2024 Information Technology Policy Training
Joint Committee on Government and Finance – Policies for IT Privacy, Security, & Acceptable Use
Employee Responsibilities
Employees are expected to guard against unauthorized access to printed and electronic data and take precautions to protect data and electronic devices from unauthorized access and use.
Workstation Security
Before leaving your workstation, you must take the following steps:
- Log off of your computer;
- Lock your computer; and
- Lock file cabinets containing sensitive information.
Passwords
Passwords are confidential and must not be shared under any circumstances!
Employee Password Requirements
- Employees must change passwords every 3 months;
- Passwords must be at least 8 characters long; and
- Passwords must contain at least one upper case letter, one lower case letter, one number, and one special character.
Responsible Use of System Capacity
Employees are prohibited from monopolizing systems by:
- Overloading networks with excessive data.
- Wasting computer time, connect time, bandwidth, disk space, printer paper, or other IT resources.
Personal Data
- Personal data (i.e. pictures, music, documents not work-related) of more than a de minimis amount (meaning very minor or trivial) may not be stored on network devices.
- The Joint Committee is not responsible for the destruction, corruption or disclosure of personal material on or by its IT resources.
Termination/Transfer of Employee
- Division Directors must immediately notify the IT Division (LASD) and the Fiscal Office upon termination or transfer of an employee.
- When an employee is terminated, all access to IT resources will be disabled immediately, unless otherwise approved in writing by management.
- When an employee transfers divisions, IT access will be modified to accommodate new roles and responsibilities.
Personally Identifiable Information
- Personally Identifiable Information (PII) is information that identifies, or can be used to uniquely identify, locate, contact or impersonate a particular individual.
- Examples include: social security numbers, health information, credit card numbers, or log-on credentials.
- Personally Identifiable Information must be encrypted or disassociated from any individual prior to transmission through any public data communications infrastructure, such as a network or the Internet.
- Before establishing a new practice of collecting personally identifiable information, a Division Director should notify the Legislative Manager.
Incident Response
Procedure for Breaches of Security/Confidentiality
Employees are expected to report to their supervisor or director if they:
- Become aware of possible breaches of security or confidentiality policies; or
- Know of any inappropriate use of Joint Committee provided IT resources.
Employees should contact an immediate supervisor if there is doubt concerning authorization to access any Joint Committee IT resource, or if questions arise regarding acceptable or unacceptable uses.
Criminal Activity
If criminal activity is suspected or detected, reporting should occur up the supervisory or management chain without delay.
Public Use of IT Resources
- Use of Joint Committee resources (employee computers, telephones, copiers, etc.) by members of the public is prohibited.
- Individuals not employed by the West Virginia Legislature may not use employee computers, or download information from the internet or from mobile media, of any kind, to employee computers.
ACCEPTABLE USE
Joint Committee Policy for Acceptable Use of I/T Resources
Personal Use Policy
- IT resources are designated for authorized purposes.
- Minimal personal use of State-provided IT resources is allowed if it does not interfere with the legitimate business of the State.
- Employees may use Internet facilities for non-business research or browsing during meal-time or other breaks, or outside of normal work hours yet within their usual building access times, provided that they adhere to all other usage policies.
Authority to Monitor
- The Joint Committee reserves the right to filter Internet site availability, and monitor and review employee use as required for legal, audit, or legitimate authorized State operational or management purposes.
- The Joint Committee reserves the right to inspect any and all files stored in private areas of the network, or on employee assigned devices (computer, tablet, external storage devices, etc.) to assure compliance with this policy.
Authority Over IT Resources
- The Joint Committee reserves the right to remove, replace or reconfigure IT resources without formal notice to employees (despite the fact that formal notice will normally be given).
Unacceptable Use of IT Resources
Joint Committee provided IT resources may NOT be used to (1/3):
- Engage in or support illegal activities.
- Engage in commercial activities, product advertisement, or for-profit personal activities.
- View, transmit, receive, save, or print sexually explicit materials.
- Store, print or view any graphic file that is not directly related to one’s job or the activities of the Joint Committee.
- Misrepresent oneself or the State of West Virginia.
- Promote political or religious positions or causes.
- Distribute incendiary statements which might incite violence or describe or promote the use of weapons or devices associated with terrorist activities.
- Harass or discriminate on the basis of age, race, color, creed, religion, sex, sexual orientation, national origin, disability, veteran status, or other protected class.
- Propagate any virus, worm, phishing, Trojan horse, or trap-door program code.
Joint Committee provided IT resources may NOT be used to (2/3):
- Access or attempt to access records within or outside Joint Committee’s local area network for which the employee is not authorized.
- Bypass Joint Committee security and access control systems.
- Conduct any form of network monitoring, such as port scanning or packet filtering unless expressly authorized by the Joint Committee.
- Violate the privacy of individual users by reading e-mail or private communications without authority.
- Send or share unencrypted confidential information.
- Engage in unauthorized peer-to-peer networking or peer-to-peer file sharing.
- Commit security violations related to electronic communications, including participation in chain letters or unauthorized chat programs, or forwarding or responding to SPAM.
- Send unsolicited commercial e-mail messages, including the distribution of “junk mail” or other advertising material to individuals who did not specifically request such material.
Joint Committee provided IT resources may NOT be used to (3/3):
- Forge e-mail header information.
- Solicit e-mail for any other e-mail address, other than that of the poster’s account, with the intent to harass or to collect replies.
- Post messages to large numbers of users (over 50) without authorization.
- Post from an agency e-mail address to newsgroups, blogs, or other locations without a disclaimer stating that the opinions expressed are strictly the employee’s own and not those of the State or the Joint Committee or the Legislature, unless posting is in the fulfillment of business duties.
- Engage in pyramid selling schemes, multi-marketing schemes, or fundraising for any purpose, unless sanctioned by the Joint Committee.
- Store any unauthorized data, information, or software on IT resources that are provided by the Joint Committee.
- Download software not having a direct, authorized business use.
- Download entertainment software, games, music, or streaming content.
- Watch television programs and movies, play games, or participate in gaming or gambling over the Internet.
EMPLOYEE HANDBOOK
- The Joint Committee’s “Employee Policies and Procedures Handbook” contains the full and official policies related to IT acceptable use and security.
- Every employee is required to read and regularly review the Employee Policies and Procedures Handbook and adhere to the most up-to-date IT policies contained in the Handbook.
- The handbook is available on the Joint Committee’s Staff Page.
Questions or Concerns
- If you have any questions or concerns about the information in this training, please contact Legislative Services (ext. 4800).