OCSD 04-31 (REPEALED)
REPEALED BY OCSD 15-18

RESOLUTION NO. OCSD 04-31
AMENDING RESOLUTION NO. OCSD 98-33
A RESOLUTION OF THE BOARD OF DIRECTORS OF THE ORANGE COUNTY SANITATION DISTRICT AMENDING THE HUMAN RESOURCES POLICIES AND PROCEDURES

The Board of Directors of the Orange County Sanitation District, DOES HEREBY RESOLVE, DETERMINE AND ORDER:
Section 1: That Exhibit "A" of Resolution No. OCSD 98-33 is hereby amended by amending Policy No. E90.00, Information Systems Management, set forth in Attachment No. 1, attached hereto and incorporated herein by reference.
Section 2: That Exhibit "A" of Resolution No. OCSD 98-33 is hereby amended by adding Policy No. E91.00, End-User Policy, set forth in Attachment No. 2, attached hereto and incorporated herein by reference.
Section 3: That Exhibit "A" of Resolution No. OCSD 98-33 is hereby amended by adding Policy No. E92.00, Software Policy, set forth in Attachment No. 3, attached hereto and incorporated herein by reference.
Section 4: That Exhibit "A" of Resolution No. OCSD 98-33 is hereby amended by adding Policy No. E93.00, E-Mail Policy, set forth in Attachment No. 4, attached hereto and incorporated herein by reference.
Section 5: That Exhibit "A" of Resolution No. OCSD 98-33 is hereby amended by adding Policy No. E94.00, Internet Usage Policy, set forth in Attachment No. 5, attached hereto and incorporated herein by reference.
Section 6: That Exhibit "A" of Resolution No. OCSD 98-33 is hereby amended by adding Policy No. E95.00, Computer Incident Response Policy, set forth in Attachment No. 6, attached hereto and incorporated herein by reference.
Section 7: That Exhibit "A" of Resolution No. OCSD 98-33 is hereby amended by adding Policy No. E96.00, Change Control Policy, set forth in Attachment No. 7, attached hereto and incorporated herein by reference.
Section 8: That Exhibit "A" of Resolution No. OCSD 98-33 is hereby amended by adding Policy No. E97.00, Remote Access Policy, set forth in Attachment No. 8, attached hereto and incorporated herein by reference.
Section 9: That Exhibit "A" of Resolution No. OCSD 98-33 is hereby amended by adding Policy No. E98.00, Special Technology Policy, set forth in Attachment No. 9, attached hereto and incorporated herein by reference.
Section 10: That all other terms and conditions of Resolution No. OCSD 98-33, as previously recommended, shall remain in full force and effect.
Section 11: That all future amendments to Resolution No. OCSD 98-33 be made by Resolution.
PASSED AND ADOPTED at a regular meeting held December 15, 2004.
Chair
ATTEST:

Orange County Sanitation District
Information Systems Management
Policy Number: E90.00
Supersedes: December 18, 2002
Approved by: Lisa L. Tomko
6.1 No exceptions are permitted to this policy unless authorized by the General Manager or designee and/or Information Technology management staff members.
7.1 Access to all OCSD computer resources, including but not limited to hardware, software, files, e-mail, and Internet, must be approved by the employee's supervisor and Information Technology management staff members.
8.0 RELATED DOCUMENTS
8.1 Computer Security Act of 1987 (Public Law 100-235)
8.2 The California Public Records Act
8.3 Policy E91.00, Computer End-User Policy
8.4 Policy E92.00, Software Policy
8.5 Policy E93.00, E-mail Policy
8.6 Policy E94.00, Internet Usage Policy
8.7 Policy E95.00, Computer Incident Response Policy
8.8 Policy E96.00, Change Control Policy
8.10 Policy E98.00, Special Technology Policy
8.11 Policy F40.00, Use of District's Property

