Policies and Procedures

Information Technology Policies and Procedures

The following information applies to all users at all Archdiocese of Chicago department and agency offices with the exception of Catholic Charities, Catholic Cemeteries, Food Service Professionals, Mercy Home, St. Mary of the Lake University, and other locations with recognized existing IT departments.

The policies and procedures listed below are being formally enacted in order to ensure the ability to protect, maintain, and improve the operational effectiveness of our investments in Information Technology.


Adoption and Effectiveness

This policy is adopted in draft form on May 6, 2002 and is effective immediately.

This policy will be formally formatted and submitted to the policy committee for inclusion in Archdiocese policy manuals.

These policies will be amended as technology needs, threats, or changes dictate.


Support

The IT Service Center is here to provide remote and onsite technical assistance to our Quigley and Meyer Center customers as well as phone support to our customers who are members of the Archdiocese of Chicago Parishes and Schools.

As the single point of contact for our customers, the IT Service Center is positioned to ensure each problem or question reported is resolved in as expedient a manner as possible, as well as to help our customers fully utilize the benefits of the Technology Solutions currently offered.

To submit a question or problem you are experiencing, please contact the IT Service Center in one of the following ways. Using one of these methods ensures that the question or problem is responded to as quickly as possible, and that the right resources can be engaged if required.

Contact and Hours of Service:

IT Service Center
(312) 534-5227
ITServiceCenter@archchicago.org

When contacting the Service Center, a Ticket will be opened detailing the question or problem you are experiencing.  This ticket will assist us in following through with your call or email until you have received a resolution.

Normal Service: Monday - Friday, 8am - 6pm

After-Hours Critical Incident Service: Monday - Friday, 6pm - 8am

 

Note: After-Hours Critical Incident is designed for wide-scale outages and AoC-critical business. Although all customer issues are important to the IT Service Center, and we strive to resolve all issues in a timely manner, only Critical Incident situations, as defined above, can be addressed by the IT Service Center during After-Hours Critical Incident Service.

Should an incident require escalation, or should there be concerns over the handling of the incident you reported, please contact Aaron Finnemore, Infrastructure and Technical Services Manager.

 


Support Response Targets

As calls for service are received from end-users, they are classified by type and severity in order to ensure that proper resources are applied to problems. This is based on the impact to the user or the environment as a whole. The following list describes the types of problem classifications and target resolution times. The times are called “target” because the number of problems reported can exceed available resources. These times are based on best-case goals for instances when resources are not already engaged, and are available for immediate dispatch.

“Problems” are classified as an event that requires intervention, with existing installed hardware or software that is either malfunctioning or inoperable and which is impeding one or more users from performing their functions.

For our purposes we have classified problems into three categories to reflect both the amount of impact to the user environment, and the level and speed of our response to the problems.

Severity 1

This is a problem that causes an outage to a group of users, a department, or floor, such that they are unable to perform their normal work functions, and for which there is no “acceptable” workaround, or for a single user who has a failure that prevents any use of the PC. For our purposes the determination of acceptability of an offered workaround will be at the discretion of the affected users.

Response – Calls classified as Severity 1 will be responded to as follows:

  • Initial Contact from Technical Services or Application Support = 15 minutes from time of dispatch.
  • On-Scene Time = within one hour (within Pastoral Center)
  • Targeted time to Resolution = within eight business hours

Severity 2

This is a problem that causes an outage for one or more users, for which there is an acceptable workaround, or for which the user is able to continue working in an alternate method.

Response – Calls classified as Severity 2 will be responded to as follows:

  • Initial Contact from Technical Services or Application Support = Two Hours.
  • On-Scene Time = within four hours (within Pastoral Center)
  • Targeted time to Resolution = within 16 business hours

Severity 3

These are problems that do not involve impact to the work effort and for which an immediate response is not needed. For example: a user is having problems getting a document to print properly, knows that the problem is related to margins, and has found a way to work around it, but would like someone to assist them in adjusting their document to the specific printer.

Response – Calls classified as Severity 3 will be responded to as follows:

  • Initial Contact from Technical Services or Application Support = Eight hours from time of dispatch.
  • On-Scene Time = within 16 business hours (within Pastoral Center)
  • Targeted time to Resolution = within 24 business hours

Service Request

A “Service Request” is simply what its name implies, a “request for service”. Services that might be requested are such things as ordering hardware, installing hardware, moving hardware, and expanding networks or servers to meet new requirements. Other examples include: enrolling in training, requesting technical documentation, requesting a service enhancement or service modification. The easiest way to identify something that is a Service Request is that it involves a “request” but does not involve a “failure”.

