letras.top
a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 #

letra de online file storage guidelines - wa office of the cio

Loading...

background
online file storage services offer powerful and convenient methods to share files among collaborators, various computers, and mobile devices. in the absence of well-defined agency policies, education of employees, and the availability of approved alternatives for sharing files securely, some employees may overlook security and records management requirements in the interests of “getting the job done” via no or low-cost consumer level services
consumer-level online storage services can pose significant risks related to the security, privacy, copyright, and retention of public records (including “data”; see definition of “state records” below). these services are typically accessed via “cl!ck-through” agreements, which are binding contracts that often contain provisions that put state agencies and their records at significant risk. with these services, agencies have little or no visibility into or control over what records are stored there, or shared with other people or devices. consequently agencies may be unable to search thoroughly when legal or business needs arise. the records stored in consumer-level services are -ssociated with individual subscribers rather than organizations. thus, if an agency employee who is a subscriber leaves the agency, the -ssociated records are likely no longer accessible to the agency
the increased use of online services, social media, mobile apps, personal devices for work, and online file storage can result in blurred lines between actions taken as a state employee and actions taken as a private individual. employees who use online tools for both personal and agency purposes should understand that the way they handle information at home may not be the way they handle agency records at work
introduction
agencies are responsible for maintaining and protecting state records as required by law. agencies should educate employees on the best uses of online file storage services and provide enterprise-cl-ss alternatives that satisfy collaboration, productivity, and records management requirements. in short, make the right thing to do the easy thing to do
these guidelines (1) offer a “refresher” on the overall guiding principles to manage state records of any type successfully and then, (2) provide information and tools related to online file storage to help agencies:
• make a deliberate and informed decision on whether to authorize use of online file storage services for agency records based on the circ-mstances
• develop agency-specific policies or guidelines for using online file storage services that satisfy business productivity, legal, public disclosure, records management, and it security concerns. agencies can select from the recommended practices to suit their particular needs and establish additional guidelines or policies as necessary
• select enterprise-cl-ss solutions for online file storage services that meet agency needs for employee file sharing and collaboration and at the same time satisfy agency records management requirements
• educate employees to realize the benefits of using online file sharing services and avoid common mistakes that may lead to increased risk or financial loss
definitions
online file storage service: a file hosting service, cloud storage service, or online file storage provider that hosts user files via the internet. users can upload files that can be accessed over the internet from other computers, tablets, smartphones or other networked devices, by the same user or other designated users

state records: for purposes of these guidelines, the term “state records” includes all public records. “public record” is defined by statute and includes any paper, correspondence, completed form, bound record book, photograph, film, sound recording, map drawing, machine-readable material, compact disc meeting current industry iso specifications, or other doc-ment, regardless of its physical form or characteristics (including copies of such records), that are made by or received by any agency of the state of washington in connection with the transaction of public business. see rcw 40.14.010. as used in these guidelines, ”agency records” and data also mean state records

mobile devices: a small-sized computing device that may have a display screen, touch input or a keyboard, and/or data storage capability. examples include laptops, smart phones, tablet pcs, accessible equipment, and portable data storage devices such as removable hard drives, and usb data storage devices

public disclosure request: a written request under chapter rcw 42.56 for the inspection and copying of a public record. an agency is prohibited from destroying or erasing a record, even if it is about to be lawfully destroyed under a retention schedule, if a public records request has been made for the record. agencies are required to retain potentially responsive records until the public record request is resolved. where notified of a public records request, employees must, with regard to potentially responsive records, suspend the destruction of records, conduct a reasonable search for records, and gather or segregate records so they may be reviewed and, if necessary, produced. like other records, records created or stored with an online file storage service are subject to the requirements of public disclosure

legal hold: a legal hold is a communication issued as a result of current or reasonably antic-p-ted litigation, audit, government investigation or other such matter that suspends the normal disposition or processing of records. legal holds may encomp-ss procedures affecting data that is accessible as well as data that is not reasonably accessible. the specific notice to agencies may also be called a “hold,” “preservation order,” “suspension order,” “freeze notice,” “hold order,” or “hold notice.” where notified of a legal hold, employees must, with regard to potentially responsive records, suspend the destruction of records, conduct a reasonable search for records, and gather or segregate records so they may be reviewed and, if necessary, produced

