Title ITP Information Technology Policy
Chapter ITP.1 Information and Technology Use and Security Policy
Preamble
This ordinance is enacted pursuant to the inherent sovereign authority of the Lac Courte Oreilles Band of Lake Superior Chippewa Indians to provide for the decent, safe, and sanitary dwellings for the members of the Tribe which predates its Treaties of 1825, 1826, 1837, 1842, 1847 and 1854 with the United States Government. In the implementation of this inherent sovereign authority, the Amended Constitution and Bylaws of the Lac Courte Oreilles Band of Lake Superior Chippewa Indians, empowers the Tribal Governing Board to: "organize, charter and regulate any association or group, including a Tribal Governing Board, for the purpose of providing social or economic benefits to the members of the Band or residents of the reservation." (Article V, § 1(l)). Pursuant to this inherent sovereign authority, the Tribal Governing Board hereby enacts this ordinance.
Subchapter ITP.1.1 Introduction
ITP.1.1.010 Title
This policy and procedure manual shall be known as the Lac Courte Oreilles Information and Technology Policy.
ITP.1.1.020 Authority
This policy and procedure manual is enacted pursuant to the inherent sovereign authority of the Lac Courte Oreilles Band of Lake Superior Chippewa Indians to promote the traditional value that children are the most important asset of the Tribe, which predates its Treaties of 1825, 1826, 1837, 1842, 1847 and 1854 with the United States Government. In the implementation of this inherent sovereign authority, Article V, § 1 (q),(s), (t), and (u) of the Amended Constitution and By-laws of the Lac Courte Oreilles Band of Lake Superior Chippewa Indians empowered the Tribal Governing Board to establish a Children's Court Division of the Lac Courte Oreilles Tribal Court..."
ITP.1.1.030 Purpose
The Tribe depends heavily on its information resources today and will become even more dependent on them in the future. Information is one of the Tribe's most important assets. Protection of information assets is necessary to establish and maintain trust between Tribal members, Tribal Departments and Entities, Tribal leadership, and third-party vendors . The security of the Tribe's systems and information is essential to its safety and to the privacy of Tribal financial information. The purpose of this policy is to establish general guidelines for maintaining a computing environment within the Tribe that is controlled, consistent and secure. The policy's primary objective is to enhance the productivity of users by optimizing network performance, reducing wasted use of resources and the risk of legal liability caused by illegal or inappropriate use of the Network, and to provide for Network security and safety. The Tribe is establishing standards relating to administrative, technical, and physical safeguards for Tribal records and information. These safeguards are to ensure the security and confidentiality of Tribal records and information, protect against any anticipated threats or hazards to the security or integrity of these records, and protect against unauthorized access to or use of these records or information that would result in substantial harm or inconvenience to the Tribe or a Tribal member. Attacks frequently compromise personal and business data; it is critical for the Tribe to respond quickly and effectively when security breaches occur by implementing an Incident Response Program that responds to incidents in a consistent manner so that the appropriate actions are taken. These incident response measures help personnel to minimize loss or theft of information and disruption of services, including the ability to use information gained during the incident to better prepare for handling future incidents and to provide stronger protection for systems and data.
ITP.1.1.040 Effective Date
Except as otherwise provided in specific sections, the provisions of this policy and procedural manual shall be effective on the date adopted by the Tribal Governing Board.
ITP.1.1.050 Interpretation
The provisions of this ordinance:
(a) Shall be interpreted and applied as minimum requirements applicable to the Information Technology activities subject to this ordinance;
(b) Shall be liberally construed in favor of the Tribe;
(c) Shall not be deemed a limitation or repeal of any other tribal power or authority.
(d) Shall be interpreted to be in accordance with tribal customary law. Whenever there is uncertainty or a question as to the interpretation of certain provisions of this ordinance, tribal law and custom shall be controlling, and where appropriate, may be based on the written or oral testimony of a qualified tribal elder, tribal historian, or tribal representative. If the traditions and customs of the Tribe are inconclusive in any matter, the Court may use tribal law, federal law, or the State law for guidance.
