§ 6.101. Use of County Information Assets  

Effective Date: 07/13/04

PURPOSE
___________

To establish policies for the use of County Information Assets.

REFERENCE
___________

July 13, 2004, Board Order No. 10 — Board of Supervisors — Information Technology and Security Policies

Board of Supervisors Policy No. 3.401 — Protection of Records Containing Non-Public Information

Board of Supervisors Policy No. 6.100 — Information Security Policy

Board of Supervisors Policy No. 6.103 — Computer Security Incident Reporting and Response

Board of Supervisors Policy No. 6.104 — Information Classification Policy

Board of Supervisors Policy No. 9.015 — County Policy of Equity

Board of Supervisors Policy No. 9.040 — Investigations Of Possible Criminal Activity Within County Government

Agreement for Acceptable Use and Confidentiality of County Information (Acceptable Use Agreement) , attached

Comprehensive Computer Data Access and Fraud Act, California Penal Code Section 502

Health Insurance Portability and Accountability Act (HIPAA) of 1996

Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

California Civil Code Section 1798.29

November 21, 2017, Board Order No. 19

November 7, 2018, Board Order No. 16

DEFINITIONS
___________

All capitalized terms not defined in this policy have the same meaning as set forth in Board of Supervisors Policy No. 6.100 - Information Security Policy, Board of Supervisors Policy No. 6.102 - Endpoint Security Policy, Board of Supervisors Policy No. 6.104 - Information Classification Policy and Board of Supervisors Policy No. 6.105 - Information Technology Audit and Risk Assessment.

Minimal Personal Use: use by a Workforce Member that is incidental and is not substantial enough to result in a gain or advantage to the Workforce Member or a loss to the County for which a monetary value may be estimated.

Social Media: is broadly understood for purposes of this policy to include blogs, wikis, message boards, chat rooms, electronic newsletters, online forums, social networking sites, and other sites and services that encourage users to share information with others.

POLICY
___________

General:

It is every County Workforce Member's duty to access and use County Information Assets responsibly, professionally, ethically, and lawfully.

All County Workforce Members shall acknowledge and adhere to County Information Security policies, standards, and procedures and sign the "County of Los Angeles Agreement for Acceptable Use and Confidentiality of County Information Assets" (attached to this Board of Supervisors Policy No. 6.101), prior to being granted access to County Information Assets, and annually thereafter.

No expectation of privacy is conveyed to County Workforce Members concerning their activities related to the use of County Information Assets, including, without limitation, in anything they create, store, send, or receive using County Information Assets. Having no expectation to any right to privacy includes that County Workforce Member's access and use of County Information Assets may be monitored or investigated by authorized personnel at any time, without notice or consent.

No person may possess a County Information Asset without authorization. Whenever a County Workforce Member is granted authorization to possess or access an Information Asset, such authorization does not convey any implication of property right to either the physical asset or the information it may contain. As a condition of accessing or possessing any County-owned Information Asset, a County Workforce Member consents to access of the physical asset and information pursuant to Cal. Pen. Code sec. 1546 et seq. by authorized County personnel, specifically including administration, operation, law enforcement, Countywide Computer Emergency Response Team, Auditor-Controller and Cyber Investigation Response Team personnel.

Activities of County Workforce Members may be monitored, logged, stored, made public, and are subject to Audit and review, including, without limitation, periodic monitoring and/or investigation, by authorized personnel at any time.

Monitoring the access to and use of County Information Assets by County Workforce Members must be approved in accordance with applicable policies and laws on investigations. If any evidence of violation of this policy is identified, the Auditor-Controller's Office of County Investigations must be notified immediately following proper County and Departmental procedures.

The County has the right to administer all aspects of County Information Asset access, including, without limitation, the right to monitor and restrict Internet access and use, electronic communications (e.g., email, instant messaging, etc.), and access to other Information Assets such as files, data sets, databases, etc. Access to County Information Assets is a privilege, such access may be modified or revoked at any time, without notice or consent.

Minimal Personal Use:

Workforce Members may use County Information Assets for Minimal Personal Use, provided that the use is not prohibited and has the appearance of professionalism, even if it is not used in a public setting.

Prohibited Use:

County Information Assets may not be used:

•

For any unlawful purpose.

•

For any purpose detrimental to the County or its interests.

•

For personal financial gain.

•

In any way that undermines or interferes with access to or use of County Information Assets for official County purposes.

•

In any way that hinders productivity, efficiency, customer service, or interferes with a County Workforce Members performance of his/her official job duties.

•

To express or imply sponsorship or endorsement by the County, except as approved in accordance with Departmental policies, standards, and procedures.

•

For personal purpose where activities are for private gain or advantage, or an outside endeavor not related to County business purpose. Personal purpose does not include incidental and Minimal Personal use of County Information Assets.

•

To represent themselves as someone else, real or fictional, or sending Information anonymously unless specifically authorized by Department management.

No County Workforce Member shall intentionally, or through negligence, damage, interfere with the operation of, or prevent authorized access to County Information Assets.

Electronic Communications:

County electronic communications are provided as a tool for conducting County business. Any other use must meet the definition of Minimal Personal Use.

County Workforce Members shall use proper business etiquette when communicating over County electronic communication systems/applications/services (e.g., electronic mail, instant messaging, etc.).

All electronic communications created, sent, and/or stored using County electronic communications systems/applications/services shall be retained in compliance with applicable County and Departmental policies, and legal requirements, but retention shall be minimized to conserve County resources and prevent Risk of unauthorized exposure and/or disclosure.

Encryption shall be used for electronic communications of Non-public Information.

Internet Use:

Access to County Internet services is provided, as needed, at the discretion of each Department. Access to County Internet services is a privilege, which may be restricted, modified or revoked at any time, without notice or consent.

Except as expressly authorized in this Policy, County Workforce Members shall not access or use County Information Assets to create, exchange, publish, or distribute through Social Media any Non-public Information or engage in political lobbying, religious promotion not specifically approved by designated County Department management.

County Departments may adopt and implement departmental policies and procedures authorizing one or more specified Workforce Members, as a part of their assigned job function, to use County Information Assets to create, exchange, publish, or distribute through Social Media Information on behalf of the County Department, that is specifically approved by designated Department management. Such departmental policies and procedures shall, at a minimum:

•

Ensure all Information created, exchanged, published, or distributed comply with all applicable aspects of County and departmental policies, standards, and procedures.

•

Designate management to regularly monitor the Information created, exchanged, published, or distributed through Social Media.

•

Address instances of non-compliance with policies, standards and procedures.

With the exception of authorized file sharing/storage services, no County Workforce Member shall store County Non-public Information on any Internet file sharing/storage site or service without prior written approval by Department management after review by the Departmental Information Security Officer (DISO).

Accessing County Information Assets Remotely:

Each County Workforce Member shall comply with, and only use Endpoints and Portable Computing Devices that comply with, all applicable County Information Security policies.

Without limiting the foregoing, County Workforce Members who are authorized to remotely access County Information Assets using personally-owned Endpoints or Portable Computing Devices shall ensure that it is appropriately maintained. At a minimum this includes:

•

Operating System software and application software are kept up-to-date (e.g., critical updates, security updates/patches, and service packs).

•

Antivirus/Anti-Malware software is installed and up-to-date.

Applicability:

All County Departments and Workforce Members.

Compliance

County Workforce Members who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-County Workforce Members, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to County Information Assets, and other actions as well as both civil and criminal penalties.

Policy Exceptions

There are no exceptions to this policy.

RESPONSIBLE DEPARTMENT
___________

Chief Executive Office

DATE ISSUED/SUNSET DATE
___________