U.S. Fish and Wildlife Service's
Information Technology Appropriate Use PolicyOn June 14, 2000, the Department issued a new policy regarding the limited use of office equipment, library collections, and telephone equipment for personal purposes. The Service's Appropriate Use policy has taken the items specific to IT and IT security from the Department's memo, added them to several security issues specific to the Service and combined them to form our Bureau policy. The complete Departmental policy, as well as several other security policies and laws are referenced at the end of this document.
If you have any questions about this policy and/or its application, please contact the Bureau IT Security Manager.
1. Limited Personal Use of Government Office Equipment
a. Employees may use Government office equipment only for official business or as otherwise authorized by the Government. This policy authorizes limited personal use of certain Government property as long as it occurs on non-duty time, does not interfere with official business, is not a commercial gain activity or is otherwise prohibited, and the expense to the Government is negligible. In using Government property, employees should be mindful of their responsibility to protect and conserve such property, and to use official time in an honest effort to perform official duties.
b. Managers may place additional restrictions on the use of Government property for personal purposes only for instances of abuse of this policy or in order to meet management needs and mission objectives.
2. User Privacy
a. E-mail messages (and other electronic information) are Government resources that may be covered by the Federal Records Act and/or Freedom of Information/Privacy Acts. Employees have no expectation of privacy in these communications resources (e.g., e-mail, faxes, Internet, cell phones, or computers). By use of Government resources for personal purposes, employee consent to monitoring and recording with or without cause is implied.
b. E-mail systems within the Service are not private and should not be used to communicate sensitive information unless the information is encrypted using an approved encryption algorithm. All e-mail messages are subject to review by an individual's supervisors or by network administrators, e-mail managers or other support staff as necessary to maintain effective communications.
c. All Service systems and automated functions, including Internet access, are subject to monitoring by supervisors and/or individuals charged with the maintenance, management, and security of these systems.
3. Equipment Not Covered by This Policy
a. Government equipment excluded from this Limited Personal Use Policy includes, but is not limited to, the following equipment: color copy machines; color printers when used for color printing, scientific equipment; photographic equipment; computer projector equipment (i.e., LCD projectors); scanners; slide projectors; overhead projectors; TVs; VCRs; map reproduction machines; and any other similar equipment.
b. This policy does not apply to personal use of telephones. Such use is covered by the DOI Telephone Use Policy.
4. Penalties
Disciplinary actions for non-compliance with this policy will be handled in accordance with Departmental personnel policies and the DOI's Personnel Handbook on Charges and Penalty Selection for Disciplinary and Adverse Actions. Selection of the penalty should be the least severe penalty necessary to correct misconduct and to discourage repetition. However, it is important to note that the supervisor retains full authority to set penalties as he/she deems appropriate based on the particular circumstances and specifications of the offense. Corrective action covers a full range of remedies which may include oral and/or written warnings or reprimands, suspension without pay, or removal from Federal service. In the case of a serious offense where a formal action may be taken, supervisors should consult with their Human Resources office immediately.
5. Adherence to Statutes and Regulations
Neither the DOI policy nor the FWS policy overrides any statutes or regulations governing the use of specific Government property.
The following limited personal uses of Government office and library collections are hereby authorized for all employees. Supervisors should be consulted prior to any personal use of government office equipment if there is any question whether such use is appropriate under the terms of this policy.
6. Office Equipment
a. Employees on non-duty time are allowed limited use of office equipment for personal uses that involve only negligible expense to the Government (such as electricity, sheets of paper, ink, and ordinary wear and tear) and do not interfere with official business. For purposes of this policy, office equipment includes copy machines, computers, printers, and fax machines. Copy machines, fax machines, and printers are for official business; however, personal use of less than ten pages per week is permissible on occasion.
b. Color copiers and color printers when used to print in color, are excluded from this policy at this time due to high associated costs. Employees may not use official stationery, envelopes, or postage for personal purposes under any circumstances.
7. Software
Loading personally-owned software (such as tax preparation programs, computer games, etc.) on Government machines is prohibited.