Service Request Classifications

Service Requests fall into two categories of classification within Track-It: “ASAP (Service Request)” and “Scheduled (Service Request).”

ASAP (Service Request)

This would be a request to perform a service (move, add, install, order etc.) as soon as possible. The service target for “ASAP (Service Request)” is “best effort” at this time. This means that ALL problems take priority over Service Requests. However, the user must be contacted within eight business hours from time of dispatch and notified of our best estimate of when the service will be rendered. If time is of the essence, and pre-existing service requests preclude service delivery for something that is urgent to the user, the party responsible will offer the services of outside contractors to the user. The costs of any outside contractors for purposes of service requests are to be borne by the requesting department.

Scheduled (Service Request)

These requests are similar to the above but involve an agreement between the responsible party and the user on the date on which the service will be rendered. An example of this is the ordering and installation of new PCs. The initial call from the user to order the PCs would be classified as “Scheduled (Service Request)” since the service is not something that can be delivered immediately. Because PCs need to be ordered and delivered, and delivery of the PC will ultimately impact the user, a mutually agreeable time will need to be scheduled for the installer and the user.


Escalation Procedures

All problems and service requests are tracked in a problem management system known as Track-It.

Track-It automatically escalates tickets to various management levels within IT if due dates are missed. If a user is at any time dissatisfied with any interactions with the Technical Services Group, they should contact the Manager of the Technical Services Group at 312-534-5249 to discuss the issues. Further escalation is available by contacting the Director of the Office of Information Technology at 312-534-5330.


Protection of Data Resources

Users may not access, view, copy, read, or alter a file on a local or network drive without the express permission of the data owner in the case of data in a shared area; or the creator of the file, in the case of data stored on a local drive.

The mere ability to access data does not imply or bestow permission to read, alter, or copy that file.

Users are not authorized to view, display, peruse, or otherwise examine the directories or files of others.


Shared Drives

Departments can have shared directories in a public area where files may be shared among any number of users—from just department employees, to cross-department teams, or to all LAN users. Contact IT to arrange for the creation of such folders on drive “S:” and set appropriate security for those folders.


Ownership of Systems, Software and Information

All computers, systems, software, and technology supplied by the Archdiocese, or used in the performance of Archdiocesan business, are the property of the Archdiocese.

All Archdiocesan technology resources are to be used only for legitimate, authorized purposes. Users are permitted authorized access to assist them in the performance of their duties. Users are not authorized to alter, reconfigure, transfer, install or uninstall software or hardware unless specifically authorized to do so by the Director of the Office of Information Technology AND their Department or Office Director.


Network Printers

Although many users have printers connected directly to their PCs, there are also one or more shared network printers available for use by all users on each floor of the Pastoral Center and in many of the large outside agencies. Due to the overall lower cost per user and per page of shared printers, locally attached printers should not be ordered or installed without a documented reason why existing resources are unsuitable, accepted as valid by the department manager and Director of Information Technology.

Users are encouraged to use the shared printers whenever possible to reduce overall cost as well as the time required to complete their print jobs.

Shared printers are usually in common file areas or near the copier machines and are labeled with a unique network name.


Training Classes

Several training classes are offered throughout the year at the Pastoral Center.  These classes primarily focus on the Microsoft Office suite of products and Novell GroupWise.

Most classes are open to ALL Archdiocesan employees (including school and parish employees).  All classes are provided AT NO COST, unless specified.

Occasionally, changes in software or procedures within the Pastoral Center Network may require mandatory training for all network users or a subset of users.  When mandatory training is required, several sessions will be made available.

Registration and the list of upcoming classes are available on the Training page of the IT website.


New User Training

All users who log into the Pastoral Center Network are required to attend New User Training.

New network users (full-time, temporary and volunteers) will be scheduled for New User Training by the Lead Training Coordinator.  This training is typically held on the 2nd and 4th Wednesdays of each month from 1:30 - 4:00 PM.

Users should make every possible attempt to attend the earliest New User Training course.  In the event that a new user can't attend training at their scheduled time, call the IT Service Center so the instructor can accommodate the user's availability.

Failure to attend the training within the first 30 days of logging into our network may result in the termination of network access.


Software License Compliance

All software used on Archdiocesan-owned equipment shall have a valid license and shall be used in compliance with such license conditions. No duplication of software or use on additional PCs other than the initial installation is allowed unless EXPRESSLY allowed in the vendor license agreement.

