No. 27119 (New Rule): R365-7. Acceptable Use of Information Technology Resources  

DAR File No.: 27119
Filed: 04/28/2004, 08:23
Received by: NL

 

RULE ANALYSIS

Purpose of the rule or reason for the change:

This proposed new rule implements the existing acceptable use policy into rule. Substantial editing of content has been implemented, but intent and substance are the same.

 

Summary of the rule or change:

The proposed new rule defines the acceptable use for information technology (IT) related resources by employees of the Executive branch of State Government.

 

State statutory or constitutional authorization for this rule:

Section 63D-1a-101 et seq. and Section 63-46a-3

 

Anticipated cost or savings to:

the state budget:

This rule should have no cost or savings impact to agencies affected because the practices related to the existing policy will substantially conform to this rule.

 

local governments:

No impact--This rule applies to Executive Branch Agencies of State Government only.

 

other persons:

No impact--This rule applies to Executive Branch Agencies of State Government only.

 

Compliance costs for affected persons:

There are no expected compliance costs for affected persons.

 

Comments by the department head on the fiscal impact the rule may have on businesses:

This rule converts existing policy for acceptable use of information technology resources into rule from policy. It is not expected that there will be any fiscal impact on businesses.

 

The full text of this rule may be inspected, during regular business hours, at the Division of Administrative Rules, or at:

Governor
Planning and Budget, Chief Information Officer
Room 116 STATE CAPITOL
350 N STATE ST
SALT LAKE CITY UT 84114-1103

 

Direct questions regarding this rule to:

Randy Hughes at the above address, by phone at 801-537-9071, by FAX at 801-538-1547, or by Internet E-mail at randyhughes@utah.gov

 

Interested persons may present their views on this rule by submitting written comments to the address above no later than 5:00 p.m. on:

06/15/2004

 

This rule may become effective on:

07/02/2004

 

Authorized by:

Val Oveson, Chief Information Officer

 

 

RULE TEXT

R365. Governor, Planning and Budget, Chief Information Officer.

R365-7. Acceptable Use of Information Technology Resources.

R365-7-1. Purpose.

Information technology resources are provided to state employees to assist in the efficient day to day operations of state agencies. Employees shall use information technology resources in compliance with this rule.

 

R365-7-2. Application.

All agencies of the executive branch of state government including its administrative sub-units, except the State Board of Education and the Board of Regents and institutions of higher education, shall comply with this rule.

 

R365-7-3. Authority.

This rule is issued by the Chief Information Officer under the authority of Section 63D-1a-305 of the Information Technology Act, Utah Code, and in accordance with Section 63-46a-3 of the Utah Rulemaking Act, Utah Code.

 

R365-7-4. Employee and Management Conduct.

(1) Providing IT resources to an employee does not imply an expectation of privacy. Agency management may:

(a) View, authorize access to, and disclose the contents of electronic files or communications, as required for legal, audit, or legitimate state operational or management purposes;

(b) Monitor the network or email system including the content of electronic messages, including stored files, documents, or communications as are displayed in real-time by employees, when required for state business and within the officially authorized scope of the person's employment.

(2) An employee may engage in incidental and occasional personal use of IT resources provided that such use does not:

(a) Disrupt or distract the conduct of state business due to volume, timing, or frequency;

(b) Involve solicitation;

(c) Involve for-profit personal business activity;

(d) Involve actions, which are intended to harm or otherwise disadvantage the state; or

(e) Involve illegal or other activities prohibited by this rule.

(3) An employee shall:

(a) comply with the Government Records Access and Management Act, as found in Section 63-1-101 et seq., Utah Code, when transmitting information with state provided IT resources.

(b) Report to agency management any computer security breaches, or the receipt of unauthorized or unintended information.

(4) While using state provided IT resources, an employee may not:

(a) Access private, protected or controlled records regardless of the electronic form without management authorization;

(b) Divulge or make known his/her own password(s) to another person;

(c) Distribute offensive, disparaging or harassing statements including those that might incite violence or that are based on race, national origin, sex, sexual orientation, age, disability or political or religious beliefs;

(d) Distribute information that describes or promotes the illegal use of weapons or devices including those associated with terrorist activities;

(e) View, transmit, retrieve, save, print or solicit sexually-oriented messages or images;

(f) Use state-provided IT resources to violate any local, state, or federal law;

(g) Use state-provided IT resources for commercial purposes, product advertisements or "for-profit" personal activity;

(h) Use state-provided IT resources for religious or political functions, including lobbying as defined according to Section 36-11-102, Utah Code, and rule R623-1;

(i) Represent oneself as someone else including either a fictional or real person;

(j) Knowingly or recklessly spread computer viruses, including acting in a way that effectively opens file types known to spread computer viruses particularly from unknown sources or from sources from which the file would not be reasonably expected to be connected with;

(k) Create and distribute or redistribute "junk" electronic communications, such as chain letters, advertisements, or unauthorized solicitations.

(5) Once agency management determines that an employee has violated this rule, they may impose disciplinary actions in accordance with the provisions of DHRM rule R477-11-1.

 

KEY: information technology resources, acceptable use

2004

63D-1a-305