Office of the Chief Information Officer Enterprise Policy
CIO-060: Internet and Electronic Mail Acceptable Use Policy
Effective Date: 05/15/1996
Revision Date: 12/15/2017
Reviewed Date: 12/15/2017
Policy Statement: The purpose of this enterprise policy is to define and
outline acceptable use of Internet and Electronic mail (E-mail) resources in
state government. These rules and guidelines are in place to protect both the
user and the Commonwealth.
Policy Maintenance: The Personnel Cabinet, the Commonwealth Office of
Technology (COT) Office of Infrastructure Services, and the COT Office of
Enterprise Technology share responsibility for maintenance and interpretation
of this policy. Agencies may choose to add to this policy, in order to enforce
more restrictive policies as appropriate and necessary. Therefore, staff
members are to refer to their agency’s internal acceptable use policy, which
may have additional information or clarification of this enterprise policy.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop
policies that support and promote the effective application of information
technology within the executive branch of state government, as well as
information technology directions, standards, and necessary management
processes to assure full compliance with those policies.
Applicability: This policy is to be adhered to by all Executive
Branch agencies and staff, including employees, contractors, consultants,
temporaries, volunteers and other workers within state government. This policy
applies to all resources and information technology equipment owned or leased
by the Commonwealth regardless of the time of day, location, or method of access.
Responsibility for Compliance: Each agency is responsible for assuring that staff under its
authority is aware of the provisions of this policy, that compliance is
expected, and that intentional, inappropriate use of Internet and E-mail
resources may result in disciplinary action up to and including dismissal. To
demonstrate awareness and knowledge of this policy, signed acknowledgement
forms are required. It is also each Executive Cabinet’s responsibility to
enforce and manage this policy. Failure to comply may result in additional
shared service charges to the agency for COT’s efforts to remedy inappropriate
Review Cycle: This policy will be reviewed at least every two years.
Policy: As provisioned, Internet and E-mail resources, services, and
accounts are the property of the Commonwealth of Kentucky. These resources are
to be used for state business purposes in serving the interests of state
government, citizens, and customers in the course of normal business operations.
This Acceptable Use Policy represents a set of rules and guidelines to be
followed when using the Commonwealth network or any other network that is used
as a result of connecting to the Internet and E-mail.
compliance with the laws of the Commonwealth and this policy, staff members of
the Commonwealth of Kentucky are encouraged to use the Internet and E-mail to
their fullest potential to:
- Further the State’s mission
- Provide service of the highest quality to its citizens
- Discover new ways to use resources to enhance service, and
- Promote staff development
State government staff members should use the Internet and E-mail,
when appropriate, to accomplish job responsibilities more effectively and to
enrich their performance skills.
The acceptable use of Internet and E-mail represents the proper
management of a state business resource. The ability to connect with a specific
Internet site does not in itself imply that a staff member is permitted to
visit that site. Tools are in place to
monitor staff member’s use of E-mail and the Internet. Staff shall have no
expectation of privacy associated with E-mail transmissions and/or the
information they publish, store, or access on the Internet using the
Incidental personal uses of Internet and E-mail resources are
permissible, but not encouraged. Excessive personal use could lead to loss of
the resource privileges and may result in disciplinary action pursuant to KRS
18.A up to and including dismissal. Staff members are responsible for
exercising good judgment regarding incidental personal use. Any incidental
personal use of Internet or E-mail resources must adhere to the following
- It must not cause any additional expense to the Commonwealth or the staff members agency
- It must be infrequent and brief
- It must not have any negative impact on the staff members overall productivity
- It must not interfere with the normal operation of the staff members agency or work unit
- It must not compromise the staff members agency or the Commonwealth in any way
- It must be ethical and responsible
By Executive Order 2009-1198, the Governor prohibits state staff members from
text messaging while driving government-owned vehicles. Additionally, the
Commonwealth does not encourage nor support the use of any mobile communication
devices while operating non-government owned motor vehicles. This includes reading
from or entering data into any hand-held or other electronic device for
purposes such as telephone calls, emailing, navigational information, text
messaging or similar activities.
Read, acknowledge and sign an agency acceptable use policy statement before using these resources.
Use access to the Internet and E-mail in a responsible and informed way, conforming to network etiquette, customs, courtesies, and any or all applicable laws or regulation. (See also CIO-061 Social Media Policy.)
As with other forms of publications, copyright restrictions/regulations must be observed.
Staff shall be aware that their conduct or information they publish could reflect on the reputation of the Commonwealth. Therefore, professionalism in all communications is of the utmost importance.
Staff members who choose to use E-mail to transmit sensitive or confidential information should encrypt such communications using the Enterprise Standards (X.509 certificates) an approved product for secure electronic messaging services.
- Staff shall represent themselves, their agency or any other state agency accurately and honestly through electronic information or service content.