ITP.1.1.070 Relation to Other Laws
(a) Applicable Law. Unless affected or displaced by this ordinance, principles of law and equity common law of the Tribe and tribal customs and traditions are applicable, and the general principles of law of any other Tribe or any other state may be used as a guide to supplement and interpret this ordinance.
(b) Conflicts with Other Laws.
(1) Tribal Law. To the extent that this ordinance may conflict with tribal laws or ordinances which have been enacted to comply with statutes or regulations of any agency of the United States, such tribal laws or ordinances shall govern over the provisions of this Code if it has specific applicability, and it is clearly in conflict with the provisions of this Code.
(2) State Law. To the extent that the laws of any state may be applicable to the subject matter of this ordinance, such laws shall be read to be advisory and not directly binding and shall not govern the relations of the parties.
ITP.1.1.080 Severability and Non-Liability
If any section, provision, or portion of this ordinance is adjudged unconstitutional or invalid by a court of competent jurisdiction, the remainder of this ordinance shall not be affected thereby. The Tribe further asserts immunity on its part and that of its agencies, employees, and/or agents from any action or damages that may occur as a result of reliance upon and conformance with this ordinance.
ITP.1.1.090 Repeal of Inconsistent Tribal Ordinances
All ordinances and resolutions inconsistent with this ordinance are hereby repealed. To the extent that this ordinance imposes greater restrictions than those contained in any other tribal law, code, ordinance or regulation, the provisions of this ordinance shall govern.
Subchapter ITP.1.2 Definitions
ITP.1.2.010 General Definitions
Any term not defined in this section shall be given its ordinary meaning. The following terms, wherever used in this ordinance, shall be construed to apply as follows, except where the context indicates otherwise:
(a) "Agent" shall mean a person who is authorized to act on behalf of the Lac Courte Oreilles Band of Lake Superior Chippewa Indians with respect to a specific transaction or transactions. For the purposes of this ordinance, agent shall include all individuals elected or appointed to serve on a board, committee, or commission of the Tribe.
(b) "Employee" shall mean any individual who is employed by the Tribe and is subject to the direction and control of the Tribe with respect to the material details of the work performed, or who has the status of an employee under the usual common law rules applicable to determining the employer-employee relationship. For the purposes of this ordinance, employee shall include individuals employed by a tribal entity or Tribally Chartered corporation.
(c) "Network or Information Technology (IT)" shall encompass desktop computers, laptops, network resources, internet, intranet, email, world wide web, telephone systems, social media, etc.
(d) "Officer" shall mean a person elected or appointed to serve on a board, committee, or commission of the Lac Courte Oreilles Band of Lake Superior Chippewa Indians.
(e) "Personal electronic devices" shall include, but shall not be limited to, employee-owned desktop, laptop, tablet, handheld or worn computing devices, whether wired or wireless, USB drives, cameras and smartphones/cellular telephones.
(f) "Reservation or Reservation Lands" shall mean those lands located within the exterior boundaries of the Lac Courte Oreilles Reservation lands as well as off-reservation lands under the jurisdiction and purview of the Lac Courte Oreilles Tribe.
(g) "Tribal Entity" shall mean a corporation or other organization which is wholly owned by the Lac Courte Oreilles Band of Lake Superior Chippewa Indians and is operated for governmental or commercial purposes.
(h) "Tribe" shall mean the Lac Courte Oreilles Band of Lake Superior Chippewa Indians, and includes all departments, divisions, business units, and other subdivisions of the Tribe.
(i) "Tribal Court" shall mean the court of the Lac Courte Oreilles Band of Lake Superior Chippewa Indians.
(j) "Tribal Governing Board" shall mean the Tribal Governing Board of the Lac Courte Oreilles Band of Lake Superior Chippewa Indians.
