CODE NO. 913
SUPERSEDES: NEW
SECTION: POLICY & PROCEDURE MANUAL 900 – IT SECURITY
SUBJECT: E-MAIL USAGE POLICY
DATE: 2/1/08

Rationale

An Email Usage Policy is required to maintain a high level of IT Enterprise services and availability to customers and to the IT Enterprise. This policy is essential for Jackson Health System (JHS) to promote its primary goal of being a patient-focused organization by supporting a secure, reliable, robust, and interoperable computing environment.

Scope

This policy applies to all personnel, including but not limited to Jackson Health System staff, agency partners, vendors, and contractors who provide Jackson Health System services, while they are involved in activities related to providing those services.

Exemptions

Exemptions can be applied if the security protection mechanisms or processes in use exceed those communicated in this policy. For any other exemption to this policy, contact the office of the Chief Information Security Officer.

Definitions

The definitions for terminology in this document can be found in the Enterprise Glossary.

Policy Language

Personal Use

Jackson Health System electronic messaging systems must be used primarily for business activities. Incidental personal use is permissible so long as it: (a) does not consume more than a small amount of system resources, (b) does not interfere with worker productivity, and (c) does not preempt any business activity.

All email messages are deemed Jackson Health System records. Personal electronic messages will be treated no differently from other messages. Jackson Health System has the right to access all messages and to monitor the system to enforce policies regarding business use and appropriateness.

Access

Access to the electronic messaging system and use of external email is granted by Jackson Health System designated personnel. Access can be limited by time and site. The amount of access is dependent on the approval granted by an employee’s manager.
Internet electronic messaging requires approval by authorized personnel. The use of electronic messaging should only be performed through Jackson Health System approved equipment and software.

Explicitly Denied Access

Workforce members of Jackson Health System must not use their personal electronic mail accounts with an Internet Service Provider (ISP), webmail accounts, or any other third party to send Jackson Health System business messages. To do so would circumvent the logging and backup controls that Jackson Health System has established. Users of the Jackson Health System email infrastructure must not automatically forward jhsmiami.org addresses to a third-party address.

E-Mail Attachments

Attachments to e-mail are the number one way to spread worms, viruses and other attacks on computer systems. In order to limit the exposure of the Hospital’s computer systems to such attacks, certain attachments will not be permitted into the environment. If an e-mail message with a questionable attachment is sent to an internal mail recipient, the attachment will be removed from the message and the message will be sent on to the recipient. The message will indicate that there was an attachment, but that it was removed due to policy restrictions.

Any e-mail message sent or received by a Jackson Health System workforce member is limited in size to a Jackson Health System standard. This size limit is the total size of the message plus all attachments accompanying the message. This limit will be imposed on all messages, whether they are sent to or received from external sources or from within the Jackson Health System organization.

Responsible Use of Computer Resources

Electronic messaging systems must employ personal user-IDs and associated passwords to isolate the communications of different users.
Workforce members must not employ the user-ID or other identifier of any other user. These and all other prudent and reasonable steps must be taken to prevent unauthorized access.

Malware Code Protection

Malware code protection will be provided by the Hospital. Protection from viruses, worms and other attacks will be performed at multiple levels, including servers, gateways, routers and workstations. Even though these services are provided, workforce members should still follow the policies and practices so as not to bring in or expose Jackson Health System to such attacks.

If an attack or infection is detected, any combination of the following will be notified: the sender, the recipient and the proper incident handling personnel. Once the notification is sent, action will be taken to correct the issue.

Monitoring of Email Use

Employees should have no expectation of personal privacy rights in any materials created, received or sent through the Jackson Health System-provided electronic messaging systems. Consistent with generally accepted business practice, Jackson Health System collects statistical data about its electronic communication systems. Using such information, technical support personnel monitor the use of electronic communications to ensure the ongoing availability and reliability of these systems. It may be necessary for Information Security personnel to review the content of an individual worker's communications during the course of problem resolution.

Monitoring of mail content is only performed by authorized personnel with the approval of the Chief Information Security Officer, or delegate. Monitoring shall include, but is not limited to: viruses, inappropriate content, profanity, private health information, Jackson Health System confidential material and spam.
Harassment

Acceptable use of computing resources requires respect for the individual's right to privacy and to freedom from intimidation, harassment and unwarranted annoyance. The use of insulting, obscene, offensive, derogatory or suggestive remarks in e-mail or news, tampering with others' files, or any invasive access to others' equipment is forbidden. It is possible that such remarks would later be taken out of context and used against the Health System.

As a matter of standard business practice, all Jackson Health System electronic communications must be consistent with conventional business standards of ethical and polite conduct. Computer and communications systems are not intended to be used for, and must not be used for, the exercise of the workforce members' right to free speech. These systems must not be used as an open forum to discuss Jackson Health System organizational changes or business policy matters. Likewise, as a further restriction of free speech, sexual, ethnic, and racial harassment, including unwanted electronic mail, is strictly prohibited. Workers who receive offensive unsolicited material from outside sources must not forward or redistribute it to either internal or external parties.