Failure to comply with license agreements can result in substantial monetary penalties to the Archdiocese in addition to possible criminal penalties for the parties responsible for the theft of intellectual property.

We enjoy significant discounts on software due to our functions as an educational institution. We should not jeopardize this valuable resource.


Standard Products List

Specific products for each of the core office functions and most vertical applications have been selected, and standard installation packages exist for each. The listing of current standard products is available using the link below.

Non-standard products require the approval of the department director AND the Director of the Office of Information Technology.  Once approved, the product will be tested to ensure interoperability with existing products.

Requirements for non-standard software should be discussed with IT prior to purchase to avoid the possibility of the purchase of software that is problematic or non-supportable in our environment. Many times, past experience with various vertical software products allows OIT to identify a viable solution without the need for prolonged testing or further research.

To ensure that we are at all times compliant with licensing regulations, all original licensing documentation as well as original media disks or CDs will be retained by OIT and also duplicated and stored off site to support disaster recovery needs.

Click here to view the Approved Software list.


Provisioning

The OIT maintains agreements with key vendors to ensure availability of certified systems, software, and other IT components at the best prices.

Users wishing to obtain new or updated hardware, software, or other components must first have the approval of their department head and then request requisitioning by contacting the OIT at 312-534-5227 and conveying their request. At this time a tracking ticket will be opened to handle the request. When needed, a staff member may call the user back to verify product information and the best product for the user’s task.

IT will then determine the best price and delivery method for the product and prepare a requisition for the item on behalf of the user. Each requisition must be signed by the relevant department head, after which time a purchase order will be created for the designated item.

Once the product is received and configured or tested, the user will be contacted to arrange an installation time. After the product is installed or upgraded, the tracking ticket will be closed.

To avoid financial or data loss due to incompatible systems or hardware, departments and agencies must involve the OIT in the vendor or product selection process before attempting to provision services.

Services vendors are not allowed to perform services at locations supported as part of the Archdiocese Pastoral Center Network. Locations with networks not part of the AOC-PC network or standalone locations should contact the OIT to arrange for any services they require. Services will be performed by OIT staff or OIT-approved vendors as needs require.


Security

Many systems and products within the IT environment contain critical or sensitive information. In order to maintain control of access to information, the following policies are required.

User IDs and Passwords will not be shared with anyone at any time.

Users will not allow anyone else to log in with their ID or password at any time.

Passwords will not be written down unless placed in a secure location (e.g., a locked drawer or on your person).

Passwords may not be re-used within a 13-month period.

Passwords will require a minimum of seven characters and should include mixed letters and numbers.

ALL employees accessing systems will have unique user IDs.

Temporary employees will have accounts that expire every 30 days; manager approval is required to extend for 30-day increments.

Users will not use “checkboxes” within applications that offer to “remember” passwords.


New User IDs

Every user who connects to the Pastoral Center network needs their own User ID.  This includes any temporary employees and volunteers as well as new employees.

To begin the process of requesting an account, someone from the agency the new employee is working with needs to fill out a new user request on the web-site (https://forms.archchicago.org/).

The person filling out the request must have an account in the Pastoral Center's network and must be a full-time employee.  The person who is selected as the manager of the new employee needs to approve the request (they will receive e-mail notification of a pending account).  If the person filling out the request is also the new employee's manager, the request will automatically be approved.

The information that is provided about the employee is used to establish the permissions the employee will have and also is used for that person's information in the Novell GroupWise Address Book and the Pastoral Center phone directory.

Although user requests are usually completed within 24 - 48 hours, requesting managers should allow 7 days for the completion of new user ID requests or security level changes due to the highly segmented levels of security involved requiring the involvement of various members of OIT to complete the process.

If you forget to fill out a user request before the employee begins work, please contact the IT Service Center after you fill out the request so we can create the User ID as soon as possible.  Other permissions may take longer.


Changes, Deletions, Terminations, Transfers

All changes to user security are the responsibility of the employee’s supervisor.  The supervisor will also be responsible for reporting, via the IT Service Center or via e-mail, status changes of employees that should result in the reduction or complete deletion of access to Archdiocese systems or data resources. Such notifications should precede the date of the action, but in all cases will be reported before the end of business on the day of any termination or transfer.


Internet Access Process

Access to the Internet is governed by the Archdiocese of Chicago “Electronic Communications Tools” policy, and as such requires the signed acknowledgement of approved uses as well as the signature of the employee’s Department Director. The policy is presented to each employee at time of hire, and a signed copy is maintained by Human Resources. The employee is responsible for obtaining Director approval for Internet Access and then forwarding the signed Electronic Communication User Agreement page to Human Resources.

