Policy Statement: The Commonwealth Office of Technology (COT), Office of the Chief Information Security Officer (CISO), is responsible for establishing procedures for agencies to follow when requesting a review of a staff member's e-mail account.
Policy Maintenance: The COT, Office of the CISO, has the responsibility for the maintenance of this policy. Agencies may choose to add to this policy as appropriate, in order to enforce more restrictive standards. Therefore, staff are to refer to their agency’s internal policy, which may have additional information or clarification of this enterprise policy.
Authority: KRS 42.726 authorizes the COT to develop policies that support and promote the effective application of information technology within the executive branch of state government, as well as information technology directions, standards, and necessary management processes to assure full compliance with those policies.
Applicability: This policy is to be adhered to by all staff, including employees, contractors, consultants, temporaries, volunteers, vendors and other workers within the Executive Branch of state government.
Responsibility for Compliance: Agencies and staff outlined above in “Applicability” are expected to understand and follow these guidelines. Each agency is responsible for assuring that staff within their organizational authority are aware of the provisions of this policy. It is also each Executive Cabinet Agency's responsibility to enforce and manage the application of this policy.
Review Cycle: This policy will be reviewed at least every two years.
Policy: The COT Security Administration Branch within the Office of the CISO is responsible for providing documentation on the contents of a staff member's e-mail account to an agency, upon receipt of a properly authorized request. The purpose of this policy is to provide procedures for cabinets/agencies to follow when requesting e-mail review documentation.
E-mail created or maintained by public agencies meets the statutory definition of a public record in Kentucky. E-mail is also available to appropriate agency management for review of their staff's electronic communications and activities. The process of obtaining a staff member’s e-mail account will be handled by COT with appropriate sensitivity and will be in accordance with all applicable privacy limitations in current open records statutes.
An agency may request a review of a staff member's e-mail account by submitting an E-mail Review Request Form (COT-F084) to the COT Security Administration Branch (COTSecurityEmail_InternetUsageReviews@ky.gov) or the Commonwealth Service Desk.
The request should be initiated by the subject staff member’s direct manager or above and must be signed by executive management within the staff member’s management chain. The request should then be sent to the requesting cabinet's Legal Office for review and approval. After obtaining the appropriate Legal Office signed approval, the E-mail Review Request Form should be forwarded to the COT Security Administration Branch at COTSecurityEmail_InternetUsageReviews@ky.gov. The Security Administration Branch will log the request and send it to the COT Chief Information Security Officer, or his designee, for final approval.
Upon final approval, COT will provide the requestor or the individual identified as the Agency Legal Counsel/Contact with documentation on the staff member's e-mail account. Once the documentation has been provided to the agency, it is the agency’s responsibility to maintain the documentation as an official copy. Due to the large volume of e-mail that COT manages on a daily basis, COT is not responsible for storing, retaining, or regenerating this documentation.
An agency may request two different types of e-mail access in order to review a staff member’s e-mail account:
- Export .pst file to DVD – COT can export the current contents of the mailbox to a .pst file and copy the .pst file to a DVD for the requesting agency. This produces a ‘snapshot’ of the user’s mailbox, which is a copy of what the mailbox looks like at the point in time the snapshot was taken. These .pst files come from the Exchange server only and also include the mailbox calendar.
- Email Forwarding – COT Enterprise Services can do mail forwarding. An out of office message can also be placed on the mailbox.
- Use a file transfer – MoveIT – The MoveIT job picks up .pst files (as scheduled) from a folder location/path and delivers them to the specified folder location/path, usually to an agency server/location. A secure messaging feature is used with the MoveIT process.
Agencies should be aware that if restoring e-mail not present in the staff member's current e-mail folders (including the "Deleted Items" folder), e-mail backups are only retained for a period of twelve days. E-mail that was deleted (and purged) by the staff member prior to twelve days before the restore process will not be available.
In addition, if COT must restore a staff member's e-mail folders from previous backups, a standard charge will be incurred by the agency for this service, per mailbox, per restore. For example, if an agency requests a user’s mailbox be restored for the last twelve days, the charges will be 12 times the rate of a single restore.