Accessing Obscene or Offensive Materials

The Health System’s electronic messaging system shall not be used to send, post, or download information that contains obscene, derogatory, suggestive or offensive language or images, unless doing so is considered part of a job responsibility (evidence gathering, research, etc.). It is forbidden to access or display material that is prurient, lewd, or lascivious in content. Care should be taken to avoid accessing or displaying any material that may be offensive to others.
Prevention of Corporate Liability

Jackson Health System employees and business associates must avoid sending electronic mail, bulletin board messages, or discussion group messages that could cause legal exposure to Jackson Health System based on their content. Additionally, Jackson Health System employees and business associates may not download any documents or files that may violate any proprietary rights of any third party, including but not limited to intellectual property rights.

Privacy

All electronic mail containing non-public data must be encrypted before leaving the Jackson Health System network.

Release of Proprietary or Confidential Information

Information and data that may be exchanged over the Internet need to be appropriately protected from unauthorized access. Exchanges of personally identifiable or confidential information or data between Jackson Health System and third parties will not proceed without Business Associate Agreements having first been executed. Such exchanges will abide by the terms of the agreement.

Libel

Jackson Health System does not accept responsibility for the personal opinions expressed by the users of its electronic messaging systems. Jackson Health System does not act as a publisher, but provides the means to distribute statements made by its employees. However, Jackson Health System takes the issue of libel seriously, and prohibits the distribution of false or harmful text regarding a specific individual, entity, or corporation to another party.

Conducting Business Online

Generally, business conducted online with clients and/or business partners should be restricted to those with proper authorization and training. If there is doubt, such business should be conducted through other means.

Contracts

Electronic mail addresses do not satisfy the requirement for a legal signature.
In any electronic communication in which the possibility of contracting exists, a disclaimer must be included indicating that official approval must be obtained prior to agreement.

Electronic Mail (E-Mail)

Electronic mail on the Internet is not secure. Information that must be kept private and confidential should never be included in an e-mail message unless security mechanisms have been utilized.

Secure Electronic Mail

The process is detailed in the Encryption and Digital Signature Standards and Procedures documents.

Reporting

Users must promptly report all information security alerts, warnings, and reported vulnerabilities.

Apparent Authority and Submission to a Foreign Jurisdiction

Any false representation of authority or engagement in unauthorized business is strictly prohibited. Jackson Health System operates under the jurisdiction of the locations where its Internet transmissions commence and shall not be subject to the jurisdiction of foreign judicial systems or to taxation by foreign governments.

Policy Enforcement

Electronic messaging use at Jackson Health System is monitored. Any information obtained during the course of monitoring will be forwarded to management as appropriate. Management may review the electronic mail communications of personnel using Jackson Health System facilities assigned to them, for any reasonable business purpose, including, but not limited to, breaches of security, violations of Jackson Health System policy, or unauthorized actions on the part of the employee, consultant, or business associate. Jackson Health System reserves the right to disclose any electronic mail message, attachments or other data obtained via Jackson Health System electronic messaging usage to law enforcement agents without any prior notice to personnel who may have sent or received such data.
Employees who abuse or violate this electronic messaging policy are subject to discipline up to and including termination.

Jackson Health System will assure that Email Usage mechanisms are in place and effective by assuring these processes are conducted:

- Perform regular quality assurance checks of applications and systems, at least once per year, to assure the Email Usage mechanisms are effective.
- Produce reports, both regular and ad hoc, to fulfill associated processes and management’s needs.

Jackson Health System’s Email Usage policies, processes, procedures and standards:

- Gather pertinent data that will benefit the Hospital’s collection of configuration and asset information.
- Support all the other service management processes (e.g., Change Management, Incident Management, and Problem Management).
- Are flexible enough to respond to the customer’s business needs.
- Minimize the effort to maintain data through automation, consolidation and sharing of data sources.
- Are readily accessible and available to JHS customers and staff.
- Are written to be understandable to their audience.
- Are regularly updated based on customer feedback, new business needs and changing practices to ensure continual quality improvement, and those changes are communicated to Jackson Health System customers and staff.

Human Resource Implications

In order to provide exemplary Email Usage standards, Jackson Health System management must:

- Offer initial and continuing training to Jackson Health System staff in Email Usage policy, processes, procedures and standards.
- Ensure documentation for Email Usage policy, processes, and procedures is accessible to all staff.
- Ensure all Jackson Health System staff consistently follow the Email Usage policy, processes, procedures, and standards.
- Assist staff to understand Email Usage policy, processes, procedures, and standards, and enforce compliance with the policy, processes, procedures, and standards.

Related Policies, Processes, Procedures, Standards, or Best Practices

- Jackson Health System Acceptable Use
- Jackson Health System Asset & Classification
- Jackson Health System Asset Protection
- Jackson Health System Configuration/Asset Management
- Jackson Health System Incident Management
- Jackson Health System Information Security Staff
- Jackson Health System Threat Assessment & Monitoring
- Jackson Health System Vulnerability Assessment & Risk Management
- NIST Special Publication 800-45, “Guidelines on Electronic Mail Security”

Timeline

Effective Date: Effective upon implementation.
Review Date: Within one year from the effective date.

Authorization: Marvin O’Quinn, President, Public Health Trust