Last Time Around More than 23,000 employees electronically accepted the agreement Password issues with PeopleSoft – 2 completions, 1 HD call Your support was pivotal to the success
This Time Around Ethics and sexual harassment training experience and improvements in ELM Active Directory password integration with PeopleSoft Agency controlled reporting
IRUA V2 Removals Removal of de minimis from IRUA V2: 1a. Use for State Business. I understand that Information Resources are to be used to solely conduct the business of state government with exceptions limited to those in accordance with State Ethics Rule 42 IAC and my agency’s policy. V1: 1a. Use for State Business. I understand that Information Resources are to be used to conduct the business of state government. I understand that Information Resources may be used for de minimis, i.e., limited, personal use that cannot reasonably be handled away from work. I shall minimize personal use of Information Resources.
Sec. 12. A state officer, employee, or special state appointee shall not make use of state materials, funds, property, personnel, facilities, or equipment for any purpose other than for official state business unless the use is expressly permitted by a general written agency, departmental, or institutional policy or regulation. (Office of the Inspector General; 42 IAC ; filed Dec 7, 2005, 2:45 p.m.: 29 IR 1210) Each agency has their own personal use policy IOT’s:
IRUA V2 Removals V1 - 2a. Commercial & Politics. I shall not use Information Resources to conduct business related to an outside, for profit, commercial activity. Unless permitted by law, I shall not use Information Resources to support any political party or candidate. Covered by Ethics laws, policies and training
IRUA V2 Removals V1 – 2c. Inappropriate Material. I shall not use Information Resources to access, upload, download, or distribute any jokes, comments, messages, or any other materials that are considered pornographic, obscene, sexually explicit, discriminatory, harassing, or defamatory, to employees or third parties, including but not limited to any content that might offend someone on the basis of age, gender, race, national origin, disability, or religion. Covered by de minimis, sexual harassment, HR policies
IRUA V2 Additions Strengthening/specifying the protection of PI 2a. Unauthorized Disclosure of Confidential Information. I shall not disclose confidential information to unauthorized parties. This includes Social Security, driver's license, identification card, financial account, credit card, or debit card numbers. It also includes security and access codes, passwords of an individual's financial account or personal health information. I acknowledge that certain information is confidential or discretionary by law and it is my duty to protect that information from unauthorized disclosure.
IRUA V2 Additions V2 – 2f. Remote Control. I shall not use any remote control software or service on any internal or external host personal computers or systems not specifically approved by agency management, IOT support, and the CISO. Goal is to keep personal information in state control
IRUA V2 Additions V2 – 3. Storage of Information. I shall store state owned information only on state provided storage media. Storage of state information on non-state owned PCs, laptops, flash drives, CDs and other forms of media is prohibited. To ensure state owned data remains within state control USB sticks available via Dell QPA USB drives will have hardware encryption, more expensive
IRUA V2 Additions V2 – 4. Adherence to Security Guidance. I shall ensure that protective measures are implemented promptly as directed by IOT and that computing devices are connected to the network at least once per month to receive protective updates and patches. Intended to make clear that in urgent situations, if user assistance or attention is required, users need to be responsive. Users must connect to the network once per month to get updates
IRUA V2 Other Notes Enforcement of: 1c. Protecting from Misuse & Damage. I shall use care in protecting against unauthorized access, misuse, theft, damage, or unauthorized modification of Information Resources. I shall not leave a workstation without first ensuring it is properly secured from unauthorized access. I shall use good judgment to safely transport and store Information Resources in and away from the workplace. Many thefts reported where there is carelessness, neglect Employee reimbursement practice under consideration
IRUA V2 Other Notes V1 - 2f. Chain Letters & Spam. I shall not knowingly forward or respond to chain letters, pyramid selling schemes, marketing schemes, or unsolicited external commercial , commonly referred to as “spam.” V2 – 5. Spam Awareness and Performance. I shall be aware of the characteristics and dangers of spam messages. I shall not navigate to web links embedded in spam messages. I shall not send or reply to messages that would negatively impact the performance of the system (e.g. – “replying to all” on a message received in error). Content issues are removed – “inappropriate”, jokes, etc., increased focus on security dangers presented by Spam, performance impact.
Expectations for Roll Out All current employees and contractors will complete the training and accept the agreement New hires and contractors will take the training and accept the agreement Remember that some parts of acceptable use have been removed from the IRUA. Ethics and other policies may need to be referenced and/or enforced in disciplinary situations Long term - users will have their network access disabled if they have not completed the IRUA training and acceptance process
Planning the Rollout General rollout begin after Open Enrollment ISDH will be the pilot agency Pace of the rollout will be at the rate of calls the Help Desk can handle Please let us know if your agency would like to proceed early or of scheduling conflicts Likely to have a prep meeting with agencies prior to their rollout to provide template messages to staff, share findings of pilot, set expectations
Training Module Overview Simplified, less busy screens in the training module Similar approach to last IRUA training module, proceeds section by section Developed in flash, uses PeopleSoft ELM
Reporting Agency staff will be able to run their own reports Enables agencies to see progress on the initial mass rollout Identify those that have not agreed to the IRUA on an ongoing basis