This policy establishes standards for the proper use of DC government-provided Internet services.
Policy Number: OCTO - 2002.2
Creation Date: 4/22/2016
Approval Date: 4/22/2016
Effective Date: 4/22/2016
1. Scope/Applicability: This policy applies to all District Government agencies.
2. Authority: DC Official Code § 1-1402 et seq.
3. Purpose: This policy requires all DC Agency information assets to be identified, classified, protected, and managed from creation to disposal in a manner that ensures protection commensurate with the sensitivity and value of the information asset.
4. Roles and Responsibilities
4.1. DC Government Agencies
4.1.1. Agency Heads are responsible for the Internet activities of their users and for the implementation and enforcement of the policy. Each agency must ensure that DC government-provided Internet services are used for legitimate DC government functions and purposes. Agencies may want to add restrictions and guidelines regarding the use of the Internet by their users, based on specific business requirements and mission.
4.2.1. OCTO reserves the right to review Internet use by DC employees at any time to determine compliance with this and related policies. Use of DC government IT resources constitutes express consent to monitor those resources. OCTO must normally block an offending user account for a period of time to be determined by OCTO and must refer violations of policy to the affected agency Director for further corrective action. OCTO also reserves the right to block access to specific external Internet sites whose content is deemed inappropriate (e.g., obscene content, communications that encourage hate or violence, access to gambling) and inconsistent with DC government functions and may reflect unfavorably on the DC government image.
1. Policy Details:
1.1.1. The Internet can and should be used to help DC government serve the people in an efficient and effective manner. With such use, however, comes responsibility and each DC agency and employee is responsible for safeguarding the public trust. Each DC government agency is, therefore, responsible for control of information provided via the Internet or accessed by DC government employees over the Internet in a disciplined, managed, and consistent manner. All DC government policies relating to intellectual property protection, privacy, misuse of government resources, sexual harassment, data security, and confidentiality apply to employee conduct on the Internet. Users must prevent the introduction of computer viruses into DC government systems. Users must have virus-scanning software to check any software or documents downloaded from the Internet.
1.2. Principles for Use
1.2.1. Employee access to the Internet through established DC government facilities is offered as a tool for meeting the programmatic needs of DC government agencies. DC government-provided Internet access is therefore considered to be DC government property. All DC government Internet users are expressly prohibited from using DC government-provided Internet access for personal and/or non-DC government business. Do not visit websites that contain non-business related, discriminatory, pornographic, bandwidth-consuming, or harassing material.
1.2.2. Specifically acceptable uses of the Internet by DC government users include:
18.104.22.168. Communication and information exchange directly related to the mission, charter, or work tasks of a DC government agency
22.214.171.124. Communication and information exchange for professional development, to maintain currency of training or education, or to discuss issues related to the Internet user's DC government activities
126.96.36.199. Administration or applications for contracts or grants for DC government programs or research
188.8.131.52. Advisory capacity, standards, research, analysis, and professional society activities related to the user's governmental work tasks and duties
184.108.40.206. Announcement of DC government laws, procedures, policies, rules, services, programs, information, or activities
220.127.116.11. Other governmental administrative communications not requiring a high level of security
1.2.3. Specifically prohibited uses of the Internet include:
18.104.22.168. Any purpose which violates a federal or DC government law, code or policy, standard, or procedure
22.214.171.124. Any purposes not directly related to the mission, charter or work tasks of a DC government agency
126.96.36.199. Private business, including commercial advertising
188.8.131.52. Access to and/or distribution of:
- Indecent or obscene material
- Child pornography
- Fraudulent information
- Harassing material
- Racial information
184.108.40.206. Interference with or disruption of the network and/or associated users, services, or equipment
220.127.116.11. Any activity with religious or political purposes
18.104.22.168. Religious or political activity
22.214.171.124. Any unauthorized purchases
5. Procedures: Each DC Agency Information Security Officer (ISO) must implement security procedures in accordance with this policy.
6. Policy Maintenance: The Office of the Chief Technology Officer (OCTO) is responsible for the maintenance, administration, and publication of this policy. OCTO must annually review this policy and update as needed to ensure the policy's technical relevance and regulatory compliance.
7. Policy Enforcement: OCTO is responsible for the enforcement of this policy. Agencies must actively participate in the audit of this policy when requested by the OCTO.
8. Exemptions: None.
9. Sanctions: When OCTO discovers non-compliance with this policy, OCTO will:
9.1. Advise agency CIO of the non-compliance and assist the CIO in developing a corrective action plan and a reasonable timeframe for its implementation.
9.2. If the CIO fails to implement the corrective action plan within the stated timeframe, the CIO will be referred to the agency director for disciplinary action.
10. Supporting Laws and Regulations:
10.1. E-Government Act, (P.L. 107-347), Title III, Federal Information Security Management Act (FISMA).
10.2. Privacy Act of 1974, 5 U.S.C. § 552a, Public Law No. 93-579.
10.3. HIPAA Security Rule, 45 C.F.R. Part 164, Subpart C.
11. Reference Documents:
11.1. NIST IR 7298 Revision 2, “Glossary of Key Information Security Terms”, May 2013.
11.2. NIST SP 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, April 2013.
12. Policy Review:
|Policy Number||Action||Effective Date||Next Review Date|
|OCTO – 2002.0||Published||07/15/2009||07/15/2010|
|OCTO – 2002.0||Reviewed||12/23/2010||12/23/2011|
|OCTO – 2002.0||Reviewed||10/7/2011||10/7/2012|
|OCTO – 2002.0||Reviewed||11/1/2012||11/1/2013|
|OCTO – 2002.0||Reviewed||11/7/2013||11/7/2014|
|OCTO – 2002.1||Published||11/7/2014||11/7/2015|
|OCTO – 2002.2||Published||4/22/2016||4/22/2017|