End-User Computing Policy PDF

END-USER COMPUTING POLICY Page Doc. No.
1 of 16 IT-SEC-0003
INFORMATION SECURITY DEPARTMENT
Refer to the DynamicPolicy system for the latest revision of this document. Printed copies are valid only for
the day on which the document was printed. For the current version, version number and effective date,
always refer to DynamicPolicy, where documents are periodically updated. Policy owners can track
approvers’ reviews and comments in the system.
Author(s):
Jose De Jesus Sr. Director, Information Security
Contributor(s):
Obed Rodriguez VP, Information Security & Corporate Compliance
Distribution List:
All Employees
Document Revision History:

Description of Revision Responsible Effective Date
Original publication in DynamicPolicy 8/10/06
10/31/06
11/21/06
12/06/06
Alberto Forero 2/19/07

Moved “Network Intrusion / Security Incidents” to Sharyn Zimmerman 9/14/07
new Incident Response policy.
Added SNMP paragraph and monitoring references;
reformatted per current standards; 2008 review and Jose De Jesus 3/12/08
update
Completely revised for end-user content only;
technical, IT-specific content moved to separate IT Jose De Jesus 10/27/08
Security policy
Republished for 2009 – no changes Jose De Jesus 2/06/09
Remote Access section updated Jose De Jesus 10/05/09
Updated dept name to “Information Security”; 6.13

Jose De Jesus 1/10/11
updated re remote desktop access
Section 6.4.1 added “vendors”, updated for OIM;
added 6.4.3 re employee / consultant terminations; Jose De Jesus 8/1/11
added 6.13 VPN inactivity; updated 6.15 Data
Center Security
2013 review:
Section 6.5 added MAX access; Jose De Jesus 4/5/13
Vendor Management name updated to Vendor
This policy is the confidential and proprietary product of TracFone Wireless, Inc. Any unauthorized use,
reproduction or transfer of this policy is strictly prohibited. Copyright © 2011 by TracFone Wireless, Inc.
(subject to limited distribution and restricted disclosure only.) All rights reserved.
Last updated 3/24/17
END-USER COMPUTING POLICY Page Doc. No.:
2 of 16 IT-SEC-0003
Description of Revision Responsible Effective Date

Staffing;
Updated Company Forms references; added
“Referenced Forms” section;
6.14 Wireless Networks updated for guest wireless
access.
2014 review:
Section 6.5: MAX access now requested through
OIM; Database Access requested through Request
Form.
6.8: Admin rights requested through OIM. Jose De Jesus 4/18/14
6.9: Removal of infected computers from the
network.
6.14: Wireless Networks updated for general
wireless access.
2015 review:
Section 6.15 - VPN access now requested and
provisioned through OIM;
PCI DSS references updated for PCI version 3.1 Jose De Jesus 8/14/15
New sections for:
 Acceptable Data Storage Locations
 DLP Agent
 Information Security Awareness Training
2016 review:
HITRUST CSF references added
Section 3 expanded Jose De Jesus 6/28/16
Section 6.14 expanded
Section 6.17 expanded
2017 review: Jose De Jesus 3/24/17

