The URL can be used to link to this page

Home My WebLink About025 03 cc: A \\ 1)!pt. t,k.,lo3 STATE OF WASHINGTON County of Jefferson In the Matter of establishing a Policy on Remote Access to Jefferson County's Computer Network RESOLUTION NO 25-03 WHEREAS, Jefferson County's information network resources are valuable to the employees, contractors, vendors and agents of Jefferson County and need to be protected from unauthorized use; and, WHEREAS, all components of the Jefferson County information network are property of the County and remain subject to County control, and successful operation of the network resources requires that users regard these resources as a shared resource and conduct themselves responsibly and courteously; and, WHEREAS, Jefferson County allows remote access to its' information network resources by employees, contractors, vendors and agents for work including, but not limited to, reading or sending electronic mail and viewing intranet, and web resources; and, WHEREAS, while the County encourages the use of the information network resource by County staff to improve communications and information exchange with citizens and others, certain restrictions are necessary to avoid improprieties and to ensure that established standards are met to reduce potential liability, the risk of inappropriate use, and possible adverse public perceptions. NOW, THEREFORE, BE IT RESOL VED, by the Board of County Commissioners that the following policy be adopted for the establishment, administration, maintenance and use of remote access services to the County's information network resources and that they hereby approve the Jefferson County Policy on Remote Access as Attachment A and the Acknowledgment of Remote Access Policy Form as Attachment H, which are hereby incorporated as part of this resolution. APPROVED AND ADOPTED this ~ day of -.JCAV'\e... ,2003. ;",,' ,-j---~:':~<'^" '\ ,,~r'~:6 " T Y C à ~,\ , " }~;,;~ v. " , ~;""," fH'~ · .,'-:' ...". 1" ~[f~<ri)··0:-~'.~:·~8··"".': "ó '.. .f" ":,'>". 4-t . -', " ~ ',' '/'''.<':;';'''j:.., ...... ,ö >~, "-:' -x-_;_;~-_:.-- j-~?:~~l:--.>-'-- .' j, :-;0 M,.- ....,' \, ...,.:.\:-;c"L",·"'*,- _ -·tI,'·:, , .. . .'...",.,", (A -(< . ',..' . ,. ... ,:,:,~l;:, ,!_",',,'~ .,." ..,,1,: .. .. . _ ~\.._ '"::':,,:C--:'''. - .. v ., "',.' " t','.---.-.' ---/" . 1# '.. ',.,',I..¡¡" ~;\ ...,> ·k~~·.... .......,. "'''-'" ... .!oI' ... .-"'t\ ATTESt:" 11 ~ C. \).\ . ~~CL{ilJ7~ Lorna Delaney, CMC G Clerk of the Board JEFFERSON COUNTY BO~ONERS Dan Titterness, Chair Vacant Commissioner District #3 RESOLUTION NO. 25-03 ATTACHMENT A Policy for Remote Access to the Jefferson County Computer Network Section 1.0 -- Subject Information network resources are available to County staff to improve communications and information exchange with citizens and others and to provide an information and research resource. While the County encourages the use of information network resources for these purposes, certain restrictions are necessary to avoid improprieties, reduce potential liability and the risk of inappropriate use, and possible adverse public perceptions. Jefferson County allows limited remote access to network resources on an as needed basis only, due to the potential for compromising the integrity of the computer network. Remote access shall be highly limited continuously monitored, and used for official County business purposes only. Section 2.0 -- Purpose The purpose of this policy is to establish, administer, maintain, and implement guidelines for the remote use of the County's information network resources including the Local Area Network/Wide Area Network (LAN/W AN), Internet, on-line services, and to define standards for connecting to Jefferson County's network fÌom a remote computer. These standards are to minimize the potential exposure to the County from damages that may result from unauthorized use of County resources. Section 3.0 - Affected Parties This policy applies to all authorized users of remote access privileges including County employees, contractors, vendors, other governmental agencies, privates agencies and agents for purposes of performing work on behalf of the County or accessing County information including reading or sending electronic mail and viewing and/or using internet/intranet web resources. Section 4.0 - References RCW 40.14 Preservation and Destruction of Public Records RCW 42.17 Open Public Records J.C. Resolution No.133-92 And Resolution No. 20-93 J.C. Resolution No. 17-98 Jefferson County Personnel Policy Manual Jefferson County Network, Internet, Intranet, and E-mail and Voice Mail Use Policy Section 5.0 - Definitions 5.1 Avproval Authority: The appropriate authorizing individual (department head, elected official, County Administrator or County Commissioner Chair and Information Services staff) as designated in Section 6.2 5.2 As Needed Basis: A set of factors for which remote access to the County network would be desirable, including but not limited to position held, percent of offsite work performed, critical nature of work performed or other factors considered by the approval authority. June 4, 2003 Remote Access Policy page 1 of 8 RESOLUTION NO. 25-03 ATTACHMENT A 5.3 Authorization: Authorization is complete when the Acknowledgement of Remote Access Policy Form (Attachment "B") is fully executed and the remote access user has been issued a valid user ID and password. 