guiding principles for state records management

for all state records, including those stored on online file storage services, agency management and employees should apply these guiding principles:

agency
the agency, not employees, own agency records
• the agency establishes approved storage services and devices
• the agency -ssigns one or more officials to manage its various types of records
• designated agency officials are authorized to make decisions on data collection, storage methods, use, modification, sharing, protection and disposal of state records
• the agency cl-ssifies data and records into categories 1 – 4 based on sensitivity

employee
employees are custodians of agency records, and should:
• store records only on agency-approved storage services or devices
• minimize the number of copies and storage locations
• be accountable to use, store, share, and protect agency records according to agency direction and applicable statues, policies, contracts, and data cl-ssification
• keep the records as long as required to meet records retention schedules, then delete them as directed by the agency unless they are subject to public disclosure or legal hold

records management requirements are listed in the related laws and resources section
guidelines
guidelines for agency and employee use of online file services follow below:
agency guidelines
q1: how does an agency initiate use of an online file storage service?
a1.1: use of online file storage services should be expressly authorized by appropriate agency action

a1.2: following authorization agencies should select and approve, according to state procurement policies, one or more online file services for agency use

a1.3: the agency should communicate the approved storage services (and, if applicable, mobile devices) to employees who are authorized to use them

a1.4: agencies are encouraged to include in the selection criteria the items in appendix a on security, agency administration, and terms of service (tos), ensuring that enterprise-grade and not consumer-grade online file storage services are approved

q2: what are the contractual considerations?
a2.1: prior to authorizing the execution of a “cl!ck-through” agreement, if used for such services, agencies should review the applicable terms of service, which const-tute a binding contract between the service provider and the agency
a2.2: agencies are encouraged to consult their -ssistant attorney general before executing such an agreement. certain terms may preclude an agency from using a particular service
a2.3: agencies should -ssess terms of service for risk, for critical terms that may be missing, and for unacceptable terms in light of the intended use and type of records to be stored

q3: how should agencies treat original records vs. copies?
a3.1: agencies should ensure that online file storage services are used as temporary storage to share copies of records for collaboration and access by other computers and mobile devices. in summary, use approved services as “systems of engagement” rather than ”systems of record”
a3.2: original or official records should be stored on agency or state computer systems serving as systems of record
a3.3: if a record has been modified in the collaboration process, the agency should sync interim versions with the system of record if the service allows, because the modified record is no longer a “copy”. in any case, the agency must ensure that the final version is stored back on the system of record
a3.4: unneeded copies and outdated versions of records on the online file storage system, the system of engagement, should be deleted in accordance with records management policies. agencies are required to provide originals and all copies of relevant records in response to public disclosure requests and legal holds. keeping too many records that are scheduled for destruction, as well as keeping multiple unneeded copies of records, significantly increases agency costs and administrative burdens for complying with public records requests or legal hold notices
a3.5: whether or not they are considered copies, records potentially responsive to a public disclosure request or legal hold must be preserved and not deleted until the hold is lifted with regard to those records

q4: is central administration of an online file storage service necessary? who does it and what do they do?
a4.1: agencies should centrally administer the online file service similar to the way they administer agency-operated computing and storage services
a4.2: at a minimum, administrators should create and de-activate employee accounts using existing agency approvals and processes, -ssist employees with use as needed, and access, search, and manage all records as needed across employee accounts belonging to the agency on the service
a4.3: agencies are expected to ensure that online storage of state records is expressly authorized and is in compliance with these guidelines. agencies may want to determine which types of data are authorized for storage in online file services or mobile devices, regardless of data category. online storage may not be appropriate even for some category 1 or 2 records
a4.4: agencies should use periodic audits, training, data loss prevention tools, etc., to detect and prevent the misconfiguration or misuse of approved services. one example is storing unapproved data or confidential category 3 and above data in online file storage services approved only for category 1 and 2 data

