IT Acceptable Use Policy

Version: 1.00Issue Date: 10/15/2014

1.0 Overview

This IT acceptable use policy is designed to protect the employees and the organization from risks that IT resource inappropriate use would create. These risks include but are not limited to possible legal issues, virus, spyware, adware, and other malware infection of organizational computers, and possible compromise of servers or the organization's network. Management is committed to protecting the organizationís partners, employees, and the organization from damaging or illegal actions through intentional or unintentional means.

2.0 Purpose

This IT acceptable use policy defines acceptable use of computer equipment, software, and data owned by the organization and at the organization. These rules protect the members of the organization and the organization since inappropriate use can expose the organization or its members to legal issues and compromise of systems or data.

3.0 Scope

This acceptable use policy applies to all organizational IT and communication equipment including but not limited to telephone, email, computer, network, printers, FAX machines, hand held devices, and wireless networked devices.

All employees and personnel that have access to organizational computer and communication systems including contractors, consultants, and temporary employees must adhere to this IT resource acceptable use policy. Effective security is a team effort involving the participation and support of every organizational member and organizational affiliate who deals with information or information systems. Every computer user, staff member, and associate using organizational resources must know this IT resource acceptable use policy and comply with it. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Definitions

  • Improper purpose - Improper purpose or use of organizational assets includes, but is not limited to use of assets or actions that harass anyone including but not limited to sexual, racial, or any other form of harassment against any employee, visitor, or any person. Improper use includes but is not limited to:
    • Unauthorized disclosure of any organizational sensitive or confidential information
    • Storing or viewing pornography.
    • Use of any equipment that interferes with productivity or job performance.
    • Theft
    • Violation of any law.
    • Any kind of solicitation.
    • Personal use of equipment, software, or assets owned by the organization. Personal use of business assets including any form of hardware or software not allowed in this policy is prohibited.
    • Any other use of organizational equipment not related to organizational business.
    • Any other inappropriate use which is inconsistent with organizational policies.
    • Personal use of organizational equipment such as telephones, e-mail, or internet access on organizational time except in cases of emergency. Personal use of telephones or email is allowed during break and non-work times at the discretion of the manager.

4.0 Ownership

All systems and data provided by the organization or created for the organization are property of the organization. These systems and data include, but are not limited to, computer equipment, operating systems, software, network accounts, system accounts, electronic mail, telephones, printers, FAX machines, network equipment, applications, files, storage media, and data. These systems and information are provided for business purposes in serving the interests of the organization and the public in the course of normal operations.

E-mail and Internet access is provided for organizational business use only. Use of e-mail or internet access for personal purposes is only allowed within reasonable limits as determined by the appropriate supervisor. All e-mail and internet access records are organizational owned records and should only be transmitted only to individuals who have a business requirement for them.

5.0 Privacy

Organizational management reserves the right to monitor and inspect all usage of information technology resources, including e-mail, voice communications, all programs, and all data files. This may be done to protect data and resources from unauthorized use or access and is intended to protect privacy and the rights and interests of customers, the public, and the organization. Monitoring may be done for quality assurance, training, disciplinary, or other purposes as deemed necessary by the organization's management.

The organization has the right to access any equipment owned by the organization including any and all information retained on any organizational telephone or computer for any reason. The organization has the right to review staff members use of computers, e-mail, network and internet access, and telephone systems for any reason. Staff members, visitors, contractors, and suppliers or any one using organizational equipment do not have an expectation to any right to privacy when using organizational owned equipment or resources. All e-mail, telephone records, voicemail messages, and Internet records are available for review by authorized organizational representatives. Review of information and records is only allowed by authorized individuals.

Organizational e-mail or Internet records may be subject to disclosure to government officials, law enforcement officials, or to other third parties due to subpoenas or other processes. Information contained in these records should be appropriate, lawful, and accurate.

6.0 Software

Use of, copying, or installation of organizational licenced software on personally owned computers for nonbusiness or personal use is prohibited.

7.0 Other Policies

Users must remain in compliance with all organizational policies including the Approved Application Policy, Computer Training Policy, Password Policy, Licensing Policy, and Code of Ethics Policy.

8.0 Sensitive Information Disclosure

Users agree not to send confidential or sensitive information using unencrypted email or any unsecured media to approved or unapproved recipients. Users are not allowed to send credit card information or social security numbers through unencrypted email or any unapproved or unsecured media. Users shall not send confidential or sensitive information including but not limited to social security numbers and credit card information to recipients that are not approved by their management.

9.0 Proper Use

All staff members who are entrusted with any organizational equipment or assets, including, but not limited to, computer, e-mail, network, Internet, and voicemail systems, are prohibited from using any such assets for an improper purpose as defined in section 4.0 above.

Additional requirements:

  • Passwords may never be shared by more than one person. Each staff member must keep their passwords and any confidential access codes secret and never share them with anyone according to the Password Policy.
  • Users shall not use any method to attempt to gain the passwords of other users.
  • Providing any unauthorized persons with access, access information, or allowing such unauthorized persons the use of organizational computer equipment is prohibited.
  • Staff members may not access other individualís e-mail, voicemail files, or computers, unless specifically authorized by their supervisors in performance of their duties for the organization.
  • Modifying any files, information, software, or equipment without authorization is prohibited.
  • Deliberately entering false or unauthorized information in a computer or database or modifying a database, electronic storage device, or document so it contains unauthorized or false information is prohibited.
  • All communication on electronic systems or face to face should be professional and inoffensive. Slurs and insults are unprofessional and will be dealt with appropriately by management. Attempts to influence the personal beliefs of others is inappropriate.
  • Announcements to be made using organizational e-mail, telephone, or PA equipment must be related to organizational business, authorized, and appropriate.
  • Software programs may not be duplicated unless authorized.
  • Computer equipment, systems files, or software programs may not be removed from organizational property unless specifically authorized by someone with authority to authorize such removal. Movement of equipment should be according to the Asset Control Policy.
  • Use of organizational equipment to transact business for personal gain is prohibited.
  • Users shall not attempt to gain unauthorized access to any systems or physical areas without authorization.
  • Users shall not attempt to damage equipment.
  • Users shall not attempt to modify storage media, files, or data belonging to other users without authorization.
  • Users shall not attempt to distribute malware including trojan horses, viruses, adware, spyware, or worms.
  • Users shall not keep malware including trojan horses, viruses, adware, spyware, or worms without authorization.
  • Users shall not illegally distribute software or violate copyright or licensing laws.
  • Users shall not keep illegal copies of software.
  • Users are required to understand the organizational Information Sensitivity Policy and only handle information and classified material that they have authority and qualifications to handle.
  • Users must abide by system use policies.
  • Keep work areas quiet and clean.
  • Refrain from wasteful activities such as excessive use of the internet, unneeded printing, and holding of computing resources without need.

10.0 Communication

All users of organizational equipment or data must sign a statement indicating they have read and agree to comply with this policy before access to the equipment is granted. The organizational communications officer shall implement programs such as newsletters, presentations, posters, email messages, and other means to communicate this and other security policies to organizational members and associates.

11.0 Enforcement

Since proper use of resources is very important to the security of the organization, access logging, auditing, or detection over the network shall be used as a mechanism to be sure the IT acceptable use policy is being followed. All activity that does not comply with this IT acceptable use policy and other policies and procedures is investigated. Organizational members that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

12.0 Additional Requirements

  • An organizational formal disciplinary process for staff who are found to have violated organizational security policies and procedures must be developed. Organizational members and associates must be made aware of this process.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________