Privacy and Security
Acceptable Use for DHHS Information Systems
Current Effective Date:
2/1/16, 11/15/15, 6/15/05
11/15/15, (former DHHS Policies and Procedures name and location: Computer Use Policy, Section III: Communications, dated 4/1/04)
Original Effective Date:
Each DHHS Division/Office shall be responsible for ensuring that every individual seeking access to DHHS network and/or information systems reviews this policy and signs an acceptable use agreement based upon the terms specified in this policy. Users must sign the agreement form included herein before permission is granted to use the DHHS systems.
All information and data processing systems to which users are given access are to be used only to conduct the activities authorized by the department. The use of these resources must be conducted according to the policies, standards, and procedures instituted by the department or on its behalf. The unauthorized use or disclosure of information provided by these data processing systems may constitute a violation of department, state, and/or federal laws which will result in disciplinary action consistent with the policies and procedures of the department (see Enforcement section below).
DHHS Divisions/Offices may require additional agreements regarding the confidentiality of specific types of information; for example, medical records, client case files, personnel records, financial records, etc. This policy may augment such division/office policies, but is not intended to replace such policies, which remain in effect.
The department and its divisions/offices retain the rights of ownership to all ITS resources including hardware, software, functionality, data, and related documentation developed by the department’s information systems users on behalf of the department. All department IS resources remain the exclusive property of the State of North Carolina (NC) and/or the department, unless otherwise prescribed by other contractual agreements.
The Internet is a world-wide collection of interconnected computer networks. The state’s wide area network, NCIIN, is the NC controlled network connected to the Internet.
Following is a list of policies regarding the use of NCIIN and the Internet:
Users are responsible for protecting DHHS sensitive information by following the DHHS policies and DHHS division/office policies and procedures.
Users have a responsibility to ensure, to the best of their ability, that all public information disseminated via NCIIN and the Internet is accurate. Users shall provide in association with such information the date at which it was current and an e-mail address allowing the recipient to contact the public staff responsible for making the information available in its current form.
Users shall avoid unnecessary network traffic and interference with other users, including but not limited to:
These requirements apply to office, home or other remote access locations if utilized for DHHS business.
Classified information stored on external media (e.g., diskettes or CDs) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as classified information.
The use of removable storage devices or external devices (e.g., USB Flash Drives) shall be restricted to authorized personnel in order to safeguard and protect confidential data and information technology assets. Authorization for the use of removable storage devices must be granted by the user’s supervisor in writing and specify the intended use of the device. The division/office security official shall maintain an inventory of all authorizations and use of removable storage devices. Any use must meet DHHS security policies and standards.
Users shall request the use of state owned storage devices. Division/offices shall strive to provide state owned-storage devices to staff and there by limit the use of any personal device used to conduct any state business. Any use of personal devices must be disclosed to the supervisor and be approved.
Mobile computing devices and removable storage devices (e.g., laptops, PDAs, USB flash drives, etc.) must never be left in unsecured areas and their use must meet DHHS Security Policies and Standards. Any incidents of misuse, theft or loss of data must be reported to the supervisor and to the division security official. The incident should be reviewed and reported in accordance with the DHHS Incident Management Policy and Procedures.
DHHS sensitive or confidential information shall not be stored at home without appropriate authorization from the user’s supervisor/manager, in consultation with the division/office security official. Users shall follow appropriate physical safeguards for offsite use. Documentation of authorization and storage of sensitive information in the home shall be maintained in accordance with the division/office’s procedures.
All users of the department's information systems are advised that their use of these systems may be subject to monitoring and filtering. DHHS reserves the right to monitor – randomly and/or systematically - the use of Internet and DHHS information systems connections and traffic. Any activity conducted using the state's information systems (including but not limited to computers, networks, e-mail, etc.) may be monitored, logged, recorded, filtered, archived, or used for any other purposes, pursuant to applicable departmental policies and state and federal laws or rules. The department reserves the right to perform these actions with or without specific notice to the user.
Software License Agreements
Computer Viruses: Malicious Code
It is the responsibility of each user to help prevent the introduction and spread of computer viruses and other malicious code. All personal computers in the department must have virus detection software running at all times. All files received from any unknown source external to the department, including those on storage on media and electronically downloaded or received as e-mail attachments, except for attachments received via internal mail system, must be scanned for computer viruses before opening or using the files. (Attachments received via internal mail system are automatically scanned.)
Users should immediately contact their manager or supervisor, other appropriate designated staff or the division/office security official when a virus is suspected or detected, so that it may be confirmed and removed by the appropriate staff.
Users must report all information security violations to the division/office security official, who will notify the DHHS Privacy and Security Office in accordance with the DHHS Incident Management Policy and Procedures. The DHHS Security Officer shall be responsible for notification of the ITS Security Office.
Installation of Hardware or Software
DHHS information system hardware and software installations and alterations are handled by authorized DHHS employees or contractors only. Users shall not install new or make changes to existing information system hardware or software.
Users shall not download software from the Internet unless specifically approved by the user’s supervisor and the designated IT personnel. Downloading audio or video stream for a work-related webinar or audio conference is permissible without prior authorization.
Authorized users of DHHS’s computer systems, networks and data repositories may be permitted to remotely connect to those systems, networks and data repositories to conduct state-related business only. Users will only be granted remote access through secure, authenticated and managed access methods and in accordance with the ITS and DHHS Remote Access Security Policy and Standard.
Users shall not access agency networks via external connections from local or remote locations, including homes, hotel rooms, wireless devices, and off-site offices without knowledge of and compliance with the User Access Responsibilities section described above within this policy.
USER CERTIFICATION OF NOTIFICATION AND AGREEMENT OF COMPUTER USE POLICY
I certify that I am an employee, volunteer, guest, vendor or contractor working for or on behalf of the Department of Health and Human Services and that I have read this “Acceptable Use Policy” and understand my obligations as described herein. I understand that this policy was approved by the Secretary of the Department of Health and Human Services and these obligations are not specific to any individual Division or Office of the Department, but are applicable to all employees, volunteers, and contractors of the Department. I understand that failure to observe and abide by these obligations may result in disciplinary action, which may include dismissal and/or contract termination. I also understand that in some cases, failure to observe and abide by these obligations may result in criminal or other legal actions. Furthermore, I have been informed that the Department will retain this signed Agreement on file for future reference. A copy of this Agreement shall be maintained in the personnel file and/or in the contract administration file.
Employee, Volunteer, Guest, Vendor or Contractor Signature _________________________________________ Date ________________
Supervisor’s Signature ______________________________________________________________________ Date _________________
For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.