q5: how should agencies educate employees to use online file storage services?
a5: agencies should educate employees on appropriate use of online file services, addressing the following points at a minimum:
• the benefits and opportunities of using online file storage services
• the services approved for agency use
• the types of agency records that can and cannot be stored on the service
• the agency official(s) that direct the use of each type of agency record
• the employee’s role and responsibilities as custodian of agency records, and how this may differ from how they handle information as private individuals
• recommended ways to configure and use the service to obtain expected benefits, locate or produce agency records when requested, and avoid risks from unauthorized data access, change, or disclosure
• avoiding the co-mingling of agency records and personal data on online storage services, mobile devices, personal email systems, home computers, etc
• the risks to the state for misuse or misconfiguration of online storage services

employee guidelines

employees can make good use of online file storage services by applying the guidelines below:

q6: can employees use online file storage services to share agency records?
a6: as approved by the agency, employees may use online file storage services to share agency records
q7: what type of records can be shared?

a7.1: employees may share data and records cl-ssified as category 1 or 2 as defined below, subject to additional direction from the agency:

category 1 – public information: public information is information that can be or currently is released to the public. it does not need protection from unauthorized disclosure, but does need integrity and availability protection controls

category 2 – sensitive information: sensitive information may not be specifically protected from disclosure by law and is for official use only. sensitive information is generally not released to the public unless specifically requested
a7.2: employees may share copies of category 1 or 2 agency records using an approved service for temporary storage to share files among collaborators, various computers, and mobile devices. this is using the service as a “system of engagement” rather than a “system of record”. original records must be stored on agency operated systems. other policies and standards may apply as directed by the agency

q8: what type of records must not be shared?
a8: employees must not share records cl-ssified as category 3 or 4, as defined below, unless an online file service is expressly approved by the agency for such use. as an alternative however, when approved by the agency, employees may share category 1 – 4 records using the secure email service that is available today as part of the cts shared email service
category 3 – confidential information: confidential information is information that is specifically protected from disclosure by law. it may include but is not limited to:
• personal information about individuals, regardless of how that information is obtained
• information concerning employee personnel records
• information regarding it infrastructure and security of computer and telecommunications systems
other examples include, but are not limited to:
• hipaa information – any health related information including diagnosis, dates of service, doctor visits, treatments, provider information, etc
• ferpa information – student records, grades, cl-ss enrollment, etc
• payment card industry information – credit card numbers, pins, verification codes, etc

category 4 – confidential information requiring special handling: confidential information requiring special handling is information that is specifically protected from disclosure by law and for which:
• especially strict handling requirements are dictated, such as by statute, regulation, or agreement
• serious consequences could arise from unauthorized disclosure, such as threats to health and safety, or legal sanctions

also, please note that employees must not store category 3 or higher data on mobile devices unless it is authorized by the agency and encrypted on the device