Section 6.5 User Application Access - expanded
3 of 16 IT-SEC-0003
TABLE OF CONTENTS
Executive Summary .......................................................................................................... 5
1. Purpose ..................................................................................................................... 5
2. Scope......................................................................................................................... 5
3. Introduction and Security Framework .................................................................... 5
4. Responsibilities ........................................................................................................ 6
4.1 Employees and Contractors ................................................................................................................6
4.2 Managers and Supervisors ..................................................................................................................6
4.3 Business Owners ..................................................................................................................................6
4.4 Service Desk ..........................................................................................................................................7
5. Policy Enforcement .................................................................................................. 7
6. General Information Security .................................................................................. 7
6.1 Roles and Responsibilities of Users ...................................................................................................7
6.2 Use of Systems .....................................................................................................................................7
6.3 Privacy ...................................................................................................................................................7
6.4 User Network Access ...........................................................................................................................7
6.4.1 New Employees, Consultants, Vendors and Temporary Employees ..............................................7
6.4.2 Consultant and Temporary Employee Extension .............................................................................7
6.4.3 Employee Termination and Consultant/Temporary Employee End of Engagement .......................8
6.5 User Application Access ......................................................................................................................8
6.6 Login/Logoff Process ...........................................................................................................................8
6.7 User Passwords ....................................................................................................................................8
6.8 Software/Hardware Usage ....................................................................................................................9
6.9 Acceptable Data Storage Locations .....................................................................................................9
6.10 Antivirus Security .............................................................................................................................10
6.11 DLP (Data Leakage Prevention) Agent ............................................................................................10
6.12 System Access – Other Considerations ..........................................................................................10
6.12.1 Anonymous Access ......................................................................................................................10
6.12.2 Unauthorized Access Attempts ....................................................................................................10
6.13 Internal Network Isolation .................................................................................................................10
6.14 Files, Data and Printer Output and Mailing .....................................................................................10
6.15 Remote Access ..................................................................................................................................11
6.16 Wireless Networks .............................................................................................................................11
6.17 Information Security Awareness Training .......................................................................................12
6.18 Data Center Security ..........................................................................................................................12
7. E-Mail Usage ........................................................................................................... 13
7.1 Authorized E-Mail Usage .....................................................................................................................13
8. Internet Usage ........................................................................................................ 14
8.1 Information Integrity ...........................................................................................................................14
8.2 Authorized Internet Usage .................................................................................................................14
9. User Compliance .................................................................................................... 14
4 of 16 IT-SEC-0003
10. Referenced Forms .................................................................................................. 15

Attachment A - Receipt and Acknowledgement of Information Security Policy ....... 16
5 of 16 IT-SEC-0003
Executive Summary
TracFone Wireless, Inc. provides computer equipment and communication systems for the purpose of
conducting company business. All TracFone messaging, communications, data storage and network
systems, including voice mail and email, are the sole property of TracFone. Unauthorized use of TracFone
property is prohibited.
TracFone can and will exercise its right to access, review, remove, audit, monitor, intercept and disclose
messages, data or information that is created, sent, received or stored on any such systems. TracFone may
also release, publicize or disclose such information obtained for business reasons at its discretion.
Any employee who violates any provision of this policy may be subject to disciplinary action.
TracFone reserves the right to amend, modify, replace, terminate or make specific exceptions to this policy
any time, without prior notice to employees. Changes to this policy will be communicated to employees via
the DynamicPolicy system and to consultants and temporary employees by Vendor Staffing.
All new TracFone employees and consultants (including temporary employees) are provided a copy of the
End User Computing Policy prior to accessing the TracFone network. Employees and consultants must
agree to comply with this policy as a condition of their employment/engagement.
1. Purpose
The purpose of this policy is to provide specific Information Security (“InfoSec”) policies and guidelines
necessary for a secure computing environment for TracFone employees and consultants. InfoSec has
developed this policy with the objective of maintaining adequate data and system availability, integrity and
confidentiality.
2. Scope
This policy applies to all operating departments, employees, consultants and business partners of TracFone
Wireless, Inc.
3. Introduction and Security Framework
Information and information systems are critical and vitally important assets. Without reliable and properly
secured information and information systems, business operations would be severely disrupted. Likewise,
the preservation and enhancement of the company’s reputation is directly linked to the way in which both
information and information systems are managed.
To be effective, information security should be a team effort involving the active participation and support of
every user who deals with information and/or information systems. In recognition of the need for teamwork,
this Information Security policy clarifies the responsibilities of users as well as the steps they should take to
help protect information and information systems. This document provides a framework and guideline for
TracFone users to make appropriate use of our systems and network.
6 of 16 IT-SEC-0003
Every user must comply with the information security policies found in this and related information security
and corporate governance documents, such as the Employee Handbook, Code of Business Conduct, etc.
The security framework represented by this policy has been created to satisfy the following elements:
Critical Business Functions

Information and information systems are necessary for the performance of just about every essential
activity. If the availability, integrity or confidentiality of TracFone systems is affected, the company could
suffer serious consequences including lost customers, reduced revenues and/or degraded reputation.
Supporting Business Objectives

This document has been prepared to ensure that the company is able to support further growth of the
business, comply with regulatory requirements as well as ensure a consistently high level of customer
service. Because prevention of security problems is considerably less expensive than correction and
recovery, adherence to these practices will also reduce costs in the long run.
Team Effort Required

