Here's the <Company> Computer Security policy. For your convenience, we've included the legal interpretation in black type and the <Company> user-friendly interpretation in blue!
Your computer terminal, PC, systems and networks are the property of <Company>.
All computer related activity must be directly related to providing greater
value for the shareholders of this company. Your computer related activities
must NOT intentionally compromise the company's ability to carry on operations,
compromise security of its assets or information, be used for personal financial
gain, or at the expense or well being of any of <Company>'s employees,
suppliers or customers.
Computer equipment is owned and provided by <Company>.
Please use the equipment for <Company> business only. Don't try to circumvent
or compromise security.
Permission
Your use of computer equipment and facilities must be authorized by the owner
of the information or a senior manager. You must obtain permission to use another's
computer, account or user id from the owner of the account, who is responsible
for its use. All electronic files belong to somebody. You should assume them
to be private and confidential unless the owner has explicitly made them available
to others.
Don't look at other people's files unless they tell
you it's okay to do so!
Data Ownership
You are the owner of your data and it is your responsibility to ensure that
it is adequately protected against unauthorized access. That means that you
must avail yourself of the access controls and other security measures that
the company has provided for you and take prudent and responsible steps to limit
access to your passwords and accounts. Never leave your desktop "signed
on". When you leave for lunch, a break or at the end of the day, sign off
your PC. Leaving PCs "signed on" and unattended is an invitation
for anyone to access your files or use your system identity without your knowledge.
You are ultimately responsible for all activities done with your userid. Protect
it.
Don't share your user id or passwords.
Mainframe Data Ownership
All data resident on <Company> mainframes is the sole property of <Company>.
You may not download, transfer or otherwise distribute files outside <Company>
without express permission from the senior IT executive. Information intended
as Sales related (product information or information concerning the customer
ordering process) or for Government compliance (MSDS, Audits) is exempted.
Data Backup
You are responsible for the proper backup of all personal data residing on the
hard drive of your computer. The Systems department is responsible for backup
of all data residing on network servers and mainframes.
If your data isn't on the Network servers or mainframe,
backup is YOUR responsibility. The Helpdesk can advise you how to store your
files on our Network servers.
Password Security
Keep your passwords and accounts confidential. You should change your passwords
frequently and avoid using your name, your spouse's or friends' names or a password
that could be easily guessed. Do not leave your PC or Terminal unattended without
logging out first. It is every <Company> employee's responsibility to
secure data on their PCs and Networks.
Passwords should be:
· A minimum of 6 characters in length
· Should not be a proper name or date
· Should contain a mixture of letters and numbers
· Should never be shared with another employee
· Should never be written down and stored in or around your desk.
· Should be changed at least 3 times per year (NOTES, Network and RAS access
if any).
Unauthorized Access to Files and Directories
You must not engage in any activity that is intended to circumvent computer
security controls. That means you must not attempt to crack passwords, to discover
unprotected files or to decode or make visible, hidden, system or encrypted
files. This includes creating, modifying or executing programs that are designed
to surreptitiously penetrate computer systems. You must not access the accounts
of others with the intent to read, browse, modify, copy or delete files or directories
unless you have specific authorization to do so. Do not use any account for
a purpose not authorized when the account was established, including personal
and commercial use.
Don't try to get around existing security measures.
Don't pry into other people's files. Always use your OWN userid when accessing
systems.
Unauthorized Use of Software
All software should be requested through the Helpdesk for several reasons:
· <Company> can negotiate corporate discounts for software, which everyone
can take advantage of
· If the Helpdesk orders the software, they can also schedule the installation
on your desktop/laptop
· By centrally purchasing software, the company can more easily track licenses
- otherwise the responsibility rests with the end-user.
· We can more easily manage versions of the same software to ensure file version
compatibility within our company.
You are prohibited from downloading from the web or FTP server and loading any software on any computer system without approval from the IT department and your supervisor. That includes commercial, shareware, and freeware software. All software to be used on company computers can only be installed by the IT Department, following all licensing agreements and procedures. The IT staff will inspect the computers periodically to verify that only approved and licensed software has been installed. Vendor licensing regulations will be followed for all commercial software downloaded over the Internet. Trial versions of programs should be deleted after the trial period, or the software should be procured through approved procedures. It is the responsibility of each employee (managed by the unit Controller) to show proof of purchase for any non-standard software installed on any PC in his or her facility. This includes MS Project, Visio, and CAD applications, among others.
