1. PURPOSE

The purpose of this policy is to define standards for exceptions allowed on the web filter device.  The web filter device serves as a method of systems monitoring and a stop-gap for risky internet behavior from any host within the network. These standards are designed to ensure employees use the internet in a safe and responsible manner and reduce the risk of a compromise to any host on the network.

2. SCOPE

  • This policy applies to all employees, contractors, vendors and agents with a St Paul-owned or personally-owned computer or workstation connected to the St Paul network.
  • This policy applies to all end user initiated communications between St Paul’s network and the Internet, including web browsing, instant messaging, file transfer, file sharing, and other standard and proprietary protocols.
  • Web filtering applies to all devices using credentials on the St Paul domain.  Web filtering exceptions will not apply to public devices that are not connected to St Paul Domain. Publicly available computers on Guest networks are filtered through OpenDNS.
  • Server to Server communications, such as email traffic, backups, automated data transfers or database communications are excluded from this policy.

3. DEFINITIONS

A web filtering device is an appliance or software used to filter internet traffic for content.  St Paul utilizes Meraki hardware and software for firewall monitoring; the firewall monitors and filters traffic by URL and application, and can identify and monitor protocols.  A website classification service is used to categorize websites, and rules are then set up on the firewall to block sites that fall into a blocked category.

When properly configured, a firewall is the first line of defense for a network as it can identify and sometimes prevent intrusion from malicious sources.  Although a firewall can be highly effective, it is important that users continue to use common sense when accessing the internet.

4. POLICY

4.1 Web Site Monitoring

St Paul has the right to monitor internet use from all computers and devices connected to the corporate network. Please see Section 3.1 in the Internet Usage Policy.

4.2 Internet Use Filtering System

St Paul has the right to block access to Internet websites and protocols that are deemed inappropriate for St Paul’s corporate environment as referenced in Section 3.2 of the Internet Usage Policy.

Blocked Sites

The following protocols and categories of websites will be blocked:

  • Adult/Sexually Explicit Material
  • Advertisements & Pop-Ups
  • Auctions
  • Chat and Instant Messaging
  • Cult and occult
  • Dead sites
  • Gambling
  • Games
  • Illegal Drugs
  • Intimate Apparel and Swimwear
  • Peer to Peer File Sharing
  • Personals and Dating
  • Malicious sites including bot-nets, keyloggers, SPAM, Dynamic Content, Phishing, Fraud and Spyware
  • Software Downloads
  • Social Networking full access
  • Tasteless and Offensive Content
  • Violence, Intolerance and Hate

Allowable Sites for Legitimate Business Purposes

Some sites may be needed for legitimate business purposes, but are not available to all users based on the Internet Usage Policy. Business related purposes are defined by the following criteria:

  1. The site is used specifically for the positive promotion and visibility of St Paul on the internet and the corresponding accounts necessary to manage St Paul’s internet presence.
  2. The site is used specifically for client or resident programming.
  3. The site is considered comparable in security risk to other allowed sites and will be used in accordance with current internal HIPAA policies.
  4. An alternative solution cannot be provided by Parasol Alliance.

Categories that may have exceptions for some departments or users include:

  • File Sharing
  • Social Networking base access
  • Software Downloads
  • Streaming
  • Personal Webmail

4.3 Limitations of Internet Filtering

Occasionally, portions of sites may be blocked or will fail to load if an element on the page falls into one of the above categories.  As a result, a blocked message may appear in place of the element, or the webpage may fail to load properly.  Although Parasol Alliance will strive to correct issues in the appearance of an allowed webpage by providing alternative viewing methods, blocked sites will not be unblocked in order to correct the appearance of a webpage.

4.4 Internet Filtering Rule Changes

Parasol Alliance shall periodically review and recommend changes to web and protocol filtering rules. Changes to web and protocol filtering rules will be recorded in the Internet Use Monitoring and Filtering Policy and department managers will be notified of this change in order to inform their staff.

4.5 Exceptions

Employees may be granted access to blocked sites if appropriate and necessary for business purposes and if the website meets HIPAA and security standards.  Exceptions will not apply to any third-party contractors who need to access files or information from their parent organization when the method of transfer is currently blocked. All exception requests should be made by sending a ticket to the Parasol Alliance at support@parasolalliance.com and require executive approval.

Upon receipt of the ticket, the request will be reviewed and a risk assessment performed.  If the requested resource is business related and low risk, the exception will be implemented and the requestor and manager notified once access is granted.  If the requested resources are deemed by St Paul to entail risk to the company, further discussions, justification and documentation may be required.  In some cases, St Paul will grant access agency-wide to a resource (e.g. a reference site like www.drugs.com).