Orange County Sanitation District
Computer End-User
Policy Number: E91.00
Effective Date: December 15, 2004
Supersedes:
Approved by: Lisa L. Tomko
1.0 PURPOSE
1.1 To establish a uniform policy for end-user accounts and security configurations.
2.0 ORGANIZATIONAL UNITS AFFECTED
2.1 The organizational units affected are outlined in policy E90.00.
3.0 DEFINITIONS
3.1 Account - The name assigned to a computer user, which is used to control access to computer related resources.
3.2 Character Sets - There are four character sets: 1) a through z; 2) A through Z; 3) 0 through 9; and, 4) special characters such as @, #, $, %, or 11 •
3.3 Complexity Requirements - Containing members of three of the four character sets.
3.4 Network - The collective name used for all computers and computer related resources that communicate with each other.
3.5 Password - A string of characters used to verify a user's permission for an account.
3.6 Virus - A generic name that includes all computer related infectious agents.
3.7 Electronic snooping - The unauthorized use of or attempt to use another employee's password without the employee's consent, or the unauthorized entry to or attempt to enter the computer files and communications of another without that person's consent, or the unauthorized entry or attempt to enter the encrypted storage of e-mail messages.
4.0 POLICY
4.1 GENERAL INFORMATION
4.1.1 Internet services and e-mail are unique mediums that are viewed by most users as being different from traditional written correspondence or telephone communication.
One of the greatest dangers of the use of Internet services and e-mail is that they are treated far more informally than other forms of business communication. Due to the perceived impermanence of Internet communications and e-mail messages, employees and other users often use them to express sentiments and opinions they would never memorialize in traditional business writing. In drafting any Internet communication or e-mail message, employees and other users shall exercise care and diligence because these communication mediums are a reflection of the Orange County Sanitation District (OCSD) and the employee's department. As such, employees and other users shall always conduct themselves in a professional manner and refrain from sending anything by way of Internet communications or e-mail messages that would not appear in an official memorandum or letter.
4.1.2 OCSD's computer resources are provided for the purpose of conducting OCSD business, enhancing efficiency, and better serving the public interest. Internet services and e-mail are business communication tools that are made available to certain OCSD employees and other users in order to enhance efficiency and effectiveness in the performance of job duties and OCSD related business and are to be used in accordance with state and federal laws, and this policy. The e-mail system may not be used to solicit or persuade others for commercial ventures, religious or political causes, outside organizations, or other non-job-related solicitations or to support any profit entity.
4.1.3 OCSD's computer resources, regardless of their physical location or the form in which they are maintained, are the exclusive property of OCSD. Employees and other users are provided access to OCSD's computer resources as authorized by the General Manager, Department Directors and/or the Information Technology Director (IT Director).
4.1.4 Use of OCSD's computer resources, including all uses of the Internet and e-mail communications, are to be used for the accomplishment of business-related tasks and/or directly pertain to OCSD business, administration, or practices. Employees may use these resources for non-business research or browsing use only during their scheduled meal break, rest periods, and before or following work time; provided that all other Information Systems Management related policies are followed.
4.1.5 Employees are aware that all records, whether on paper or computerized, are subject to the mandatory public disclosure requirements of the California Public Records Act. The information created or transmitted on any OCSD computer resource, including Internet communications and e-mail messages, may be subject to public disclosure under the California Public Records Act or in connection with litigation.
4.1.6 Employees who are terminated or laid-off have no rights to the contents of their computer files or e-mail messages and are not allowed access to such systems. OCSD shall have the right to delete or retain any or all e-mail messages or computer files of any person no longer employed by OCSD. When an employee is separated from OCSD employment, it is the responsibility of the Department Director and the IT Director to ensure that access to OCSD's computer resources is terminated and all computer files are retained.
4.1.7 OCSD prohibits sexual, racial, or other forms of harassment and OCSD's computer resources shall not be used for such purposes. If you are harassed or discriminated against through the use of OCSD's computer resources, you must report the act of harassment or discrimination to your direct supervisor or Department Director immediately. If you feel uncomfortable doing so, or if your direct supervisor or Department Director is the source of the harassment, condones the problem, or ignores the problem, report the harassment to Human Resources.
4.1.8 The dissemination of derogatory, defamatory, obscene, disrespectful, sexually explicit, sexually suggestive or in any other way inappropriate Internet and/or e-mail communications is prohibited. For example, OCSD prohibits the display or transmission of sexually explicit images, messages, or cartoons or any transmission or use of e-mail communications that contain ethnic slurs, racial epithets, or anything that may be construed as harassment or disparagement of others based on their race, national origin, color, sex, sexual orientation, age, disability, religious or political beliefs, and/or any other protected class of people. Sending or forwarding a copy of these types of offensive communications on OCSD's computer system is strictly prohibited.
4.1.9 Electronic snooping or tampering by any employee is prohibited.
4.1.10 OCSD reserves the right for any reason to access, disclose or delete all messages and other electronic data sent over its electronic mail system or stored in its files.
4.1.11 No employee or contractor shall use OCSD's facilities or equipment to deliberately circulate a virus, Trojan horse, trap-door program, or any other malicious code. All employees and contractors must exercise due diligence not to distribute any malicious codes through e-mail communications or any other electronic format.
4.2 ACCESS TO COMPUTER INFORMATION/CONFIDENTIALITY
4.2.1 An employee's use of OCSD's computer resources, including, but not limited to, all computer files, Internet services, and e-mail, are not confidential. OCSD provides no assurance of privacy with respect to an employee or any other end-user of an OCSD computer resource. OCSD expressly reserves the right to access or monitor, with or without notice, any authorized end-user's use of OCSD computer resources.