Subchapter ITP.1.3 Information Security
ITP.1.3.010 Responsibilities
(a) The Tribal Governing Board hall oversee the Tribe's efforts to develop, implement, and maintain an effective Information Security Program. The Tribal Governing Board Counsel shall be responsible for approving this policy and the written report on the effectiveness of the Tribe's Information Security Program on an annual basis.
(b) The Tribe's IT Department shall assist with the enforcement and adherence to the standards and guidelines established within this policy.
(c) The Tribe's IT Department shall provide direction and control for information security at the Tribe.
(d) The Tribe shall exercise due diligence in selecting its service providers and require its service providers by contract to implement security measures that safeguard Tribal information.
(e) Employees shall know and understand their duties with respect to the Information Security Policy and comply with the terms of this policy.
(f) Security Objectives. The Tribe shall meet its business objectives by implementing business systems with due consideration of information technology (IT) related risks to the Tribe, business and trading partners, technology service providers, and customers. The Tribe shall meet this goal by striving to accomplish the following objectives:
(1) Availability, integrity and confidentiality of data or systems
(2) Accountability and assurance of processes and controls
(g) Security Process. The Tribe shall implement an ongoing security process and shall assign clear and appropriate roles and responsibilities to the Tribal Governing Board, management, and employees. The process shall be designed to identify, measure, manage and control the risks to system and data availability, integrity, and confidentiality, and ensure accountability for system actions.
ITP.1.3.020 Risk Assessment
Information security risk assessment is the process to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. The Tribe shall maintain an ongoing information security risk assessment program that effectively involves three phases:
(a) Information gathering. Gather data regarding the information and technology assets of the Tribe, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
(b) Analysis. Analyze the probability and impact associated with the known threats and vulnerabilities to its assets; and
(c) Prioritize responses. Rank the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and testing necessary for effective mitigation.
ITP.1.3.030 Strategy
The Tribe strives to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements. In building this strategy, the Tribe shall define its control objectives and establish an implementation plan. The security strategy shall include:
(a) Cost comparisons of different strategic approaches appropriate to the Tribe's environment and complexity;
(b) Layered controls that establish multiple control points between threats and Tribe assets; and
(c) Educating officers and employees in implementing the information security program.
ITP.1.3.040 Controls Implementation
The following security controls shall be implemented as available:
(a) Access rights admin. The Tribe shall have an effective process to administer access to system resources. The Tribe shall strive to identify and restrict access to any system resource to the minimum required for work to be performed. The process shall include the following controls:
(1) Assign end-users and system resources only the access required to perform their required functions;
(2) Update access rights based on personnel or system changes;
(3) Periodically review users' access rights based on the risk to the application or system; and
(4) Design appropriate acceptable-use and end-user policies.
(b) Authentication. The Tribe shall use effective authentication methods appropriate to the level of risk by:
(1) Selecting authentication mechanisms based on the risk associated with a particular application or service;
(2) Considering whether multiple forms of authentication are appropriate for each application, considering that multi-forms authentication is increasingly necessary for many forms of electronic communication and electronic payment activities; and
(3) Encrypting the transmission and storage of authenticators (e.g., passwords, PINs).
(c) Network access. The Tribe shall secure access to their computer networks through multiple layers of access controls to protect against unauthorized access. Access control measures shall include:
(1) Group network servers, applications, data, and users into security domains;
(2) Require use of unique user IDs and strong passwords;
(3) Establishing appropriate access requirements within and between each security domain; and
(4) Implementing appropriate controls to meet those access requirements consistently
(d) Operating System access. The Tribe shall secure access to the operating systems of all system components by:
(1) Securing access to system utilities;
(2) Restricting and monitoring privileged access;
(3) Logging and monitoring user or program access to sensitive resources;
(4) Updating the operating systems with security patches; and
(5) Securing the devices that can access the operating system through physical and logical means
(e) Application access. The Tribe shall control access to applications by:
(1) Using authentication and authorization controls appropriate for the risk of the application;
(2) Monitoring access rights to ensure they are the minimum required for the user's current business needs;
(3) Using time of day limitations on access as appropriate; and
(4) Logging access and security events
(f) Remote access. The Tribe shall secure remote access to and from their systems by:
(1) Controlling access through management approvals;
(2) Implementing controls over configuration to disallow potential malicious use;
(3) Monitoring remote access;
(4) Securing remote access devices; and
(5) Using strong authentication and encryption to secure communications.