Further you are expressly prohibited from using the company computer and equipment
to make illegal copies of licensed or copyrighted software. Copyrighted software
must only be used in accordance with its license or purchase agreement. You
do not have the right to own or use unauthorized copies of software or make
unauthorized copies of software for yourself or anyone else. You are prohibited
from using software that is designed to destroy data, provide unauthorized access
to the computer systems or disrupt computing processes in any other way. Using
viruses, worms, Trojan Horses and any other form of invasive software is expressly
forbidden. Violation of this policy may result in disciplinary action.
Use your <Company> computer with the software
provided. Don't load your own software without express permission from the IT
Department and your supervisor. Do not make illegal copies of software.
All employees are required to use the anti-virus software installed on your
system. You are prohibited from tampering with this software or turning it off.
All disks that are inserted into the company's computers must first be scanned
for viruses or signs of other forms of malicious software.
Don't disable the anti-virus software that is loaded
on your computer. Inform your IT Department immediately if the anti-virus software
is not configured to check all discs inserted into the floppy drive.
Use for For-Profit Activities
The company's computer systems are for the sole use of the company. You are
prohibited from using the company's computer systems for personal or private
financial gain, unless that use has been specifically authorized.
<Company> computers are for <Company> business
ONLY.
Harassment
Do not use the company's computer systems to harass anyone. This includes the
use of insulting, racist, obscene, or suggestive electronic mail; tampering
with others' files; and invasive access to others' equipment. In addition, users
of any electronic communication facilities, such as electronic mail, networks,
bulletin boards, and newsgroups, are obliged to comply with the restrictions
and acceptable practices established for those specific facilities. Certain
types of communications are expressly forbidden. This includes the random mailing
of messages, the sending of obscene, harassing or threatening material; or the
use of the facilities for commercial or political purposes.
Use common courtesy when using emails.
Theft
All hardware, software and computer related supplies and documentation are the
sole property of the company. They must not be removed from the company without
proper authorization. All hardware, software and computer related supplies must
be disposed of within the guidelines established by authorized company computer
system personnel.
Be careful NOT to throw away computer disks that contain information. Diskettes
and computer tapes should be erased prior to disposal.
When disposing of computer related materials, like
printed reports or diskettes, make sure they don't contain sensitive information!
If they do, shred the reports or format the diskettes.
Waste & Abuse
You must avoid any activity around your workstation or laptop that may result
in damage to your computer, software or information. The company's computer
systems are a valuable resource and they must not be wasted or abused. Be considerate
of your fellow workers if you must share computer resources. Avoid monopolizing
systems, connect time, printers, disk space and other computer resources.
Using the company's computer systems to store personal data and to play computer
games is not permitted.
Don't be a systems resource hog! Please play games
on your home computer, not ours.
Networks
Do not use company owned or any other network accessible by company computers, whether
local, national or international, for any activity other than company-related
business. This includes but is not limited to, surfing the Internet, engaging
in online discussions in newsgroups and bulletin board services; attempting
to access other computer systems without authorization; posting commercial messages;
and transmitting viruses, worms or other invasive software.
Use company computers and equipment for company business
only.
The Information Technology department has sole responsibility for the operation,
access, services, specifications, performance management, security and server
software run on our shared Global network. The reasons for this are:
IT needs to know what's running on our networks for operations planning, bandwidth
management, security, support and manageability of all devices, services and
protocols.
Under some conditions, IT will allow (as in the case of software development
engineering) for standalone networks to be built and managed by others. This
is done with the prior approval of IT and with the understanding that those
operating the standalone networks are solely responsible for the support of
that network, the backup of data and all devices attached to it. Under no circumstances
will "test/development environment" networks be connected to our production
environment.
Wide Area Network (WAN) services and connections may only be ordered and managed
by IT. This function is managed globally under a worldwide Corporate contract,
and it is imperative that it be managed centrally to obtain Global pricing
and to assure proper communications connections and router configurations.
Enforcement
The company will investigate any alleged abuses of its computer resources. As
part of that investigation, the company may access the electronic files of its
employees. If the investigation indicates that computer privileges have been
violated, the company may limit the access of employees found to be using computer
systems improperly. Further, the company may refer abuse to senior managers
or law enforcement authorities. Although the company wishes to ensure that the
privacy of all its employees is protected, in the course of its investigation,
the company may reveal private, employee related information to other employees.
