Date posted: 23-Dec-2015
1
Acceptable Use
Information Forum
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services
Enterprise Security Office
2
Agenda
Welcome and introductions
Acceptable Use Policy -- Overview
Agency Panel
  Tim Avilla, Dept. of Transportation
  Mary Loftin, Lottery
  Doug Juergensen, Dept. of Fish and Wildlife
Q&A
3
Acceptable Use Policy
DAS Director established committee of agency heads to develop statewide policy
Policy 107-004-110 approved and signed October 2007
Flexibility for agencies to tailor policies to meet business needs
4
Acceptable Use Policy
Purpose
  Inform users of acceptable use of state agency information, computer systems and devices
State Business
  Information, systems and devices are available to optimize business processes
  Agencies will establish policies to enable compliance, deter misuse, and identify violations
5
Acceptable Use Policy
State Business (continued)
  Missions or functions permitted by law are not prohibited by any part of the policy
  Agencies can approve and document exceptions
  Agencies can adopt more restrictive policies
  Users are responsible for complying with the policy
6
Acceptable Use Policy
Systems and Information are State Property
  Information, systems and devices are for business purposes only
  No systems or information are the private property of any user
  Agencies are responsible for controlling, monitoring, and protecting information assets
7
Acceptable Use Policy
Access and Control
  Agencies are responsible for giving and monitoring access only to systems and information users need to do their work
  Agencies are responsible for removing access in a timely manner
8
Acceptable Use Policy
Professional Conduct
  Use of state information assets shall not be false, unlawful, offensive, or disruptive
Legal Compliance
  Use must comply with copyrights, licenses, contracts, intellectual property rights and laws
Security
  Use will respect the confidentiality of other users’ information
9
Acceptable Use Policy
Data Integrity
  Users will not knowingly destroy, misrepresent, or otherwise change data stored in state information systems
Operational Efficiency
  Use of information will be done in a way that does not impair the availability, reliability or performance of processes or systems
10
Acceptable Use Policy
Accounts and Account Passwords
  Users will be authorized and authenticated to use information assets
Downloads
  Non-approved software, including screen-savers, cannot be downloaded or installed from the Internet or other sources without prior agency consent
11
Acceptable Use Policy
Remote Login
  Access to agency networks from remote locations is not allowed except through agency-approved and agency-provided systems or software
  Agencies may allow access from non-state devices to access e-mail through a Web page
12
Acceptable Use Policy
Use of E-Mail
  State-related business use only
  Agencies may allow employees limited, incidental personal use
  E-mails are public record
  Must comply with archiving and public records laws
  Confidential information sent by e-mail must be properly protected
13
Acceptable Use Policy
Hardware Installation
  Use of personal devices is not allowed without prior agency approval
  All hardware approved for use must be properly configured, protected, and monitored so it does not compromise state information assets
14
Acceptable Use Policy
Personal Use
  Using the Internet increases risk of security breaches
  State can only accept risk for business use
  Agencies can allow limited, incidental personal use
  Agency determines if use is personal or business
  Agencies can allow use of Instant Messaging (IM) and other alternatives for business purposes
  Agencies can allow use of streaming video/audio for business purposes
15
Acceptable Use Policy
Personal Use (continued)
  Agencies can allow users to play CDs or DVDs on state equipment as long as it does not interfere with work
  Users cannot transfer music from the CD to the workstation or notebook hard drive
  Audio CDs requiring software installation may not be played
  Peer-to-Peer (P2P) file sharing is prohibited
16
Acceptable Use Policy
Personal Use (continued)
  Personal hardware or software cannot be used to encrypt state or agency owned information without prior permission and direction from agency director
  State systems cannot be used for personal solicitation
  Agency-provided e-mail systems and Internet access for the public must be appropriately secured
17
Acceptable Use Policy
Monitoring
  Agencies are responsible for monitoring use of information systems and assets
  At a minimum, agencies will monitor on a random basis and for cause
  Monitoring systems or processes will be used to create reports to be reviewed by agency management
18
Agency Panel
Acceptable Use Policy
ODOT Focus Group
Tim Avilla, ODOT
19
Background
ODOT is in the process of developing an Acceptable Use Policy that:
  Supports the statewide policy
  Defines ODOT’s policy in areas of agency discretion
  Clearly communicates requirements to ODOT staff
IT Executive Steering Committee (ESC) is responsible for recommending a policy to all ODOT management
20
Background
ESC has been surveyed and reached consensus in many areas, but not regarding personal use of Internet and e-mail
  No personal use: There is no business reason to allow it and it exposes us to unnecessary risk
  Allow limited/incidental use: We want to attract and retain talented staff and we don’t need to micromanage staff; abuses of the privilege should be handled as a performance issue
21
Background
ESC wanted to gain a better understanding of the point of view of our younger staff
  ODOT staff in their twenties
  Worked for ODOT at least 6 months
  Work in the Salem area
22
Current Perceptions
What is your understanding of allowable personal use of Internet access and e-mail at work?
