Internet & Cell Phone Usage Policy

Transcription

1 Internet & Cell Phone Usage Policy The Internet usage Policy applies to all Internet & Cell phone users (individuals working for the company, including permanent full-time and part-time employees, contract workers, temporary agency workers, business partners, and vendors) who access the Internet through these computing or networking resources. The company's Internet users are expected to be familiar with and to comply with this policy, and are also required to use their common sense and exercise their good judgment while using Internet services. Within this document, the term Internet is used to reference all electronic communications which access the Internet, including web sites, Internet Relay Chat (IRC), message boards, or blogs. INTERNET SERVICES Access to the Internet will be provided to users to support business activities and only on an as needed basis to perform their jobs and professional roles. Internet services will be granted based on an employee s current job responsibilities. If an employee moves to another business unit or changes job functions, a new Internet access request must be submitted within 5 days. User Internet access requirements will be reviewed periodically by company departments to ensure that continuing needs exist. USAGE POLICIES Allowed Usage Internet usage is granted for the sole purpose of supporting business activities necessary to carry out job functions. All users must follow the corporate principles regarding resource usage and exercise good judgment in using the Internet. Questions should be addressed to the IT Department. Acceptable use of the Internet for performing job functions might include: Communication between employees and non-employees for business purposes; IT technical support downloading software upgrades and patches; Review of possible vendor web sites for product information; Reference regulatory or technical information. Research Internet Services Allowed: Capabilities for the following standard Internet services will be provided to users as needed: E- mail -- Send/receive messages to/from the Internet (with or without document attachments). Navigation -- WWW services as necessary for business purposes, using a hypertext transfer protocol (HTTP) browser tool. Full access to the Internet; limited access from the Internet to dedicated company public web servers only. File Transfer Protocol (FTP) -- Send data/files and receive in-bound data/files, as necessary for business purposes. Remote Desktop / Screen Sharing -- Standard Internet protocol for terminal emulation. Users are required to use only approved applications for Internet initiated contacts into the company or cloud based solutions. Management reserves the right to add or delete services as business needs change or conditions warrant. All other services will be considered unauthorized access to/from the Internet and will not be allowed. Personal Usage Using company computer resources to access the Internet for personal purposes, without approval from the user s manager and the IT department, may be considered cause for disciplinary action up to and including termination. All users of the Internet should be aware that the company network creates an audit log reflecting request for service, both in-bound and out-bound addresses, and is periodically reviewed. Users who choose to store or transmit personal information such as private keys, credit card

2 numbers or certificates or make use of Internet "wallets" do so at their own risk. The company is not responsible for any loss of information, such as information stored in the wallet, or any consequential loss of personal property. Prohibited Usage Information stored, or any consequential loss of personal property. Acquisition, storage, and dissemination of data which is illegal, pornographic, or which negatively depicts race, sex or creed is specifically prohibited. The company also prohibits the conduct of a business enterprise, political activity, engaging in any form of intelligence collection from our facilities, engaging in fraudulent activities, or knowingly disseminating false or otherwise libelous materials. Other activities that are strictly prohibited include, but are not limited to: Accessing company information that is not within the scope of one s work. This includes unauthorized reading of customer account information, unauthorized access of personnel file information, and accessing information that is not needed for the proper execution of job functions. Misusing, disclosing without proper authorization, or altering customer or personnel information. This includes making unauthorized changes to a personnel file or sharing electronic customer or personnel data with unauthorized personnel. Deliberate pointing or hyper-linking of company Web sites to other Internet/WWW sites whose content may be inconsistent with or in violation of the aims or policies of the company. Any conduct that would constitute or encourage a criminal offense, lead to civil liability, or otherwise violate any regulations, local, state, national or international law including without limitations US export control laws and regulations. Use, transmission, duplication, or voluntary receipt of material that infringes on the copyrights, trademarks, trade secrets, or patent rights of any person or organization. Assume that all materials on the Internet are copyright and/or patented unless specific notices state otherwise. Transmission of any proprietary, confidential, or otherwise sensitive information without the proper controls. Creation, posting, transmission, or voluntary receipt of any unlawful, offensive, libelous, threatening, harassing material, including but not limited to comments based on race, national origin, sex, sexual orientation, age, disability, religion, or political beliefs. Any form of gambling Accessing the internet, Texting or ing while driving. The use of camera phones, tablets or other audio or recording capable devices to record video or audio within the company is prohibited. This activity may constitute not only invasion of employees personal privacy, but may breach confidentiality of the company s protected information. Unless specifically authorized under the provisions of section 4.2, the following activities are also strictly prohibited: Unauthorized downloading or installing of any shareware programs, mobile applications or files for use without authorization in advance from the IT Department and the user s manager. Any ordering (shopping) of items or services on the Internet. Playing of any games. Forwarding of chain letters. Participation in any on-line contest or promotion. Acceptance of promotional gifts. Downloading or streaming of online music. Forwarding copywriten images, music or text without written consent of the author. Bandwidth both within the company and in connecting to the Internet is a shared, finite resource. Users must make reasonable efforts to use this resource in ways that do not negatively affect other employees. Specific departments may set guidelines on bandwidth use and resource allocation, and may ban the downloading of particular file types. If you have any questions about Acceptable Use, contact the IT Department