4.2.2 OCSD reserves the right to monitor and record individual employee and other user computer files, as well as Internet and e-mail usage, at any time as allowed by the Electronic Communications Privacy Act of 1986. No employee or other user shall have any expectation of privacy as to his/her computer files, Internet communications, or e-mail messages. OCSD has software and systems in place that can and will monitor and record all usage for each and every user, including, but not limited to, all internal transmissions, Internet website visits, newsgroups, e-mail messages, computer files, and file transfers into and out of OCSD's internal network. OCSD representatives may access, audit, and review all activity and analyze usage patterns, and may, for whatever reason, disclose this data to ensure that the OCSD's computer resources are devoted to maintaining the highest level of efficiency and productivity.
4.2.3 Employees or contractors shall not attempt to defeat any connectivity, monitoring, or blocking software/hardware nor use any method that attempts to disguise one's login identity. An employee or contractor may not delete or intentionally hide or rename any files or data that are involved in any pending or anticipated matters.
4.3 ACCOUNTS
4.3.1 As directed by Information Technology management, a limited number of the technical staff will be assigned administration duties.
4.3.2 As directed, technical staff will deactivate and/or delete accounts. Steps will be taken to ensure that no files of value are deactivated or deleted.
4.3.3 Password changes will be transmitted to an end-user via secure means only. Secure methods of transmittal include voice-mail, in-person or through the end-user's manager.
4.3.4 All passwords must adhere to the complexity requirements.
4.3.5 Information Technology will force the changing of a password when the user logs on for the first time.
4.3.6 No account will be added to security or distribution groups without approval of senior technical staff, the resource owner, and/or the owner's supervisor.
4.3.7 Staff with multiple accounts shall use discretion when using a particular account. The account with the lowest level of authorization needed to access information shall be used.
4.3.8 Senior Information Technology staff may create accounts for testing purposes as needed.
4.4 PASSWORDS
4.4.1 Subject to the constraints of this policy, a user will always be allowed to set and/or change their password.
4.4.2 A password must never be shared unless it is an emergency. Notify Information Technology if you share your password and change it as soon as practicable.
4.4.3 If a password has been compromised, change it immediately and notify Information Technology.
4.4.4 Enforcement of password requirements is automated. A password must meet the following complexity requirements:
• A minimum of six (6) characters long.
• Contain three (3) of the four (4) character sets.
• Be changed at least every six (6) months.
• Cannot be reused for 20 generations.
4.4.5 As desired and to minimize the number of passwords to remember, a user may manually change all of his/her passwords to match.
4.4.6 A written password must never be left in an unsecured location.
4.4.7 Never repeat a password or follow a pattern that may be easily compromised.
4.4.8 Periodically, Information Technology staff will perform password audits.
4.4.9 As determined by senior Information Technology staff, certain system-oriented accounts will be exempted from these requirements.
4.4.10 Desktop and laptop computers connected to the OCSD network will be automatically configured to lock the computer after a predetermined inactive timeframe. Computer accounts that contain applications determined by Information Technology staff to be negatively impacted by this activity will be exempt.
Under no circumstances shall this automated feature be intentionally defeated by the end-user.
4.5 ANTIVIRUS
4.5.1 Information Technology staff must install antivirus software on all production computers.
4.5.2 Information Technology staff will take measures to automatically update the antivirus software as updates are released by the manufacturer.
4.5.3 Senior Information Technology staff will subscribe to "virus warning" services.
4.5.4 At a minimum, antivirus software will be configured to scan all incoming files.
4.5.5 End-users will not interfere with the antivirus software in any manner whatsoever unless directed by Information Technology staff. In the event such directives are issued, it is Information Technology's responsibility to re-enable/re-configure the antivirus software.
4.5.6 End-users must notify Information Technology staff immediately if a virus is detected on the computer they are using. All work on that computer must be stopped until Information Technology issues a clearance.
4.5.7 In the event of an infection, Information Technology will take all possible steps to limit the spread of the infection. This includes, but is not limited to, isolation of the infected computer(s), shutting down servers or services and disconnecting OCSD's network from the Internet.
4.6 EXTERNAL DEVICES
4.6.1 No personally owned external device shall be connected to an OCSD computer without approval from Information Technology. External devices include, but are not limited to, thumb drives, memory sticks, disk drives, and wireless access points.
4.6.2 If applicable, Information Technology is responsible for ensuring that all external devices are subject to standard anti-virus measures.
4.7 INTELLECTUAL PROPERTY RIGHTS
4.7.1 It is OCSD's policy to retain all copyrights and other intellectual property rights of which it is the legal owner.
All copyrights and other intellectual property rights, which are created by OCSD employees in the course and scope of their employment with OCSD, are the exclusive property of OCSD.
4.7.2 Transfer of Information
• OCSD employees shall not post material on Internet or Intranet services or send material via e-mail, which is copyrighted by a party other than OCSD.
• OCSD employees shall not download copyrighted materials from these services except where permitted for research use.
5.0 PROCEDURE
5.1 All procedures necessary for compliance with this policy will be maintained and executed by OCSD Information Technology staff.
6.0 EXCEPTIONS
6.1 Exceptions are outlined in policy E90.00.
7.0 PROVISIONS AND CONDITIONS
7.1 Provisions and conditions are outlined in policy E90.00.
8.0 RELATED DOCUMENTS
8.1 Computer Security Act of 1987 (Public Law 100-235)
8.2 The California Public Records Act
8.3 Electronic Communications Privacy Act of 1986
8.4 Policy 830.00, Harassment Policy
8.5 Policy E90.00, Information Systems Management Policy
8.6 Policy E92.00, Software Policy
8.7 Policy E93.00, E-mail Policy
8.8 Policy E94.00, Internet Usage Policy
8.9 Policy E95.00, Computer Incident Response Policy
8.10 Policy E96.00, Change Control Policy
8.11 Policy E97.00, Remote Access Policy
8.12 Policy E98.00, Special Technology Policy
8.13 Policy F40.00, Use of District's Property