Users play an important role in the information security area. With information and information systems
distributed to the office desktop, information security is no longer the exclusive domain of IT personnel –
it is now a team effort requiring the participation of every employee who comes into contact with
information and/or information systems.
TracFone will grant access to company systems based on the principles of least privilege and deny by
default. All relevant applications to the business have pre-defined roles and responsibilities that govern
users’ access to ensure that users only receive the minimum access needed to perform their job duties.
(HITRUST CSF 01.v) Authorization to access information and/or systems must be requested in accordance
with the company’s Information Security policies, standards and procedures.
4. Responsibilities
Departments and individuals have varying levels of responsibility to minimize the risk of unauthorized use,
disruption, modification, disclosure or misuse of information and technology assets.
4.1 Employees and Contractors

All TracFone personnel – employees as well as contractors – should familiarize themselves with the
security policies and procedures documented in this policy. Employees will read and acknowledge
acceptance of this policy via the DynamicPolicy system. Whenever new versions are published,
employees will be notified via email and will read and accept the revised policy.
4.2 Managers and Supervisors

All managers and supervisors should ensure that their staff (employees as well as contractors) read and
accept the policy.
4.3 Business Owners

TracFone Management has established formal “Business Ownership” for TracFone business
applications to ensure appropriate authorization of users to systems and data. The Business Owner
establishes “Roles and Responsibilities” to predefine applications that will be accessed for the financial
applications.
7 of 16 IT-SEC-0003
4.4 Service Desk

The TracFone IT Service Desk provides a channel of communication between the TracFone user
community and InfoSec. The Service Desk team provides password reset services to associates after
confirmation of associate identity. Refer to the IT practice policies for detailed documentation.
5. Policy Enforcement
Violation of the End-User Computing Policy or of the standards and procedures established in support of this
policy is grounds for disciplinary action. If any associate, employee, manager or contractor suspects or
witnesses a violation of this policy, he/she must contact their Supervisor, Human Resources Representative
or InfoSec immediately. Failure to do so constitutes a violation of TracFone’s Information Security policy.
6. General Information Security
6.1 Roles and Responsibilities of Users

Users will use the information only for the purposes specifically approved by the Data Owner. Users
need to comply with all security measures defined by the InfoSec Department. Users are expected to
report to the InfoSec Department all situations where they believe an information security vulnerability or
violation may exist.
6.2 Use of Systems

TracFone Management reserves the right to revoke the privileges of any user at any time. Conduct that
interferes with the normal and proper operation of information systems, which adversely affects the
ability of others to use these information systems, or which is harmful or offensive to others will not be
permitted. For example, users must not exploit vulnerabilities or deficiencies in information systems
security to damage systems or information, to obtain resources beyond those they have been authorized
to obtain, to take resources away from other users, or to gain access to other systems for which proper
authorization has not been granted.
6.3 Privacy
Unless contractual agreements dictate otherwise, data sent over company computer and
communications systems are the property of TracFone. To protect and manage TracFone’s data assets,
management reserves the right to examine at any time and without prior notice all data stored or
transmitted. Users should have no expectation of privacy associated with the information they store or
send through TracFone systems.
6.4 User Network Access

For accountability and auditing purposes, all users accessing resources must have and use their own
unique set of credentials (user ID and password). Every system, domain and application administrator
must have his own exclusive account.
6.4.1 New Employees, Consultants, Vendors and Temporary Employees

All new employees, consultants, vendors and temporary employees must be authorized to access
the TracFone network. Computer access requests must be completed, submitted and approved via
the Oracle Identity Manager (OIM) tool before access will be granted.
6.4.2 Consultant and Temporary Employee Extension

Consultant accounts are automatically set to expire no later than 90 days after starting work. If a
consultant needs to be extended, prior to the expiration date, the hiring manager/requester will
8 of 16 IT-SEC-0003
complete the extension form, obtaining required signatures before submitting the form to Vendor
Staffing. The extension must be approved via OIM.
6.4.3 Employee Termination and Consultant/Temporary Employee End of Engagement

Requests for termination of employees and consultants / temps are documented by a Service Desk
ticket opened by Human Resources / Vendor Staffing (respectively). Information Security and
various IT groups remove or disable the users’ accounts.
6.5 User Application Access

