CIO-060 Internet and Electronic Mail Acceptable Use Policy

Office of the Chief Information Officer Enterprise Policy

CIO-060: Internet and Electronic Mail Acceptable Use Policy

Effective Date: 05/15/1996
Revision Date: 12/15/2017
Reviewed Date: 12/15/2017

Policy Statement: The purpose of this enterprise policy is to define and outline acceptable use of Internet and Electronic mail (E-mail) resources in state government. These rules and guidelines are in place to protect both the user and the Commonwealth.

Policy Maintenance:  The Personnel Cabinet, the Commonwealth Office of Technology (COT) Office of Infrastructure Services, and the COT Office of Enterprise Technology share responsibility for maintenance and interpretation of this policy. Agencies may choose to add to this policy, in order to enforce more restrictive policies as appropriate and necessary. Therefore, staff members are to refer to their agency’s internal acceptable use policy, which may have additional information or clarification of this enterprise policy.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies that support and promote the effective application of information technology within the executive branch of state government, as well as information technology directions, standards, and necessary management processes to assure full compliance with those policies.
Applicability: This policy is to be adhered to by all Executive Branch agencies and staff, including employees, contractors, consultants, temporaries, volunteers and other workers within state government. This policy applies to all resources and information technology equipment owned or leased by the Commonwealth regardless of the time of day, location, or method of access.

Responsibility for Compliance: Each agency is responsible for assuring that staff under its authority is aware of the provisions of this policy, that compliance is expected, and that intentional, inappropriate use of Internet and E-mail resources may result in disciplinary action up to and including dismissal. To demonstrate awareness and knowledge of this policy, signed acknowledgement forms are required. It is also each Executive Cabinet’s responsibility to enforce and manage this policy. Failure to comply may result in additional shared service charges to the agency for COT’s efforts to remedy inappropriate usage.

Review Cycle: This policy will be reviewed at least every two years.
Policy: As provisioned, Internet and E-mail resources, services, and accounts are the property of the Commonwealth of Kentucky. These resources are to be used for state business purposes in serving the interests of state government, citizens, and customers in the course of normal business operations. This Acceptable Use Policy represents a set of rules and guidelines to be followed when using the Commonwealth network or any other network that is used as a result of connecting to the Internet and E-mail. In compliance with the laws of the Commonwealth and this policy, staff members of the Commonwealth of Kentucky are encouraged to use the Internet and E-mail to their fullest potential to:
  • Further the State’s mission
  • Provide service of the highest quality to its citizens
  • Discover new ways to use resources to enhance service, and
  • Promote staff development
State government staff members should use the Internet and E-mail, when appropriate, to accomplish job responsibilities more effectively and to enrich their performance skills.
The acceptable use of Internet and E-mail represents the proper management of a state business resource. The ability to connect with a specific Internet site does not in itself imply that a staff member is permitted to visit that site.  Tools are in place to monitor staff member’s use of E-mail and the Internet. Staff shall have no expectation of privacy associated with E-mail transmissions and/or the information they publish, store, or access on the Internet using the Commonwealth’s resources.
Incidental personal uses of Internet and E-mail resources are permissible, but not encouraged. Excessive personal use could lead to loss of the resource privileges and may result in disciplinary action pursuant to KRS 18.A up to and including dismissal. Staff members are responsible for exercising good judgment regarding incidental personal use. Any incidental personal use of Internet or E-mail resources must adhere to the following limitations:
  • It must not cause any additional expense to the Commonwealth or the staff members agency
  • It must be infrequent and brief
  • It must not have any negative impact on the staff members overall productivity
  • It must not interfere with the normal operation of the staff members agency or work unit
  • It must not compromise the staff members agency or the Commonwealth in any way
  • It must be ethical and responsible

By Executive Order 2009-1198, the Governor prohibits state staff members from text messaging while driving government-owned vehicles. Additionally, the Commonwealth does not encourage nor support the use of any mobile communication devices while operating non-government owned motor vehicles. This includes reading from or entering data into any hand-held or other electronic device for purposes such as telephone calls, emailing, navigational information, text messaging or similar activities.

Staff/User Responsibilities:

  • Read, acknowledge and sign an agency acceptable use policy statement before using these resources.
  • Use access to the Internet and E-mail in a responsible and informed way, conforming to network etiquette, customs, courtesies, and any or all applicable laws or regulation. (See also CIO-061 Social Media Policy.)
  • As with other forms of publications, copyright restrictions/regulations must be observed.
  • Staff shall be aware that their conduct or information they publish could reflect on the reputation of the Commonwealth. Therefore, professionalism in all communications is of the utmost importance.
  • Staff members who choose to use E-mail to transmit sensitive or confidential information should encrypt such communications using the Enterprise Standards (X.509 certificates) an approved product for secure electronic messaging services.
  • Staff shall represent themselves, their agency or any other state agency accurately and honestly through electronic information or service content.