4.5.1 Exception review

All exception requests must meet the following criteria and any additional criteria listed under the specific categories in Appendix A:

  • The exception request may not compromise HIPAA compliance or require a Business Associates agreement.
  • The exception request may not violate the Internet Usage Policy except in cases where there is a clear business related benefit to the exception.
  • The exception request may not create unnecessary risk of client or network exposure to malicious internet content.
  • The exception request may not overextend network resources and bandwidth; managers will be notified of the change so they can inform their staff.
  • The exception request will be assessed for risk based on the category, threat assessment, vulnerability, the likelihood that the site will cause a security threat and the potential impact.

4.6 Subsequent reviews

All exceptions are subject to periodic review.  High risk exceptions must have a specific review date, and must be re-submitted to keep the exception in place.

5. Enforcement

St Paul may request that their IT vendor periodically review Internet use monitoring and filtering systems and processes to ensure they follow this policy.  Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment (Section 3.5 Non-Compliance, Internet Usage Policy).

5.1 Required Training

Employees who have access to sites within the Social Media, Streaming and Web Based Email categories will be required to attend a biannual internet safety and HIPAA compliance program as provided by St Paul.  If the employee is unable to attend the training session, the web filtering exceptions will be removed until the employee can arrange a training session with IT.

Appendix A: Exception Criteria

Adult/Sexually Explicit Material

  • This category includes all adult or sexually explicit material and sites used to sell or display intimate apparel.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.3, 5, 7, 8, 11, 13, 15, 19). Additional risk includes the prevalence of malicious software and links resulting in a compromise of the local host/network.
  • Exception criteria: Sites categorized as Adult/Sexually Explicit Material must be categorized incorrectly for an exception to be approved.  After it is determined that the site is categorized incorrectly, a risk assessment on the specific site will be conducted.

Advertisements & Pop-Ups

  • Includes advertisements and pop-up windows from specific sites that serve ads to websites.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.13). Additional risk includes the prevalence of malicious software and links resulting in a compromise of the local host/network.
  • Exception criteria: A site in this category may be allowed if the site is categorized incorrectly.

Auctions

  • Includes online auction sites.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.7, 15 & 20) as there is little business related need for access. Limited additional risk exists.
  • Exception criteria: A site in this category may be allowed if the site is categorized incorrectly or if there is a legitimate, business related need.

Chat and Instant Messaging

  • Includes chat rooms and instant messengers such as Google Chat, IRC, Snapchat and ChatRoulette.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.13, 15). Additionally, the ability to upload and exchange photos and transfer information by this method makes discovery of the transferred information, as required by HIPAA regulations, impossible.  Use of such sites increases the risk of a data breach by an insider.  Chat and instant messengers are also a popular tool for compromising the local machine.
  • Exception criteria: A site in this category may be allowed if the site is categorized incorrectly.

Cult and occult

  • Description: Includes sites pertaining to astrology, spells, curses, magic powers, satanic or supernatural beings. Includes horoscope sites.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.1, 7, 12 & 15).
  • Exception criteria: A site in this category may be allowed if the site is categorized incorrectly.

Dead sites

  • Sites that are no longer maintained.
  • Risk: This type of site is blocked as a preventative measure.
  • Exception criteria: A site in this category may be allowed if the site is categorized incorrectly or if there is a legitimate, business related need.

Gambling

  • Includes online gambling and betting.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.1, 3, 6, 7, 12 & 15) as there is little business related need for access.
  • Exception criteria: A site in this category may be allowed if the site is categorized incorrectly.

Games

  • Includes online gaming and games
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.3, 6, 7, 12, 13, 15 & 19) as there is little business related need for access.
  • Exception criteria: A site in this category may be allowed if the site is categorized incorrectly.  As all sites/departments that would benefit from this type of site have a way of accessing gaming sites that are off of the St Paul domain, this category will not have additional exceptions.

Illegal Drugs

  • Includes sites specifically containing information and paraphernalia for drug use.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.1, 3, 7, 11 & 13).
  • Exception criteria: A site in this category may be allowed if the site is categorized incorrectly.  On rare occasions, a legitimate drug company or legal drug related information may be blocked.

Peer to Peer File Sharing

  • Includes file sharing sites such as Google Docs and Dropbox.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.1, 2, 3, 6, 7, 8, 11, 13, 14, 15, 16 & 17). Many file sharing sites are specifically used for sharing material that is covered by copyright laws.  Other uses, such as easy access to files at multiple locations, may have a legitimate business purpose; however, most file sharing sites specifically state that they are not HIPAA compliant.  Any upload of ePHI requires St Paul to report a potential breach.  Additionally, the ability to upload and exchange photos and transfer information by this method makes discovery of the transferred information, as required by HIPAA regulations, impossible.  Use of such sites increases the risk of a data breach by an insider.
  • Exception criteria: A site in this category may be allowed if the site is categorized incorrectly.  This type of site must comply with HIPAA and a Business Associates agreement may be required.