When a user requires access to a TracFone application, his/her access must first be requested and
approved.
 For Business Intelligence (BI), Oracle Financials System (OFS) and MAX, the employee or
consultant submits the access provision/change request through OIM for electronic approval. A
substantiated business reason for this access must be documented on the request. The
requestor must agree to comply with FCC regulations over access to MAX Call Detail Records.
 For Clarify/TAS, an employee or consultant completes the “Clarify/WebCSR Application Access

Request Form”. InfoSec will email a request for authorization / approval to the Clarify business
owner for the new account(s) associated with each user and/or role.
 For Database Access, the employee or consultant completes the “Database Tools Access
Request Form”. Requests for access to sensitive data must be justified on the form and will be
carefully reviewed by Information Security. In order to obtain MAX database access, a user
must also fill out the “MAX Database Access Request Form – Supplemental” to provide a
substantiated business reason to access Call Detail Records (CDRs) and to acknowledge
compliance with FCC regulations when accessing CDRs. Once the form(s) have been fully
signed/approved, the database account will be created by the Database Support Services Team.
 For access to the APEX Oracle front-end database application, a user completes the “APEX
Tools Access Request Form”. Once the form has been fully signed/approved, the database
account will be created by the Database Support Services Team.
6.6 Login/Logoff Process

All users will be positively identified prior to using any multi-user computer or communications system
resources. Positive identification for internal TracFone networks involves a user ID and a password,
both of which are unique to an individual user.
Positive identification for users originating external real-time connections to TracFone systems or
networks via value added networks, public networks (Internet), or any other external communications
system may also involve additional user authentication techniques.
Employees will lock up all systems, when leaving their desks for meetings, breaks, lunches, etc. At the
end of the day, employees will log out of or lock all systems.
6.7 User Passwords

User-IDs and passwords may never be shared or revealed to anyone else besides the authorized user
(PCI 8.5). Users are responsible for all activity performed with their personal user-IDs. Users may not
allow others to perform any activity with their user-IDs. All passwords must be promptly changed if they
are suspected or are known to have been disclosed to unauthorized parties.
9 of 16 IT-SEC-0003
Password standards, such as those addressing minimum length and complexity, are enforced on all
systems and applications. All user-chosen passwords must contain at least one alphabetic, at least one
upper case, and one non-alphabetic character (including numbers and punctuation), depending on the
application or system. Users may not reuse the same passwords and are required to change their
password after a certain period of time. Upon first login, when a new user is issued a user id and
password, the user must change his/her password. Users should not write down their passwords.
Users are limited in the number of unsuccessful login attempts before their account is locked. The
system will automatically lock the screen and suspend the session after a period of idle time; the user
must re-enter his network password to re-establish the session. Users who have not logged on or
changed their passwords for an extended period of time will have their accounts disabled.
Note: Some applications or systems cannot be fully configured as above due to system limitations.
6.8 Software/Hardware Usage

All software and hardware used on, in, or to enhance or develop company systems is the property of
TracFone. The company has provided this software and hardware for use in conducting company
business; personal use is prohibited.
Users are not permitted to download software from electronic bulletin board systems, the Internet, or
other systems outside of the company unless specifically authorized by the InfoSec Department.
Authorized downloads can be made only on systems in which current anti-virus software is installed and
functioning, as determined by the InfoSec Department.
Users may not install any software on the company's personal computers, network servers, or other
machines (such as laptops and stand-alone computers) without first receiving advanced written
authorization from the InfoSec Department.
Users who have a valid business reason to have administrative rights to their assigned computer
equipment (laptop or desktop) must request administrative privileges (admin rights) via an OIM request.
The request must include a substantial business justification. The necessary approvals will be obtained
via OIM.
Strict adherence to software vendors' license agreements and copyright holders' notices is required.
Users are forbidden from making unauthorized copies of software.
Computer equipment provided by the company must not be altered or added to in any way without
authorization from the InfoSec Department. In addition, users must not bring their own computers
(including laptops), computer peripherals or computer software into company facilities without advance
written authorization from their manager and the InfoSec Department.
6.9 Acceptable Data Storage Locations

