
Acceptable Use Policy

Overview
The intent of this Acceptable Use Policy is not to impose restrictions that are contrary to the established culture
of openness, trust and integrity. Shielding employees, partners and the company from the actions
of nefarious individuals is the primary commitment of the Network Security (NETSEC)
department.
Systems including but not limited to software, operating systems, hardware, storage media,
network accounts, e-mail accounts, web browsing, FTP, and physical computer assets are the
property of the organization. These systems are to be used for business operations in serving the
organization, clients and customers. Refer to HR policies for further details.
Network Security requires the participation and support of every employee or affiliate who has
access to sensitive information and/or information systems. Every computer user is responsible
for conducting their activities in compliance with the guidelines laid out herein.

Purpose
This policy outlines the acceptable use of computer equipment and contains the rules that protect the
employee and the organization. Unapproved use of network systems exposes the organization to the
risk of network system compromise and of virus, trojan or malware infection. Inappropriate
computer use can also have legal ramifications for the offender and the
organization.

Scope
The use of information, computing or electronic devices, and network resources to conduct
business or interact with organizational networks or business systems owned or leased by the
organization requires compliance with this policy document and all related established policies.
All employees, contractors, consultants, temporary, and other workers at this organization or any
subsidiaries must exercise impeccable judgment regarding appropriate use of electronic devices,
network resources, or sharing of information. These actions must take place in accordance with
local laws, regulations and established company standards and policies.
This policy applies to all employees, contractors, consultants, temporaries, and other workers
operating in a third-party role with this organization. This policy applies to all equipment that is
owned or leased by this organization.