q9: can employees use personal storage accounts to share state records?
a9.1: employees must only use agency-approved online file storage services, and agency-provided accounts on those services, to share state records or access them from other computers and mobile devices. employees are not permitted to use personal accounts, even on approved services, for state business. likewise, employees must not use personal email accounts to transfer or share state records. this enables the employee and agency to manage state records according to state law and agency policy
a9.2: employees that store agency records in personal accounts may make those accounts discoverable. the same could apply to personal devices based on the circ-mstances
a9.3: employees must not cl!ck to accept cl!ck-through agreements when acting as a state employee, unless specifically authorized by the agency, because this may bind the agency to a contract that has not been evaluated or approved. some cl!ck-through agreements on consumer services allow the service to access and use data stored there or delete it
a9.4: employees must promptly move any state records stored on personal accounts or unapproved services to agency-owned file storage or to an approved service / employee account, and completely dispose of any copies of state records in the unapproved service / account. the same principles apply to state records stored on unapproved mobile devices, and to personal devices as directed by the agency
q10: how can i avoid losing track of original state records and copies that i am responsible for?
a10.1: use the fewest number of online storage services needed to meet agency needs. this reduces the complexity and effort of managing and locating state records, and reduces the risk of missing records subject to public disclosure or legal hold. (this principle also applies to mobile devices and home computers)
a10.2: establish automatic expiration periods for files at the time they are stored on the online service. files should not remain online, on mobile devices, or home computers for longer than necessary. delete online files no longer used or no longer subject to records retention requirements. this does not apply to files subject to a public records request or legal hold
a10.3: establish procedures to (1) turn off automatic expiration periods for files subject to a public records request or legal hold, (2) preserve such files in their existing state and (3) preserve any relevant files later created
a10.4: ensure that synchronizing features of the online storage service only access the intended files and folders. this avoids storing records on the online service that belong only on the internal systems of record
a10.5: ensure that files stored online remain usable, searchable, retrievable, and authentic for their designated retention period as required by wac 434-662-040
a10.6: when leaving the agency, the employee must ensure all employee managed records are transferred to an appropriate custodian and shared folder owners and appropriate agency officials are notified
q11: how can i protect the confidentiality of records i store on an online file service?
a11.1: ensure that sharing records with the public at large complies with the ocio public records privacy protection policy and other applicable statutes or regulations
a11.2: use shared folders, not public folders, authorizing access to specifically identified individuals or groups
a11.3: frequently review usage events and shared folder membership. update permissions and make other changes as needed
related laws and resources
agencies are required to create, retain, manage, and dispose of public records according to:
• chapter 40.14 rcw (preservation and destruction of public records)
• chapter 42.56 rcw (public disclosure)
• wac 434-662 (preservation of electronic public records)
• state it security standards 141.10 – securing information technology -ssets
http://ofm.wa.gov/ocio/policies/doc-ments/141.10.pdf
• definition and cl-ssification of public records
http://apps.leg.wa.gov/rcw/default.aspx?cite=40.14.010
• public records act – definitions
http://apps.leg.wa.gov/rcw/default.aspx?cite=42.56.010
• records management and retention schedules
http://www.sos.wa.gov/archives/recordsmanagement/records_state.aspx
• unique agency schedules
• use of state resources: wac 292-110-010
• preservation of electronic public records: wac 434-662-040
• ethical obligations: rcw 42.52.050

appendix a

criteria for agency selection of online file storage services

at a minimum, agencies should include the following criteria when selecting online file services:
security
• ensure that the security controls in place in the solution comply with ocio 141.10
• records should be encrypted in transit and at rest with a minimum strength of 128 bit encryption
• least privilege concepts and role based access controls can be enforced to ensure users only have access to authorized files
• ensure automated enforcement of strong p-sswords per ocio security standards
• ensure that logging and monitoring tracks all add, change, delete, copy/sync activity for each file. agency administrators should be able to review these logs
• provide high availability infrastructure, all within the united states

central administration
• agency central account creation and de-activation
• administration interface to manage file and folder structures and access
• administrators can search for and access records across all agency/employee accounts
• retention, logging, and archiving must support agency requirements for e-discovery and investigations
• usage monitoring and the ability to view file storing, sharing, and modification activity over time
• mobile application user settings / options management
• recovery of items that have been inadvertently deleted
• manual and automated expiration for files
• forced deletion of objects that are past their records retention storage date
• remote administration capabilities, including the ability to remotely wipe devices or synchronized files from those devices
• ability to monitor and add additional storage
• secure methods to ensure user authentication and controlled access
• integration with active directory

terms of service
“cl!ck- through” terms of service, which cannot be negotiated, frequently include provisions that create legal or risk issues for state agencies. also, agencies may not have authority to agree to some provisions contained in these terms. at a minimum, consider the following issues:
• do the terms indicate whether state records will be stored only in the united states?
• is the service provider expressly prohibited from using state records for any purpose other than providing services to the agency, such as “data mining”?
• do the terms provide for state records to be downloaded or destroyed in a manner acceptable to the agency when services are terminated?
• do the terms provide that the agency agrees to waive its right to a jury trial? agencies are encouraged to discuss this circ-mstance with their aag
• do the terms state that the agency agrees to indemnify the service provider? agencies are encouraged to discuss this circ-mstance with their aag
• do the terms provide for jurisdiction and venue in, or applying the laws of, another state? agencies are encouraged to discuss this circ-mstance with their aag
• the privacy policy for online file storage services should be consistent with federal and state privacy obligations, including implications for personal information required from employees
agencies and their aags will vary in their risk tolerance on these points

whether to agree to a particular term or set of terms is for the agency to decide, as long as it has conducted a thorough review of the terms of service before accepting them via “cl!ck through”

letras aleatórias

MAIS ACESSADOS

Loading...