All data should be stored within TracFone internal information systems. The IT department will backup
data storage repositories using TracFone approved backup methods and media. However, it is the
responsibility of Data Custodians to make Data Administrators and Information Security aware of specific
data types that require protection, such as disk encryption, secure transfer protocols, etc. so that proper
security controls are applied. (PCI 12.3.6)
The use of Cloud storage is strictly forbidden. Any user with a valid business reason for considering the
use of Cloud based storage solutions must request Information Security review and approval of the use
of such services.
10 of 16 IT-SEC-0003
6.10 Antivirus Security

All TracFone resources are protected from computer viruses by continuous employment of appropriate
antivirus software and devices. Each computer will have TracFone approved antivirus software that
continuously scans the computer for viruses. No employee may remove a virus protection mechanism
without the explicit written permission and knowledge of the InfoSec Department.
Computer equipment infected by viruses will be removed from the network until the equipment is free of
viruses. If an employee or consultant’s equipment becomes infected multiple times in a short period of
time, his/her equipment will be examined to determine the possible cause of repeated infection. If the
employee or consultant has admin rights to his/her equipment and it is determined that virus infection
has been caused by downloading unauthorized software, admin rights may be revoked. If the virus
infection has been caused by frequent visits to a website that has been compromised or that is
determined to have links that contain malware, access to such website will be blocked.
6.11 DLP (Data Leakage Prevention) Agent

TracFone has implemented a Data Leakage Prevention Program that consists of End-User DLP
Awareness training and deployment of an Enterprise DLP system to automatically monitor, detect and
prevent storage and use of unprotected sensitive data within TracFone file repositories.
In order for the Data Leakage Prevention system to monitor and prevent the unauthorized use and/or
distribution of TracFone sensitive data, all TracFone issued workstations (desktop and laptop) will have
the Symantec DLP Agent installed and functional. End-users shall not tamper with, disable or otherwise
make inoperable the Symantec DLP agent. For additional information refer to the Data Leakage
Prevention and Data Classification Guidelines.
6.12 System Access – Other Considerations
6.12.1 Anonymous Access

Except for electronic Internet sites or other systems where all regular users are anonymous, users
are prohibited from logging into any TracFone system or network anonymously: that is, by using a
“guest” user ID.
6.12.2 Unauthorized Access Attempts

Users will not test or attempt to compromise computer or communication system security.
Incidents involving system cracking, password cracking, file decryption, bootleg software copying or
similar unauthorized attempts to compromise security measures may be unlawful and will be
considered serious violations of TracFone’s Information Security policy.
6.13 Internal Network Isolation

TracFone internal networks contain much of the company's technical and business information and
provide the electronic environment through which most employees accomplish much of their jobs.
Access to the internal network resources is set up by the InfoSec Department through enforcing role-
based security. Responsibilities are granted in a manner that will reduce risk, protect TracFone’s assets
and minimize liability.
6.14 Files, Data and Printer Output and Mailing

Users are responsible for protecting their own files and data from reading and/or writing by other users,
via whatever protection mechanisms are provided by the operating system in use.
11 of 16 IT-SEC-0003
Users are responsible for picking up their printed output from printers, copiers and facsimile machines in
a timely fashion to avoid theft, disposal or unintentional exposure and display of information contained
therein. Sensitive or critical business information must not be left unattended or available for
unauthorized individuals to access.
When transporting printed documents with sensitive information within the facilities and through inter-
office mail, ensure that the information is not viewable through envelope windows and mark envelopes
according to the classification of the information (e.g., “Confidential”).
It is prohibited to mail sensitive information, such as protected health information or credit card data, via
US mail, overnight delivery services, etc. Any received mail containing sensitive information must be
immediately protected, and the employee must advise the sender of TracFone’s policy prohibiting the
receipt of unprotected sensitive information. (HITRUST CSF 01.h)
6.15 Remote Access