3 Cell Phone and Portable Device Usage Cell phone and portable device usage will be granted to all employees while at work in order to support business activities and only on an as needed basis to perform their jobs and professional roles. Usage Threats Internet & Cell Phone connectivity presents the company with new risks that must be addressed to safeguard the facility s vital information assets. These risks include: Inappropriate Use of Resources Access to the Internet and Cell Phones by personnel that is inconsistent with business needs will be considered as misuse of resources. These activities may adversely affect productivity due to time spent using or "surfing" the Internet, ing, or Texting. Additionally, the company may face loss of reputation and possible legal action through other types of misuse. Misleading or False Information All information found on the Internet or in s should be considered suspect until confirmed by another reliable source. There is no quality control process on the Internet, and a considerable amount of its information is outdated or inaccurate. Request & Approval Procedures All employees must submit their personal cell phone and portable devices for review prior to being used for any business activities. Request for Internet Access & Cell Phone Usage while at work As part of the Internet access request process, the employee is required to read both this Internet usage Policy and the associated Internet/Intranet Security Policy. The user must then sign the statements (located on the last page of each document) that he/she understands and agrees to comply with the policies. Users not complying with these policies could be subject to disciplinary action up to and including termination. Cell Phone usage while at work will only be provided to individuals when it is necessary for personal or family emergencies. Exceptions to this rule must be submitted in writing and approved by a department supervisor. Policy awareness and acknowledgment, by signing the acknowledgment form, is required before access will be granted. Approval Internet access is requested by the user or user s manager submitting an IT Access Request form to the IT department along with an attached copy of a signed Internet usage Coverage Acknowledgment Form. Removal of privileges Internet access will be discontinued upon termination of employee, completion of contract, end of service of non-employee, or disciplinary action arising from violation of this policy. In the case of a change in job function and/or transfer the original access code will be discontinued, and only reissued if necessary and a new request for access is approved. All user IDs that have been inactive for thirty (30) days will be revoked. The privileges granted to users must be reevaluated

4 by management annually. In response to feedback from management, systems administrators must promptly revoke all privileges no longer needed by users. The company reserves the right to disconnect devices or disable services without notification. Lost or Stolen Employees in possession of company equipment such as cell phones, laptops or tablets are expected to protect the equipment from loss, damage or theft. Lost or stolen devices must be reported to the company within 24 hours. Employees are responsible for notifying their personal mobile carrier immediately upon loss of a device. The company will not be responsible for the replacement costs of personal cell phones, laptops or tablets. Software License The company strongly supports strict adherence to software vendors license agreements. When at work, or when company computing or networking resources are employed, copying of software in a manner not consistent with the vendor s license is strictly forbidden. Questions regarding lawful versus unlawful copying should be referred to the IT Department for review or to request a ruling from the Legal Department before any copying is done. The company licenses the use of computer software from a variety of outside companies. The company does not own this software or its related documentation, and unless authorized by the software developer, does not have the right to reproduce it except for backup purposes. The company purchases computer workstations (desktops and laptops) configured with an approved suite of standard software tools from the manufacturer. This standard software suite includes operating system, office applications, and security tools (virus, firewall, SPAM, and other appropriate protection software). If an employee has a requirement for additional software tools loaded on the workstation, he/she must submit justification to the Chief Technology Officer (CTO) and receive approval before proceeding. Please refer to the company s Purchase Policy. Similarly, reproduction of materials available over the Internet must be done only with the written permission of the author or owner of the document. Unless permission from the copyright owner(s) is first obtained, making copies of material from magazines, journals, newsletters, other publications and online documents is forbidden unless this is both reasonable and customary. This notion of "fair use" is in keeping with international copyright laws. Using company computer resources to access the Internet for personal purposes, without approval from the user s manager and the IT department, may be considered cause for disciplinary action up to and including termination. All users of the Internet should be aware that the company network creates an audit log reflecting request for service, both in-bound and outbound addresses, and is periodically reviewed. Users who choose to store or transmit personal information such as private keys, credit card numbers or certificates or make use of Internet "wallets" do so at their own risk. The company is not responsible for any loss of information. Information Reliability All information acquired from the Internet must be considered suspect until confirmed by separate information from another source. Before using free Internet-supplied information for business decisionmaking purposes, employees should corroborate the information by consulting other sources. Virus Checking All non-text files downloaded from non-company sources through the Internet must be screened with current virus detection software prior to being used. Whenever an external provider of the software is not trusted, downloaded software must be tested on a stand-alone, non-production machine that has been recently backed up. Downloaded files must be decrypted and decompressed before being screened for viruses. The use of digital signatures to verify that a file has not been altered by unauthorized parties is

