use of an IT Resource by an Authorized User is deemed to be consent to all access by authorized DOF personnel. By using an IT Resource, Authorized Users consent to all access by authorized DOF personnel, including but not limited to use being traced, audited, monitored, reviewed, logged, blocked, searched, retrieved, or recorded, with or without notice.
  7. Authorized Users may not access unauthorized data and should take measures to protect the security of their data. As part of the privilege of being an Authorized User, Authorized Users may not attempt to access any data or programs contained on DOF systems for which they do not have authorization or explicit consent. Authorized Users must use passwords and/or encryption in a manner that is consistent with DOF policy. Utilization of special passwords or encryption does not, however, guarantee the confidentiality of any electronic communication or of any file, data, or record stored or accessed through IT Resources. Authorized Users must keep passwords secure and must not share them with others.
  8. IT Resources are intended for business use and should be used primarily for that purpose. IT Resources are tools that the DOF has made available for DOF business purposes. Where personal use of IT Resources does not interfere with the efficiency of operations and is not otherwise in conflict with the interests of the DOF, reasonable use for personal purposes will be permitted in accordance with standards established for business use. Such personal use shall be limited, occasional, and incidental. Any personal use which is inconsistent with DOF policy regarding availability or capability of IT Resources, or inappropriate content of communications as defined by this policy is prohibited.
  9. IT Resources must never be used in a manner that violates other DOF policies and policies. Violations of these policies through IT Resources will be treated in the same manner as other violations.
  10. All Authorized Users must be provided with this policy. All current DOF employees must be provided a copy of this policy. All new employees must review this policy during new employee orientation. All non-DOF employee Authorized Users must review this policy prior to their use of and access to DOF IT Resources. Copies may be provided either electronically or in hard copy.
  11. All Authorized Users must sign an Acknowledgement of Receipt Form. On an annual basis, agencies must obtain signed user agreements from Authorized Users prior to granting access to IT Resources. Employees or volunteers shall sign Enclosure 2 to this policy, IT Resources Acceptable Use Policy User Agreement DOF Employee or Volunteer Form. Contractors and consultants shall sign Enclosure 3 to this policy, IT Resources Acceptable Use Policy User Agreement DOF Contractor or Consultant Form.
  12. Each agency must maintain copies of the agreement signed by each Authorized User in that agency. Completed user agreements shall be maintained as part of the employee’s Official Personnel Folder. Alternately, Authorized Users may sign, and agencies may store these agreements in an electronic format consistent OIT-DPP policy. Signed agreements must be accessible to individuals who are authorized to view or use the documents.
  13. Requests for electronic records should be treated in the same manner as paper records. Requests for records pertaining to IT Resources must be addressed consistent with all laws or policies that would apply to the same information if maintained in a non-electronic format. These requests should be referred to agency legal counsel and/or the Agency Open Records Officer, as appropriate.
  14. This amended policy supersedes prior or inconsistent policies. This policy supersedes any existing IT, Internet and/or email use policy issued by agencies under the DOF’s jurisdiction that is inconsistent with this policy, unless specific exemptions are granted by the Secretary of the CNMI Department of Finance or designee. Approved labor agreements, side letters or current practices should be applied in a manner to effectuate both this policy and any such agreement, side letter or current practice. In cases where a provision of an approved labor agreement, side letter or current practice cannot be reconciled with this policy, the former shall control. Agencies may develop supplemental IT, Internet and/or email use policies only with the approval of the Secretary of the CNMI Department of Finance or designee.

Responsibilities

Agency shall:

  1. Provide either a hard copy or electronic copy of this policy to Authorized Users.
  2. Ensure that Authorized Users have signed the user agreement.
  3. Maintain a copy of the signed user agreement for Authorized Users.

Authorized Users shall:

  1. Understand the permissible scope of usage of IT Resources.
  2. Sign the user agreement.

CNMI Department of Finance Office of Information Technology division may:

  1. Conduct system audits and compliance reviews of adherence to this policy.
  2. Prevent and respond to cybersecurity incidents.
  3. Assist human resources staff in conducting investigations involving the alleged misuse of IT Resources.
  4. Assist in data retrieval and analysis for any records requests.