Orange County Sanitation District
Software
Policy Number: E92.00
Effective Date: December 15, 2004
Supersedes:
Approved by: Lisa L. Tomko
1.0 PURPOSE
1.1 To establish a uniform method for software copyright enforcement, software selection, and maintenance.
2.0 ORGANIZATIONAL UNITS AFFECTED
2.1 The organizational units affected are outlined in policy E90.00.
3.0 DEFINITIONS
3.1 Copyright - The exclusive legal rights to copy, reproduce, or sell a software package or document.
3.2 Software - A set of related programs, procedures, and documentation.
4.0 POLICY
4.1 Orange County Sanitation District (OCSD) staff are expected to rigorously observe and enforce copyright laws. In particular:
• Copyrighted software installation is only authorized to be used on the computer for which it was purchased and intended.
• No software distribution media will be copied except in the following instances: backup; disaster recovery; and/or as determined by senior Information Technology staff.
• Electronic copyrighted documents used as reference material must contain a credited statement acknowledging the source.
• All violations of copyright laws and this policy must be reported to an employee's supervisor or to Information Technology management immediately after it is known.
4.2 No software is to be purchased or installed without Information Technology approval.
• Employees are prohibited from installing or allowing the installation of any software that has not been authorized by Information Technology. This includes, but is not limited to, personally owned, "free", licensed and hacking software.
• Employees are prohibited from installing or using software which provides encryption, wipes programs, personal firewalls, or similar products unless a particular use has been authorized by Information Technology staff.
• Employees are prohibited from installing or using software originating from the Internet and must notify Information Technology management if such software exists.
4.3 Information Technology will act as a clearing-house for all software and will perform the following:
• Maintain a secure library of all software and accompanying documentation.
• Maintain records detailing software usage and installations on OCSD computers.
• Perform software inventories.
• Provide software consulting to OCSD.
• Perform all software installations.
• Review the need for any new software and, if possible, present alternatives.
4.4 Employees are expected to maintain the confidentiality of all in-house and contractor authored software unless approved by management.
5.0 PROCEDURE
5.1 All procedures necessary for compliance with this policy will be maintained and executed by OCSD Information Technology staff.
6.0 EXCEPTIONS
6.1 Exceptions are outlined in policy E90.00.
7.0 PROVISIONS AND CONDITIONS
7.1 Provisions and conditions are outlined in policy E90.00.
8.0 RELATED DOCUMENTS
8.1 Computer Security Act of 1987 (Public Law 100-235)
8.2 All Federal and State Copyright laws
8.3 Policy E90.00, Information Systems Management Policy
8.4 Policy E91.00, Computer End-User Policy
8.5 Policy E93.00, Email Policy
8.6 Policy E94.00, Internet Usage Policy
8.7 Policy E95.00, Computer Incident Response Policy
8.8 Policy E96.00, Change Control Policy
8.9 Policy E97.00, Remote Access Policy
8.10 Policy E98.00, Special Technology Policy
8.11 Policy F40.00, Use of District's Property Policy