 Remote access via Virtual Private Network (VPN) to TracFone’s network will be granted to
individuals who require it to support business operations or to provide remote services. Needing
access to email is not justification for remote access, as TracFone email can be accessed from the
Internet via https://webmail.tracfone.com.
 Remote access via VPN must be authorized by the user’s supervisor prior to approval and access
being granted by the InfoSec Department.
 All users requiring VPN access will submit a request via OIM. The request must include a
substantial business justification. The necessary approvals will be obtained via OIM. After the
user’s manager and Cost Center owner have approved the request, Information Security will review
and approve VPN requests within one (1) business day.
 Remote accounts will be issued to individuals only; no group accounts will be supported.
 VPN access is for business use only. Individuals are responsible for the appropriate use of their VPN
accounts.
 Users must not connect to TracFone’s internal network via unauthorized workstation software or
remote access tools. Remote desktop access from any computer (whether personal or company
issued) to TracFone’s desktop or laptop computers is not permitted. When connecting with
equipment not provided by TracFone, users are responsible for ensuring that all security policies
detailed in this document are met (i.e. current anti-virus software installed, etc.).
 VPN software and standard installation instructions for connectivity are provided to all approved
users. Support is provided via Service Desk to individuals using TracFone issued equipment. No
support will be offered for VPN software installed on personal equipment.
 All VPN sessions will be automatically disconnected after 30 minutes of inactivity.
 Remote access logs are regularly reviewed to identify potential problems and attempts to
compromise the network.
6.16 Wireless Networks

TracFone Wireless has deployed the use of wireless technology for access to the Internet only, not to the
company network. Computer security restrictions are in effect on company desktops or laptops
connecting wirelessly to the internet.
The use of any wireless device (routers, wireless cards, etc.) that allows for wireless connectivity to the
company network is strictly forbidden, as this represents unauthorized technologies that pose many
inherent risks to the safeguarding of TracFone data and the security of the internal network.
The installation or activation of wireless network interface cards on company desktops or laptops is
strictly prohibited. Any equipment that has an enabled wireless network card must not also have an
12 of 16 IT-SEC-0003
enabled wired network card, since the presence of both wired and wireless cards can create a potential
bridge between the two networks.
While we realize that consultants, visitors or vendors may have a valid need to use wireless technology,
such use is limited to wireless data cards on equipment that is not physically plugged into the TracFone
internal network.
6.17 Information Security Awareness Training

Upon hire and then annually thereafter, all users must complete an online training course related to
security and privacy, provided by Information Security. This course explains the importance and
responsibility of following the processes and practices in place to safeguard TracFone’s information
assets, especially, but not limited to, payment cardholder data security (PCI 8.5) and other protected
data, such as personal health information. (HITRUST CSF 02.e)
Employees receive this training online via the corporate training system.
 Information Security provides the security awareness training material to the Human
Resources contact for uploading into the training system.
 The mandatory course is followed by a short quiz to validate the student’s understanding of
the material. A passing score of 80% or more is required. If the student does not pass with a
score of at least 80%, the training system requires the user to repeat the training until a
passing score is achieved.
Upon hire, new employees are enrolled by Human Resources in the online security awareness training.
The training system notifies the new employees and their managers via email of the mandatory training
course. Past due notices are emailed to non-compliant employees and their managers for follow-up.
Annually, all employees must repeat the security awareness online training course, even if the employee
successfully completed it during the prior year.
 Information Security reviews and updates the course, as applicable, and submits the
presentation and quiz to the Human Resources contact for uploading into the corporate
training system.
 Human Resources enrolls employees in the online training course.
 Human Resources management announces the mandatory course to all employees via
email with a designated completion date.
 Past due notices are emailed to non-compliant employees and their managers for follow-up.
 HR generates reports from the training system indicating employees’ completion status for
Information Security to follow up on non-compliance and to escalate as needed.
All new hires also attend a New Hire Orientation session that includes Information Security Awareness
training.
6.18 Data Center Security

Anyone needing to enter the Data Center facility (other than those with full access or those assigned to
the Data Center) must submit a formal request for access through the Service Desk. With approval from
the Data Center Business Owners, the individual will be granted the appropriate level of access (limited
or escorted) as determined by his credentials and business need for being in the Data Center.
No one without a current TracFone employee or contractor identification will be allowed unescorted
access in the Miami Data Center. If the contractor is not one of our existing vendors/contractors, he will
be accompanied by IT personnel or a Security Guard.
13 of 16 IT-SEC-0003
Refer to the “Miami Data Center Policy and Procedures” for further details.
7. E-Mail Usage
TracFone provides its employees and certain vendors with electronic mail communications. Use of company
e-mail constitutes acceptance of this policy. Refer as well to other corporate policies, such as the Employee
Handbook and Code of Business Conduct.
The network username and password used to access e-mail is the responsibility of the individual to whom it
is assigned. Any authorized use of the network user credentials by other individuals to gain access to the
network and e-mail makes that user responsible for any and all actions of those individuals.
Electronic communication systems are company property. The company has provided these systems for
use in conducting company business. All communications and information transmitted by, received from,
passing through or stored in these systems are company records and the exclusive property of the company.
7.1 Authorized E-Mail Usage

