What expectation of privacy does a user of the DC government email system have?
The electronic mail system (email) software and hardware are the property of the District government. Messages created, received or sent on the District email system are not the private property of any person. There is no 'right to privacy' by any person using the District email. The DC government reserves the right to review, audit, intercept, access and disclose all DC government electronic and printed messages. Even when a message is erased, it is still possible to retrieve and read that message. By requesting email access, users are consenting to such monitoring of records. All District email is subject to public inspection unless otherwise protected by DC or federal law.
What are the current content filtering activities in the District (email and Internet)?
The District email system has enabled anti-spamming filters for all email accounts served by the centralized Exchange infrastructure. The District is currently evaluating the technical and legal feasibility of Internet Content Filtering.
What should an end user do if a threatening email is received from an external source?
Threatening emails should be reported immediately to management and emergency procedures followed as outlined in your agency emergency response plan. This might involve calling 911 or alerting the FBI if you think imminent danger exists (bomb threat). Follow instructions to help identify the source of the threat or to preserve evidence as needed. Also notify the District Computer Emergency Response Team (CERT) of the incident.
What should end users do if they receive a pornographic attachment via email from an external source?
Do not open email attachments from unknown sources. It may be safer to delete them because of the potential to introduce viruses. However, after you open an email and find that it contains sexually explicit material that is considered illegal or a federal offense (e.g. child pornography), DO NOT attempt to forward the email. Immediately notify your supervisor and OCTO CERT for assistance in blocking email from the offender and cleaning up your mailbox. The District CERT will call 911 or the FBI to report the illegal incident and follow their instructions to help identify the source of the illegal material. If you believe you are the specific target of sexual harassment you should call 911 or the FBI (202) 278-2000.
Can OCTO block certain email addresses (incoming vs. outgoing)?
Yes. If you believe that you are the target of harassing emails or unwanted advertisements after you have requested the sender to stop emailing you, notify your supervisor and OCTO CERT for assistance in blocking email from the offender.
What can end users do about pop-up messages and spamming (including pornographic pictures)?
Any undesired or unknown email messages should be deleted immediately WITHOUT opening either the message or any attachments. Any recurring cases of this nature should be reported to the user's supervisor and to the OCTO DCERT team.
How should threatening emails be handled?
Threatening emails should be reported immediately to management and emergency procedures followed as outlined in your Agency Emergency response plan. This might involve calling 911 or alerting the FBI (202) 278-2000. The FBI has established a special link on the Internet to report suspected terrorism at https://www.ifccfbi.gov/complaint/terrorist.asp. If you think imminent danger exists (bomb threat), follow law enforcement instructions to help identify the source of the threat or to preserve evidence as needed. Do not hesitate to call 911 or alert the FBI if you think danger exists (bomb threat, physical harm). Also notify your supervisor immediately of the incident and the District CERT team at [email protected]
How is Internet use blocked by an agency?
The District Government Internet Access and Use policy defines conditions under which Internet use may be blocked.
Is instant messaging allowed and how is it controlled?
Instant messaging is currently allowed; however, its use should be limited to business purposes only, in accordance with the Internet Access and Use Policy.
Information Security FAQs
What is the District firewall policy and how does it apply to agencies connected to the DC Wide Area Network (DCWAN)?
Each agency must provide a business justification to OCTO CityWide IT Security (CWITS) as to the purpose of an internal firewall at the DCWAN connection. If approved, a Memorandum of Understanding (MOU) will be generated to document the following process: the CWITS will assist the agency in specifying the firewall, the agency will procure the firewall, and the CWITS and OCTO will assist the agency in installing the required device. The CWITS will manage the firewall in accordance with OCTO and CWITS firewall policies, standards and procedures.
What is the OCTO standard for encryption (is it OK to use PGP technology)?
OCTO uses SSL encryption for all District encryption requirements. Encryption is a technical security mechanism that can be employed when transmitting data over an open communications network.
What is DCERT?
The District of Columbia government's Computer Emergency Response Team (DCERT) serves as the centralized entity for information systems security incident response efforts to ensure effective and rapid mitigation of incidents as they occur, assisting the District Government to remain unobstructed in achieving its goals. When an incident occurs, we assist in coordinating mitigation efforts between agencies, IT teams, and response personnel. Once an incident has been contained, DCERT will investigate the cause, course and impact of the incident in order to provide recommendations on handling future incidents as well as reduce the number and impact of those incidents.
How are security advisories distributed?
