Frequently Asked Questions

Ohio IT Policy
 

Q Is there a state policy regarding e-mail retention or is this left to the agency’s discretion?

A There are no Ohio IT policies that specifically set requirements for e-mail retention. We suggest that agencies focus on the records retention aspect of the question. E-mail, like other types of electronic documents, can be a record if it meets certain criteria. Section 149.011(G) of the Ohio Revised Code provides the following definition:
  "'Records' includes any document, device, or item, regardless of physical form or characteristic, created or received by or coming under the jurisdiction of any public office of the state or its political subdivisions, which serves to document the organization, functions, policies, decisions, procedures, operations, or other activities of the office."
  E-mail messages that meet the criteria of a record should be retained for the appropriate time period before disposition. The retention time period should be based upon the agency's records retention schedule and the content, not the format, of the record.
  As with any format, an e-mail record is considered a public record unless it falls under one of the exceptions listed in Section 149.43 or is otherwise excepted by the ORC. Public records must be maintained and made accessible to the public upon request throughout the appropriate retention period.
   Agencies are also required to comply with Ohio IT Policy ITP-E.30, “Electronic Records.” The purpose of the electronic records policy is to establish uniform electronic records guidelines for all state agencies and support the creation and maintenance of electronic records to ensure integrity, usability and survivability.
Q My agency wants to link from our Web site to other Web sites that provide additional information that could be helpful to our customers. Is this okay?
  A Links to other Web sites, also known as external links, that serve as a source of additional information to Web site visitors fall under the classification of a Web Directory as described in Ohio IT Policy ITP-F.35, "Moratorium on the Use of Advertisements, Endorsements and Sponsorships on State-Controlled Web Sites." Web Directory links are permitted if the agency complies with the following requirements:
 
 
 
  • Define a class of entities that may be listed in the directory;
 
  • Allow anyone in that class to be linked;
 
  • Disclose on the Web site the criteria and procedures for requesting a link; and
 
  • Disclaim endorsement.
 Q My agency has anti-virus software and always keeps it up to date. Are we still vulnerable to “phishing” attacks?
 A Yes. Although anti-virus, e-mail filtering and firewall software may lessen the likelihood of a user receiving a phishing e-mail or visiting a fraudulent site, they are not a fail-proof defense.
  Phishing is a form of deception used to acquire sensitive information from a user by imitating a trustworthy person or business in an apparently official electronic communication, such as an e-mail or instant message. A phishing attack typically has two steps: a) a user receives a message that appears legitimate and b) the user is enticed to provide personal information to a supposedly legitimate Web site or representative. Merely visiting a supposedly legitimate Web site may be enough to expose the victim to spyware and key-logger technologies.
 

Agencies should review the requirements outlined in Ohio IT Policy ITP-B.4, “Malicious Code Security,” to ensure that they have a security program capable of protecting assets against viruses, spyware, and other technical threats. In addition, an awareness program that demonstrates how public servants validate requests for information – whether the request is electronic or in person – should form a part of agency security practices. Agencies should review Ohio IT Policy ITP-B.8, “Security Education and Awareness,” for further guidance on how to promote greater awareness of IT security practices.

Q What are the symptoms of spyware?
 A Spyware is broadly considered to be software that impedes a user's control over their personal information or interferes with system security and resources. Spyware often “infects” a computer through the installation of a seemingly harmless program. The potential damage associated with information exposed by spyware may be quite serious, however.
  Spyware may be present on your computer if the following occurs:
 
  • Pop-up advertisements repeatedly appear.
 
  • Random error messages appear.
 
  • The Internet browser home page unexpectedly changes.
 
  • Unexpected toolbars and icons appear on the Internet browser or in the lower-right system tray.
 
  • Performance is slow when navigating the Internet, opening programs and saving files.
  If you think you have spyware on your computer, contact your network administrator immediately. Spyware can be detected and removed through anti-spyware software and other means.  
Q My agency would like to use Instant Messaging to communicate more easily with the public. What issues should I take into consideration in selecting or designing an Instant Messaging application?  
A Instant Messaging is an Internet-based form of communication that allows users to send messages in an environment more immediate than e-mail. Unfortunately, Instant Messaging clients are susceptible to network snooping, hijacking and other impersonation attacks that can create significant security risks for organizations. They may also increase the risk of transmitting malicious code.  
  Instant Messaging solutions must align with Ohio IT policies in three respects: security, maintenance of electronic records, and employee participation.  
  Security: An agency that plans to deploy an Instant Messaging solution should perform a risk assessment as described in Ohio IT Policy ITP-B.1, “Information Security Framework,” to determine if the vulnerabilities introduced by the technology are permissible in the agency’s environment. Popular Instant Messaging clients such as Yahoo Internet Messenger and Microsoft Messenger do not use encryption and may expose sensitive information.  
  Electronic Records: State agencies should review Ohio IT Policy ITP-E.30, “Electronic Records,” when considering the use of Instant Messaging. Instant Messaging chat sessions may be defined as electronic public records subject to audit and legal proceedings such as discovery and subpoena. Chat sessions classified as public record will need to be maintained with the context of the communication (i.e., the participants in the session), the content (the actual data) and the structure or format of the electronic records.  
  Employee Participation: If an agency permits the use of instant messaging, individuals approved to participate shall fulfill agency-defined security education and awareness requirements for proper use before participating, as required in Ohio IT Policy ITP-B.6, “Internet Security.”  
Q What is blogging? Can state employees participate in blogging at work?  
A A blog, also known as a “Web log,” consists of Web-based content typically in the form of periodic articles, essays and even photos, with the latest entry featured at the top. Due to the ease of Internet publishing, many amateur and professional commentators have turned to blogging to produce personal diaries or political and industry analysis. Traditional publications also use blogging for informal editorializing. Some blogs permit visitors to contribute comments to their content, thus encouraging online discussions.  
  Ohio IT Policy ITP-E.8, “Use of Internet, E-mail and Other IT Resources,” states that operating or participating in a blog using state-provided information technology resources is strictly prohibited unless organized or approved of by the agency.  
Q Is there any type of peer-to-peer software that my agency can use? Software such as Skype allows us to transfer files and use Voice over Internet Protocol for very little cost.  
A Peer-to-peer is a way for two or more computers to communicate without the need for a central server. This technology permits users to very easily and cheaply transfer files over the Internet and, with applications such as Skype, to use Voice over Internet Protocol at a minimal cost. Some peer-to-peer networks are commonly used for sharing illegal copies of copyrighted music or malicious code.  
  If an agency permits peer-to-peer file sharing, it is strongly recommended that the agency familiarize itself with how easily peer-to-peer allows users to expose internal data or download illegal files, even malicious code. Agencies need to weigh the benefits of a peer-to-peer service against these potential security risks.  
     
     