DOF Acceptable Use Standards for Information Technology (IT) Resources

Each Authorized User must comply with the following Acceptable Use Standards when using IT Resources:

AUDITING, MONITORING AND REPORTING

All IT Resources and files, data, or records stored on or accessed through IT Resources may be accessed in any way (including but not limited to being traced, audited, monitored, reviewed, logged, blocked, searched, retrieved, or recorded) by authorized DOF personnel with or without notice to the Authorized User.

Authorized Users, therefore, should have no expectation of privacy in any files, data or records stored on or accessed through IT Resources, nor should they have any expectation of privacy in any electronic communication sent or received via, or stored within, IT Resources. By using IT Resources, the user authorizes any access to IT Resources by the DOF.

Authorized Users are encouraged to assist in the enforcement of these Acceptable Use Standards by promptly reporting any observed violations to their supervisor, the human resources office, agency contact or contracting officer.

DISCIPLINE OR OTHER CONSEQUENCES OF MISUSE

The improper use of IT Resources by employees or volunteers may result in disciplinary action, up to and including termination of employment or volunteer status, depending on the circumstances of the incident. The improper use of IT Resources by contractors or consultants may result in disciplinary action that may include termination of engagement, other formal action under the terms of the applicable contract, or suspension or debarment under the Contractor Responsibility Program. When warranted, the DOF or its agencies may pursue or refer matters to other appropriate authorities for investigation regarding potential violation of local, state, or federal laws through the misuse of IT Resources.

GENERAL IT RESOURCES USE

As part of the privilege of being an Authorized User, Authorized Users may not attempt to access any data or programs contained on DOF systems for which they do not have authorization or explicit consent.

Authorized Users are strictly responsible for maintaining the confidentiality of their DOF or agency account(s), passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), or similar information or devices used for identification and authorization purposes (such as multi-factor authentication methods).

Authorized Users may not make unauthorized copies of software.

Authorized Users may not use non-standard shareware or freeware software without agency IT management approval.

Authorized Users may not purposely engage in activity that may: harass, threaten, or abuse others; degrade the performance of IT Resources; deprive an Authorized User of access to an IT Resource; obtain extra IT Resources beyond those allocated; or circumvent IT Resource security measures.

Authorized Users may not use IT Resources to engage in personal, for-profit transactions or business, or to conduct any fundraising activity not specifically sponsored, endorsed, or approved by the DOF.

Authorized Users may not engage in illegal activity in connection with their use of IT Resources, including, but not limited to downloading, installing, and/or running security programs or utilities that reveal or exploit weaknesses in the security of a system. For example, Authorized Users may not run password cracking programs, packet sniffers, port scanners, or any other non-approved programs on IT Resources, unless they are authorized to do so.

Authorized Users may not access, create, store, transmit, post, or view material that is generally considered to be inappropriate or personally offensive or which may be construed as discriminatory or harassing, including sexually suggestive, pornographic, or obscene material.

Authorized Users are personally responsible for the security of authorized portable and mobile IT Resources and devices. Care must be exercised to ensure these devices are secured and not lost, stolen or otherwise accessed in an unauthorized manner.

Authorized Users may not store non-public information on IT Resources, if those IT Resources may be removed from DOF facilities without prior approval from the agency Secretary or designee.

Authorized Users shall use DOF approved electronic communication systems primarily for DOF business.

Authorized Users shall use only DOF approved encryption methods to encrypt information, as appropriate.

Authorized Users shall use only DOF approved storage devices or storage solutions.

Authorized Users may only store or transmit DOF content, files, data or any other type of information on or through an IT Resource that is DOF-provided or DOF-approved.

INTERNET USE

All security policies of the DOF and its agencies, as well as policies of Internet websites being accessed, must be strictly adhered to by Authorized Users.