8. E-Mail
Employees on non-duty time are allowed to use Government e-mail systems and computers for limited personal use with the following restrictions:
a. The cost to the Government for the personal use of e-mail must be negligible. Personal use of e-mail also must not cause congestion, delay or disruption of service to any Government system or equipment; e.g., by transmitting large attachments. Employees must follow guidance provided by their Bureau or Office Systems Administrator.
b. Employees may use e-mail for personal point-to-point electronic transmissions or personal transmissions not to exceed 5 addressees per e-mail both as employee-generated personal messages and in response to personal messages received by the employee. Broadcast transmissions, mass mailings or bulletin boards for personal use are prohibited unless specifically authorized by the Bureau or Office Systems Administrator.
c. Employees using e-mail for personal purposes must not represent themselves as acting in an official capacity.
d. Employees are reminded to use caution when giving out their Government e-mail address for personal purposes, particularly when registering or subscribing at various Internet sites. Registering may result in the employee receiving unwanted e-mail which in turn could strain the DOI network resources with increased e-mail traffic.
9. Internet
a. Employees on non-duty time are allowed to use the Internet for personal use as set forth in and in accordance with the Department's Internet Acceptable Use Policy. Except as prohibited by this policy, employees are allowed to make some personal purchases through the Internet, but only during non-duty time. When making such purchases, however, employees must have the purchases sent to a non-Government address.
b. Purchasing activities that are prohibited, and restrictions on push technology and using the Internet as a radio or music player, are listed in Section 10.g and 10.h of this policy.
10. Improper Use of Government Equipment
This applies to all IT resources regardless of location or type.
Unauthorized or improper use of Government office equipment could result in disciplinary or adverse personnel action, as described in the DOI Personnel Handbook on Charges and Penalty Selection for Disciplinary and Adverse Actions, or loss of use or limitation on use of equipment, criminal penalties, and/or employees being held financially liable for the cost of improper use.
Managers and supervisors are responsible for knowing and enforcing these rules of behavior and protecting the Service assets from fraud, waste, and abuse. The following activities are prohibited for all Service IT resources, unless a specific exception is approved by the Director.
a. Employees are prohibited from using government office equipment and e-mail for personal uses except as authorized by this policy.
b. Employees are prohibited from using Government office equipment, at any time, for activities that are illegal (e. g., gambling) or that are inappropriate or offensive to co-workers or the public, such as the use of sexually explicit material or material or remarks that ridicule others on the basis of race, creed, religion, color, sex, disability, age, national origin or sexual orientation.
c. Employees are prohibited from using Government office equipment at any time for any outside fund-raising activity, endorsing any product or service, participating in any lobbying activity, or engaging in political activities. Note: Different rules for lobbying and political activity apply to employees appointed by the President and confirmed by the Senate. Those employees should consult the DOI Ethics web site for guidance.
d. Employees are prohibited from using Government office equipment at any time to make purchases for personal commercial gain activity.
e. Employees are not authorized to remove Government property from the office for personal use.
f. Employees are prohibited from using Government-provided access to the Internet to present their personal views in a way that would lead the public to interpret it as an official Government position. This includes posting to external news groups, bulletin boards, or other public forums.
g. Employees are prohibited at any time from using the Internet as a radio or music player. Such live stream use of the Internet could strain the DOI network and significantly slow communications, inhibiting DOI employees from conducting official business.
h. Employees are prohibited at any time from using "push" technology on the Internet or other continuous data streams, unless they are directly associated with the employee's job. Push technology from the Internet means daily, hourly or continuous updates via the Internet; e.g., news, stock quotes, weather, and similar information. Continuous data streams could degrade the performance of the entire network.
i. Employees are prohibited from engaging in any activity which would compromise the security of any Government information system.
11. General User Responsibility
Users are responsible for staying current with Service security policy, for following defined security rules and practices and for implementing appropriate controls necessary to protect resources and information for which they are responsible.
12. Supervisor, System Manager and System Owner Responsibility
Managers are responsible for ensuring that their employees are aware of the security rules and policies appropriate for the systems for which they have access, for providing necessary training in both security and system functions, for monitoring activity, and for taking appropriate and timely corrective action.
13. System Developer Responsibility
All individuals within the Service who develop or manage the development of automated information systems:
a. Are responsible for knowing the security rules, for coordinating where appropriate with the local security representatives, and for ensuring that all systems have adequate security for the protection of the information being processed. Where higher standards are not defined, the rules in this document are the minimum that shall be employed.
b. Will document the system and system process in accordance with established Service policy and guidelines.
c. Will coordinate as appropriate with the National Communications Center to ensure that the system design and operation is consistent with Service Wide Area Network design and security requirements.
d. Are responsible for assessing their system's impact on other Service systems. This includes establishing appropriate access and security relationships with all other systems that may be affected by the system under development. A system may not be developed or implemented within the Service if such a system poses an unreasonable threat.