5.4 Cable Modem: Cable companies such as AT&T Broadband provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet. 5.5 Damages: Damages include the loss of sensitive or county confidential data, intellectual property, damage to public image, damage to critical County internal systems, etc. 5.6 Dial-in Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. 5.7 Digital Subscriber Line (DSL): DSL is a form of high-speed Internet access competing with cable modems. DSL works over standard phone lines and supports data speeds of over 2 Mbps downstream (to the user) and slower speeds upstream (to the Internet). 5.8 Frame Relav: A method of communication that incrementally can go ftom the speed of an ISDN to the speed of a Tl1ine. Frame Relay has a flat-rate billing charge instead of a per time usage. Frame Relay connects via the telephone company's network. 5.9 Integrated Services Digital Networks (ISDN): There are two types ofISDN: BRI and PRI. BRI is used for home office/remote access. BRI has two "Bearer" channels at 64kbit (aggregate 128kb) and 1 D channel for signaling information. 5.10 Remote Access: Access to the County's network through a non-County controlled network, device, or medium. 5.11 Svlit tunneling: Simultaneous direct access to a non-County network (such as the Internet, or a home network) ftom a remote device (PC, PDA, W AP phone, etc.) while connected into the County's network via a VPN tunnel. 5.12 Telecommuting: The type of work situation when an employee works at home and communicates with the employer by telephone, often including the transfer of computerized data. 5.13 VPN Virtual Private Network (VPN): A method for accessing a remote network via "tunneling" through the Internet. Section 6.0 - General 6.1 - Authorization: Authorization is required for all remote access to the County computer systems. An individual request is required for each position and the incumbent employee. The request shall include a brief description of the need for remote access. June 4, 2003 Remote Access Policy page 2 of 8 RESOLUTION NO. 25-03 ATTACHMENT A 6.2 - Authorizing Authority: The appropriate authorizing authority depends on the Department and/or position ofthe person seeking remote access. 6.2.1. - County Administrator/Commissioners: The Chair of the Board of County Commissioners shall be the appropriate authorizing individual for any Commissioner or the County Administrator. 6.2.2. - Non-Elected Department Heads: The County Administrator shall be the appropriate authorizing individual for any non-elected department director. 6.2.3 - County employees: Employees seeking remote access must receive authorization from the Department Head/Elected Official of the department of assignment. 6.2.4. - Vendors, consultants, or other outside entities: Vendors, consultants, or other outside entities who request remote access in order to conduct business with, or on behalf of, a County department must receive authorization from the Department Head/Elected Official of that department. 6.3 -- Privacy: An employee's rights while using remote access to the County's computer network does not include the right to privacy. 6.4 - Monitoring: All electronic communications and content presented to and/or passed to and from remote access connections, may be monitored, examined, saved, read, transcribed, stored or retransmitted in the course of daily operations by any duly authorized employee or agent of the County in the exercise of their duties. 6.4.1 Electronic Monitoring: Electronic communications and content may be examined by automated means. The County retains the right to keep, retrieve and monitor all records of access to County information systems. 6.4.2 Communications may be Rejected: The County reserves the right to reject from the network, electronic communications and content deemed not to be in compliance with the policy(ies) governing the use of information systems at the County. 6.4.3 Implied Consent: By using remote access service, users give the County permission to conduct each of the operations described above. 6.5 - Time Period of Remote Access: Remote access service is only authorized for the period of time the authorized user remains associated with the County. Authority ends at the termination of employment, termination of a contract, or when remote access is no longer offered by the County. 6.6 - Exceptions to the Policy: This policy is not applicable to remote access provided to third parties through agreements approved by the Board of County Commissioners, either already existing or in the future, which mayor may not involve a fee for the access the County's computer system. Such agreements shall delineate the terms, conditions and nature of the access provided and shall supersede any provisions in this policy. June 4, 2003 Remote Access Policy page 3 of 8 RESOLUTION NO. 25-03 ATTACHMENT A 6.7 - Restrictions on Remote Access: In order to protect the County and its resources restrictions will be placed on the use of remote access dependent on level and duration of access requested 6.8 - Limit, Suspend or Terminate: Remote access service may be limited, suspended or terminated in cases of suspected or known wrongdoing, with or without notice to a user. 6.8.1 Limitation on Duration and Number of Sessions: The County reserves the right to limit the duration and number of available remote access sessions. In all cases, the sole discretion of the County shall apply. 