Software

In connection with Authorized Users’ use of and access to IT Resources:

  1. All software used to access IT Resources must be part of the agency’s standard software suite or approved by the agency IT department. This software must incorporate all vendor provided security patches.
  2. All files downloaded from the Internet must be scanned for viruses using the approved DOF distributed software suite and current virus detection software.
  3. All software used to access the Internet shall be configured to use an instance of the DOF’s standard Internet Access Control and Content Filtering solution.
Access Control and Authorization

Agencies should authorize access to the Internet using DOF IT Resources through the utilization of a user ID/password system. Security violations can occur through unauthorized access, and all possible precautions should be taken to protect passwords. Authorized Users are responsible for activity and communications, including but not limited to email, voicemail, text messages, data, and any other electronic communications transmitted under their account.

Incidental Use
  1. IT Resources are communication tools that the DOF has made available for DOF business purposes. Where personal use of these resources does not interfere with the efficiency of operations and is not otherwise in conflict with the interests of the DOF, reasonable use for personal purposes will be permitted in accordance with standards established for business use. Such personal use shall be limited, occasional, and incidental.
  2. Incidental personal use of Internet access is restricted to Authorized Users; it does not extend to family members, other acquaintances, or any other persons.
  3. Access to IT Resources that are home-based, e.g., accessing the Internet from an agency owned, home-based computer, must adhere to all the same policies that apply to use from within agency facilities.
  4. Employees may not allow family members or other non-employees to access DOF provided home-based IT Resources.
  5. Incidental use must not result in direct costs to the DOF.
  6. Incidental use must not interfere with the normal performance of an Authorized User’s work duties.
  7. Incidental use may not risk legal liability for, or embarrassment to, the DOF.
  8. All files and documents located on IT Resources, including personal files and documents may be accessed and retrieved in accordance with this policy. In addition, it should be understood that such documents may be subject to disclosure under the Right-to-Know, and other laws.
Acceptable Use of the Internet

Accepted and encouraged use of the Internet for Authorized Users on IT Resources includes, but is not limited to, the following:

  1. Access, research, exchange, or posting of information that relates to the assigned job duties of an Authorized User for carrying out DOF business.
  2. Promotion of public awareness in regard to DOF law, agency services, and public policies.
  3. Posting of agency information that has been authorized by appropriate management.
Acceptable use of Instant Messaging (IM)
  1. Only Authorized Users who have been granted agency level approval to utilize IM technology may use IM software, and they may use it only to communicate internally across the DOF network in a manner directly related to an Authorized User’s job responsibilities.
  2. IM software that is utilized by DOF Authorized Users must be part of the determined enterprise standard software solution.
  3. IM software is only to be used to conduct state business that produces records that have little or no documentary or evidentiary value and that need not be set aside for future use.
Acceptable use of Social Media
  1. Social Media may include, but are not limited to, blogs, RSS, discussion boards, social networking, wikis, video sharing sites, mashups, and social tagging.
  2. Only Authorized Users who have been granted agency level approval to do so may utilize Social Media, and only if the use is directly related to an Authorized User’s job responsibilities.
  3. Social Media may be used only to conduct DOF business that produces records that have little or no documentary or evidentiary value and that need not be set aside for future use.
Acceptable Use of Mobile Technologies

Authorized Users shall ensure that information on mobile devices is not compromised by:

  1. Securing mobile devices from access by unauthorized persons, through the use of locking devices, passwords, or other appropriate protection;
  2. Ensuring that unauthorized persons do not view information on the display screen;
  3. Refraining from checking devices into airline luggage systems, with hotel porters, or from using other unsupervised handling or storage processes;
  4. Securing or maintaining possession of mobile devices at all times; and
  5. Immediately reporting a lost or stolen mobile device to their supervisor.
Acceptable Use of Cloud Storage Solutions
  1. Cloud storage solutions enable convenient, on-demand network access to a shared pool of configurable computing resources such as storage that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud storage solutions are intended for business use and shall be used primarily for that purpose.
  2. Cloud storage solutions must never be used in a manner that violates other DOF policies. Violations of DOF policies through IT Resources will be treated in the same manner as other violations.
  3. All files and documents located in cloud storage solutions are generally owned by the DOF and may be accessed and retrieved in accordance with this policy. In addition, it should be understood that such documents may be subject to requests for disclosure under the Right to Know Law and other similar laws.
  4. Users will only access those cloud storage solutions which have been authorized for their use.
  5. Users who obtain a password and ID for a cloud storage solution shall keep that password confidential. DOF policy prohibits the sharing of user IDs or passwords obtained for access to network and cloud storage resources.
  6. Users are responsible for the use of their individual cloud storage accounts and should take all reasonable precautions to prevent others from being able to use their account, including coworkers, friends, or family.
  7. Any user placing sensitive data into Cloud Storage Solutions must (in concert with his or her chain of command and/or Chief Counsel’s Office, as appropriate) evaluate the risk to the data’s security, privacy, and availability. No DOF policy or procedure may be violated via use of a Cloud Storage Solution unless that policy or procedure is itself explicitly waived.

EMAIL USE

Usage
  1. When sensitive material is sent electronically via email, it is important to verify that all recipients are authorized to receive such information and to understand that email is not fully secure and/or private, except where appropriate security applications are used, e.g. data encryption.
  2. Users should understand that messages can be quickly and easily copied and may be forwarded inappropriately.
  3. Where it is necessary to transmit DOF proprietary or restricted information beyond the DOF email network, the messages should be protected by encryption. Authorized Users should contact the CNMI Department of Finance Office of Information Technology (OIT) for assistance if encryption is needed.
  4. Email messages to be transmitted outside of the United States should comply with local laws governing international transmission of data as well as United States export control regulations. For assistance, Authorized Users should contact OIT.
  5. The agency head or designee should determine specific agency policy regarding business information which is determined to be too confidential or sensitive to be transmitted via email.
  6. All user activity and electronic communication, including the contents of such communication, including but not limited to, email, voicemail, text messages and data, on IT Resources is subject to access, including tracking, blocking, logging, auditing, monitoring, retrieving, and reviewing as described more fully in this policy.
  7. Authorized Users shall use email addresses assigned to them primarily for work-related purposes. Authorized Users may not use their DOF e-mail address to register or subscribe for any product or service that is not work-related.
  8. Authorized Users shall not forward work related emails, calendar items or documents to their personal non-DOF email addresses. In the event that a provision of an approved labor agreement, side letter or current practice cannot be reconciled with this policy, the former will control.
Access Control and Authorization
  1. Only Authorized Users may use IT Resources to send or view email or access the DOF’s email systems.
  2. Only after agreement to abide by all applicable rules of the system, including this policy and its related Acceptable Use Standards, shall access to DOF email be granted to DOF employees, contractors, consultants, and volunteers, in their capacity as Authorized Users.
  3. An Authorized User may not access the email or account of another Authorized User. This restriction does not apply to system administrators and management staff in the Authorized User’s chain of command authorized to access email for legitimate business purposes.
  4. In accordance with agency policy, Authorized Users shall use password protection to limit access to email files. Authorized Users shall safeguard their passwords so that unauthorized users do not have access to their email. Authorized Users are responsible for all messages transmitted and originating under their account.
Message Retention

All messages, including email, text messages, and voicemail messages are subject to the appropriate records retention and disposition schedules and the provisions outlined in DOF Records Retention policies.

Email Security Issues, Worms, and Viruses

Email and attachments to email are sources of computer security issues. All Authorized Users should act in accordance with the latest IT Policies regarding containment methods for computer viruses and any security alert emails from agency HR or IT.