Once the signed paperwork is received from Human Resources, access to non-hosted internet sites will be granted.

Dial-up connections to the Internet or to other services providing Internet access are prohibited in locations that have Internet access available via the local area network.

Click here for the Electronic Communications User Agreement form.


Internet Services Usage

Due to the growing challenges and risks in maintaining a secure interface between a network and the Internet, it has become necessary to block the following types of Internet traffic from entering our network:

  • Active-X
  • Java (but not JavaScript)
  • NNTP (USENET servers)
  • SMTP (Internet mail services blocked outbound – except for Archdiocese mail server)
  • Instant Messaging
  • PCAnywhere
  • FTP
  • TFTP
  • Telnet

Also, all usage is content filtered to prevent access or redirection to inappropriate or offensive sites. Should you find what you feel is a page that is blocked without valid reason, please contact the IT Service Center and we will investigate the issue for you.

All Internet access is also logged, and these usage logs, which contain such things as site names, pages visited, times, and files downloaded, are available to department managers upon request to investigate compliance with the Archdiocese Electronic Communications Tools Policy.


E-Mail Content Filter

Messages that you receive from outside of our e-mail system are scanned for inappropriate content, and scored, by the Barracuda Spam Filter.  Messages that are more likely than not to be junk mail will be placed in quarantine.

Messages that contain non-English text are more likely to be tagged incorrectly.

Messages that score too high will simply be discarded.


Anti-Virus Software

Virus infections are a constant problem and are increasing in frequency. The tremendous risk of data loss that they represent requires us to take extreme measures to protect our environment from infection. For this reason, all workstations connecting to our network are provided with antiviral software that is automatically updated to recognize and deal with new virus forms as they are identified.

Disabling or bypassing the virus software is prohibited.


E-Mail Accounts

Access to e-mail services is given to all Pastoral Center employees that have valid network accounts unless otherwise requested by their Manager or Director.


Confidential E-Mail

E-Mail sent from the Pastoral Center's network is not encrypted.  Because of this, and because you can't be 100% certain who reads e-mail in a particular account, you should not send any confidential/sensitive information via e-mail. Any such communication should be done via phone, courier, or US Mail.


E-Mail Delivery Times

Internal mail (Pastoral Center and connected locations) is available 24x7 unless there is scheduled maintenance or a system failure. Mail delivery within our internal system is almost instantaneous.

Internet e-mail has no guarantee of delivery, or guaranteed delivery interval. Mail flow across the Internet can involve crossing hundreds of networks before it reaches its intended delivery point. Some failing points save mail and forward it once recovered, which can delay delivery.

Problems with slow delivery of mail originating on our network to another person across the Internet should be reported to OIT, who will verify whether it was sent, received, refused, or is still in transit.

Problems with mail en route to you from someone on another network should be reported to the sender for investigation on their end.

Most problems with delivery of e-mail are simply due to an incorrect e-mail address.  Depending on the nature of the problem, you may receive a non-deliverable notification right away or, in the worst case scenario, three days later.

If you try to send a message to an invalid post office (the part of the address after the @ symbol), you will receive a non-delivery message from the GroupWise Internet Agent (GWIA).

If you try to send a message to an incorrect mailbox (the part of the address before the @ symbol), you should receive a non-delivery message from the post office you sent the message to.

If you try to send a message to a post office that is not responding, our mail system will try for up to 3 days to send the message. After the 3rd day, if the message still can't be delivered, you will receive a non-delivery message.

You can check the status of a message you send to another network by viewing the Properties of the Sent Item in GroupWise (switch to your Sent Items, double-click the message and click the Properties tab or choose File, Properties).  Any message that has been Transferred was sent to the receiving post office.  Any message with Transfer Pending is experiencing delivery problems, but is still trying to send.  Any message with Transfer Failed was NOT delivered.


E-Mail Size Limitations

The Archdiocese, much like other organizations, has restrictions on the size of inbound mail messages.

To protect against unplanned shortages of disk space on the mail servers and possible denial-of-service attacks, inbound mail messages are limited to 7MB in size. Messages larger than 7MB (the message plus any attachments) will be rejected. If you encounter problems with critical inbound mail attachments larger than 7MB which cannot be obtained through other means, contact the IT Service Center and we can investigate alternative methods or the possibility of a temporary lifting of the file size restrictions.

Although the Archdiocese does not limit the size of outbound mail messages, your recipient’s mail system might.  If you plan to send someone a large file, you should check with them first to find out any size restrictions their mail system might have in place.

