Info-security part of everyday office routine
Information security sometimes means saying "no" to the police, says Tracey O'Donnell, self-sufficiency manager in the Newport DHS Office for District 4 (Linn, Benton and Lincoln counties).
"It doesn't happen a lot," O'Donnell says. "But there are times when law enforcement contacts us looking for information on a client. You want to be able to help them in whatever investigation they're conducting, so it's sometimes hard to have to say, 'I'm sorry, we can't give you that information, our records are confidential.'"
But mostly, it's the everyday office routine that presents information-security challenges, says O'Donnell, who has been with DHS in Lincoln County since 1991 in a variety of positions.
"We work in an office with nothing but cubicles," she says. "When we're interviewing clients, we collect a lot of personal data." "While it's not always possible to go to a conference room for sensitive interviews, something as simple as lowering voices, or asking only questions to obtain the 'minimum necessary information' can handle that issue."
Formerly, when clients approached the receptionist, one of the first requests was for the client's Social Security number. "Now, we ask them to write it down," she says. "That solves one piece, but it creates another issue, because now you have another piece of paper with somebody's Social Security number on it, so you have to handle that correctly."
Privacy issues go both ways, she says. Sometimes case managers want to know more than they really need to know about their clients who are referred for mental health or substance abuse counseling. DHS does not need to know what specific issues a client is dealing with, she says.
"Really, all we need to know is: did they show up for their appointment, will they be seeing a provider ongoing and do we need to include that as part of their plan, are they attending regularly, and are they making progress," she says.
Her regular conversations with new hires during their training periods include privacy and security policies, and procedures. The department's "Secure It!" posters are visible throughout the office. Staff also get reminders that include:
- If you send a document to the printer, go pick it up right away;
- When interviewing a client, don't have documents about other clients out on your desk;
- Be aware of what's on your computer screen and who can see it;
- Keep voice lowered when discussing client information on the phone or in person.
"It comes down to making a reasonable effort," she says. "What I ask the staff is, if it was your information, how would you want it to be handled?"
Gary Whitehouse, 503-945-6934; gary.whitehouse@state.or.us
FAQ: Personal use of computers, Internet
The Office of Human Resources and Information Security Office have received a number of questions about the personal use of the state’s information technology equipment, which includes e-mail and the Internet.
Here are some of the frequently asked questions, with answers provided in collaboration with the Office of Information Services and the Information Security Office. Please keep in mind that, in all of these situations, personal use must be incidental and must occur on the employee’s coffee breaks or unpaid lunch break.
Q. May I use the state’s Internet system for online banking?
A. Yes.
Q. May I use the state’s Internet system to access my Oregon Savings Growth Plan?
A. Yes. The OSGP is a benefit provided to state employees. You are allowed to access this benefit in the same way that you are able to access the PEBB Web site for other benefits such as your medical and dental plans.
Q. May I use the state’s Internet system to do online shopping?
A. It depends. The online shopping must be for items that do not violate other state policies. Examples of inappropriate online activities include:
- Shopping for items of a sexually explicit nature that would be offensive and inappropriate for the workplace;
- Accessing Web sites that violate a state policy, violate a state statute, or compromise the DHS mission and values.
Online shopping also must not affect the state's or department's bandwidth availability. If personal Internet use begins to affect the department's ability to send or receive business-related information online, it will be curtailed.
Q. May I use my state computer to view or download streaming audio or video?
A. No. Streaming audio (such as online radio) or video (such as YouTube or other video sites) dramatically affects bandwidth. And downloading these items can expose the department to copyright or other liability.
Q. May I use my state computer for a college course associated with my college degree?
A. Yes; however, it is highly recommended that the employee talk with his or her supervisor to ensure that the supervisor is aware of the activity. The supervisor may suggest alternatives to accomplishing this personal use through other means and an exception may be granted for this work to be completed outside the breaks and lunch period.
Q. May I load software provided to me by my college professor for my college course?
A. It depends. The Information Security Office must provide approval prior to this activity to ensure that these actions do not compromise the security of the state’s computer and Internet systems.
If you have other questions, please submit them to the Information Security Office, dhsinfo.security@state.or.us or call 503-945-5733.
Louise Melton-Breen, Administrator, Office of Human Resources, louise.melton-breen@state.or.us
Information security aligns with Core Values
As DHS employees, we all have access to important personal information that we need to do our jobs. However, if we don't properly take care of this information, we can put clients, co-workers and the department at risk.
As DHS professionals, we all have a responsibility to track and keep information secure. DHS has policies and procedures in place to minimize risk. As individuals, we can – and must – assist the organization. It is up to each of us to use the information we have in a professional and responsible manner and in harmony with the DHS Core Values. Here are some suggestions:
- Take stock of the information you use, both in electronic format and on paper.
- Organize information appropriately so that it is secure. If using paper information, cover it up so that it is not in plain sight. If electronic, use appropriate and secure filing systems.
- Protect the information – Secure It! Simply walking away from your work station can put information at risk. Make sure you lock your computer station. An easy Control-Alt-Delete keystroke will do the trick.
- If at all possible, do not take information out of the office. If you must, make sure it is secure and not at risk of getting into the wrong hands.
- When you do offer information to another party, ask yourself whether it is appropriate and whether you know for what purpose the information will be used.
Our co-workers, clients and the department entrust us with valuable information every day. It is our role as professionals to make sure that information does not get into the wrong hands.
Lisa Harnisch, DHS core values manager, 503-945-6304; lisa.s.harnisch@state.or.us
Training
The following training is available from DHS Training and Development. Space is available at the time of this publication. Employees should work with their managers to determine if participation in training is approved.
Some managers may have unique needs for team development or change management resources. Please contact Judy Gerrard, judy.l.gerrard@state.or.us, 503-945-6436 to explore if services may be brought to your work unit.
To register: Go to the DHS Learning Center, click on Courses & Registration/Find A Course and type the course title in the keyword search. If you need help with registration, please contact DHS Training & Development, 503-947-5457 or DHS.Training@state.or.us.
July and August 2007
Required new manager training
General employee training