6.8.2 - Unlawful Use: Unlawful use of remote access to the County's network may result in disciplinary action and/or criminal action against the offender. 6.9 - Ownership of Work Products: Work done at a remote location is official County business. All work products such as files, tables, reports, databases, programs and other content created during remote access are considered official records, and are the property of the County, except as stipulated in Intellectual Property or other formal legal agreements that may exist between a user and the County. 6.10 - Public Disclosure: Electronic records created by users ofthe County's network are generally considered public records under Washington State's Public Disclosure Act (Ch. 42.17 RCW) and as such are subject to the law governing retention (Ch. 40.14 RCW) of public records. 6.10.1- Electronic Mail: Electronic mail communications constitute public records and the County has the right to access or monitor messages for work-related purposes, security or to respond to records requests. Therefore, no assumption should be made as to privacy on the County's electronic mail system. 6.10.1- Offsite Copies: Offsite printed copies of remotely accessed information must be protected from unauthorized access or disclosure. Proper protective measures include securing materials when unattended and shielding materials from unauthorized viewing. Proper disposal procedures include shredding or obliteration of sensitive information prior to disposal. 6.11 - Policy Violations: Any Employee who willfully or knowingly violates this policy may be subject to disciplinary action, up to and including termination of employment. Where a possible or actual policy violation is identified, the appropriate department head/elected official will undertake a review and initiate appropriate action in accordance with County policy. The County may provide evidence of possible illegal or criminal activity to law enforcement authorities. 6.12 - Liability: The County assumes no liability or responsibility for any damages or losses of any kind to personally owned property or the property of parties other than the County that may occur as a result of, or incident to, the use of remote access. Remote access users agree to accept responsibility for all transactions conducted under their user ID. June 4, 2003 Remote Access Policy page 4 of 8 RESOLUTION NO. 25-03 ATTACHMENT A Section 7.0 - Procedures 7.1 -- Conduct of Official County Business: Remote access is provided by the County solely for the conduct of County related business. 7.1.1. - Personal Use Prohibited: Personal, family, private or commercial use of remote access is prohibited. 7.1.2 -- Telecommuting: This policy is not an authorization to engage in telecommuting, but is intended to allow limited off-site or mobile computing by providing varied levels of access when it is in the best interests of the County. 7.1.3 - Time Worked: Time spent by a non-exempt employee working by remote access is to be included in the employees time worked. Non-exempt employees will receive prior approval for work outside their normal schedule and must provide proof of time spent on remote access for payroll purposes. 7.2 - Initial Access: Each request will be approved for a specific initial period of access. The need for continued access will be reviewed 30 days prior to the expiration of the approved access period. 7.3 - Copying Data to Remote Computer: Data obtained from the County information system may be temporarily copied via remote access to remote computers, only to the extent necessary to fulfill the officially designated job responsibilities of the user. 7.3.1 - Return of County Data: Users agree to immediately return all County data at termination of employment or role or upon expiration of authorized remote access use. 7.3.2 - Access to Stored County Data: Users agree not to provide access to County data stored on remote computers with anyone, except as explicitly authorized in writing by their department head or elected official. 7.4 - Storage of Private or Personal Data on County System: Remote access service may not be used to copy private or personal information such as information residing on privately owned computers to County files or other County-owned information systems. SECTION 8.0 - Responsibilities 8.1 Elected Official/Department Head Responsibilities: Elected Official/Department Heads are responsible for determining which employees, vendors, contractors, or others require remote access to the County information network resources and for coordinating the authorization and installation with the Information Services Division. 8.1.1 Licensing/Copyright Acknowledgements: The Department Head/Elected Official is responsible to assure that the remote access user has fulfilled all licensing requirements and copyright acknowledgement of files downloaded from the internet. June 4, 2003 Remote Access Policy page 5 of 8 RESOLUTION NO. 25-03 ATTACHMENT A 8.2 Information Services Division of Central Services Responsibilities: The Information Services staff is responsible for securing all of the County networks and computers against unauthorized access and abuse. 8.2.1 Information Services Approval: Information Services Division must approve before remote access can be established. The Information Services staff must ensure that the security and integrity of the County's information systems are maintained, and that the computer system has the capacity and ability to accommodate such requests. 