Electronic communications systems are to be used for business activities. Incidental personal use of
electronic mail is permitted. However, the personal use of e-mail should not interfere with company
operations, nor should it cause harm or damage to the organization or its customers. Employees are
reminded that the use of corporate resources, including electronic communications, should never create
either the appearance or the reality of inappropriate use.
Users need to be aware that deletion of any e-mail messages and attachments may not truly eliminate
the messages and attachments from the systems. All e-mail messages and attachments are stored on a
central back-up system in the normal course of data management.
Even though TracFone has the right to retrieve and read any e-mail messages, those messages should
still be treated as confidential by other users and be accessed only by the intended recipient. Unless
specifically authorized by the appropriate personnel, users are prohibited from retrieving or reading any
e-mail messages that are not directly sent to them.
Users are reminded that electronic communications systems are not encrypted by default. If sensitive
information should be sent by electronic communication systems, encryption or similar technologies to
protect the data must be employed.
Users must not use profanity, obscenities or derogatory remarks in electronic mail messages discussing
employees, customers, competitors or others. Such remarks, even when made in jest, may create legal
problems such as trade libel and defamation of character.
Company policies against sexual or other harassment apply fully to the electronic communication
systems. No messages should be created, sent, forwarded or received on any of the electronic
communication systems if they contain intimidating, hostile or offensive material concerning sex, race,
color, national origin, religion, sexual orientation, age, marital status, disability or any other classification
protected by law. Any message received that contains intimidating, hostile or offensive material should
be reported immediately to the Information Security Department so that appropriate measures can be
taken to prevent future violations of this policy.
Recognizing that some information is intended for specific individuals and may not be appropriate for
general distribution, electronic communications users should exercise caution when forwarding
14 of 16 IT-SEC-0003
messages. Blanket forwarding of messages to outside parties is prohibited unless prior permission from
the Human Resources Department has been obtained.
Users shall not use their company email account to register with or subscribe to any Internet website or
service (newsletters, promotions, marketing, etc.) unless authorized by the InfoSec Department.
Electronic registration of Internet services will likely result in the account being acquired by spammers
and junk mailers.
8. Internet Usage
Access to the Internet through the company network is a privilege and carries responsibilities reflecting
responsible and ethical use. Internet access is granted to all employees and contractors. Use of the Internet
through the network constitutes the individual’s acceptance of this policy. Refer as well to the corporate
Employee Handbook and Code of Business Conduct policies.
8.1 Information Integrity

Unless authorized by the InfoSec Department, systems shall not be used to send (upload) or receive
(download) copyrighted materials, trade secrets, proprietary financial information or similar materials.
Furthermore, such information shall not be sent or received from users’ personal e-mail accounts or
personal web pages without authorization from the InfoSec Department.
Misrepresenting, obscuring, suppressing or replacing a user's identity on the Internet or any company
electronic communications system is forbidden. The user name, electronic mail address, company
affiliation and related information included with messages or postings should reflect the actual originator
of the messages or postings.
All information taken off the Internet should be confirmed by separate information from another source.
There is no quality control process on the Internet, and a considerable amount of its information is
outdated and inaccurate, and in some instances even deliberately misleading. Accordingly, before
using free Internet-supplied information for business decision-making purposes, users should consider
the source of the information and corroborate the information by consulting other sources.
8.2 Authorized Internet Usage

