RSM 3, Section 2400: Internet & Email Policies & Procedures

Updated: 03/21

2401 Purpose of Internet Access and Email

The Maryland Department of Information Technology (DoIT) provides and maintains computer and telecommunications technologies, including internet access and email, in support of the mission of the Division. These systems are intended to enhance communication and access to rehabilitation resources, and be used to enhance business operations.

2402 MSDE and DORS Telecommunications Policies

Staff are responsible for complying with the MSDE Telecommunications Policy, and confirming that intent by signing the MSDE Telecommunications Policy Acknowledgement form at the end. See Attachment 2400-1, MSDE Telecommunications Policy.

Staff are also responsible for complying with DORS internet and email policies and procedures contained in this RSM section, and documenting intent to comply by signing the **DORS Internet and Email Policy Acknowledgement**.

New staff orientation conducted by the MSDE Human Resources Office will include review of these policies and completion of the required Acknowledgement forms which will be retained in the official personnel file of the employee.

2403 Responsible Use of the Internet and Email

Effective and responsible use the internet and email requires an understanding of some basic facts, including the following:

1. The use of the internet and email is not private. It is possible to reconstruct sites visited on the internet and content of emails even when the user may believe such information has been deleted.

2. Email messages constitute "public information" and may become part of records or otherwise shared. The content of email messages should be carefully considered.

3. Each employee is responsible for the content of all text, audio or images that he/she places or sends over the Division's email/internet system.

4. Each employee is responsible to encrypt emails and disable forwarding of emails containing Personally Identifiable Information (PII) or other confidential information when those emails are sent to non-DORS staff.

5. Employees shall not use the content, including tag lines, of email correspondence to promote personal religious or political views.

2403.01 Encrypting Confidential Information through Email

In 2015 DoIT developed Email Encryption guidelines in regards to emailing confidential information which must be adhered to by all employees and contractors working for the State. DoIT supports Virtru email encryption service for State-wide use. Because of privacy and confidentiality considerations, staff shall adhere to the following:

1. Employees and contractors shall obtain an encryption license if they have a business need that requires sending confidential data by email to an email address that is external to the Maryland.gov email system.

2. Employees and contractors shall not place confidential information in the "Subject" line of any email message.

3. Employees and contractors that receive confidential information from a citizen by email shall not reply to the message unless they utilize encryption or remove the confidential information from the reply message.

4. Employees and contractors that receive confidential information from a citizen by email that is listed in the "Subject" line of the message will redact the information from the "Subject" line prior to replying and use encryption as appropriate.

2403.02 Common Internet and Email Work-Related Issues

While the internet and email can be a valuable tool in completing many work tasks, access to these resources brings the possibility of misuse or abuse in several areas. The following is expressly prohibited:

1. Using the agency’s internet or email for non-work-related purposes. This includes but is not limited to playing games, non-rehabilitation-related surfing of the web, participation in chat rooms, and conducting commercial activities.

2. Engaging in activities that threaten the integrity or capacity of the system. This includes downloading programs without express authorization; broadcasting personal messages over the email system; using email to promote personal political or religious views; launching viruses or other attacks on computers; altering or attempting to alter system hardware or account configurations; giving out a password or using the password of another individual; "hacking" into the system; sending chain letters; or any use which may cause a system to crash.

3. Engaging in unauthorized or illegal activities via the system. This includes accessing obscene material or pornography, violating copyright laws, violating harassment laws, or otherwise engaging in activities that would bring disrepute to the state.

2404 Monitoring and Filtering

1. DORS management holds the right to monitor all Internet traffic originating for any DORS location. DORS management also holds the right to filter Internet activities by denying access to specific unauthorized content.

2. Internet filtering blocks certain websites based on categories/subcategories built into the program. Examples of sites intended to be blocked include pornographic and gambling sites. Occasionally, a business-related site may be inadvertently blocked by the software. A staff member who finds a business-related site blocked can request the site to be unblocked. An email request identifying the site with a brief justification for access should be routed via management to the appropriate Office Director. The Office Director will confer with DORS MIS to have the site unblocked, as appropriate.

3. DORS utilizes the State’s Security as a Service (SECaaS) for its firewall and filtering services. In addition to DORS specific filtering requirements DoIT applies its own set of rules which apply to all State agencies using SECaaS.