DEPARTMENT OF ENVIRONMENTAL PROTECTION

OFFICE OF INFORMATION TECHNOLOGY

INTERNET ACCEPTABLE USE POLICY

I. PURPOSE
To ensure secure access and proper usage of the Internet for the Department of
Environmental Protection.

The Department of Environmental Protection (DEP) and the City of New York
encourage its employees to use creativity and innovation in the performance of
their duties and delivery of services. Use of the Internet for purposes of
researching, gathering and the dissemination of information can be an effective
tool for personnel in improving the speed and quality of our work and services. If
approved by management, the Internet will be accessible via your desktop
browser. The Internet should be used only in connection with City business and
should not be used in connection with any non-City business or personal matters.
Please be aware that both DEP and DoITT have installed content management
software that will track the Web sites visited and length of time spent at each site
by each user.

II. POLICY
Use of the Internet is solely for agency related purposes. All users of City network
resources have a responsibility to use their Internet access in an informed and
professional fashion. Failure to adhere to this Policy exposes DEP and the City to
increased vulnerability from threats of unauthorized access, theft of information,
theft of services, and malicious disruption of services.

Use of Internet access for activities that are unacceptable under this Policy
may subject a user to disciplinary action, including the removal of a users
access from the system and/or appropriate legal action, including criminal
prosecution, and/or discipline up to and including termination of
employment.
Internet Usage
Use of the public Internet by DEP employees is permitted and encouraged only
where such use is suitable for DEP business purposes and where it supports the
goals and objectives of the Agency.

Users shall not:

Post, transmit or introduce in any way material considered indecent, offensive, or
is in any way related to the production, use, storage, or transmission of sexually
explicit or offensive items on the DEP network or systems.
Post material in violation of U.S. copyright and/or trademark laws.
Use software files, images, or other information downloaded from the Internet
that has not been released for free public use.
Use the City logos or the City materials in any web page, Internet or Intranet
posting unless DEP management has approved such use, in advance.
Enter into contractual agreements via the Internet, e.g. enter into binding contracts
on behalf of DEP over the Internet.
Attempt to gain illegal access to systems.
Attempt to inappropriately telnet to or port scan remote systems on the Internet.
Use or possess Internet scanning or security vulnerability assessment tools, such
as SATAN or ISS without the approval of the Office of Information Technology.
Establish Internet or any other external network connections that could allow non-
City users to gain access into DEP systems and information assets.
Indicate an affiliation with the City, if possible, in any communication including
bulletin board discussions or chat sessions, while using a City owned computer
system unless approved by DEP management. In instances where an affiliation
may be assumed or is established, users must clearly indicate that the opinions
expressed are those of the employee, and are not necessarily those of the City.
Publicly disclose internal City information via the Internet that may have any
negative affect on the Citys public image.
Allow active content (e.g. Active X, Java) on Internet browsers. If a legitimate
Agency business need exists, protective methods and software must be installed
on the users workstation.
Install or use instant messaging (IM) or other chat (IRC) software over the
Internet.

Internet Security
1. Users must not knowingly disable, defeat or circumvent any security hardware or
software utilized by DEP to protect our network from Internet hackers and
unauthorized access.
2. All information downloaded to a DEP workstation via the Internet must be
screened with virus detection software prior to use.
3. Users must not place DEP material (software, internal memos, etc.) on any
publicly accessible Internet computer, which supports anonymous FTP or similar
services, unless the posting of these materials has first been approved by DEP
management.
 4. DEP internal information must never be placed in any location, on computers
connected to the City internal networks or on the Internet, unless the persons who
have access to that location have a legitimate need for such information. Anyone
posting information must ensure the information has been adequately protected.
5. DEP information considered sensitive and/or confidential information must never
be sent over the Internet unless it has first been encrypted by approved methods.
Also, unless specifically known to be in the public domain, source code must
always be encrypted before being sent over the Internet.
6. Credit card numbers, telephone calling card numbers, login passwords, and other
parameters must not be sent over the Internet in readable form. An encryption
algorithm must be used to protect this information.
7. The installation and use of PC modems to obtain access to an Internet service
provider on any computer connected to the DEP network must be reviewed and
approved by the Office of Information Technology to ensure utilization of
appropriate security measures.

System Security
It is the responsibility of all users to help maintain the highest possible degree of
system security. If a user discovers a system security problem, that user should
immediately report the problem to the system administrator or his/her supervisor.

Any wireless connections to DEP networks or systems must be reviewed and

approved by the Office of Information Technology to ensure utilization of appropriate
security measures.

Passwords
Your user ID identifies you as an authorized user of the DEP network and provides
you access to intranet applications and the Internet. In addition, your ID will be
tracked by content management software and will be stored in most database
applications if the user makes any additions or changes to the information. Therefore
it is important to make sure that you are the only user of this identifier.

Password security can be ensured by four simple rules:

1. Dont tell anyone your password. Keep it private. If you need to share computer-
resident data, use electronic mail, public directories on local area network servers,
and other mechanisms (please contact your IT staff for assistance).
2. Dont write your password down anywhere (file, program, paper, etc.) without
proper protection. Keep it secret. If you must write it down, store the paper in a
secure, locked place.
3. Make sure your password cannot be guessed by any human or program in a
reasonable time.
4. If you think theres even a chance someone else might know your password,
change it. (Currently DEP requires a password change every 90 days).
 INTERNET ACCEPTABLE USE POLICY

Expectation of Privacy
At any time and without prior notice, DEP reserves the right to examine any information
stored on their computers. Internet usage will be monitored by both DEP and DoITT on a
regular basis. Accordingly, Internet users should not assume a right to privacy in
electronic communications at this agency. In addition, users should be aware that City
electronic communications might be subject to the New York State Freedom of
Information Law. DEP reserves the right to monitor and delete Internet access in the
event of a violation of this policy or other City policy or guideline. DEP system
administrators and certain other agency staff have access to records, files and data
belonging to our personnel. The system administrator and staff shall take reasonable
precautions to avoid invading the privacy of individuals without their knowledge; they
shall not divulge or disclose any such information to others, unless disclosure is required
by department policy or by City, State or Federal law.

Policy Acceptance
I have read the above and understand the Internet Acceptable Use Policy.

EMPLOYEE:

Print Name ___________________ Signature ___________________ Date __________

Bureau ______________________ Division __________________________________

Location ________________________________________________________________

SUPERVISOR:

Print Name ___________________ Signature ___________________ Date __________

Signature of this document does not entitle the employee to Internet access. Access
will be made by management on an as need basis to meet the needs of the
Department.

Please return the signed form (last page only) to the OIT Service Desk, 10th floor.
Thank you.

DEP: Office of Information Technology Issued: July 30, 2003

Internet Acceptable Use Policy Number: 1.1