Policy
A. General Use and Ownership
a) Proprietary information stored on electronic or computing assets owned or
leased by this organization, an employee or a third party remains the property
of this organization. In accordance with the Data Protection Standard, proprietary
information must be protected by the user through legal or technical means.
b) Responsibility to promptly report theft, loss or unauthorized disclosure of
proprietary information falls solely upon the user of the missing
equipment/information.
c) Authorization and necessity must be considered before sharing authorized
proprietary information in the completion of assigned job duties.
d) Employees are held accountable for exercising sound judgment regarding the
need for and nature of personal use. Departments are responsible for creating
guidelines concerning personal use of organizational systems. In the absence of
organization-level policies, employees should be guided by departmental policies
on personal use. The supervising manager is to be consulted if there is still an
instance of uncertainty.
e) Authorized individuals within the network may monitor equipment, systems and
network traffic at any time for security and maintenance per INFOSEC Audit
Policy.
f) The right to audit networks and systems on a periodic basis to ensure compliance
with this policy and all applicable standards is held by this organization.
B. Security and Proprietary Information
a) Minimum Access Policy must be adhered to by all mobile and computing devices
that connect to the internal network.
b) All levels of passwords and/or pass-phrases must comply with the Password
Policy. Granting access to another individual, either deliberately or mistakenly in
a manner that circumvents secure access is strictly forbidden.
c) A password-protected screensaver with automatic activation set to 3 minutes or less
must be active on all computing devices connected to the internal network. You
must lock the screen or log off whenever the device is left unattended.
d) Employee postings to newsgroups from a company email address must contain
the requisite disclaimer stating that the opinions expressed are those of the employee
alone. This disclaimer is not required when posting in the performance of
business obligations.
C. Unacceptable Use
In general, the following activities are prohibited. Employee exemption is only possible if
these actions are necessary during the course of their legitimate job responsibilities (e.g.,
systems administration staff may have a need to disable the network access of a host if that
host is disrupting production services). No employee is authorized to engage in any activity that
is illegal under local, state, federal or international law while utilizing company-owned
resources under any circumstance. The lists below are not comprehensive but attempt to provide
a framework for actions that are prohibited under the terms of unacceptable use.
D. System and Network Activities
The following activities are strictly prohibited, with no exceptions:
a) Infringing on rights protected by copyright law, trade secret, patent, intellectual
property, or similar laws or regulations. This includes, but is not limited to, the acquisition or distribution
of "pirated" software or media products not licensed for use by the person in
possession of the pirated material.
b) Copying of copyrighted material including, but not limited to, digitization and
distribution of photographs from magazines, books or other copyrighted sources,
copyrighted music, and the installation of any copyrighted software for which
the end user does not have an active license is strictly prohibited.
c) Gaining access to data, a server or an account for any non-business purpose, even
if you normally have authorized access, is strictly forbidden.
d) Illegal exportation of software, technical information or encryption technology in
violation of international or regional export control laws. The export of
any material whose status is in question must be discussed with management prior to the
commencement of export procedures.
e) Intentional placement of malicious programs onto a server or network (viruses,
worms, Trojan horses, DoS tools, etc.).
f) Allowing use of your account or revealing password to others. This includes
family and other household members when completing job duties remotely.
g) Actively engaging in violation of sexual harassment or hostile workplace laws in
the user's local jurisdiction while using a company computing asset.
h) Fraudulent claims for products or services originating from any account or
company computing asset.
i) Actions performed outside normal job duties, such as making statements about
warranties, express or implied.
j) Purposefully causing security breaches or disruptions of network function.
Breaches include, but are not limited to, accessing data of which the employee is not an
intended recipient, or accessing a server or account that the employee is not
expressly authorized to access. An exception is made if these duties are within the
scope of regular responsibilities. Network "disruption" includes, but is not limited
to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing tables
with malicious intent.
k) Prior notification of INFOSEC is required when port scanning or security
scanning is to be performed. These actions are expressly prohibited if prior
notification is not made and permission granted by INFOSEC.
l) Any form of network monitoring unless this activity is a part of the employee's
normal job/duty.
m) Circumventing user authentication or security of any host, network or account.
n) Introduction of honeypots, honeynets, or similar technology on the network
without approval from INFOSEC and network architecture team.
o) Denial of service to any user other than the employee's host (for example, a denial
of service attack).
p) Providing information about, or lists of, employees to parties outside the
company.
E. Email and Communication Activities
Employees must be aware that when using company resources to access and use the Internet
they are at all times representing the company. Employees who declare affiliation with the
company must clearly indicate that "the opinions expressed are my own and not necessarily
those of the company". The following activities are prohibited:
a) Unsolicited email messages, spam or other advertisements to persons or entities
that did not request such material.
b) Harassment via telephone, email, or instant message through language, frequency,
or any type of provocation.
c) Manipulation of email header information.
d) Forwarding or authoring "chain letters" or other "pyramid" type schemes.
F. Blogging and Social Media
a) Employees choosing to make blog entries, whether using company systems or
personal computer systems, are subject to the stipulations and constraints set forth
in this Policy. Occasional use of company systems to engage in social media
posting is acceptable when done in a professional manner and in accordance with
company policy. Posts must not be detrimental to the best interests of the
company or interfere with normal work responsibilities. All posts will be monitored
when made from company assets.
b) The Confidential Information policy also applies to social media posts. Employees are
prohibited from revealing any confidential or proprietary information or any
material covered by the Confidential Information policy when interacting on
social media.
c) Employees shall not engage in any social media posting that harms the image,
reputation or goodwill of the company or any of its employees. Employees are
also prohibited from making any discriminatory, disparaging, defamatory or
harassing comments or any conduct prohibited by the Non-Discrimination and
Anti-Harassment policy.
d) Employees expressing their beliefs and/or opinions on social media may not,
expressly or implicitly, represent the organization. Employees assume all risk
associated with posting on social media.
e) Intellectual property relating to the company may not be posted without express
authorization from the organization. Copyrighted materials,
company trademarks, logos or any other intellectual property associated with the
organization may not be posted to personal social media accounts, so as to prevent
misrepresentation or dilution of the brand identity.
Policy Compliance
A. Compliance Measurement: INFOSEC will verify compliance with this policy through
various methods, including but not limited to business tool reports, internal and external
audits, and feedback to the policy owner.
B. Exceptions: Any exception to the policy must be approved by the INFOSEC team in
advance of any action being taken by the exception requestor.
C. Non-Compliance: An employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.

Related Standards, Policies and Processes
Data Classification Policy
Data Protection Standard
Social Media Policy
Minimum Access Policy
Password Policy