(g) Physical Security. The Tribe shall implement appropriate preventative and detective controls to protect against the risk to physical security.
(h) Encryption. The Tribe shall employ encryption to mitigate the risk of disclosure or alteration of sensitive information and storage transit. Encryption implementations shall include:
(1) Encryption strength sufficient to protect the information while in transit between unsecure systems;
(2) Effective encryption key management practices; and
(3) Appropriate protection of the encrypted communication's endpoints.
(4) USB storage devices shall not be authorized for general use. If a USB storage device is needed to store sensitive or confidential information, then something like "bit locker" with encryption that requires a username and password shall be used.
(i) Malicious code. The Tribe shall protect against the risk of malicious code by:
(1) Using anti-virus products on clients and servers;
(2) Using an appropriate blocking strategy on the network perimeter;
(3) Filtering input to applications; and
(4) Educating staff in appropriate computing policies and procedures
(j) Systems development, acquisition, and maintenance. The Tribe shall ensure that systems are developed, acquired, and maintained with appropriate security controls. These steps shall include:
(1) Defining security requirements before developing or acquiring new systems;
(2) Incorporating recognized standards in developing security requirements;
(3) Incorporating appropriate security controls, audit trails, and logs for data entry and data processing;
(4) Implementing an effective change control process;
(5) Hardening systems before deployment;
(6) Establishing an effective patch process for new security vulnerabilities; and
(7) Overseeing vendors to protect the integrity and confidentiality of application source code.
(k) Personnel security. The Employee Handbook and Human Resources policies shall discuss risk mitigation posed by internal users
(l) Virtualization. The Virtual environment and the Virtualization of servers shall be the responsibility of the IT Department.
(m) Electronic and paper-based media handling. The Tribe shall control and protect access to paper, film, and computer-based media to avoid loss or damage. The Tribe shall:
(1) Establish and ensure compliance with policies for handling and storing information;
(2) Ensure safe and secure disposal of sensitive media and
(3) Secure media in transit or transmission to third parties.
(4) Employees are instructed to save data to "shared drives" or other network drives for security and backup purposes.
(n) Logging and data collection. The Tribe shall take reasonable steps to ensure that sufficient data is collected from secure log files to identify and respond to security incidents and to monitor and enforce policy compliance. The Tribe shall have appropriate logging controls to ensure that security personnel can review and analyze log data to identify unauthorized access attempts and security violations, provide support for personnel actions, and aid in reconstructing comprised systems.
(o) Service provider oversight. The Tribe shall review security responsibilities for outsourced operations through
(1) Appropriate due diligence in service provider research and selection;
(2) Contractual assurances regarding security responsibilities, controls, and reporting;
(3) Nondisclosure agreements regarding the Tribe's systems and data; and
(4) Third-party review of the service provider's security through appropriate audits and tests.
(p) Intrusion detection and response. The Tribe shall strive to detect and respond to an information system intrusion commensurate with risk. Risk mitigation practices shall include:
(1) Preparation. Analysis of data flows, decisions on the nature and scope of monitoring, consideration of legal factors, appropriate procedures governing detection and response; and
(2) Response to an intrusion. Containment and restoration of systems and appropriate reporting.
(q) Business continuity considerations. The Tribe shall develop a plan that includes:
(1) Identification and training of personnel with key security roles during continuity plan implementation; and
(2) Security needs for back-up sites and alternate communications.
(r) Insurance. The Tribe shall evaluate the extent and availability of coverage in relation to the specific risks they are seeking to mitigate.
(s) Equipment disposal/destruction. When equipment is retired from use, the hard drive shall be removed and stored or deleted and cleaned with software of a Department of Defense grade. Other equipment such as copiers, printers, and multi-function machines Shall have memory or other data storage devices deleted or destroyed. Equipment shall then be recycled, disposed of, or donated with no software or data.