Any files stored on <Company>'s systems MAY have
their privacy compromised in the event of a security or abuse investigation.
Your Responsibility
You are responsible for your own actions. Should you violate the company's computer-use
guidelines, you will be disciplined and, in the case of extreme abuse or disregard
of the guidelines, your employment may be terminated. You are also required
to participate in assuring the legal and ethical use of company computers and
user accounts. Any violation of these guidelines should be reported to your
supervisor or a senior manager.
Play by the rules or suffer the consequences!
Workplace Monitoring
The company has the obligation to ensure that its computer resources are used
properly and within the guidelines established by the company. In pursuit of
that goal, the company reserves the right to monitor our systems and services
(such as Internet access) for signs of illegal or unauthorized activity.
We can check on how our systems are being used from
time to time.
Moving Computers
All IT computing equipment is properly accounted for by the <Company>
Accounting department and the IT department. Computing equipment should not
be relocated without the assistance of the IT department.
Don't move your computer without notifying the Help
Desk.
Non-Expressly Prohibited Activities
The fact that an activity is not expressly prohibited by this policy does not mean
that it is implicitly authorized. Any computer-related activity that jeopardizes
company operations, security or assets, or adversely affects the well-being of
its employees, is forbidden.
If you're not sure whether what you want to do is okay
- ask first!
Global Application of IT Policies
The policies that appear within this section are written for a North American
audience. These policies are written to provide our worldwide employees with
an understanding of how to use technology within <Company> and what constitutes
acceptable and unacceptable behaviors.
In cases where these policies could potentially violate local national laws,
(for example, employee privacy, system & employee monitoring or potential
employee disciplinary actions) they will be administered in accordance with
the laws of the employee's country.
Internet and Web Use Policy
1. The use of the Internet is a privilege provided by the company. No employee should have expectations of privacy as to his or her Internet usage. Management reserves the right to analyze Internet activity and usage patterns as well as grant or deny Internet access at their discretion without prior notification.
2. Any personal use must not interfere with normal business activities, must
not involve solicitation, must not be associated with any for-profit outside
business activity, and must not potentially embarrass the company.
3. The display of any kind of sexually explicit images or documents on any company system is a violation of Company policy. In addition, sexually explicit material may not be downloaded, archived, stored, distributed, edited or recorded using our network or computing resources.
4. When communicating via e-mail over the Internet, your e-mail address contains
a company-related domain name (firstname_lastname@
5. Employees are reminded that discussion groups, chat rooms and newsgroups are public forums. It is inappropriate to reveal confidential company information, customer data, trade secrets, and any other material covered by existing company communication policies in these forums.
6. Each employee using the company Internet system shall identify him or herself honestly, accurately and completely when participating in discussion groups, chat rooms, or newsgroups.
7. All existing company policies apply to one's conduct on the Internet including, but not limited to, activities which would be considered sexual harassment, discriminatory or inflammatory communication toward others based on race, color, national origin, gender, marital status, sexual orientation, age, disability, or religious or political beliefs.
8. Company communications systems and equipment, including electronic mail and
Internet systems, along with their associated hardware and software, are for
official and authorized purposes only. Managers may authorize incidental use
which: does not interfere with the performance or professional duties; is of
reasonable duration and frequency; serves a legitimate company interest, such
as enhancing professional interests or education; and does not overburden the
system or create any unreasonable additional expense to the company.
9. Access to the Internet from a company-owned home computer or through company-owned
connections must adhere to all the same policies that apply to use from within
company facilities. Employees should not allow family members or other non-employees
to access company computer systems.
10. It is impossible to define all possible unauthorized use; therefore, disciplinary
action may occur after other actions if the circumstances warrant it. Examples
of other behavior deemed unacceptable which would result in disciplinary action
include:
Unauthorized attempts to break into any computer.
Using company time and resources for personal gain.
Theft or copying electronic files without permission.
Sending or posting company confidential files outside the company or inside the company to unauthorized personnel.
Refusing to cooperate with a reasonable security investigation.
Sending chain letters through e-mail.
11. Managers are responsible for ensuring that assigned personnel understand
Internet acceptable use policy.