Orange County Sanitation District
E-mail
Policy Number: E93.00
Effective Date: December 15, 2004
Supersedes:
Approved by: Lisa L. Tomko
1.0 PURPOSE
1.1 To establish guidelines for the use of e-mail with Orange County Sanitation District (OCSD) computer resources.
2.0 ORGANIZATIONAL UNITS AFFECTED
2.1 The organizational units affected are outlined in policy E90.00.
3.0 DEFINITIONS
3.1 Attachments - As defined and related to this policy are as follows:
• An application specific file, such as a Word or Excel document that is transported with an e-mail message. The recipient must have suitable software for viewing the attachment.
• A self-executing file such as an exe, com, or bat file.
3.2 E-mail - A message, possibly with attachments, composed on a computer and received by a computer. A network, including the Internet, is the transmission medium.
3.3 Internet - A worldwide network of computers, adhering to universal standards that are capable of exchanging data with each other.
3.4 Confidential Information - Information that requires a "need-to-know", restricted use, or is sensitive in nature is considered confidential information. Generally, OCSD technical data, proprietary, customer, and personnel related information is confidential. Personnel related information includes, but isn't limited to; medical, recruitment, disciplinary, and performance information. Once information becomes generally available to the public, it is no longer considered confidential. Contact the Human Resources Department if there are questions.
4.0 POLICY
4.1 E-MAIL USAGE
4.1.1 E-mail, used by those affected parties in this policy through the course of their duties and/or while using OCSD computer related resources, shall always be used with the assumption that a message will be read by someone other than the intended recipient. When transmitting e-mail messages, employees and other authorized users should consider that the message, even though "deleted," may later be disclosed to outside parties, members of the public, or in connection with litigation. Due to these concerns, employees and other users are required to maintain the highest standards of courtesy and professionalism when sending e-mail messages.
4.1.2 Employees shall have no right or expectation of privacy or confidentiality in any e-mail messages created, sent, received, deleted, or stored using OCSD's computer resources. Management and supervisors have the right to read and review any e-mail message created, sent, received, deleted, or stored of any employee at any time and for any reason.
4.1.3 Employees are expected to exercise good judgment in sending any e-mail communication, especially if such communication is deemed sensitive. All confidential communications shall be in hard copy form and be filed and retained in accordance with OCSD Records Retention Policies and procedures.
4.1.4 The sending of mass e-mailings on a "District-wide" basis to all employees without the prior authorization of a Department Director or the Director of Administration is prohibited.
4.1.5 Always err on the side of caution. Whenever an e-mail is written, assume the message is permanent and that it will be retrieved and/or printed-out.
4.1.6 All employees are representatives of OCSD and will always use appropriate language. E-mail is a unique medium that is unlike traditional written correspondence, in that, composed e-mail transmission statements, despite the intended number of recipients, can be viewed globally.
4.1.7 Transmitting a message under another employee's name or password without their permission is prohibited. Any employee who obtains a password or user identification must keep that password confidential.
4.1.8 Employees should regularly change their individual passwords. Employees shall not share individual passwords with other individuals except for legitimate OCSD business reasons.
4.1.9 A password must never be shared unless it is an emergency. Notify Information Technology if you share your password and change it as soon as practicable.
4.1.10 All communications should follow proper etiquette, such as:
• Materials posted by employees shall professionally represent OCSD. The transmission of defamatory, obscene, offensive or harassing messages or messages, which disclose personal information without authorization, is prohibited.
• E-mail messages and electronic postings may be read by people beyond the addressee, and upon request, may be produced to a court in connection with litigation and should be composed accordingly.
4.1.11 Employees should carefully consider who is used on an e-mail as addressees or courtesy copies. Some employees may not want their e-mail addresses to be widely known or to receive responses from widely distributed messages.
4.1.12 Non-exempt OCSD employees are prohibited from accessing their e-mail accounts from home.
If extenuating circumstances apply (i.e., lead worker "acting" as supervisor), HR will evaluate the situation on a case-by-case basis.
4.2 RETENTION OF E-MAIL
4.2.1 E-mail generates correspondence and other documentation, which may be recognized as Official OCSD Records in need of protection/retention in accordance with the California Public Records Act and as evidence in connection with litigation. Although the use of e-mail is primarily for official OCSD business, the e-mail system is intended as a medium of communication. Therefore, the e-mail system should not be used for the electronic storage or maintenance of documentation, including, but not limited to, Official OCSD Records.
4.2.2 E-mail messages sent and received, including any attachments, which are considered as Official OCSD Records, are to be stored in computer files or printed as a hard copy and filed in accordance with their department's filing policy. Generally, the sender of the e-mail shall be the person responsible for storing or printing and filing it accordingly. The persons responsible for a particular program or project file shall be responsible for retaining all e-mail they send or receive related to that program or project.
4.2.3 Individual employees are responsible for the management of their mailboxes and associated folders. In order to assure maximum efficiency in the operation of the e-mail system, employees are encouraged to delete e-mail messages that are not Official OCSD Records from their in-boxes once they are no longer needed. If a hard copy of data, which constitutes an Official OCSD Record, has been printed and filed in accordance with OCSD's Record Retention Policy and Schedule, the e-mail may be deleted.
4.2.4 It is the responsibility of individual employees and their Department Heads to determine if e-mail is an Official OCSD Record, which must be retained in accordance with OCSD's Record Retention Policy and Schedule.
OCSD's Records Management Specialist will assist in making such a determination. Preliminary drafts, notes, or interagency or intra-agency memoranda, which are not retained by OCSD in the ordinary course of business, are generally not considered to be Official OCSD Records subject to disclosure. Employees are encouraged to delete documents, which are not otherwise required to be kept by law or whose preservation is not necessary or convenient to the discharge of OCSD duties or the conduct of OCSD business.
4.2.5 A record of additions and deletions made in the course of creating a draft letter or memorandum need not be saved.
4.2.6 Periodically, OCSD receives requests for inspection or production of documents pursuant to the California Public Records Act, as well as demands by subpoena or court order for the production of evidence in connection with litigation. In the event of such a request, the applicable Department Head shall require all employees to make available relevant e-mail files to the extent e-mail is stored in the computer and not printed and filed. The employee having control over e-mail files, once he/she is made aware of the request, shall immediately print and transmit a hard copy of any computer files that either are or may be responsive to the request or subpoena to his/her Department Head.
4.2.7 E-mail records that are Official OCSD Records must be kept for the minimum retention periods identified in OCSD's Record Retention Disposition Schedule. Such e-mail records may not be destroyed except after approval of the Division Manager, Records Management Specialist, and General Counsel.
4.2.8 E-mail messages are subject to the same disclosure requirements as other public records. Requests from the public for e-mail records must be honored in the same manner as for other public records.
E-mail messages, which are determined to be Official OCSD Records must be accessible and retrievable during their entire retention period and are to be maintained in a manner which permits easy and timely retrieval.
4.3 ATTORNEY-CLIENT PRIVILEGED COMMUNICATIONS
4.3.1 Some messages sent, received or stored on OCSD e-mail systems will constitute confidential, privileged communications between OCSD and its attorneys. Attorney-client communications should not be forwarded without consulting the General Manager's office and/or the General Counsel's office.
4.4 CONFIDENTIAL INFORMATION
4.4.1 Most communications among OCSD employees are not considered confidential. However, certain communications, such as law enforcement investigations and personnel records, may be confidential or contain confidential information. Questions about whether communications are confidential should be discussed with the employee's supervisor.
4.4.2 Employees shall exercise caution in sending confidential information on the e-mail system as compared to written memoranda, letters or phone calls, because of the ease with which such information may be retransmitted or accessed.
4.4.3 Confidential information should not be sent or forwarded to individuals or entities not authorized to receive that information and should not be sent or forwarded to other OCSD employees not directly involved with the specific matter.
4.4.4 Steps must be taken while using e-mail to ensure messages are not inadvertently sent to the wrong individual. In particular, exercise care when using distribution lists to make sure all addressees are appropriate recipients of the information. Lists are not always current and individuals using lists should take measures to ensure lists are up-to-date.
4.4.5 Employees shall not discuss confidential information outside of the workplace.
4.4.6 Confidential information should not be reproduced unnecessarily.
4.4.7 Employees shall return all tangible forms of confidential information to OCSD upon termination of employment or upon OCSD's request.
5.0 PROCEDURE
5.1 All procedures necessary for compliance with this policy will be maintained and executed by OCSD Information Technology staff.
6.0 EXCEPTIONS
6.1 Exceptions are outlined in policy E90.00.
7.0 PROVISIONS AND CONDITIONS
7.1 Provisions and conditions are outlined in policy E90.00.
8.0 RELATED DOCUMENTS
8.1 Computer Security Act of 1987 (Public Law 100-235)
8.2 The California Public Records Act
8.3 Policy E90.00, Information Systems Management Policy
8.4 Policy E91.00, Computer End-User Policy
8.5 Policy E92.00, Software Policy
8.6 Policy E94.00, Internet Usage Policy
8.7 Policy E95.00, Computer Incident Response Policy
8.8 Policy E96.00, Change Control Policy
8.9 Policy E97.00, Remote Access Policy
8.10 Policy E98.00, Special Technology Policy
8.11 Policy F40.00, Use of District's Property

