10.3.4 General Security and Email Policies
All users of archdiocese and Location communication systems and devices should use care in creating email, text, video, still images, instant or voicemail messages, or any postings on any social networking site. Even when a message has been deleted, it may still exist on a backup system; it may be restored, downloaded, recorded, or printed; or it may have been forwarded to someone else without its creator's knowledge. The contents of email and text messages are the same as other written documentation and cannot be considered private or confidential.
As with paper records, proper care should be taken in creating and retaining electronic records for future use, reference, and disclosure, as applicable. See Document Retention.
Postings to groups such as "All Employees," "All Parents/Guardians," "All Seminarians," "All Parishioners," and the like on intranets or the Internet must be approved by the person in charge of the Location before the postings are sent out.
Archdiocese and Location systems, devices, and materials are not private and security cannot be guaranteed. User IDs and passwords are intended to enhance system security, not to provide users with personal privacy. User account passwords for systems that are not controlled by a centralized user directory or authentication system must be on record with the person in charge of the Location.
Do not disclose User IDs and passwords to unauthorized parties or share them with other employees, students, or volunteers. User accounts are intended to be used only by the assigned party.
Change passwords to user accounts regularly. Avoid using the same password for user accounts with different providers.
All information systems that create, store, transmit, or otherwise publish data or information (e.g., a website) must have authentication (ability to verify the identity of the user) and authorization systems (e.g., individualized user accounts) to prevent unauthorized use, access, and modification of data and applications.
Any electronic medium that is intended for use by the general public may allow access as long as the medium does not allow unauthorized posting and modification of the official information.
All files downloaded from the Internet, all data received from outside sources, and all content downloaded from portable memory devices must be scanned with current virus detection software. Immediately report any viruses, malware, tampering, or other system breaches to the person in charge of the Location.
Back up critical information periodically onto backup storage. Store backed-up information in a safe place that is available for recovery in case of a loss of the original information. Depending on the complexity of a Location's information systems, a detailed disaster recovery plan may need to be developed.
Protect computer networks and physical hardware from unauthorized use. Both local physical access and remote access must be controlled.
Complete archdiocesan information is accessible exclusively through the Archdiocesan Community Email Services (ACES), and all employees, clergy, and similar users are encouraged to obtain and use an ACES account as their preferred business account.