How did you come to this understanding?
What is your perception of your co-workers’ personal use of Internet access and ODOT e-mail at work?
23
Current Perceptions
[Chart] I am aware of the rules and expectations around personal use of state email and the internet
Response categories: Strongly Agree, Agree Somewhat, No Opinion/Don’t Know, Disagree Somewhat, Strongly Disagree
Legend: DMV HQ/MC/CS/Hwy
24
Current Perceptions
[Chart] My coworkers follow the personal use portions of the Acceptable Use policy
Response categories: Strongly Agree, Agree Somewhat, No Opinion/Don’t Know, Disagree Somewhat, Strongly Disagree
Legend: DMV HQ/MC/CS/Hwy
25
Work Environment
How much did the policy around personal use of Internet and e-mail influence your decision to work and continue to work for ODOT? Why do you feel that way?
How much do you think the policy might influence others to work and continue to work for ODOT?
26
Work Environment
[Chart] How much did the policy around personal use of internet and e-mail influence your decision to accept a position at ODOT?
Response categories: Major influence, Some influence, No influence, No Opinion/Don’t Know
Legend: DMV HQ/MC/CS/Hwy
27
Work Environment
[Chart] How will the policy around personal use of internet and e-mail influence your decision to continue to work for ODOT?
Response categories: Major influence, Some influence, No influence, No Opinion/Don’t Know
Legend: DMV HQ/MC/CS/Hwy
28
Policy
What do you think the personal use policy should be?
What would an appropriate personal use policy include? Why?
29
Language
What does “limited/incidental” personal use mean to you?
How can we elaborate on that definition to make it clearer?
31
Agency Panel
The Oregon Lottery®
Approach to Acceptable Use
Mary Loftin, Public Affairs Manager
Oregon Lottery®
32
A Mission Driven Agency
The mission of the Oregon Lottery is to operate a lottery with the highest standards of integrity and security to earn maximum profits for the people of Oregon commensurate with the public good.
33
Background
Original E-Media Policy permitted employees to make “limited personal use” of Lottery equipment
New Lottery Acceptable Use Policy was adopted in December, taking us to “business use only”
The new policy is effective March 31, 2008
34
Why business use only?
Security based agency
Unique model in state government
Protect information systems
Lessons learned from other agencies
35
New Lottery Policy
Includes:
Definition of business use
Internet and e-mail use
  Approved Web sites
  Accidental access
  Emergency situation
Prohibited conduct
36
New Lottery Policy
Includes (continued):
Monitoring
Lottery-provided terminals, Wi-Fi, and public use
Attachment of ORS 164.377 – Computer Crimes
37
Communicating to Employees
Communicate
Train
Communicate again
38
Employee Reaction
Positive
  Dedication to security and integrity of our agency
  Provided transition period
  Provided alternative for personal use
Negative
  Removing personal photos from screen saver
  Inability to listen to music through computer
  Limited access to one of the non-business terminals for shift work employees
39
Other Topics
Web filtering
Public records
40
Agency Panel
Oregon Department of Fish and Wildlife (ODFW)
Acceptable Use of State Information Assets
Doug Juergensen
Information Systems Division Administrator, CIO
41
Background
Three major changes within the agency leading to current policy:
  Connectivity of offices
  Monitoring with Websense™
  Change in leadership
42
Background
Connectivity
  Information Systems Division supports 1100 user accounts at 85 offices
  All locations networked with DSL, cable, T1, fiber or satellite
  Previously, agency had no central network system and no effective method to manage desktops or monitor use
  Unable to deploy enterprise solution
43
Background
Monitoring
  Internet usage actively monitored by Websense™ in real time
  Application provides instantaneous and historical reports
  Previously, agency used manual process of collecting proxy logs and computer history
    Labor intensive
    Poor quality reports
    Identified IP address, not actual user
44
Background
Leadership
  Roy Elicker, ODFW Director, supports new policy within the context of an employee privilege, not a requirement
  Previously, agency lacked necessary controls and business practices for the director to allow personal use
  Business practices not well established
45
Why allow personal use?
Allowed by statewide policy
Technically, an improved and more directed policy
Agency director’s decision
Management aware of pitfalls
Agency better able to cope with the change
Director in favor of ‘work friendly’ workplace
Previously not able to monitor or support activity
Limited and incidental use of telephones
Had pledged to review the policy in years before
46
Why allow personal use?
Feedback from departing employees
Employee friendly
‘Trust’
Generational – ‘it’s how we communicate’
Working families
Allows for tighter IT control
Becomes a trade-off to implement better systems control and security practices
Align to common industry practice
47
Policy Creation
Current policy was well formed and contained no surprises. Agency was moving away from a very restrictive policy to one with limited, incidental use.