Orange County Sanitation District
Internet Usage
Policy Number: E94.00
Effective Date: December 15, 2004
Supersedes:
Approved by: Lisa L. Tomko

1.0 PURPOSE
1.1 To establish acceptable use guidelines of the Internet with Orange County Sanitation District (OCSD) computer resources.
2.0 ORGANIZATIONAL UNITS AFFECTED
2.1 The organizational units affected are outlined in policy E90.00.
3.0 DEFINITIONS
3.1 Internet - A worldwide network of computers, adhering to universal standards that are capable of exchanging data with each other.
4.0 POLICY
4.1 INTERNET ACCESS
4.1.1 Use of the Internet is becoming increasingly necessary for OCSD employees to provide effective and efficient public services. The efficient utilization of the Internet for communications and research can improve the quality, productivity, and general cost-effectiveness of the OCSD's work force. Internet capability and employee access is provided by OCSD on an "as needed" basis and is a revocable privilege.
4.1.2 Internet access and use of online services are business communication tools, which are made available to certain OCSD employees and other authorized users in order to enhance efficiency and effectiveness in the performance of job duties and OCSD related business and are to be used in accordance with generally accepted business practices and current laws. Use of the Internet or online services should be predominantly for the purpose of OCSD business activities or contain information essential for OCSD employees to accomplish business related tasks, and/or communication directly related to business, administration, or practices of OCSD.
4.1.3 OCSD reserves the right to monitor individual Internet access and use of online services for any purpose including, but not limited to, review, audit, and disclosure of all matters transmitted over OCSD computer resources or placed in its network storage.
4.1.4 Downloaded information including e-mail attachments shall be checked for virus contamination. The Information Technology Department has information available on how to scan for viruses.
4.1.5 Downloading large data images, video and graphics shall be timed so as not to impact the performance of OCSD network. Very large files shall be downloaded after normal working hours.
4.2 ACCEPTABLE USE OF THE INTERNET
4.2.1 Specifically acceptable uses of the Internet include:
• Communication and information exchange that is directly related to the mission, objectives, and business activities of OCSD.
• Communication and exchange of information for professional development, to maintain current training and education, or to discuss issues related to the employee or other job-related activities.
• Use for advisory, standards, research, analysis, and professional society activities related to the employee or other end-user work tasks or job-related duties.
• Announcement of new OCSD procedures, policies, rules, services, programs, information, or activities.
• Communication with professional associations, public agencies, universities, businesses, and/or individuals associated with the facilitation of OCSD related business, research, and/or continuing education.
• Authorized procurement of goods or services in accordance with applicable delegation of authority.
4.3 UNACCEPTABLE USE OF THE INTERNET
4.3.1 Specifically unacceptable uses of the Internet include:
• Downloading any program, software, or application from the Internet or online services without prior written approval from both a Department Director and the IT Director and without scanning such applications for viruses before they are run, stored, or accessed.
• Downloading or distributing pirated software or data.
• Deliberately propagating any virus or any other destructive programming.
• Downloading entertainment software or games.
• Uploading any software licensed to OCSD or data owned or licensed by OCSD without the prior written authorization from both a Department Director and the IT Director.
• Releasing and/or disseminating any OCSD confidential information.
• Intentionally introducing OCSD's computer systems to, or experimenting with, malicious computer code(s), such as computer worms or viruses.
• Transmitting any material or information on the Internet or through the use of online services in violation of applicable copyright laws or patents.
• Using any Internet access or online services that are likely to result in the loss of any recipients' work or which could cause congestion on OCSD's electronic network or which could otherwise interfere or disrupt OCSD's local area network users, services, or equipment.
5.0 PROCEDURE
5.1 All procedures necessary for compliance with this policy will be maintained and executed by OCSD Information Technology staff.
6.0 EXCEPTIONS
6.1 Exceptions are outlined in policy E90.00.
7.0 PROVISIONS AND CONDITIONS
7.1 Provisions and conditions are outlined in policy E90.00.
8.0 RELATED DOCUMENTS
8.1 Computer Security Act of 1987 (Public Law 100-235)
8.2 The California Public Records Act
8.3 Electronic Communications Privacy Act of 1986
8.4 All Federal and State Copyright laws
8.5 Policy 830.00, Harassment Policy
8.6 Policy E90.00, Information Systems Management Policy
8.7 Policy E91.00, End-User Policy
8.8 Policy E92.00, Software Policy
8.9 Policy E93.00, E-mail Policy
8.10 Policy E95.00, Computer Incident Response Policy
8.11 Policy E96.00, Change Control Policy
8.12 Policy E97.00, Remote Access Policy
8.13 Policy E98.00, Special Technology Policy
8.14 Policy F40.00, Use of District's Property

Orange County Sanitation District
Computer Incident Response
Policy Number: E95.00
Effective Date: December 15, 2004
Supersedes:
Approved by: Lisa L. Tomko

1.0 PURPOSE
1.1 Establish uniform policies and procedures for response to computer-related incidents.
1.2 Establish escalation policies.
2.0 ORGANIZATIONAL UNITS AFFECTED
2.1 The organizational units affected are outlined in policy E90.00.
3.0 DEFINITIONS
3.1 Escalation - Providing additional resources (managerial or technical) in order to solve a problem.
3.2 Digital Signature - A technical means by which computer-readable files can be shown as unmodified by the collection time.
3.3 Intrusion - Gaining access by unauthorized means.
3.4 Sabotage - Deliberate destruction of data or property.
4.0 POLICY
4.1 All collected information regarding Computer Incident Response activities must be kept confidential.
4.2 All media inquiries will be directed to the Communications Division regarding any incident.
4.3 The Computer Incident Response Team (CIRT) will consist of:
• Information Technology management or designees.
• Human Resources management or designees.
• Other staff and/or agencies may be involved as needed.
4.4 It is the CIRT's responsibility to communicate status and information to Orange County Sanitation District (OCSD) management.
4.5 CIRT's primary duties are:
• Establish governing security procedures for all computer-related resources.
• To minimize damage to OCSD internal and external computer related resources.
• Assist and/or marshal resources sufficient to recover from an incident.
• Gather evidence and preserve it for future analysis and possible legal action.
• In conjunction with senior management and other staff, create and prioritize a list of possible contingencies and create a plan that addresses each contingency.
• Perform risk and cost-benefit analysis for prevention and/or remediation of typical computer-related incidents. These include but are not limited to:
  o Local disasters including earthquakes, floods, fire and terrorist activity.
  o Denial of service attacks.
  o External and internal intrusion.
  o External site vandalism.
  o Internal virus or worm attack.
  o Theft of proprietary information.
  o Sabotage.
• Ensure appropriate resources such as staff and parts are readily available to deal with any computer incident contingency.
4.6 The CIRT is expected to follow chain-of-evidence procedures. These include but are not limited to:
• Electronic records and logs must include a time stamp and be digitally signed.
• All evidence must be documented in the appropriate log.
• Document all relevant conversations.
• All documents and other relevant material must be stored in a secure location under lock and key.
• If necessary, seek guidance from legal counsel.
5.0 PROCEDURE
5.1 All procedures necessary for compliance with this policy will be maintained and executed by OCSD Information Technology staff.
6.0 EXCEPTIONS
6.1 Exceptions are outlined in policy E90.00.
7.0 PROVISIONS AND CONDITIONS
7.1 Provisions and conditions are outlined in policy E90.00.
8.0 RELATED DOCUMENTS
8.1 Computer Security Act of 1987 (Public Law 100-235)
8.2 The California Public Records Act
8.3 Electronic Communications Privacy Act of 1986
8.4 Policy E90.00, Information Systems Management Policy
8.5 Policy E91.00, End-User Policy
8.6 Policy E92.00, Software Policy
8.7 Policy E93.00, E-mail Policy
8.8 Policy E94.00, Internet Usage Policy
8.9 Policy E96.00, Change Control Policy
8.10 Policy E97.00, Remote Access Policy
8.11 Policy E98.00, Special Technology Policy
8.12 Policy F40.00, Use of District's Property