14. User Accountability/Passwords and Log-on IDs (USERIDs)
a. Each user is accountable for all actions associated with the use of his/her Log-on ID (USERID) and password, and may be held liable for unauthorized actions found to be intentional, malicious, or grossly negligent. The user is therefore charged to know the rules for creating and managing good passwords, for protecting these passwords from compromise, and for alerting his/her supervisor immediately if a compromise is suspected.
b. Log-on IDs and passwords are required of all users for access to Service networks, the SWAN, the Internet, and other Service systems. Each user must be uniquely identifiable. Users and managers are jointly responsible for ensuring that timely notice is given to system managers when any person leaves the Service, transfers, or for some other reason should be removed from system access.
c. Passwords to all Service systems are considered private. Users will not share their passwords unless specifically directed to do so by their supervisor or other appropriate manager. Any manager who requires that an employee share a private password assumes responsibility for all activity that occurs under that password until such time as it is changed. This does not preclude a reasonable policy for password management to ensure continuity of operations. Such policies must be in writing and provide well-defined rules for use.
15. Unauthorized Access
a. All Service employees are prohibited from accessing or attempting to access systems or information for which they are not authorized or changing access controls to allow themselves or others to perform actions outside their authorized privileges. To minimize the risk of unauthorized access, users must either turn off their computer or activate some form of password protected screen saver if they will be away from their workstations for more than a few minutes. Any suspected attempt at unauthorized access must be reported to the appropriate supervisor immediately.
16. Denial of Service Actions
Users are not allowed to prevent other persons or systems from performing authorized functions by actions that deny access, impact telecommunications capability, suppress messages, or by generating frivolous or unauthorized traffic.
17. Software Control
a. All software used on Service systems must be appropriately acquired and used in accordance with the restrictions and license conditions set forth by the vendor/owner. This includes both commercial software and shareware.
b. Use of Government software on personal systems must be approved by the appropriate supervisor and reviewed by the appropriate IT Security Manager. Use of personal software on Government equipment is prohibited.
c. Users must take appropriate steps to not introduce or use malicious software such as computer viruses, Trojan horses, or worms. Users are obligated to follow established safe computing practices to reduce the risk of damage by these types of destructive agents.
18. Use of Encryption
Encryption of information for storage and transmission is supported by or will be supported by many Service systems. Any information encrypted for storage, regardless of location or media, must be recoverable by the Service. Before any encryption is authorized, there must be written procedures for key management and information recovery. A copy of this procedure must be provided to both the local IT Security Manager and the Bureau IT Security Manager. The use of encryption to secure an individual's personal files on Service computers is not authorized without express permission of the appropriate supervisor.
19. Data Collection and Availability
All data and information collected using Service resources becomes the property of the Service. Adequate instruction must be provided for each data collection effort to ensure that the information can be recovered and used as needed by the Service. If such data is of a type requiring limited access, the rules and restrictions for access and dissemination must be identified.
20. Reporting Computer Incidents
Users are required to report all computer security incidents or suspected incidents to their immediate supervisor. The supervisor is responsible for ensuring that the local or Installation IT Security Manager is informed. The IT Security Manager will determine if the event is of sufficient magnitude to warrant reporting to the Bureau IT Security Manager.
Related Authorities:
5 CFR 2635 - Standards of Ethical Conduct for Employees of the Executive Branch
Part 1 of Executive Order 12674 - Implementing Standards of Ethical Conduct for Employees of the Executive Branch
5 CFR 301 - Departmental Regulations - Authority to Establish Regulations for Management of the Department
41 CFR 101-35.201 - Telecommunications Management Policy IRM Bulletin 1997-001 - Internet Acceptable Use Policy
270 FW 7 - Service Information Technology Manual Policies on Limited Personal Use of Government Equipment and Telephone Use
Policies on Limited Personal Use of Government Equipment and Telephone Use
Definitions:Broadcast Transmission: a message or e-mail note sent at once from a single user to many users and/or sites.
Commercial gain activity: any activity involving or relating to buying, selling, advertising, leasing, or exchanging products or services for anyone's personal profit or gain. It includes day trading and buying or selling real estate for commercial purposes.
Limited personal use: activity that is conducted for purposes other than accomplishing official or otherwise authorized activities, and that does not adversely affect the employee's job performance and is further defined for each kind of equipment in the policy above.
Negligible: an amount sufficiently small that the quantity or cost may be disregarded.
Non-duty time: time when the employee is not expected to be performing official business. To the extent permitted by this policy, employees may, for example, use Government office equipment during their own off-duty hours such as before or after a workday (subject to local office hours), lunch periods, authorized breaks, weekends or holidays (if their duty station is normally available to them at such times).