8.2.1.1 Remote Access Implementations: Remote access implementations include but are not limited to dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems. Information Services staff will determine the best implementation method for each request. 8.3 Remote Access User Responsibilities: All remote access users are responsible for adhering to local, State and federal and international laws and regulations. Remote access users must ensure that their remote access connection is used in compliance with the applicable sections of the Jefferson County Personnel Manual. 8.3.1 Proper Use of Electronic Mail (E-mail): The remote access user of electronic mail will not send harassing, obscene or other threatening material; send messages selling personal items and services; solicit for non-County sponsored activities or distribute for and/or promote outside organizations, pursuant to Resolution No. 17-98 Jefferson County Network, Internet, Intranet, and E-mail and Voice Mail Use Policy. 8.3.1.1 Remote access users shall not use non-County e-mail accounts (i.e., Hotmail, Yahoo, AOL), or other external resources to conduct County business to ensure that official business is never confused with personal business. 8.3.2 Proper Use of User ID: All remote access users are responsible for the activity performed with their personal user Ids. 8.3.2.1 User Id's must never be shared with associates, friends, family members, or others. 8.3.2.2 User-Ids may not be utilized by anyone but the individuals to whom they have been issued. Similarly, users are forbidden ITom performing any activity with user Ids belonging to other individuals. 8.3.3 Use by Others: General access to the Internet for recreational use by immediate household members through the County Network on a personal computer is not permitted. 8.3.4 Split Tunneling: Remote access users must ensure that their County owned or personal computer or workstation, which is remotely connected to County's network, is not connected to any other network (split tunneling) at the same time, with the exception of personal networks that are under the complete control of the user. 8.3.5 Minimum Authentication Requirements: PC's with VPN connections configured for access to the County network must meet minimum authentication requirements of Smart Cards. June 4, 2003 Remote Access Policy page 6 of 8 RESOLUTION NO. 25-03 ATTACHMENT A 8.3.6 Anti-Virus Protection: Remote access users must use the most up-to-date anti-virus software and repair program and an active personal firewall system for personal computers. 8.3.7 Expenses Incurred: Expenses incurred by users in connecting to remote access services is the sole responsibility of the remote access user except to the extent such expenses are incurred during approved County related business travel. 8.3.8 Software Licenses: All off-site use of County software will be under proper license in accordance with County policies. Fulfilling all licensing requirements and copyright acknowledgement of files downloaded from the Internet is the responsibility of the remote access user and the Department Head/Elected Official. 8.3.8.1 The copying of copyrighted materials, such as third-party software, without the express written permission of the owner or the proper license is prohibited. 8.3.9 Confidentiality: All remote access users are required to honor and observe the rules of confidentiality and protection of privacy when accessing and using any information that resides on the County's information system. All disclosures of information must be in compliance with established County policies. 8.3.10 Incidents of Unauthorized Use: Remote access users agree to immediately report all incidents involving suspected or actual unauthorized access, disclosure, alteration, loss, damage or destruction of data to the Information Services Division of Central Services. 8.3.10.1 Any deliberate action that damages or disrupts a computer system, or causes it to malfunction is prohibited. 8.3.10.2 The use of systems or networks in the attempt to gain unauthorized access to remote systems is prohibited. 8.3.10.3 Intentional attempts to "crash" Network systems or programs are prohibited. 8.3.10.4 Willfully introducing a computer "virus" or other disruptive or destructive program into the County's networks or into external networks is a punishable disciplinary offense. June 4, 2003 Remote Access Policy page 7 of 8 RESOLUTION NO. 25-03 ATTACHMENT B ACKNOWLEDGMENT OF REMOTE ACCESS POLICY Acknowledgment of Remote Access Policy 1. Please read the Remote Access Policy regarding use of County network resources. 2. Complete the form. 3. Obtain required departmental/company approvals. 4. Return this page to: Jefferson County Information Services Division. P.O. Box 1220 Port Townsend, W A 98368 I have read and agree to abide by the terms of the Remote Access Policy regarding use of the County network resources. Printed Name User ID Title Phone Department/Company Phone Signature Date Supervisory Approval Supervisory approval is required for all remote access requests. Department Head/Elected Official Title Signature Date Information Services Approval Information Services Signature Date Remote access effective from , _, through This Agreement shall be effective upon execution of the Agreement by both parties. It is understood and agreed by the parties that this Agreement may be terminated by the County at any time it determines it is in the best interest ofthe County to do so.