Orange County Sanitation District
Change Control
Policy Number: E96.00
Effective Date: December 15, 2004
Supersedes:
Approved by: Lisa L. Tomko

1.0 PURPOSE
1.1 To establish a uniform method for Orange County Sanitation District's (OCSD) computer-oriented change control.
2.0 ORGANIZATIONAL UNITS AFFECTED
2.1 The organizational units affected are outlined in policy E90.00.
3.0 DEFINITIONS
3.1 Change control - The planned process of modifying computer-related hardware or software.
3.2 Backup - A copy of a disk image.
3.3 Patch - A "small" fix that targets a "few" operating systems or application problems.
3.4 Server - A large computer, resident on the network, that supports shared resources.
3.5 Service Pack - A "large" fix that targets multiple problems.
4.0 POLICY
4.1 Only authorized Information Technology staff will initiate or perform any upgrades or changes to any computer or networking system.
4.2 Information Technology staff must verify that all patches and service packs are digitally signed or originate from a vendor's distribution media.
4.3 Prior to installation on production computers, patches and service packs must be evaluated on test computers. As much as practicable, test computers must duplicate the production environment. Detailed notes will be kept in a log book.
If required, formal installation procedures may need to be created and/or modified.
4.4 Except in emergencies or with the approval of Information Technology management, a full backup is required before any patches or service packs are installed on any production server. Detailed notes of the operation will be kept in a log book.
4.5 Log entries must contain the following information: date, time, person, problem description, change/fix description, and the results. Anything else deemed useful should also be noted.
5.0 PROCEDURE
5.1 All procedures necessary for compliance with this policy will be maintained and executed by OCSD Information Technology staff.
6.0 EXCEPTIONS
6.1 Exceptions are outlined in policy E90.00.
7.0 PROVISIONS AND CONDITIONS
7.1 Provisions and conditions are outlined in policy E90.00.
8.0 RELATED DOCUMENTS
8.1 Computer Security Act of 1987 (Public Law 100-235)
8.2 The California Public Records Act
8.3 Electronic Communications Privacy Act of 1986
8.4 Policy E90.00, Information Systems Management Policy
8.5 Policy E91.00, End-User Policy
8.6 Policy E92.00, Software Policy
8.7 Policy E93.00, E-mail Policy
8.8 Policy E94.00, Internet Usage Policy
8.9 Policy E95.00, Computer Incident Response Policy
8.10 Policy E97.00, Remote Access Policy
8.11 Policy E98.00, Special Technology Policy
8.12 Policy F40.00, Use of District's Property

Orange County Sanitation District
Remote Access
Policy Number: E97.00
Effective Date: December 15, 2004
Supersedes:
Approved by: Lisa L. Tomko