Maintaining Professionalism

Every Authorized User who uses IT Resources is responsible for ensuring posted messages and other electronic communications are professional and businesslike. As a way to impose personal restraint and professionalism, all Authorized Users should assume that whatever they write may at some time be made public. Authorized Users should follow the following guidelines:

  • Be courteous and remember that you are representing the DOF with each email message sent.
  • Review each email message before it is sent and make certain that addresses are correct and appropriate. Use spell check before sending.
  • Consider that each email message sent, received, deleted, or stored has the potential to be retrieved, seen, and reviewed by audiences, including the general public, who were not the intended recipients of the message.
  • Ensure that content is appropriate and consistent with business communication; avoid sarcasm, exaggeration, and speculation which could be misconstrued. Remember that intonation and inflection are lost in email.
  • Be as clear and concise as possible; be sure to clearly fill in the subject field so that recipients of email can easily identify different email messages.
Electronic Message Distribution, Size, and Technical Standards
  1. Authorized Users should receive authorization from their supervisors before wide scale “broadcasting” an email bulletin to groups of employees.
  2. The use of “reply to all” should be avoided unless it is appropriate to respond to all addressees.
  3. Authorized Users wishing to send email bulletins to all DOF or agency employees must first obtain authorization from agency management.
  4. Email messages should be brief, and attachments to email messages should not be overly large. Agency IT staff will inform Authorized Users of limitations on the size of email messages and attachments. OIT periodically will provide technical standards and guidance to agencies through IT Policies on the technical capacities of the DOF email system and limitations on email message size. Technical standards will be provided in areas such as file size and backup procedures, and will be available from OIT upon request.

UNACCEPTABLE USES OF IT RESOURCES

The following are examples of impermissible uses of IT Resources. This list is by way of example and is not intended to be exhaustive or exclusive. Authorized Users are prohibited from:

  • Accessing, creating, storing, transmitting, posting, or viewing material that is generally considered to be inappropriate or personally offensive or which may be construed as harassing, including sexually suggestive, pornographic, or obscene material.
  • Accessing, creating, storing, transmitting, posting, or viewing material that expresses or promotes discriminatory attitudes toward race, gender, age, nationality, religion, or other groups.
  • Engaging in personal, for-profit transactions or business, or conducting any fundraising activity not specifically sponsored, endorsed, or approved by the DOF.
  • Participating in Internet activities that inhibit an employee’s job performance or present a negative image to the public, such as auctions, games, or any other activity that is prohibited by policy, policy, or law.
  • Attempting to test or bypass the security (“hacking” or “cracking”) of IT Resources or to alter internal or external IT Resource security systems.
  • Participating in or promoting computer sabotage through the intentional introduction of computer viruses, worms, or other forms of malware, i.e. malicious software.
  • Promoting, soliciting, or participating in any activities that are prohibited by local, state, or federal law or the DOF rules of conduct.
  • Violating or infringing the rights of any other person.
  • Using any other Authorized User’s password and/or equipment to conduct unacceptable activities on IT Resources.
  • Harassing or threatening activities including, but not limited to, the distribution or solicitation of defamatory, fraudulent, intimidating, abusive, or offensive material.
  • Transmitting or soliciting any proprietary material, such as copyrighted software, publications, audio, or video files, as well as trademarks or service marks without the owner’s permission.
  • Promoting or participating in any unethical behavior or activities that would bring discredit on the DOF or its agencies.
  • Downloading and/or installing any unapproved software.
  • Transmitting or posting any messages that intentionally misrepresent the identity of the sender, hide the identity of the sender, or alter a sender’s message.
  • Sending or forwarding DOF information or records through non-DOF email or webmail accounts. Examples of non-DOF email accounts include, but are not limited to, Hotmail, Yahoo mail, Gmail, or email provided by other Internet service providers.
  • Sending, forwarding, or storing DOF information or records utilizing non-DOF accredited mobile devices. Examples of mobile devices include, but are not limited to:
    • tablets, smart phones, pagers, wearables, and cellular telephones.
  • Participating in any other Internet or email use that is deemed inappropriate by the DOF and/or its agencies and is communicated as such to Authorized Users.
  • Using or disclosing confidential material covered by law or DOF policy.

The Official Website of the CNMI Department of Finance