These restrictions don't affect messages you send within our mail system.  However, large file attachments will quickly fill up your mailbox as well as the recipients' mailboxes.


Broadcast E-Mails

Broadcast e-mails are e-mail messages sent to a large number of members in a post office. To reduce annoyance, traffic, and accidental delivery to non-Archdiocese of Chicago employees, all broadcast e-mails must be approved first.

Messages for broadcast that are sent to schools and/or principals need to be approved by the Superintendent of Schools.  Route any messages directed to a large number of schools and/or principals to Ryan Blackburn.

Messages to be sent to the entire Pastoral Center, all (or most) parishes, or all employees need to be approved by the Moderator of the Curia.  Route any of those messages to Diana Kozojed.

Upon review, the message will either be returned to you or distributed.


Generic Mailboxes

Departments may request that one or more users be assigned to a generic mailbox.  This allows mail addressed to a generic department e-mail address to be received by one or more people to ensure that all inbound mail is read by someone in the department on a regular basis and handled accordingly.


Mailbox Size Limitations

Users are encouraged to minimize the amount of mail retained within their mailboxes. The disk space requirements to use mail as a “filing cabinet” can be extreme, and the sheer volume of mail can negatively impact the ability to safely back it up and restore it in the case of a system failure.

Mailbox sizes for Pastoral Center network users are set to 50 MB after the user has attended New User Training.  The 50 MB storage includes all items you receive, send, move into your cabinet, post on your calendar, and place in the trash.  If you reach or exceed your mailbox size limit, you will still receive items but won't be able to send mail, reply to or forward messages, or add items to your calendar.

Users should clean out their mailbox on a regular basis.  Delete items that you no longer need (including Sent Items).  When you delete an item, it will be sent to your trash.  Empty your trash on a regular basis.

File attachments are the biggest culprit in eating up your mailbox space.  Whenever possible, save the attachment to your local drive (or shared drive when appropriate) so that you can delete the message and reclaim the mailbox space.


File Attachments

You can include files along with the text of an e-mail message.  To prevent viruses from entering into our network, the following file types (extensions) can't be sent into our network (although you can send these files to other users of our e-mail system).

The blocked file types include:  .exe, .bat, .com, .cmd, .pif, .htm, .html, .php, .jse, .perl, .shs, .hta, .scr, .drv, .vbs, .eml, .zip and .gen. Other file types may be added as other files become "carriers" for viruses.

Zip files are quarantined (rather than discarded) since we can't automatically scan the contents of the zip file. If you are expecting a Zip file via e-mail, contact the IT Service Center so that we can manually scan the file and send it to you.


Viruses

In addition to removing certain types of files, all e-mail that comes into the Pastoral Center network e-mail system is scanned for viruses.  If the virus scanner detects an infected file, it will discard the entire message.


Policy on Use of Smart Phones and Tablet Devices

A smartphone is a cell phone that offers more advanced computing ability and connectivity, including over-the-air Internet access and email syncing. Smartphones may be thought of as handheld computers with integrated mobile phone capabilities and Internet access. Smartphone operating systems provide a platform for application developers to develop and distribute 3rd party applications on the device. Thus, they combine the functions of a cell phone, camera and personal digital assistant (PDA) for email, calendar and contacts syncing with email and other applications (apps) on the device. Tablets also offer similar functionality but typically do not include cell phone calling capabilities.

Growth in demand and use of advanced mobile devices boasting powerful processors, abundant memory, larger screens, and apps has outpaced the rest of the cell phone market for several years. Smart devices are important tools in today’s highly mobile workforce.
 

View the full policy here.


Connections to Our Network

We have a constant problem maintaining the database of hardware and location definitions. Occasionally, equipment ends up in other diocese locations where the device is not configured to work. Similar problems have occurred with PCs brought in from other locations.

Equipment not properly configured can cause undeterminable problems at the workstation level and possible network outages. The inability to locate a failing device, because it has been physically moved, or installed without permission, prolongs the time to problem resolution while we have to physically survey each network connection to identify the failing device.

For these reasons no equipment may be connected or disconnected from the network without the approval of IT.

Each user is responsible for ensuring that their use of modems or outside networks, where not already prohibited herein, does not compromise the security of the Archdiocese networks, systems, data, or operational abilities. This responsibility requires that users take every precaution to prohibit unauthorized access, the introduction or spread of viruses, and the creation of a security exposure.

All employees who become aware of misuse or violation of any IT policy have a positive duty to immediately report the incident to the Director of the Office of Information Technology.