1.0 PURPOSE
1.1 Establish uniform policies and methods for all types of computer-to-computer connections for Orange County Sanitation District (OCSD) computer resources using a variety of techniques.
2.0 ORGANIZATIONAL UNITS AFFECTED
2.1 The organizational units affected are outlined in policy E90.00.
3.0 DEFINITIONS
3.1 Authentication - The act of verifying the identity of a user or computer.
3.2 Encryption - The coding or scrambling, using sophisticated techniques, of information to prevent third parties from "reading" it.
3.3 Modem - A device used to access remote computers or networks utilizing a phone line as the transmission media. Note that a modem has the potential to bypass all network-edge security measures.
3.4 VPN - Functionality that allows the accessing of remote networks utilizing the Internet as the transmission media.
3.5 Vetting - The procedural process of appraising or examining access.
4.0 POLICY
4.1 MODEMS
4.1.1 Modems must always be the last solution to consider due to the inherent lack of security.
4.1.2 No modem shall be connected to any OCSD computer without the express approval of Information Technology management.
4.1.3 No modem will be configured to auto-answer without the express approval of Information Technology management.
4.1.4 External modems will be used with desktop computers.
4.1.5 It is the end-user's responsibility to ensure the external modem is always turned off when not in use.
4.1.6 Unless directed by Information Technology, end-users will never modify a modem or an associated software configuration.
4.1.7 A modem shall never be installed on any OCSD computer that does not have functioning and recently updated antivirus software.
4.2 VENDOR CONNECTION
4.2.1 Approved and authorized vendors may remotely connect to OCSD's network after vetting by Information Technology.
4.2.2 Vendors must submit a statement detailing the antivirus and firewall software installed on the computer being used to connect to OCSD's network. Information Technology staff shall review the submitted document before allowing access.
4.2.3 OCSD managers must request remote access and Information Technology staff must determine if the vendor meets OCSD's security requirements.
4.3 GENERAL
4.3.1 Accessing outside e-mail services from any computer connected to OCSD's network is strictly prohibited.
4.3.2 Non-OCSD computers and/or computer equipment are never to be connected to OCSD's network without the express written permission of Information Technology management.
4.3.3 Non-OCSD computers or computer equipment are not to be stationed at any OCSD facility without the express written permission of Information Technology management.
4.3.4 All computers connecting to the network from external locations must have current antivirus and firewall software installed.
4.3.5 With managerial approval, staff requiring access to OCSD's network will be issued laptops.
4.3.6 OCSD managers must request remote access for their staff.
4.3.7 If required by an investigation, any computer used to access OCSD's network, by any means, may be impounded for an indefinite period.
4.3.8 Computers connecting to OCSD's network must be configured in a manner such that the networking password must be entered immediately prior to each connection. Do not allow the password to be saved.
4.4 INFORMATION TECHNOLOGY
4.4.1 Consistent with recommended security practices, the needs of OCSD and the capability of the involved hardware and software, the highest level of authentication and data encryption methods shall be used.
4.4.2 Routinely, the remote access logs will be examined for unusual activity.
4.4.3 OCSD-resident remote access servers will be set to a "default deny" configuration.
5.0 PROCEDURE
5.1 All procedures necessary for compliance with this policy will be maintained and executed by OCSD Information Technology staff.
6.0 EXCEPTIONS
6.1 Exceptions are outlined in policy E90.00.
7.0 PROVISIONS AND CONDITIONS
7.1 Provisions and conditions are outlined in policy E90.00.
8.0 RELATED DOCUMENTS
8.1 Computer Security Act of 1987 (Public Law 100-235)
8.2 The California Public Records Act
8.3 Electronic Communications Privacy Act of 1986
8.4 Policy E90.00, Information Systems Management Policy
8.5 Policy E91.00, End-User Policy
8.6 Policy E92.00, Software Policy
8.7 Policy E93.00, E-mail Policy
8.8 Policy E94.00, Internet Usage Policy
8.9 Policy E95.00, Computer Incident Response Policy
8.10 Policy E96.00, Change Control Policy
8.11 Policy E98.00, Special Technology Policy
8.12 Policy F40.00, Use of District's Property

Orange County Sanitation District
Special Technology
Policy Number: E98.00
Effective Date: December 15, 2004
Supersedes:
Approved by: Lisa L. Tomko

1.0 PURPOSE
1.1 To establish configuration/deployment policies for families of technology that, if mis-configured, would expose Orange County Sanitation District's computer resources to a high level of risk.
2.0 ORGANIZATIONAL UNITS AFFECTED
2.1 The organizational units affected are outlined in policy E90.00.
3.0 DEFINITIONS
3.1 Access Point (AP) - A device that connects wireless computers together and may also connect to the corporate network.
3.2 Content Creator - Any staff member that creates, makes available, or publishes information on an Internet-facing server.
3.3 Domain - A logical grouping of computers that share security information and resources.
3.4 Internet - Any computer network external to OCSD's network.
3.5 Internet-Facing - A computer that is directly connected to the Internet.
3.6 WLAN - Wireless Local Area Network.
3.7 Scanning - The act of using an instrument to detect WLANs.
3.8 Server - A computer that shares a resource.
3.9 Standalone - A computer that is NOT part of OCSD's domain but is connected to OCSD's network.
3.10 Wireless - A family of technologies that enable networking between devices using radio signals as the medium.
4.0 POLICY
4.1 INTERNET-FACING SERVERS
4.1.1. Internet-facing servers are to be configured with the highest priority placed on security configurations.
4.1.2. If possible, all Internet-facing servers are to be configured as standalone servers.
4.1.3. All contractor-produced software is to be reviewed by Information Technology staff before being placed in service on all Internet-facing servers.
4.1.4. Confidential materials of any type are never to be placed on any Internet-facing Server and are the responsibility of the content creator.
4.1.5. No database is to be installed on any Internet-facing server unless approved by Information Technology management.
4.1.6. All applicable laws and regulations shall be followed while using OCSD computer resources.
4.2. WIRELESS
4.2.1. No access point shall be connected to OCSD's network without approval from Information Technology management.
4.2.2. No device shall be connected to any access point without approval from Information Technology management.
4.2.3. Never deploy an access point with the default configuration.
4.2.4. Information Technology shall configure all access points.
4.2.5. Periodically, Information Technology will "sweep" the plant areas to ensure that no "rogue" access points are functioning.
4.2.6. All wireless equipment must be approved by Information Technology staff.
4.2.7. Given the nature of wireless technology and the potential for bypassing standard security measures, Information Technology will ensure that all wireless equipment is well maintained and inspected frequently.
4.2.8. No computer connected to a home-based wireless LAN will access any OCSD computer or network-hosted resource without approval by Information Technology management.
5.0 PROCEDURE
5.1 All procedures necessary for compliance with this policy will be maintained and executed by OCSD Information Technology staff.
6.0 EXCEPTIONS
6.1 Exceptions are outlined in policy E90.00.
7.0 PROVISIONS AND CONDITIONS
7.1 Provisions and conditions are outlined in policy E90.00.
8.0 RELATED DOCUMENTS
8.1 Computer Security Act of 1987 (Public Law 100-235)
8.2 Electronic Communications Privacy Act of 1986
8.3 Policy E90.00, Information Systems Management Policy
8.4 Policy E91.00, End-User Policy
8.5 Policy E92.00, Software Policy
8.6 Policy E93.00, E-mail Policy
8.7 Policy E94.00, Internet Usage Policy
8.8 Policy E95.00, Computer Incident Response Policy
8.9 Policy E96.00, Change Control Policy
8.10 Policy E97.00, Remote Access Policy
8.11 Policy F40.00, Use of District's Property