5 recommended, but this does not assure freedom from viruses, Trojan horses, and other problems. Spoofing Users Before employees release any internal company information, enter into any contracts, or order any products through public networks, the identity of the individuals and organizations contacted must be confirmed. Identity confirmation is ideally performed through digital signatures or digital certificates, but in cases where these are not available, other means such as letters of credit, third-party references, and telephone conversations may be used. User Anonymity Misrepresenting, obscuring, suppressing, or replacing a user s identity on the Internet or any company electronic communications system is forbidden. The user name, electronic mail address, organizational affiliation, and related information included with messages or postings must reflect the actual originator of the messages or postings. If users have a need to employ r ers or other anonymous facilities, they must do so on their own time, with their own information systems and Internet service provider accounts. Use of anonymous FTP logons, anonymous UUCP logons, HTTP or web browsing, and other access methods established with the expectation that users would be anonymous are not permissible. Electronic Mail Attachments Employees must not open electronic mail attachments unless they were expected from a trusted sender. When they are expected from a known and trusted sender, attachments must be scanned with a virus package prior to being opened. Responding to Information Requests Employees must never respond to unsolicited requests for personal information, including passwords or credit card numbers, from an electronic mail message. Any such message should be immediately reported to the Information Technology Security Office. Expectation of Privacy Monitoring Users should consider their Internet activities as periodically monitored and limit their activities accordingly. Management reserves the right to examine , personal file directories, web access, and other information stored on company computers, at any time and without notice. This examination ensures compliance with internal policies and assists with the management of company information systems. Confidentiality Users should be aware that clear text is not a confidential means of communication. The company cannot guarantee that electronic communications will be private. Employees should be aware that electronic communications can, depending on the technology, be forwarded, intercepted, printed, and stored by others. Users should also be aware that once an is transmitted it may be altered. Deleting an from an individual workstation will not eliminate it from the various systems across which it has been transmitted. All proprietary, or private information must not be sent over the Internet unless it has been encrypted by approved methods. Unless specifically known to be in the public domain, source code must always be encrypted before being sent over the Internet. Maintaining Corporate Image

6 Representation When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company". Questions may be addressed to the IT Department. Company Materials Users must not place company material (examples: internal memos, press releases, product or usage information, documentation, etc.) on any mailing list, public news group, or such service. Any posting of materials must be approved by the employee s manager and the public relations department and will be placed by an authorized individual. Creating Web Sites & Social Media Profile Pages All individuals and/or business units wishing to establish a WWW home page or Social Media Profile Pages must first develop business, implementation, and maintenance plans. Formal authorization must be obtained through the IT Department. This will maintain publishing and content standards needed to ensure consistency and appropriateness. In addition, contents of the material made available to the public through the Internet must be formally reviewed and approved before being published. All material should be submitted to the Corporate Communications Department for initial approval to continue. All company pages are owned by, and are the ultimate responsibility of, the Corporate Communications Department. All company web sites must be protected from unwanted intrusion through formal security measures which can be obtained from the IT department. Employees must not establish new Internet pages dealing with the company business, or make modifications to existing web pages dealing with the company business, unless they have obtained the approval of the Information Technology Relations and Marketing departments. Modifications include the addition of links to other sites, updating the information displayed, and altering the graphic layout of a page. This approval process will ensure that all posted material has a consistent and polished appearance, is aligned with business goals, and is protected with adequate security measures. Access Control Inbound User Authentication All users wishing to establish a real-time connection with internal computers through the Internet must employ a virtual private network (VPN) product approved by the IT Department that can encrypt all traffic exchanged. These VPN products also must authenticate remote users at a firewall before permitting access to the internal network. This authentication process must be achieved through a dynamic password system approved by the IT Department. Remote Machine Security Employees who have not installed required software patches or upgrades, or whose systems are virus-infested, must be disconnected immediately from the company network until they have reestablished a secure computing environment. The computers used by all employees employing VPN technology must be remotely scanned automatically to determine that the software is current and that the system has been properly secured. Restriction of Third-Party Access Inbound Internet access privileges must not be granted to third-party vendors, contractors, consultants, temporaries, outsourcing organization personnel or other third parties unless the

