Email and Internet Usage Policy
Warning: The department may, and does, monitor and record any activities occurring on its IT systems.
This policy is a key part of the department’s information security framework and integrates with the social media policies. It will ensure that the department complies with the mandatory requirements of the Protective Security Policy Framework (PSPF), Australian Government Information Security manual (ISM) and the APS Values and Code of Conduct.
This policy identifies things personnel must do and other things they must not do to ensure the information we hold on behalf of the government and our clients remains secure. Further information is provided in a number of related policies and guidelines and during security awareness training.
The objectives of this policy are:
- to establish clear expectations that the department’s Internet connectivity and email systems are to be used primarily for business purposes
- to establish clear expectations as to how the departments Internet connectivity and email systems may be used for private purposes
- to ensure personnel understand that all use of the department’s internet and email services must comply with the APS Values and Code of Conduct
This policy applies to everyone who uses the department’s information systems including APS employees, contractors, consultants and employees of service providers. Throughout this policy the term personnel is used to refer to all these groups to maintain consistency with the PSPF.
Non-compliance with this policy represents a risk to the department’s information, systems or reputation.
Failure to comply with this policy may result in:
- disciplinary action for breaching the APS Code of Conduct
- penalties for breach of contract
- loss of security clearance.
Access to the Internet is provided primarily to enable personnel to carry out their jobs in an efficient and effective manner. When accessing external systems for business purposes, personnel are only authorised to access the systems and information that is required to do their job. Where a system has documented procedures these must be followed.
Official information must not be copied or transferred to external systems unless this is essential to the task and everyone able to access the information has a need to know or the information is approved for public release. External systems are those that are not managed by the department or Hewlett Packard Enterprise for the department.
Sensitive or classified information must not be copied or transferred to external systems unless:
- the system has been accredited (i.e. formally approved by the CIO) for this purpose
- everyone able to access the information has a need to know and, for classified systems, has an appropriate clearance
- the system’s documented procedures are followed. If copying or transferring information to the system is not part of a documented procedure it must be approved by your manager.
Personal information, apart from your own personal information, must not be copied or transferred to external systems unless the system has been accredited for this purpose, everyone able to access the information has a need to know and the systems documented procedures are followed. If copying or transferring information to the system is not part of a documented procedure it must be approved by your director.
Personnel must use a different passphrase for each system or group of systems.
Personnel must not attempt to download or install unauthorised software.
If documented procedures or work instructions for system exist, you must follow them. If a procedure is unclear or no longer appropriate, you should inform the system manager and/or your manager.
Access to the Internet is provided primarily for the conduct of the department's business, however, limited personal use is acceptable provided it complies with the APS Values and Code of Conduct and does not interfere with your work or that of your colleagues.
All Internet usage must comply with the APS Values and Code of Conduct.
The department’s IT services must not be used to promote or conduct a private business. If you are not sure whether an activity is considered a business, discuss it with your supervisor or email the Integrity and Conduct Helpdesk.
Private usage is a privilege and must not interfere with either your work or that of other personnel. This means the usage must be:
- in your own time
- within reasonable usage levels.
While email is essential for the department’s day-to-day business, it also presents a significant risk to the department. Incorrect or inappropriate email usage can result in a loss of confidentiality and reputation damage. Failure to file emails appropriately may result in loss of important departmental records.
Personnel must not auto-forward emails to an external address.
Personnel must not email official information to external parties unless they have a need-to-know.
Personnel must not email personal information to third parties unless the disclosure of that information complies with the Australian Privacy Principles (APPs), particularly APP 6.
Personnel must not provide other personnel with access to their email or calendar unless they have a need-to-know and appropriate clearance.
Personnel must use the correct protective marking on all emails.
Personnel must not email sensitive or classified information to their personal email address.
Personnel must file corporate business records in HP Records Manager in accordance with the department’s Recordkeeping Policy.
All emails sent or received using a departmental email address belong to the department. Limited personal use is acceptable provided it complies with the APS Values and Code of Conduct and does not interfere with your work or that of your colleagues.
All email usage must comply with the APS Values and Code of Conduct.
Your departmental email address must not be used to promote or conduct a private business.
Private emails must be identified by using the UNOFFICIAL marking.
Two common methods used to introduce malicious software to IT systems are malicious email attachments and malicious web pages. Frequently personnel are encouraged to visit a malicious web page through a malicious link in an email.
Malicious emails vary greatly – some appear almost identical to legitimate emails with legitimate looking email addresses and content that is directly related to the target recipient’s job or personal interests. The best defence against these is to pause before opening an attachment or clicking on a link. If the email looks unusual or wasn’t expected, contact the sender via an alternate method (e.g. a phone call) to confirm it is legitimate. Alternately forward the email to the IT Service Desk and wait until they indicate whether it is legitimate or not.
Personnel must not open attachments or click links in emails they regard as suspicious.
Suspicious emails should be deleted.
If you are suspicious of a link in an email, consider typing the web site’s address into your browser instead of clicking on the link. This helps avoid links that appear to be from a legitimate site but actually link to a site controlled by the attacker.
Malicious web pages
An enormous variety of malicious techniques are used to try to:
- run malicious software on your computer
- hijack a connection from your computer to a legitimate web page
- get you to enter information such as your banking details into a fake web page.
- personnel must not attempt to download or install software on a departmental computer
- personnel must not use the passphrase for any departmental system on any other system
- personnel must not use password hints or choose security questions where he answer is on their Facebook page (or another family member’s Facebook page), other social media or in a genealogy database.
- don’t click the link
- don’t enter information into the web page
- ask the IT Service Desk for advice.
The Department may, and does, monitor and record any activities occurring on its IT systems. Personnel should note "transaction logs" of all e-mail (even if deleted), Internet mail and all Internet activity, identifiable by individual workstation, are maintained and form part of the public record for evidentiary or FOI purposes.
Activities can be tracked back to the user logged into the workstation and are considered to have been undertaken by that user.To protect yourself:
- do not provide your password to any other person
- do not allow another person unsupervised access to a computer that you are logged into
- do not leave a computer that you are logged into unsupervised unless it has been locked
- do not conduct any private business activities using departmental systems or your official email address.
If you are not sure if an activity is appropriate, ask your manager or contact the integrity and conduct helpdesk first.