Supervisors are required to identify Internet and E-mail training needs and resources, to encourage use of the Internet and E-mail to improve job performance, to support staff attendance at training sessions, and to permit use of official time for maintaining skills, as appropriate.
Supervisors are expected to work with staff members to determine the appropriateness of using the Internet and E-mail for professional activities and career development, while ensuring that staff do not violate the general provisions of this policy, which prohibit using the Internet and E-mail for personal gain.
Managers and supervisors that need to review a staff member’s E-mail for a vacant position, such as employee Separation, employee on leave, or email forwarding due to departure are required to submit an E-mail Review Request Form (COT-F084) for a review of the e-mail account. Managers and supervisors who suspect that a staff member is using the Internet and/or E-mail inappropriately must submit a Security Investigation Request Form (COT-F182) to review the internet usage and/or E-mail.
E-mail and Internet access should be used for “appropriate business use" only. Incidental personal use is permissible, but not encouraged. This policy recognizes the specific definition of appropriate business use may differ among agencies based on their mission and functions. Therefore, each agency should define appropriate business use to ensure staff members and users are fully informed.
Create an Internet and E-mail Acceptable Use Policy statement and require a signed acknowledgement by all staff members and users before accessing these resources.
Agencies that permit the use of E-mail to transmit sensitive or confidential information should be aware of the potential risks of sending unsecured transmissions. E-mail of this nature should, at a minimum, contain a standard agency-level confidentiality statement. E-mail content and file attachments considered sensitive or confidential must be encrypted using the Enterprise Standards (X.509 certificates) approved products for secure electronic messaging services. To protect confidential data, some federal laws require the use of encrypted transmission to ensure regulatory compliance. Enterprise Standard 5100: Encryption should be observed.
Any commercial use of Internet connections by agencies must be approved by COT to make certain it does not violate the terms of COT's agreement with the Commonwealth’s Internet provider. No reselling of access is allowed.
shall not accept commercial advertising or vendor-hosted website advertising for
which the agency receives compensation. As a general practice, state agencies
should avoid endorsing or promoting a specific product or company from agency
websites, however the placement of acknowledgements, accessibility and
certification logos are acceptable.
Prohibited and Unacceptable Uses: Use of Internet
and E-mail resources are privileges that may be revoked at any time for
unacceptable use or inappropriate conduct. Any abuse of acceptable use policies
may result in notification of agency management, revocation of access and
disciplinary action up to and including dismissal. Unacceptable use of internet
and email resources includes, but is not limited to the following activities
which are, strictly prohibited.
Violating the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, including but not limited to, the downloading, installation or distribution of pirated software, digital music and video files.
Engaging in illegal activities or using the Internet or E-mail for any illegal purposes, including initiating or receiving communications that violate any state, federal or local laws and regulations, including KRS 434.840-434.860 (Unlawful Access to a Computer) and KRS 512.020 (Criminal Damage to Property Law). This includes malicious use, spreading of viruses, and hacking. Hacking means gaining or attempting to gain the unauthorized access to any computers, computer networks, databases, data or electronically stored information.
Using the Internet and E-mail for personal business activities in a commercial manner such as buying or selling of commodities or services with a profit motive.
Using resources to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws, whether through language, frequency or size of messages. This includes statements, language, images, E-mail signatures or other materials that are reasonably likely to be perceived as offensive or disparaging of others based on race, national origin, sex, sexual orientation, age, disability, religious or political beliefs.
Using abusive or objectionable language in either public or private messages.
Knowingly accessing pornographic sites on the Internet and/or disseminating, soliciting or storing sexually oriented messages or images.
Misrepresenting, obscuring, suppressing, or replacing a user’s identity on the Internet or E-mail. This includes the use of false or misleading subject headers and presentation of information in the distribution of E-mail.
Using the E-mail account of another employee without receiving written authorization or delegated permission to do so.
Forging E-mail headers to make it appear as though an E-mail came from someone else.
Sending or forwarding chain letters or other pyramid schemes of any type.
Sending or forwarding unsolicited commercial E-mail (spam) including jokes.
Soliciting money for religious or political causes, advocating religious or political opinions and/or endorsing political candidates.
Making fraudulent offers of products, items, or services originating from any Commonwealth account.
Using official resources to distribute personal information that constitutes an unwarranted invasion of personal privacy as defined in the Kentucky Open Records Act, KRS 61.870 – 61.884.
Online investing, stock trading and auction services such as eBay unless the activity is for Commonwealth business.
Developing or maintaining a personal web page on or from a Commonwealth device.
Use of peer-to-peer (referred to as P2P) networks.
Any other non-business related activities that will cause congestion, disruption of networks or systems including, but not limited to, Internet games, online gaming, unnecessary Listserve subscriptions, Chat rooms, messaging services or similar Internet-based collaborative services.
With proper exception approved, staff members may be exempt
from these prohibitions during the course of completing job requirements and
legitimate state government business.