ITP.1.3.050 Security testing
The Tribe shall gain assurance of the adequacy of their risk mitigation strategy and implementation by:
(a) Basing their testing plan, test selection, and test frequency on the risk posed by potentially non-functioning controls;
(b) Establishing controls to mitigate the risks posed to systems from testing; and
(c) Using test results to evaluate whether security objectives are met.
ITP.1.3.060 Monitoring and updating
(a) The Tribe shall continuously gather and analyze information regarding new threats and vulnerabilities, actual and potential attacks on the Tribe or others, and the effectiveness of the existing security controls.
(b) The information in par. (a) shall be used to update the risk assessment, strategy, and implemented controls.
(c) To complete the goals of (a) and (b) the Tribe shall utilize malware, antivirus, and other security programs.
ITP.1.3.070 Reporting
Employees that become aware of any system misuse; potential threat, intrusion, or unexplained occurrence; or violations of this IT policy, shall inform a member of the IT Department immediately.
ITP.1.3.080 Incident response program
(a) Incident Response Team. The Tribe shall establish an Incident Response Team that is available for anyone who discovers or suspects that an incident has occurred. One or more team members are responsible for handling the incident, analyzing the incident data, determining the impact of the incident, and acting appropriately to limit the damage and restore normal services.
(1) The primary Incident Response Team shall consist of:
(A) IT Director
(B) IT Department personnel
(2) More severe or extensive incidents can include:
(A) Office of Attorney General
(B) Tribal Law Enforcement
(C) Compliance/Audit Officer
(3) All Tribal employees shall be aware of the possibility of system or security incidents.
(4) Physical building incidents shall be directed to the Tribe's security officer.
(5) Computer security related incidents shall be directed to the IT or Operations Departments.
(6) Individuals shall work with the response team and executive management to execute an incident response.
(b) Phases of Incident Response
(1) Preparation. This initial phase involves establishing and training a response team and acquiring the necessary tools and resources. During preparation, the Tribe shall attempt to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments. Other preparation items include:
(A) Risk Assessment
(i) Host Security
(ii) Network Security
(iii) Malware Prevention
(B) User Awareness and Training
(C) System Hardening Guidelines
(D) System Access Guidelines
(E) Facilities Security Guidelines
(F) Insurance Policies
(2) Detection and analysis. The process of monitoring and awareness. Training creates an awareness of what constitutes an incident and who to contact when it occurs. Log monitoring, with knowledge of baseline system activities, will create trigger points. Once detected, the Tribe may mitigate the impact of the incident by containing it and ultimately recovering from it.
(3) Containment, eradication, and recovery. The response to the Incident.
(4) Post incident activity. Once the incident is over, an overall assessment report of the incident shall be developed detailing the cause of the incident, steps to prevent future incidents, and steps to mitigate consequences of future incidents.
(5) Unauthorized access to tribal information procedures
(6) Audit. The Tribe shall utilize both internal and external audit procedures to provide independent assessments that evaluate the Tribe's:
(A) Quality of internal controls associated with the acquisition, development, implementation, and operational use of information technology.
(B) Exposure to risks throughout the Tribe and its service provider(s) in the areas of user and data center operations, client/server architecture, local and wide area networks, telecommunications, information security, electronic data interchange, systems development, and contingency planning, including risk management and mitigation techniques implemented by the Tribe; and
(C) Compliance with this and other related policies, procedures and processes concerning information technology related risks.
Subchapter ITP.1.4 Acceptable Use
Network access is deemed to be a business tool providing a source of information with the potential for benefiting all areas of the tribe and enhancing customer service, customer retention, and growth. The Information Technology department shall approve Network access as deemed appropriate and shall determine what components of the Network shall be available (email, internet, World Wide Web, etc.). All employees accessing the Network on tribal equipment, on tribal premises, or on a tribal Internet access account shall become proficient in its capabilities, practice proper network etiquette, and agree to the conditions and requirements of this agreement.