Supervisor Responsibilities:

  • Supervisors are required to identify Internet and E-mail training needs and resources, to encourage use of the Internet and E-mail to improve job performance, to support staff attendance at training sessions, and to permit use of official time for maintaining skills, as appropriate.
  • Supervisors are expected to work with staff members to determine the appropriateness of using the Internet and E-mail for professional activities and career development, while ensuring that staff do not violate the general provisions of this policy, which prohibit using the Internet and E-mail for personal gain. 
  • Managers and supervisors that need to review a staff member’s E-mail for a vacant position, such as employee Separation, employee on leave, or email forwarding due to departure are required to submit an E-mail Review Request Form (COT-F084) for a review of the e-mail account.
  • Managers and supervisors who suspect that a staff member is using the Internet and/or E-mail inappropriately must submit a Security Investigation Request Form (COT-F182) to review the internet usage and/or E-mail.

Agency Responsibilities:

  • E-mail and Internet access should be used for “appropriate business use" only. Incidental personal use is permissible, but not encouraged. This policy recognizes the specific definition of appropriate business use may differ among agencies based on their mission and functions. Therefore, each agency should define appropriate business use to ensure staff members and users are fully informed.
  • Create an Internet and E-mail Acceptable Use Policy statement and require a signed acknowledgement by all staff members and users before accessing these resources.
  • Agencies that permit the use of E-mail to transmit sensitive or confidential information should be aware of the potential risks of sending unsecured transmissions. E-mail of this nature should, at a minimum, contain a standard agency-level confidentiality statement. E-mail content and file attachments considered sensitive or confidential must be encrypted using the Enterprise Standards (X.509 certificates) approved products for secure electronic messaging services. To protect confidential data, some federal laws require the use of encrypted transmission to ensure regulatory compliance. Enterprise Standard 5100: Encryption should be observed.
  • Agencies are responsible for the content of their published information and for the actions of their staff, including the proper retention and disposal of E-mail records. Enterprise Standard 4060: Recordkeeping – Electronic Mail should be observed.
  • Any commercial use of Internet connections by agencies must be approved by COT to make certain it does not violate the terms of COT's agreement with the Commonwealth’s Internet provider. No reselling of access is allowed.
  • Agencies shall not accept commercial advertising or vendor-hosted website advertising for which the agency receives compensation. As a general practice, state agencies should avoid endorsing or promoting a specific product or company from agency websites, however the placement of acknowledgements, accessibility and certification logos are acceptable.

Prohibited and Unacceptable Uses:   Use of Internet and E-mail resources are privileges that may be revoked at any time for unacceptable use or inappropriate conduct. Any abuse of acceptable use policies may result in notification of agency management, revocation of access and disciplinary action up to and including dismissal. Unacceptable use of internet and email resources includes, but is not limited to the following activities which are, strictly prohibited 


  • Violating the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, including but not limited to, the downloading, installation or distribution of pirated software, digital music and video files.
  • Engaging in illegal activities or using the Internet or E-mail for any illegal purposes, including initiating or receiving communications that violate any state, federal or local laws and regulations, including KRS 434.840-434.860 (Unlawful Access to a Computer) and KRS 512.020 (Criminal Damage to Property Law). This includes malicious use, spreading of viruses, and hacking. Hacking means gaining or attempting to gain the unauthorized access to any computers, computer networks, databases, data or electronically stored information.
  • Using the Internet and E-mail for personal business activities in a commercial manner such as buying or selling of commodities or services with a profit motive.
  • Using resources to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws, whether through language, frequency or size of messages. This includes statements, language, images, E-mail signatures or other materials that are reasonably likely to be perceived as offensive or disparaging of others based on race, national origin, sex, sexual orientation, age, disability, religious or political beliefs.
  • Using abusive or objectionable language in either public or private messages.
  • Knowingly accessing pornographic sites on the Internet and/or disseminating, soliciting or storing sexually oriented messages or images.
  • Misrepresenting, obscuring, suppressing, or replacing a user’s identity on the Internet or E-mail. This includes the use of false or misleading subject headers and presentation of information in the distribution of E-mail.
  • Using the E-mail account of another employee without receiving written authorization or delegated permission to do so.
  • Forging E-mail headers to make it appear as though an E-mail came from someone else.
  • Sending or forwarding chain letters or other pyramid schemes of any type.
  • Sending or forwarding unsolicited commercial E-mail (spam) including jokes.
  • Soliciting money for religious or political causes, advocating religious or political opinions and/or endorsing political candidates.
  • Making fraudulent offers of products, items, or services originating from any Commonwealth account.
  • Using official resources to distribute personal information that constitutes an unwarranted invasion of personal privacy as defined in the Kentucky Open Records Act, KRS 61.870 – 61.884.
  • Online investing, stock trading and auction services such as eBay unless the activity is for Commonwealth business.
  • Developing or maintaining a personal web page on or from a Commonwealth device.
  • Use of peer-to-peer (referred to as P2P) networks.
  • Any other non-business related activities that will cause congestion, disruption of networks or systems including, but not limited to, Internet games, online gaming, unnecessary Listserve subscriptions, Chat rooms, messaging services or similar Internet-based collaborative services.
With proper exception approved, staff members may be exempt from these prohibitions during the course of completing job requirements and legitimate state government business.
This page was last modified 8/6/2019 5:37 PM

Return to CIO Policies Home Page.