DTS POLICY 5000-0004
Status: Active Policy
Effective Date: November 8, 2016
Revised Date: February 25, 2020
Approved By: Michael Hussey, CIO
Authority: UCA 63F-1-103; UCA 63F-1-206; Utah Administrative Code R895-7 Acceptable Use of Information Technology Resources
Originator: Jerri Averre
Next Review: February 2021
Reviewed Date: February 2020
Reviewed By: Ben Mehr
The purpose of this policy is to establish a baseline for restricting Internet access in order to reduce the risk of exposure to the State of Utah Information Systems and Network.
The Acceptable Use of Information Technology Resources rule defines how State of Utah technology resources, including workstations, networks, and servers, may be used. In accordance with this administrative rule, this policy establishes restrictions to reduce risk to State of Utah Information Systems containing sensitive and confidential data and to restrict access to non-work sites. There is a positive correlation between access to restricted websites and the risk of being infected with malware or becoming the target of other cyber exploits. Web filtering is essential to provide proper controls to minimize security risk and to meet due diligence requirements pursuant to applicable state and federal regulations.
This policy applies to all State of Utah employees and contractors that access the Internet through the State of Utah Network.
Web filtering is applied to all networks which traverse the State of Utah perimeter firewall.
The Chief Information Security Officer or the Enterprise Information Security Office will review requests to bypass restricted categories due to job duties when provided valid justification from the State Employee’s or State Contractor’s Manager or Director.
2.0 Web Filtering
The Web URL Filter application will restrict, monitor and log Internet usage of users on the State of Utah Network. The Web URL Filter assigns web sites to one of a number of predefined categories. Categories which are being blocked across all State of Utah networks are defined below. The restricted categories are subject to review and may be changed at any time. Exceptions may be granted upon request, based upon work requirements. Accounts that are granted exceptions may be subject to elevated monitoring and additional security controls to protect State of Utah technology resources.
3.0 Restricted Web Categories/Definitions
Sites that promote the abuse of both legal and illegal drugs, use and sale of drug-related paraphernalia, manufacturing and/or selling of drugs.
Sexually explicit material, media (including language), art, and/or products, online groups or forums that are sexually explicit in nature. Sites that promote adult services such as video/telephone conferencing, escort services, strip clubs, etc.
Alcohol and Tobacco
Sites that pertain to the sale, manufacturing, or use of alcohol and/or tobacco products and related paraphernalia. Includes sites related to electronic cigarettes.
Command and Control
URLs and domains used by malware or compromised systems, or both, to surreptitiously communicate with an attacker’s remote server to receive malicious commands or exfiltrate data.
Websites and services that are dedicated to illegally serving videos, movies, or other media for download, explicitly infringing copyright holders.
Sites that provide and/or utilize dynamic DNS services to associate domain names to dynamic IP addresses. Dynamic DNS is often used by attackers for command-and-control communication and other malicious purposes.
Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions, or other beliefs.
Lottery or gambling websites that facilitate the exchange of real and/or virtual money. Related websites that provide information, tutorials or advice regarding gambling, including betting odds and pools. Corporate websites for hotels and casinos that do not enable gambling are categorized under Travel.
Sites that provide online play or download of video and/or computer games, game reviews, tips, or cheats, as well as instructional sites for non-electronic games, sale/trade of board games, or related publications/media. Includes sites that support or host online sweepstakes and/or giveaways.
Sites relating to the illegal or questionable access to or the use of communications equipment/software. Development and distribution of programs, how-to-advice and/or tips that may result in the compromise of networks and systems. Also includes sites that facilitate the bypass of licensing and digital rights systems.
Sites containing malicious content, executables, scripts, viruses, trojans, and code.
Sites that contain nude or seminude depictions of the human body, regardless of context or intent, such as artwork. Includes nudist or naturist sites containing images of participants.
URLs which host limited content or click-through advertisements, which may generate revenue for the host entity but generally do not contain content that is useful to the end user.
Sites that provide access to or clients for peer-to-peer sharing of torrents, download programs, media files, or other software applications.
Seemingly reputable sites that harvest personal information from their users via phishing.
Proxy Avoidance and Anonymizers
Proxy servers and other methods that bypass URL filtering or monitoring, or pharming.
Sites containing tasteless humor, offensive content targeting specific demographics of individuals or groups of people, criminal activity, illegal activity, and get rich quick sites.