12. Web pages must follow existing approval procedures regarding company documents,
reports, memos, marketing information, etc. All content on company WWW servers
connected to the Internet must be approved by the persons responsible for the
content. No confidential material may be made available on the Web site.
13. Users are forbidden to download, install or run Web server software. The
senior IT executive must approve the operation of any web server.
14. All users who require access to Internet services must do so by using company-approved
software and Internet gateways. All other forms of Internet access (such as
via dial-out modems) from sites connected to the company WAN are prohibited.
15. A firewall has been placed between our private networks and the Internet
to protect our systems. Employees must not circumvent the firewall by using
modems or network tunneling software to connect to the Internet.
16. Some protocols have been blocked or redirected. If you have a business need
for a particular protocol, you must raise the issue with your manager and the
IT Help Desk.
17. You are responsible for your own actions. Should you violate the company's
guidelines, you will be disciplined and, in the case of extreme abuse or disregard
of the guidelines, your employment may be terminated. You are also required
to participate in assuring the legal and ethical use of company computers and
user accounts. Any violation of these guidelines should be reported to your
supervisor or a senior manager.
Global Application of IT Policies
The policies that appear within this chapter are written for a North American
audience. These policies are written to provide our worldwide employees with
an understanding of how to use technology within <Company> and what constitutes
acceptable and unacceptable behaviors.
In cases where these policies could potentially violate local national laws, (for example, employee privacy, system & employee monitoring or potential employee disciplinary actions) they will be administered in accordance with the laws of the employee's country.
Electronic Communications Policy
Company Property
As a productivity enhancement tool, <Company> encourages the business
use of electronic communications (notably voice mail, electronic mail, and fax).
Electronic communications systems, and all messages generated on or handled
by electronic communications systems, including back-up copies, are considered
to be the property of <Company>, and are not the property of users of
the electronic communications services.
Use email, but remember that you're using a company
owned & operated system.
Authorized Usage
<Company> electronic communications systems generally must be used only
for business activities. Incidental personal use is permissible so long as:
(a) it does not consume more than a trivial amount of resources, (b) does not
interfere with worker productivity, and (c) does not preempt any business activity.
Users are forbidden from using <Company> electronic communication systems
for charitable endeavors, private business activities, or amusement/entertainment
purposes. Employees are reminded that the use of corporate resources, including
electronic communications, should never create either the appearance or the
reality of inappropriate use. Sending unsolicited junk mail, chain letters,
electronic greetings and jokes via the company e-mail system should be discouraged.
You can use email occasionally for personal reasons
(excluding running a personal business!) as long as it doesn't interfere with
your job performance.
Default Privileges
Employee privileges on electronic communication systems must be assigned such
that only those capabilities necessary to perform a job are granted. This approach
is widely known as the concept of "need-to-know." For example, end-users
must not be able to reprogram electronic mail system software. With the exception
of emergencies and regular system maintenance notices, broadcast facilities
must be used only after the permission of a department manager has been obtained.
You will be provided the rights to perform the work
you need to accomplish.
User Separation
Where electronic communications systems provide the ability to separate the
activities of different users, these facilities must be implemented. For example,
electronic mail systems must employ user-IDs and associated passwords to isolate
the communications of different users. But fax machines that do not have separate
mailboxes for different recipients need not support such user separation.
Everyone will receive his or her own unique email user
id.
User Accountability
Regardless of the circumstances, individual passwords must never be shared or
revealed to anyone else besides the authorized user. To do so exposes the authorized
user to responsibility for actions the other party takes with the password.
If users need to share computer resident data, they should utilize message forwarding
facilities, public directories on local area network servers, and other authorized
information-sharing mechanisms. To prevent unauthorized parties from obtaining
access to electronic communications, users must choose passwords that are
difficult to guess (not a dictionary word, not a personal detail, and not a
reflection of work activities).
You may not share one email id among a group of people.
You don't share your bank card PIN numbers, do you?
No Default Protection
Employees are reminded that <Company> electronic communications systems
are not encrypted by default. If sensitive information must be sent by electronic
communication systems, encryption or similar technologies to protect the data
must be employed.
Using email is no more or less secure than writing
on a piece of paper.