Started with existing policy on acceptable computer use
DAS statewide policy served as template
Retained original wording from DAS policy as much as possible
48
Policy Creation
Enhanced definitions section (Internet definition)
Reviewed for consistency in wording and terms (information asset, user)
Draft sent to Human Resources and executive leadership
Draft sent to technology managers and staff
Draft reviewed by labor management committee
Discussion at leadership meeting
49
Policy Creation
Final draft created based on input
Redefined any terms in response to questions
Final review by Human Resources and executive leadership
Announcement made by agency director via e-mail to entire agency
Implemented February 1, 2008
Total turn-around 2 to 3 months
50
Personal Use
ODFW policy Section R, Personal Use:
In general, any personal use of agency information assets is:
  For viewing purposes only and not transacting personal business or purchases
  Permitted during breaks or lunch periods but not before or after scheduled work times
  Does not negatively reflect on the agency or otherwise hamper productivity
51
Personal Use
  Incidental and respectful of co-workers
  A public record and open to discovery and audit
  Permitted on systems that are not in direct view by the public
  Allowed only as defined by policy
52
Personal Use
ODFW does not allow personal use of:
  Instant Messenger
  Contributing to a Chat room or Blog
  Downloading files, pictures, music, video
  Agency applications or installed Microsoft products (other than viewers)
  State assets other than expressly allowed by policy (USB keys, cameras, PDAs, and others)
53
What is incidental?
Incidental is defined as “happening, as an occasional event, without regularity, occurring as a chance or consequence.”
ODFW allows incidental personal use of the Web browser and e-mail with certain expectations/liberties
  For business purposes only unless explicitly allowed by policy
  Can be every day – breaks and lunch regardless of shift
54
What is incidental?
Does not use a consumable resource such as printers, CDs/DVDs
Satellite connectivity is a measured fee-based service and may be limited
Requires no support by the technical staff
55
What is incidental?
Other restrictions
  Computers that are clearly visible to the public
  Special purpose equipment (expensive, fragile)
  May create a negative perception of the agency
  Impacts agency business
56
Policy Support
Understanding and support of policy is required; otherwise the policy is not effective
Director’s Office
  “Please be mindful that personal use of state information assets is a privilege – not a requirement. If, as an agency, we are not able to successfully implement and follow this new policy, my decision to allow personal use may have to be revisited.” -- Director Roy Elicker
57
Policy Support
Agency Managers
  Executive level dialog
  Q&A session
IT Managers and staff (not above policy)
  Set expectations
  Involve employees in policy creation
Employees
  Training
  Ongoing clarification (Q&A)
58
Education
User training is essential for compliance
Message from the Director to set expectations
Posting of Q&A
All-staff e-mails explaining policy in common terms (no geek speak)
Team training for IT staff
59
Education
Team training for employees
At unit or division meetings
Nobody voluntarily talks about policy training; offer opportunities
One-on-one / opportunistic training
Use current examples
60
Challenges
Implementing Web monitoring
  Employees don’t think they are trusted; you’re watching everything they do
  Once monitoring is implemented, you will be disappointed by some employees (vice addicts)
Implementing policy
  Employees are not technology experts; many don’t understand the terms or issues (streaming video/audio, downloading applications)
  Without management support, policy is ineffective
61
Challenges
Most challenging question – State policy allows access to information related to state employment and rights per the union contract
  Does this allow unlimited use of the computer for job searching?
  Can I print my resume and other documents on state assets?
  Can I use agency applications (Word) to create my resume?
62
Challenges
  Can I send my documents home using my state e-mail?
  Can I bring my personal USB to transfer files?
63
Monitoring
Websense™
  Maintains a log of all Internet activity
  Implemented with ‘corporate risk’ policy (out of box functionality)
  Works with our proxy server, not in place of it
  Logs activity based on user login name, not computer IP
  Canned reports
  Custom HR reports
64
Monitoring
Random reports
Everyone is accountable, even IT
Set expectations when first implementing monitoring software
Discuss the outcome with HR and management
Don’t let a novice misinterpret Web logs
Learn to identify the difference between normal Web use and abuse
65
Employee Response
Employee feedback has been positive and supportive
Web activity slightly higher than previous months
No serious offenses so far
Some are still reluctant based on previous policy restrictions and fears
66
Summary
Need the support of the Director and management
IT staff must appreciate and support policy by example
Most users are not technology experts; use common terms and phrases
Be repetitive and consistent with your message, especially on key policy points
Monitor regularly using a simple process
67
Summary
Use opportunities to teach and/or enforce policy
Involve others, gain support
Explain why; acceptance is higher when you know the reason
Think through your policy creation and avoid future changes and confusion
What is incidental to you
Clearly define personal use
68
Questions?
69
For further information …
Theresa Masse, DAS Enterprise Security Office
(503) 378-4896, [email protected]@state.or.us
Tim Avilla, ODOT
(503) 986-3231, [email protected]@state.or.us
Mary Loftin, Oregon Lottery
(503) 540-1014, [email protected]@state.or.us
Doug Juergensen, ODFW
(503) 947-6261, [email protected]@state.or.us
70
Next Forum …
Mobile Devices
Policy Overview
Panel Presentation
April 21, 2008