Use of company information systems to access the Internet for personal purposes should be limited. Any
personal use of the Internet is expected to be on the user’s own time and is not to interfere with the
person’s job responsibilities. Any excessive use may be considered cause for disciplinary action. All
users of the Internet need to be aware that tools are in place to monitor the browsing activities of all
employees and contractors utilizing the Internet connection at TracFone Wireless.
Connecting to certain non-business web sites is prohibited. Users of company computers who discover
they have connected with a web site that contains sexually explicit, racist, violent or other potentially
offensive material should immediately disconnect from that site. The ability to connect to a specific web
site does not in itself imply that users of company systems are permitted to visit that site.
9. User Compliance
Users are responsible for complying with this policy and all other TracFone policies defining computer and
network security measures.
15 of 16 IT-SEC-0003
10. Referenced Forms
The following forms apply to this policy and procedure. They are directly or indirectly noted within this
document and are accessible on the corporate Intranet \ Company Forms. This list constitutes the OFFICIAL
form list for this policy and procedure.
Form Reference
No. Form Name Purpose
IT-SEC-0003/0001 Clarify/WebCSR Authorization for assignment of Clarify/TAS
Application Access roles/security groups
Request Form
16 of 16 IT-SEC-0003
Attachment A - Receipt and Acknowledgement of Information Security Policy
All new TracFone employees and consultants (including temporary employees) are provided a copy of the
End-User Computing Policy prior to accessing the TracFone network. Employees and consultants must
agree to comply with this policy as a condition of their employment/engagement.
In complying with the TracFone End-User Computing Policy, employees and consultants are to be
particularly aware of the following important controls aimed at reducing the company’s exposure to security
risks:
1. Wireless connectivity to the TracFone network is not permitted. The use of any device
(routers, wireless cards, etc.) that allows for wireless connectivity to the company network is
not permitted.
2. No personal computing equipment (such as laptops) is to be used on the TracFone network

unless specifically authorized in writing by management and approved by Information
Security in advance.
Employees will also confirm their acceptance of the current End-User Computing Policy (and future updates)
electronically through the DynamicPolicy system, available via the corporate Intranet. Any employee who
violates this Policy may be subject to disciplinary action, up to and including discharge.
Non-compliance with this policy will impact consultants’ tenure at TracFone.
Acknowledgement by Employee / Consultant and Temporary Employee
By signing below, I acknowledge that I have received and will fully comply with the TracFone End-User
Computing Policy.
12/18/19
_____________________________________ _______________
Employee/Consultant Signature Date
DANA A REED
_____________________________________
Printed Name

End-User Computing Policy PDF

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

End-User Computing Policy PDF

Transféré par

Droits d'auteur :

Formats disponibles

END-USER COMPUTING POLICY Page Doc. No.

Document Revision History:

Alberto Forero 2/19/07

Remote Access section updated Jose De Jesus 10/05/09

Updated dept name to “Information Security”; 6.13

Description of Revision Responsible Effective Date

2017 review: Jose De Jesus 3/24/17

10. Referenced Forms .................................................................................................. 15

3. Introduction and Security Framework

Critical Business Functions

Supporting Business Objectives

Team Effort Required

4.1 Employees and Contractors

4.2 Managers and Supervisors

4.3 Business Owners

4.4 Service Desk

6. General Information Security

6.1 Roles and Responsibilities of Users

6.2 Use of Systems

6.4 User Network Access

6.4.1 New Employees, Consultants, Vendors and Temporary Employees

6.4.2 Consultant and Temporary Employee Extension

6.4.3 Employee Termination and Consultant/Temporary Employee End of Engagement

6.5 User Application Access

 For Clarify/TAS, an employee or consultant completes the “Clarify/WebCSR Application Access

6.6 Login/Logoff Process

6.7 User Passwords

6.8 Software/Hardware Usage

6.9 Acceptable Data Storage Locations

6.10 Antivirus Security

6.11 DLP (Data Leakage Prevention) Agent

6.12 System Access – Other Considerations

6.12.1 Anonymous Access

6.12.2 Unauthorized Access Attempts

6.13 Internal Network Isolation

6.14 Files, Data and Printer Output and Mailing

6.15 Remote Access

6.16 Wireless Networks

6.17 Information Security Awareness Training

6.18 Data Center Security

7.1 Authorized E-Mail Usage

8.1 Information Integrity

8.2 Authorized Internet Usage

10. Referenced Forms

Attachment A - Receipt and Acknowledgement of Information Security Policy

2. No personal computing equipment (such as laptops) is to be used on the TracFone network

Non-compliance with this policy will impact consultants’ tenure at TracFone.

Acknowledgement by Employee / Consultant and Temporary Employee

Vous aimerez peut-être aussi