ITP.1.4.010 General principles
(a) Network, internet, and email privileges provided by the Tribe, shall be considered tribal resources, and shall be used for tribal business purposes. Network and Internet usage shall not be private. Usage shall be monitored for unusual or unacceptable activity and can be monitored at any time for any reason.
(b) Internet use includes, but is not limited to:
(1) email received and sent,
(2) websites visited,
(3) social media posts,
(4) uploads, and
(5) downloads
(c) The Tribe shall own the Network, messaging systems, and the information transmitted and stored within it.
(d) Employees shall have no expectation of privacy or confidentiality in any of their emails or network files. Employee email, web history and phone usage may be monitored for policy, security, network and/or tribal management reasons from time to time and is subject to inspection at any time.
(e) Correspondence, internal or external, via email, or instant messaging (IM) shall not be private. Email shall not be guaranteed protection from other employees or from others outside the tribe.
(f) The distribution of any information through the Network, computer-based services, or email shall be subject to the scrutiny of tribal management and its auditors. The Tribe reserves the right to determine the suitability of this information.
(g) Employees shall be restricted in their usage of employee-owned personal electronic devices and media storage devices on the Tribal Network.
(h) Employees utilizing web sites and social media sites at work for personal use shall do so during break and lunch times in a professional manner as to not interfere with their job duties and responsibilities. Excessive use, as deemed by their supervisor and/or management, shall result in loss of privilege for the user and possibly other disciplinary action as outlined in this agreement.
ITP.1.4.020 Conditions of use
(a) Users shall
(1) Comply with all current tribal policies
(2) Lock or log off computers when leaving them unattended for any length of time
(3) Use unique user IDs and strong passwords as indicated by tribal policy and maintain password credentials in a confidential manner
(4) Contact the IT and Department manager immediately upon discovering suspicious activity on the Network, Including a Tribal workstation, network resource, or email
(5) Immediately notify IT and management if a business-related mobile device is lost, stolen, exchanged, unusable, or no longer used
(6) The user shall be required to maintain and safeguard the equipment issued and return it to the Tribe if they leave the employment position from which it was issued. This includes when an employee transfers to a new department. If the employee is leaving the employment of the Tribe, they shall return all equipment before they receive their last paycheck.
(b) Users shall not
(1) Knowingly visit Internet sites that contain illegal, obscene, hateful, or other objectionable materials
(2) Knowingly access ads or other solicitations commonly seen in the margins of reputable website pages or that popup while on a site
(3) Knowingly open an attachment or access a link provided in an unsolicited, unfamiliar email. The IT Department shall review any suspicious email
(4) Send non-encrypted emails containing sensitive customer information.
(5) Send or receive any material, whether by IM, email, memoranda, or oral conversation, which is obscene, defamatory, harassing, intimidating, offensive, illegal, discriminatory, or which is intended to annoy, harass, or intimidate another person.
(6) Solicit non-tribal business for personal gain or profit
(7) Download any software or electronic files to a tribal workstation or the Network unless authorized by the IT department
(8) Represent personal opinions as those of the tribe or purport to represent the tribe when not authorized to do so.
(9) Upload, download, or otherwise transmit software or any copyrighted materials in violation of its copyright or license whether it belongs to parties outside of the tribal, or the tribe itself
(10) Reveal or publicize confidential or proprietary information which includes, but is not limited to: financial information, customer information, marketing strategies and plans, databases and any information contained therein, customer lists, computer software source codes, computer/network access codes, passwords/login information and business relationships.
(11) Intentionally interfere with the normal operation of the Network, including the propagation of computer viruses and sustained high volume network traffic, which substantially hinders others in their use of the network.
(12) Examine, change, or use another person's username, password, files, and output, for which they do not have explicit authorization.
(13) Perform any other uses identified by the tribe as inappropriate.
(14) Use tribal equipment or other resources for any purpose other than that authorized by tribal management and IT department.