DCERT helps ensure awareness of information security threats by disseminating alerts of the latest known vulnerabilities and attacks. To help facilitate the District's efforts to minimize IT security threats, DCERT provides a centralized point of information sharing between agencies. This can include vulnerability and threat information as well as best practices, processes and procedures.
Does one email list exist of all IT administrators to ensure they receive OCTO broadcasts and alerts?
Yes, the DCERT has a distribution list for this purpose. Please send a message to [email protected] to be added to this list.
How do you report a security incident?
To report security issues or suspected viruses please contact [email protected].
What is Public Key Infrastructure (PKI)?
Public Key Infrastructure is a framework that defines authentication, data and message integrity, and non-repudiation processes through the use of shared public keys.
What are the criteria to establish an extranet and what happens if agencies decide to connect in-house?
The standard for Internet based Virtual Private Networks (VPNs) is the Internet Protocol Security (IPSec) standard. Requirements are evaluated on a case-by-case basis. Agencies are not to connect external partners, customers or suppliers without review and approval from CityWide Information Technology Security Program (CWITS). Any undocumented and/or unapproved connections will be considered to be a security breach to the DCWAN, and will be disconnected immediately pending a vulnerability review by the CWITS.
How can agencies obtain information about Virtual Private Networks (VPN)?
There are three primary categories of VPN implementations, depending on a specific set of technology requirements:
• Intranet VPNs between internal District agencies and offices
• Remote access VPNs between District network and remote or mobile employees
• Extranet VPNs between District and its business partners, customers and suppliers
Agencies with special needs for VPNs must document their requirements and submit to the CityWide IT Security team for review and support ([email protected]).
Do formal information security policies exist? How will they be distributed?
Yes. Current policies are posted on the intranet and the Internet and can be accessed through the OCTO homepage.
Is it possible for legal counsel to be present to ensure advice given is consistent for criminal activity and law enforcement issues (e.g. federal communications)?
OCTO will solicit legal review of answers to questions where directions are not documented in existing policy or procedures.
Are there plans to communicate new policies to agencies?
Yes, the intranet and email will be used as primary vehicles to announce and communicate important information.
Does agency management reserve the right to access data stored on individual desktops during employee absences?
Yes, under the conditions of procedures documented for that agency or office.
Do CIOs have the ability to defeat enforced security controls?
Agency CIOs can request exemption from enterprise security policies from the Chief Technology Officer (CTO) and the Chief Information Security Officer (CISO).
Is a theft recovery software standard being considered for laptops (e.g. Computrace)?
OCTO has standardized on an encryption technology for laptops. Please reach out to [email protected] for additional information.
Will information security policy affect contractors who bring in their own PCs and software?
All contractor staff must comply with OCTO’s network and security policies for use on the District’s network.
Do you contact the agency director or the IT manager when there is a problem or breach of policy?
It would be preferable if you contacted the IT manager instead of the agency director because we are responsible for this. You are asking us to be responsible for the integrity of the network email and Internet access, so it seems you should come to us instead of the agency director to resolve problems. The agency director will have the authority, but we have been given the responsibility. The OCTO CWITS will notify the agency director as the official point of contact for security issues requiring immediate attention. The agency IT manager will be contacted simultaneously whenever possible. However, all agencies do not have CIO or IT management authority in place to respond appropriately to security events.
If a machine is identified as troublesome, do you take it off the network?
Depending on the circumstances, the machine can be removed immediately from the network.
Is any anti-virus software available to agencies?
Yes, a citywide license exists for McAfee anti-virus software.
What if policies we already have in place are more secure than these policies?
OCTO policies govern District IT resources to establish a baseline for enterprise-wide information security. Generally they are not intended to supersede more stringent policies and standards developed by an agency to meet specialized security requirements.
What happens to agencies that promulgate viruses?
Agencies must comply with the OCTO and CWITS anti-virus software standard, which requires specific anti-virus clients to be installed on all agency servers and workstations. If an agency is in compliance with the anti-virus software standard, and a virus event occurs, then the CWITS will assist the agency in isolating and removing the virus. If an agency is not in compliance with the anti-virus software standard, and a virus event occurs, then the agency may be disconnected from the DCWAN while anti-virus measures are performed by OCTO and the CWITS. The agency may be required to execute an MOU stipulating compliance with the OCTO CWITS anti-virus standard PRIOR to re-establishment of connectivity to the DCWAN.
How soon will McAfee anti-virus software be rolled out to all District agencies?
OCTO provides anti-virus software as the standard for all machines that are supported by ITServUS. Agencies that are not supported by ITServUS can also obtain the software by contacting [email protected] for licensing terms and use.
Frequently Asked Questions About Email, Security and Internet Access