Respecting Privacy Rights
Except as otherwise specifically provided, employees may not intercept or disclose,
or assist in intercepting or disclosing, electronic communications. <Company>
is committed to respecting the rights of its employees, including their reasonable
expectation of privacy. <Company> also is responsible for servicing and
protecting its electronic communications networks. To accomplish this, it is
occasionally necessary to intercept or disclose, or assist in intercepting or
disclosing, electronic communications.
No Guaranteed Message Privacy
<Company> cannot guarantee that electronic communications will be private.
Employees should be aware that electronic communications could, depending on
the technology, be forwarded, intercepted, printed, and stored by others. Furthermore,
others can access electronic communications in accordance with this policy.
Assume that all your email communications are public.
Your messages can be forwarded, printed and stored.
Regular Message Monitoring
It is the policy of <Company> NOT to regularly monitor the content of
electronic communications. However, the content of electronic communications
may be monitored and the usage of electronic communications systems will be
monitored to support operational, maintenance, auditing, security, and investigative
activities. Users should structure their electronic communications in recognition
of the fact that <Company> will from time to time examine the content
of electronic communications.
Occasionally, email systems (including email content)
will be monitored by Technical staff in the performance of normal systems maintenance.
Statistical Data
Consistent with generally accepted business practice, <Company> collects
statistical data about electronic communications. As an example, call detail
reporting information collected by telephone switching systems indicates the
numbers dialed, the duration of calls, the time of day when calls are placed,
etc. Using such information, technical support personnel monitor the use of
electronic communications to ensure the ongoing availability and reliability
of these systems.
Systems technical support may track all company email
activity, in the same way that your phone company keeps track of your personal
long distance calls.
Incidental Disclosure
It may be necessary for technical support personnel to review the content of
an individual employee's communications during the course of problem resolution.
Technical support personnel may not review the content of an individual employee's
communications out of personal curiosity or at the behest of individuals who
have not gone through proper approval channels.
When resolving an email problem, technical support
people could accidentally view the content of one of your emails.
Message Forwarding
Recognizing that some information is intended for specific individuals and may
not be appropriate for general distribution, electronic communications users
should exercise caution when forwarding messages. <Company> sensitive
information must not be forwarded to any party outside <Company> without
the prior approval of a local department manager. Blanket forwarding of messages
to parties outside <Company> is prohibited unless the prior permission
of your supervisor has been obtained.
Be careful who you forward messages to. Respect the
privacy of the person who sent you the message.
Purging Electronic Messages
Messages no longer needed for business purposes must be periodically purged
by users from their personal electronic message storage areas. After a certain
period -- generally six months -- electronic messages backed-up to a separate
data storage media (tape, disk, CD-ROM, etc.) will be automatically deleted
by systems administration staff. Not only will this increase scarce storage
space, it will also simplify records management and related activities.
Personal mailbox size will be limited to 100 MB. Once your mailbox reaches this point, your e-mail functionality
will be affected.
Inbound (internet) e-mails will be limited to 5 MB in size. Any emails exceeding
the 5 MB size will be returned to sender as "undeliverable."
Internal e-mails will be limited to 5 MB in size. IT will offer some alternative
solutions (Winzip, FTP services) for those individuals who need to send/receive
large files.
Keep your email room clean.
Temporary Email Users
If the company provides access to electronic mail to external users such as
consultants, temporary employees, or partners, they must read and sign the electronic
communications policy statement.
Do Not Share
Users must not allow anyone else to send email using their accounts. This includes
their supervisors, secretaries, assistants and any other subordinates.
POLICY FOR INSTANT MESSAGING
The use of Consumer IM products (e.g. MSN and Yahoo!) is permitted for intercompany
use (non-<Company> partners). The interaction with external, non-authenticated
services opens channels for the inadvertent or deliberate exchange of Intellectual
Property. Therefore, all the principles outlined in <Company>'s Electronic
Communications and Internet Usage Policies apply to Instant Messaging.
The preferred methods of electronic File Transfer are either email or FTP (file transfer protocol). Both are better suited for attachments, are designed to handle higher bandwidth communications, and can regulate acceptable file sizes.
Global Application of IT Policies
The policies that appear within this chapter are written for a North American
audience. These policies are written to provide our worldwide employees with
an understanding of how to use technology within <Company> and what constitutes
acceptable and unacceptable behaviors.
In cases where these policies could potentially violate local national laws, (for example, employee privacy, system & employee monitoring or potential employee disciplinary actions) they will be administered in accordance with the laws of the employee's country.