(15) Use tribal email accounts (xxxxx@lco-nsn.gov) to open or maintain personal Internet accounts, such as social media, websites, blogs, etc.
(16) Use film cameras, digital cameras, digital camcorders, and personal devices with camera and/or video capabilities (i.e., a cellular phone including a camera capable of capturing and transmitting still or full motion images) in any way that violates Tribal policies, including illicit and illegal use. Photos showing tribal security measures, secure areas such as vaults, information on computer screens or any Network resources are strictly prohibited.
(17) And are prohibited from connecting personal electronic devices or media, including but not limited to smartphones, tablets, CD/DVD burners, special keyboards, mice, external hard drives, and USB "jump" drives, to Tribal workstations or Network resources; even for the purpose of charging the device unless authorized by the department manager and the IT department.
(18) And are prohibited from using portable media storage devices, including but not limited to USB drives and other external drives, to duplicate and/or distribute Tribal information, including confidential information copyrighted materials, music, video, movies, and software unless authorized by the department manager and the IT Department.
(19) Load a bootable, alternate operating system on any Tribal owned computer from any employee-owned source or media, including CD/DVD discs or USB devices ("jump" drives), without prior permission of the department manager and IT Department.
(20) Connect any employee-owned electronic device whether desktop, laptop, tablet, handheld, wearable or media storage device, through a wired connection to Tribal provided network or Internet access without the prior permission of the department manager and IT Department. Wireless internet access is provided at the main lobby and Peter Larson room for guest and employees to use with personal devices.
ITP.1.4.030 Personal posts
The Tribe recognizes that employees may post personal information on the Internet through personal websites, social media, blogs and/or uploading content to websites and the like. The Tribe respects our employee's interest in participating in these forms of personal expression on their own time. Employees should be aware; however, that problems can arise when personal postings identify or appear to be associated with the Tribe, or when a personal posting is used in ways that violate the Tribe's rights or the rights of other employees.
Each employee is legally responsible for content they post on the Internet, whether on a social network, website or otherwise. You can be held personally liable for defaming others, revealing trade secrets, confidential information or proprietary information, etc. Tribal policies apply to what you post on the Internet. For example, you may not use personal postings to harass or threaten other employees or reveal confidential tribal information. Embarrassing or unkind comments about tribal employees or members, customers, or competitors are also inappropriate. Posting anonymously or under a pseudonym, does not protect your real identity; it can be discovered relatively easily.
ITP.1.4.040 Violations
Users who violate any of the guidelines set in this agreement may be subject to disciplinary action including written warnings, revocation of access privileges, and termination. Unacceptable use of personal electronic devices will result in the immediate confiscation of the involved device(s) or media as appropriate. Depending upon the nature and severity of the violation, the confiscated device(s) or media may be held as evidence indefinitely. The Tribe also retains the right to perform personal property searches in relation to any guideline violation and report any illegal violations to the appropriate authorities.
Subchapter ITP.1.5 Backup and Recovery
ITP.1.5.010 Backup and Recovery
(a) All tribal critical data that is stored locally on the domains file server shall be backed up daily and kept off site in the cloud.
(b) Backups shall be done on all critical information that is stored on the shared network.
(c) The backup shall be set up to run automatically after normal working hours and a log of the success shall be kept.
(1) These backups shall be based on an incremental or differential backup methodology
(2) Backup shall be performed in such a way that information can be restored from a time frame requested up to ninety (90) days incrementally from the past.
(d) Information shall be restored monthly at the discretion of the IT department to ensure backups are functioning properly and that the information shall be available if needed.
(e) Department Directors shall request IT to restore information from a backup by email or memo.
(1) Generally, the requested information shall be available to the department within twenty-four (24) hours of the request.
(2) If the data recovery is needed do to a minor or major system failure it may take longer to restore depending on the level of failure.
(f) The servers or equipment that are performing the backups shall be in a locked and restricted location. These servers or equipment shall also be on Uninterruptible Power Supply (UPS) to help mitigate problems resulting from power fluctuations or short power outages.