1 Acceptable Use Information Forum Theresa A. Masse, State Chief Information Security Officer...

Date post: 23-Dec-2015
Upload: helen-griffith
Transcript
Page 1: 1 Acceptable Use Information Forum Theresa A. Masse, State Chief Information Security Officer Department of Administrative Services Enterprise Security.

Acceptable Use Information Forum

Theresa A. Masse, State Chief Information Security Officer

Department of Administrative Services, Enterprise Security Office

Page 2

Agenda
- Welcome and introductions
- Acceptable Use Policy -- Overview
- Agency Panel: Tim Avilla, Dept. of Transportation; Mary Loftin, Lottery; Doug Juergensen, Dept. of Fish and Wildlife
- Q&A

Page 3

Acceptable Use Policy
- DAS Director established committee of agency heads to develop statewide policy
- Policy 107-004-110 approved and signed October 2007
- Flexibility for agencies to tailor policies to meet business needs

Page 4

Acceptable Use Policy: Purpose
- Inform users of acceptable use of state agency information, computer systems and devices

State Business
- Information, systems and devices are available to optimize business processes
- Agencies will establish policies to enable compliance, deter misuse, and identify violations

Page 5

Acceptable Use Policy: State Business (continued)
- Missions or functions permitted by law are not prohibited by any part of the policy
- Agencies can approve and document exceptions
- Agencies can adopt more restrictive policies
- Users are responsible for complying with the policy

Page 6

Acceptable Use Policy: Systems and Information are State Property
- Information, systems and devices are for business purposes only
- No systems or information are the private property of any user
- Agencies are responsible for controlling, monitoring, and protecting information assets

Page 7

Acceptable Use Policy: Access and Control
- Agencies are responsible for giving and monitoring access only to systems and information users need to do their work
- Agencies are responsible for removing access in a timely manner

Page 8

Acceptable Use Policy: Professional Conduct
- Use of state information assets shall not be false, unlawful, offensive, or disruptive

Legal Compliance
- Use must comply with copyrights, licenses, contracts, intellectual property rights and laws

Security
- Use will respect the confidentiality of other users' information

Page 9

Acceptable Use Policy: Data Integrity
- Users will not knowingly destroy, misrepresent, or otherwise change data stored in state information systems

Operational Efficiency
- Use of information will be done in a way that does not impair the availability, reliability or performance of processes or systems

Page 10

Acceptable Use Policy: Accounts and Account Passwords
- Users will be authorized and authenticated to use information assets

Downloads
- Non-approved software, including screen-savers, cannot be downloaded or installed from the Internet or other sources without prior agency consent

Page 11

Acceptable Use Policy: Remote Login
- Access to agency networks from remote locations is not allowed except through agency-approved and agency-provided systems or software
- Agencies may allow non-state devices to access e-mail through a Web page

Page 12

Acceptable Use Policy: Use of E-Mail
- State-related business use only
- Agencies may allow employees limited, incidental personal use
- E-mails are public record
- Must comply with archiving and public records laws
- Confidential information sent by e-mail must be properly protected

Page 13

Acceptable Use Policy: Hardware Installation
- Use of personal devices is not allowed without prior agency approval
- All hardware approved for use must be properly configured, protected, and monitored so it does not compromise state information assets

Page 14

Acceptable Use Policy: Personal Use
- Using the Internet increases risk of security breaches
- State can only accept risk for business use
- Agencies can allow limited, incidental personal use
- Agency determines if use is personal or business
- Agencies can allow use of Instant Messaging (IM) and other alternatives for business purposes
- Agencies can allow use of streaming video/audio for business purposes

Page 15

Acceptable Use Policy: Personal Use (continued)
- Agencies can allow users to play CDs or DVDs on state equipment as long as it does not interfere with work
- Users cannot transfer music from the CD to the workstation or notebook hard drive
- Audio CDs requiring software installation may not be played
- Peer-to-Peer (P2P) file sharing is prohibited

Page 16

Acceptable Use Policy: Personal Use (continued)
- Personal hardware or software cannot be used to encrypt state or agency owned information without prior permission and direction from the agency director
- State systems cannot be used for personal solicitation
- Agency-provided e-mail systems and Internet access for the public must be appropriately secured

Page 17

Acceptable Use Policy: Monitoring
- Agencies are responsible for monitoring use of information systems and assets
- At a minimum, agencies will monitor on a random basis and for cause
- Monitoring systems or processes will be used to create reports to be reviewed by agency management

Page 18

Agency Panel: Acceptable Use Policy
ODOT Focus Group
Tim Avilla, ODOT

Page 19

Background
- ODOT is in the process of developing an Acceptable Use Policy that:
  - Supports the statewide policy
  - Defines ODOT's policy in areas of agency discretion
  - Clearly communicates requirements to ODOT staff
- IT Executive Steering Committee (ESC) is responsible for recommending a policy to all ODOT management

Page 20

Background
- ESC has been surveyed and reached consensus in many areas, but not regarding personal use of Internet and e-mail
  - No personal use: There is no business reason to allow it and it exposes us to unnecessary risk
  - Allow limited/incidental use: We want to attract and retain talented staff and we don't need to micromanage staff; abuses of the privilege should be handled as a performance issue

Page 21

Background
- ESC wanted to gain a better understanding of the point of view of our younger staff
  - ODOT staff in their twenties
  - Worked for ODOT at least 6 months
  - Work in the Salem area

Page 22

Current Perceptions
- What is your understanding of allowable personal use of Internet access and e-mail at work?
- How did you come to this understanding?
- What is your perception of your co-workers' personal use of Internet access and ODOT e-mail at work?

Page 23

Current Perceptions
[Bar chart: "I am aware of the rules and expectations around personal use of state email and the internet". Response categories: Strongly Agree, Agree Somewhat, No Opinion/Don't Know, Disagree Somewhat, Strongly Disagree. Series: DMV, HQ/MC/CS/Hwy. Y-axis: number of respondents (0 to 12); the bar values are not recoverable from the transcript.]

Page 24

Current Perceptions
[Bar chart: "My coworkers follow the personal use portions of the Acceptable Use policy". Response categories: Strongly Agree, Agree Somewhat, No Opinion/Don't Know, Disagree Somewhat, Strongly Disagree. Series: DMV, HQ/MC/CS/Hwy. Y-axis: number of respondents (0 to 9); the bar values are not recoverable from the transcript.]

Page 25

Work Environment
- How much did the policy around personal use of Internet and e-mail influence your decision to work and continue to work for ODOT? Why do you feel that way?
- How much do you think the policy might influence others to work and continue to work for ODOT?

Page 26

Work Environment
[Bar chart: "How much did the policy around personal use of internet and e-mail influence your decision to accept a position at ODOT?". Response categories: Major influence, Some influence, No influence, No Opinion/Don't Know. Series: DMV, HQ/MC/CS/Hwy. Y-axis: number of respondents (0 to 16); the bar values are not recoverable from the transcript.]

Page 27

Work Environment
[Bar chart: "How will the policy around personal use of internet and e-mail influence your decision to continue to work for ODOT?". Response categories: Major influence, Some influence, No influence, No Opinion/Don't Know. Series: DMV, HQ/MC/CS/Hwy. Y-axis: number of respondents (0 to 10); the bar values are not recoverable from the transcript.]

Page 28

Policy
- What do you think the personal use policy should be?
- What would an appropriate personal use policy include? Why?

Page 29

Language
- What does "limited/incidental" personal use mean to you?
- How can we elaborate on that definition to make it clearer?

Page 30

Agency Panel: The Oregon Lottery® Approach to Acceptable Use
Mary Loftin, Public Affairs Manager
Oregon Lottery®

Page 31

A Mission Driven Agency
The mission of the Oregon Lottery is to operate a lottery with the highest standards of integrity and security to earn maximum profits for the people of Oregon commensurate with the public good.

Page 32

Background
- Original E-Media Policy permitted employees to make "limited personal use" of Lottery equipment
- New Lottery Acceptable Use Policy was adopted in December, taking us to "business use only"
- The new policy is effective March 31, 2008

Page 33

Why business use only?
- Security based agency
- Unique model in state government
- Protect information systems
- Lessons learned from other agencies

Page 34

New Lottery Policy
Includes:
- Definition of business use
- Internet and e-mail use
  - Approved Web sites
  - Accidental access
  - Emergency situation
- Prohibited conduct

Page 35

New Lottery Policy
Includes (continued):
- Monitoring
- Lottery-provided terminals, Wi-Fi, and public use
- Attachment of ORS 164.377 – Computer Crimes

Page 36

Communicating to Employees
- Communicate
- Train
- Communicate again

Page 37

Employee Reaction
Positive
- Dedication to security and integrity of our agency
- Provided transition period
- Provided alternative for personal use

Negative
- Removing personal photos from screen saver
- Inability to listen to music through computer
- Limited access to one of the non-business terminals for shift work employees

Page 38

Other Topics
- Web filtering
- Public records

Page 39

Agency Panel
Oregon Department of Fish and Wildlife (ODFW)
Acceptable Use of State Information Assets
Doug Juergensen, Information Systems Division Administrator, CIO

Page 40

Background
Three major changes within the agency leading to current policy:
- Connectivity of offices
- Monitoring with Websense™
- Change in leadership

Page 41

Background: Connectivity
- Information Systems Division supports 1100 user accounts at 85 offices
- All locations networked with DSL, cable, T1, fiber or satellite
- Previously, agency had no central network system and no effective method to manage desktops or monitor use
- Unable to deploy enterprise solution

Page 42

Background: Monitoring
- Internet usage actively monitored by Websense™ in real time
- Application provides instantaneous and historical reports
- Previously, agency used manual process of collecting proxy logs and computer history
  - Labor intensive
  - Poor quality reports
  - Identified IP address, not actual user
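The monitoring slide above names the core weakness of the old manual process (proxy logs record an IP address, not the user), and the statewide Monitoring slide (Page 17) requires that monitoring produce reports for management review. The Python script below is an added example, not part of the forum materials or any agency's tooling: it joins constructed proxy log lines against a constructed address-lease log (the kind of record a DHCP server or network authentication system keeps) so that each request is attributed to the user who held the address at that moment, then builds a per-user summary next to the per-IP count the old approach would have produced. The log formats, hostnames, user names and addresses are all made up for the example.

```python
"""
Attribute proxy log requests to users by joining on address-lease history.

Added example, not from the forum slides. A proxy log identifies a client
IP address, not a person; if an address is reused during the reporting
period, a per-IP report silently merges two users' activity. Joining each
request against a timeline of which user held which address recovers the
user, and requests with no matching lease are reported as unattributed
rather than guessed. Every log line below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client IP, requested URL, HTTP status.
PROXY_LOG = """\
2008-02-01T09:02:11 10.1.4.22 http://intranet.example/payroll 200
2008-02-01T09:05:40 10.1.4.22 http://streaming.example/radio 200
2008-02-01T12:10:03 10.1.4.22 http://news.example/front 200
2008-02-01T14:30:15 10.1.4.22 http://p2p.example/tracker 403
2008-02-01T14:31:00 10.1.4.99 http://intranet.example/forms 200
"""

# Constructed lease/authentication log: user, IP, lease start, lease end.
# 10.1.4.22 is reused within the day: alice in the morning, bob from 13:00.
# 10.1.4.99 has no lease record at all.
LEASE_LOG = """\
alice 10.1.4.22 2008-02-01T08:00:00 2008-02-01T12:59:59
bob 10.1.4.22 2008-02-01T13:00:00 2008-02-01T17:00:00
"""


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_proxy(text):
    """One dict per proxy line; the URL is reduced to its host for reporting."""
    rows = []
    for line in text.splitlines():
        ts, ip, url, status = line.split()
        rows.append({"ts": parse_time(ts), "ip": ip,
                     "host": urlsplit(url).hostname, "status": int(status)})
    return rows


def parse_leases(text):
    """Map IP -> list of (start, end, user) intervals."""
    leases = defaultdict(list)
    for line in text.splitlines():
        user, ip, start, end = line.split()
        leases[ip].append((parse_time(start), parse_time(end), user))
    return leases


def user_for(ip, ts, leases):
    """Return the user holding `ip` at time `ts`, or None if no lease covers it."""
    for start, end, user in leases.get(ip, []):
        if start <= ts <= end:
            return user
    return None


def attribute(proxy_text, lease_text):
    """Join every proxy request to the user who held its source address."""
    leases = parse_leases(lease_text)
    return [{**r, "user": user_for(r["ip"], r["ts"], leases)}
            for r in parse_proxy(proxy_text)]


def report(rows):
    """Per-user summary for management review: requests, hosts, blocked count."""
    summary = defaultdict(lambda: {"requests": 0, "hosts": set(), "blocked": 0})
    for r in rows:
        key = r["user"] or f"unattributed:{r['ip']}"
        summary[key]["requests"] += 1
        summary[key]["hosts"].add(r["host"])
        if r["status"] == 403:
            summary[key]["blocked"] += 1
    return {k: {"requests": v["requests"], "hosts": sorted(v["hosts"]),
                "blocked": v["blocked"]} for k, v in summary.items()}


def ip_only_report(rows):
    """The old approach: count by address, which merges alice's and bob's traffic."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    attributed = attribute(PROXY_LOG, LEASE_LOG)
    for r in attributed:
        print(r["ts"].isoformat(), r["ip"], r["user"] or "-", r["host"], r["status"])
    print("per user:", report(attributed))
    print("per IP:  ", ip_only_report(attributed))
```

Run stand-alone it prints each request with its attributed user, then the two summaries. The per-IP count reports four requests for 10.1.4.22, hiding that the blocked p2p request belongs to bob and not alice; the joined report separates them and lists the 10.1.4.99 request as unattributed because no lease covers it. In practice the lease source must itself be reliable (static assignments, VPN session logs, or 802.1X accounting), since any gap in it turns into a wrong name on a management report.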

Page 43

Background: Leadership
- Roy Elicker, ODFW Director, supports new policy within the context of an employee privilege, not a requirement
- Previously, agency lacked necessary controls and business practices for the director to allow personal use
  - Business practices not well established

Page 44

Why allow personal use?
- Allowed by statewide policy
- Technically, an improved and more directed policy
- Agency director's decision
- Management aware of pitfalls
- Agency better able to cope with the change
- Director in favor of 'work friendly' workplace
- Previously not able to monitor or support activity
- Limited and incidental use of telephones
- Had pledged to review the policy in years before

Page 45

Why allow personal use?
- Feedback from departing employees
  - Employee friendly
  - 'Trust'
  - Generational – 'it's how we communicate'
  - Working families
- Allows for tighter IT control
  - Becomes a trade-off to implement better systems control and security practices
  - Align to common industry practice

Page 46

Policy Creation
- Current policy was well formed and contained no surprises. Agency was moving away from a very restrictive policy to one with limited, incidental use.
- Started with existing policy on acceptable computer use
- DAS statewide policy served as template
- Retained original wording from DAS policy as much as possible

Page 47

Policy Creation
- Enhanced definitions section (Internet definition)
- Reviewed for consistency in wording and terms (information asset, user)
- Draft sent to Human Resources and executive leadership
- Draft sent to technology managers and staff
- Draft reviewed by labor management committee
- Discussion at leadership meeting

Page 48

Policy Creation
- Final draft created based on input
- Redefined any terms in response to questions
- Final review by Human Resources and executive leadership
- Announcement made by agency director via e-mail to entire agency
- Implemented February 1, 2008
- Total turn-around 2 to 3 months

Page 49

Personal Use
ODFW policy Section R, Personal Use: In general, any personal use of agency information assets is:
- For viewing purposes only and not transacting personal business or purchases
- Permitted during breaks or lunch periods but not before or after scheduled work times
- Does not negatively reflect on the agency or otherwise hamper productivity

Page 50

Personal Use
- Incidental and respectful of co-workers
- A public record and open to discovery and audit
- Permitted on systems that are not in direct view by the public
- Allowed only as defined by policy

52

Personal Use
ODFW does not allow personal use of:
- Instant Messenger
- Contributing to a chat room or blog
- Downloading files, pictures, music, video
- Agency applications or installed Microsoft products (other than viewers)
- State assets other than expressly allowed by policy (USB keys, cameras, PDAs, and others)

53

What is incidental?
- Incidental is defined as "happening, as an occasional event, without regularity, occurring as a chance or consequence."
- ODFW allows incidental personal use of the Web browser and e-mail with certain expectations/liberties
  - For business purposes only unless explicitly allowed by policy
  - Can be every day – breaks and lunch regardless of shift

54

What is incidental?
- Does not use a consumable resource such as printers, CDs/DVDs
- Satellite connectivity is a measured fee-based service and may be limited
- Requires no support by the technical staff

55

What is incidental?
- Other restrictions
  - Computers that are clearly visible to the public
  - Special purpose equipment (expensive, fragile)
  - May create a negative perception of the agency
  - Impacts agency business

56

Policy Support
- Understanding and support of the policy are required; otherwise the policy is not effective
- Director's Office:
  "Please be mindful that personal use of state information assets is a privilege – not a requirement. If, as an agency, we are not able to successfully implement and follow this new policy, my decision to allow personal use may have to be revisited." -- Director Roy Elicker

57

Policy Support
- Agency Managers
  - Executive level dialog
  - Q&A session
- IT Managers and staff (not above policy)
  - Set expectations
  - Involve employees in policy creation
- Employees
  - Training
  - Ongoing clarification (Q&A)

58

Education
- User training is essential for compliance
- Message from the Director to set expectations
- Posting of Q&A
- All-staff e-mails explaining policy in common terms (no geek speak)
- Team training for IT staff

59

Education
- Team training for employees
  - At unit or division meetings
  - Nobody voluntarily talks about policy training; offer opportunities
- One-on-one / opportunistic training
- Use current examples

60

Challenges
- Implementing Web monitoring
  - Employees don't think they are trusted; you're watching everything they do
  - Once monitoring is implemented, you will be disappointed by some employees (vice addicts)
- Implementing policy
  - Employees are not technology experts; many don't understand the terms or issues (streaming video/audio, downloading applications)
  - Without management support, policy is ineffective

61

Challenges
- Most challenging question – State policy allows access to information related to state employment and rights per the union contract
  - Does this allow unlimited use of the computer for job searching?
  - Can I print my resume and other documents on state assets?
  - Can I use agency applications (Word) to create my resume?

62

Challenges
  - Can I send my documents home using my state e-mail?
  - Can I bring my personal USB to transfer files?

63

Monitoring
- Websense™
  - Maintains a log of all Internet activity
  - Implemented with 'corporate risk' policy (out of box functionality)
  - Works with our proxy server, not in place of it
  - Logs activity based on user login name, not computer IP
  - Canned reports
  - Custom HR reports

64

Monitoring
- Random reports
- Everyone is accountable, even IT
- Set expectations when first implementing monitoring software
- Discuss the outcome with HR and management
- Don't let a novice misinterpret Web logs
- Learn to identify the difference between normal Web use and abuse
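As an added example (not part of the presentation and not ODFW's or Websense's code), the script below applies the personal-use rules from the preceding slides to a few constructed proxy-style log lines and produces the kind of per-user summary a "custom HR report" would contain. It keys on the login name rather than an IP, as the slide describes, and it separates entries that a reviewer should confirm ("review": personal browsing outside a break window) from activity the policy never permits as personal use ("violation": downloads, streaming, transacting a purchase). The log field layout, the category names, the break and lunch windows and the URL-path hints are all assumptions for the example, not Websense's actual log schema or category taxonomy.

```python
"""Review web-filter logs per user against an acceptable-use policy.

Added example: the tab-separated log lines, field layout and category
names are constructed for illustration and are not Websense's format.
"""
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample log: timestamp, login name, category, URL, bytes.
# Activity is attributed by user login name (as the slides describe),
# so the log carries a user column and the report keys on it, not on IP.
SAMPLE_LOG = """\
2008-02-04 09:12:03\tjdoe\tnews\thttp://news.example.com/story\t8123
2008-02-04 12:15:41\tjdoe\tshopping\thttp://shop.example.com/cart/checkout\t2210
2008-02-04 12:20:11\tjdoe\tnews\thttp://news.example.com/\t5120
2008-02-04 14:03:52\tjdoe\tstreaming\thttp://video.example.net/watch\t98342211
2008-02-04 10:47:19\tasmith\tbusiness\thttp://intranet.example.gov/forms\t1190
2008-02-04 15:30:02\tasmith\tnews\thttp://news.example.com/\t4096
2008-02-04 15:31:44\tasmith\tdownload\thttp://files.example.org/setup.exe\t41234567
"""

# From the ODFW slides: downloads, streaming, IM and chat are never
# permitted as personal use, whatever the time of day (assumed names).
NEVER_PERSONAL = {"download", "streaming", "instant_messaging", "chat"}
# Work-related categories (assumed names) need no personal-use check.
BUSINESS = {"business", "government"}
# Break and lunch windows are assumed for the example; in practice take
# them from the shift schedule ("breaks and lunch regardless of shift").
PERSONAL_USE_WINDOWS = [
    (time(10, 0), time(10, 15)),
    (time(12, 0), time(13, 0)),
    (time(15, 0), time(15, 15)),
]
# Assumed URL-path hints that "viewing only" turned into a purchase.
TRANSACTION_HINTS = ("/checkout", "/cart", "/order")


def parse_log(text):
    """Parse tab-separated lines: timestamp, user, category, url, bytes."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, category, url, size = line.split("\t")
        entries.append({
            "when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "category": category,
            "url": url,
            "bytes": int(size),
        })
    return entries


def in_personal_window(when):
    """True if the timestamp falls inside a break or lunch window."""
    t = when.time()
    return any(start <= t <= end for start, end in PERSONAL_USE_WINDOWS)


def classify(entry):
    """Return 'ok', 'review' or 'violation' for one log entry.

    'review' marks personal-category browsing outside a break window: the
    policy forbids it, but work-related reading looks identical in the log,
    so a person confirms before escalating.  'violation' is reserved for
    activity the policy never allows as personal use.
    """
    if entry["category"] in BUSINESS:
        return "ok"
    if entry["category"] in NEVER_PERSONAL:
        return "violation"
    if any(hint in entry["url"] for hint in TRANSACTION_HINTS):
        return "violation"  # transacting personal business, not viewing
    if in_personal_window(entry["when"]):
        return "ok"
    return "review"


def report(entries):
    """Aggregate verdicts per login name and collect the flagged entries."""
    summary = defaultdict(Counter)
    flagged = defaultdict(list)
    for e in entries:
        verdict = classify(e)
        summary[e["user"]][verdict] += 1
        if verdict != "ok":
            flagged[e["user"]].append(
                (e["when"].strftime("%H:%M"), verdict, e["category"], e["url"]))
    return dict(summary), dict(flagged)


if __name__ == "__main__":
    summary, flagged = report(parse_log(SAMPLE_LOG))
    for user in sorted(summary):
        print(user, dict(summary[user]))
        for item in flagged.get(user, []):
            print("   ", *item)
```

The "review" bucket is the safeguard behind "don't let a novice misinterpret Web logs": a news hit at 09:12 is not proof of abuse, so the script surfaces it for a reviewer to discuss with HR and management rather than labelling it a violation, while a download or a checkout page is flagged regardless of the time of day.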

65

Employee Response
- Employee feedback has been positive and supportive
- Web activity slightly higher than previous months
- No serious offenses so far
- Some are still reluctant based on previous policy restrictions and fears

66

Summary
- Need the support of the Director and management
- IT staff must appreciate and support policy by example
- Most users are not technology experts; use common terms and phrases
- Be repetitive and consistent with your message, especially on key policy points
- Monitor regularly using a simple process

67

Summary
- Use opportunities to teach and/or enforce policy
- Involve others, gain support
- Explain why; acceptance is higher when you know the reason
- Think through your policy creation and avoid future changes and confusion
  - What is incidental to you
  - Clearly define personal use

68

Questions?

69

For further information ...

Theresa Masse, DAS Enterprise Security Office
(503) 378-4896, [email protected]

Tim Avilla, ODOT
(503) 986-3231, [email protected]

Mary Loftin, Oregon Lottery
(503) 540-1014, [email protected]

Doug Juergensen, ODFW
(503) 947-6261, [email protected]

70

Next Forum ...

Mobile Devices
- Policy Overview
- Panel Presentation

April 21, 2008