Personals and Dating

  • Includes online dating sites.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.3, 4, 5, 6, 7, 8, 10, 11 & 15) and no business related need for access exists.
  • Exception criteria: A site in this category may be allowed if the site is categorized incorrectly.

Malicious, Bot-nets, Keyloggers, SPAM, Dynamic Content, Phishing and Fraud and Spyware

  • Sites that host and/or distribute malicious software or engage in behavior specifically for the collection of confidential information.
  • Risk: This policy is to be implemented in accordance with HIPAA regulation 164.308(a)(5)(ii)(B), which states that compliant organizations must apply procedures for guarding against, detecting and reporting malicious software. These sites violate the Internet Usage Policy (all sections of 3.3 are applicable).  This type of site is blocked as a preventative measure because the sites have been identified as serving malicious content.  These sites are high risk for compromise of both the local host and the network.
  • Exception criteria: This category can be allowed if the site is categorized incorrectly.

Social Network Services

  • Includes sites such as Facebook or Twitter.
  • Risk: These sites will be available for limited use. The Marketing and Development Departments will have extended usage rights. Caution should be taken when using social networking sites as phishing attacks are extremely common.  In this type of attack, a user is encouraged to reveal their password or provide identifiable information in order for the attacker to take control of their account.  Compromised accounts can result in malicious, inflammatory, politically motivated and/or derogatory comments posted on the company’s social networking accounts.
  • Exception criteria: Exceptions will be made for the members of the marketing and development departments responsible for the management of social media.  All social media requests must go through the marketing department for approval.  The Parasol Alliance reserves the right to disable social media rights at any time, by individual or agency-wide.  Management will be made aware of this decision and why access has been disabled.

Software Downloads

  • Includes all software downloads and software updates.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.11-17 and 20 and 3.4) as the websites take up a significant portion of the available bandwidth.  The bandwidth required to stream music and videos can be a significant tax on the network.  Consequences of excessive bandwidth use by several users may include slow internet and web applications for all users and/or disruption of services.
  • Exception criteria: Exceptions will be made for Life Enrichment Services, Learning and Marketing.  Other users may be granted access if there is a long-term business need.  The bandwidth use of users with access to streaming will be monitored for abuse.

Streaming

  • Includes music and video streaming from sites like YouTube, Amazon, Pandora and Netflix.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.11-17 and 20) as the websites take up a significant portion of the available bandwidth.  The bandwidth required to stream music and videos can be a significant tax on the network.  Consequences of excessive bandwidth use by several users may include slow internet and web applications for all users and/or disruption of services.
  • Exception criteria: Exceptions will be made for Life Enrichment Services, Learning and Marketing.  All users will have limited rights to some streaming sites.  The bandwidth use of users with access to streaming will be monitored for abuse and the Parasol Alliance reserves the right to disable access by user or agency wide.

Tasteless and Offensive Content; Violence, Intolerance and Hate

  • These categories are self-descriptive. The sites have been categorized as such based on the extreme nature of the sites.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.3, 5, 7, 8, 11, 13, 15, 19). Additional risk includes the prevalence of malicious software and links resulting in a compromise of the local host/network.
  • Exception criteria: Sites in these categories must be categorized incorrectly for an exception to be approved.  After it is determined that the site is categorized incorrectly, a risk assessment on the specific site will be conducted.

Web Based Email

  • Includes personal email access sites such as Gmail, Yahoo, AOL, Comcast, AT&T and all other email access portals.
  • Risk: These sites violate the Internet Usage Policy (Sections 3.3.1-3, 6-8, 11 and 13-17). For security purposes, and to maintain the HIPAA compliance standards of discoverability and the transfer of ePHI, all business related correspondence must be sent through the email accounts provided to an employee by St Paul. In addition to compliance concerns, access to personal email places the network at high risk of being compromised by factors that the agency has no control over. The spam filtering service used by St Paul to mitigate the risk of malicious and persistent attacks such as Trojans and worms cannot filter employees' personal email; in the event of such an incident, this limits the ability of the Parasol Alliance to correct the infection and increases the risk of reinfection. A breach of this type would need to be disclosed and would require a forensic network analysis.
  • Exception criteria: A site in this category may be allowed if the site is categorized incorrectly.  This type of site must comply with HIPAA and a Business Associates agreement may be required.