7 relevant system manager determines that these individuals have a legitimate business need for such access. These privileges must be enabled only for specific individuals and only for the time period required to accomplish approved tasks. Browser User Authentication Employees must not save fixed passwords in their web browsers or electronic mail clients. These fixed passwords must be provided each time that a browser or electronic mail client is invoked. Browser passwords may be saved if a boot password must be provided each time the computer is powered up, and if a screen saver password must be provided each time the system is inactive for a specified period of time. All computer users must refuse all offers by software to place a cookie on their computer so that they can automatically log on the next time that they visit a particular Internet site. Cookies that serve other purposes are permissible. Data Aggregators Users must not provide their Internet user IDs and passwords to data aggregators, data summarization and formatting services, or any other third parties. Internet Service Providers With the exception of telecommuters and mobile computer users, employees must not employ Internet service provider accounts, dial-up lines, and wireless devices to access the Internet with Palm Beach State computers. All Internet activity must pass through Palm Beach State firewalls so that access controls and related security mechanisms can be applied. Users must employ their Palm Beach State electronic mail address College related business. Use of a personal electronic mail address for this purpose is prohibited. Establishing Network Connections Unless the prior approval of the Information Technology department has been obtained, employees must not establish Internet or other external network connections that could permit non-company users to gain access to corporate systems and information. These connections include the establishment of multi-computer file systems, Internet pages, Internet commerce systems, FTP servers, and wireless access points. Conducting Business Over The Internet Unless advance approval of the purchasing department has been obtained, all employees must not purchase any goods or services through the Internet if these goods or services are offered by a business based in, or operating out of, a foreign country. Password Policy It is a company policy that all employees create a strong password and safeguard its confidentiality. At no time should the employee grant access to his/her account by providing someone else the password. Knowing another employee s User ID and password combination does not constitute authorization for access. Passwords for commonly administered systems and servers should be changed in accordance to program and company policy. There may be instances due to contractual or customer requirements in which program managers may place more stringent requirements on passwords. Periodic Reviews Usage Compliance Reviews

8 To ensure compliance with this policy, periodic reviews will be conducted. These reviews will include testing the degree of compliance with usage policies. Policy Maintenance Reviews Periodic reviews will be conducted to ensure the appropriateness and the effectiveness of usage policies. These reviews may result in the modification, addition, or deletion of usage policies to better suit company information needs. References Points of Contact Contact the IT Department if you need assistance regarding the topics related to Internet usage and Cell Phone usage. Notification Process If sensitive company information is lost, disclosed to unauthorized parties, or suspected of either, the employee s immediate supervisor must be notified immediately. If any unauthorized use of the company information systems has or is suspected of taking place, the employee s immediate supervisor must be notified immediately. Whenever passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed, the employee s immediate supervisor must be notified immediately. All unusual systems behavior, such as missing files, frequent system crashes, and misrouted messages must be immediately reported to the employee s immediate supervisor. The specifics of security problems must not be discussed widely but should instead be shared on a need-to-know basis. Consequences of Violations Violations of the Internet & Cell Phone Usage Policy will be documented and can lead to revocation of system privileges and/or disciplinary action up to and including termination. Additionally, the company may at its discretion seek legal remedies for damages incurred as a result of any violation. The company may also be required by law to report certain illegal activities to the proper enforcement agencies. Before access to the Internet via company network is approved, the potential Internet & Cell Phone user is required to read this Internet & Cell Phone Usage Policy and sign an acknowledgment form (located on the last page of this document). The signed acknowledgment form should be turned in and will be kept on file at the facility granting the access. For questions on the Internet & Cell phone Usage Policy, contact the Information Technology (IT) Department. INTERNET USAGE COVERAGE ACKNOWLEDGMENT FORM After reading this policy, please sign the coverage form and submit it to your facility s IT department or granting facility s IT department for filing. By signing below, the individual requesting Internet access through company computing resources hereby acknowledges receipt of and compliance with the Internet Usage Policy. Furthermore, the undersigned also acknowledges that he/she has read and understands this policy before signing this form. Internet access will not be granted until this acknowledgment form is signed by the individual s manager. After completion, the form is filed in the individual s human resources file (for permanent employees), or in a folder specifically dedicated to Internet access (for contract workers, etc.), and maintained by the IT department. These acknowledgment forms are subject to internal audit. ACKNOWLEDGMENT

9 I have read the Internet Usage Policy. I understand the contents, and I agree to comply with the said Policy. Name: Signature Date Manager/Supervisor Signature Date