IT Code of Ethics Policy

Version: 1.00
Issue Date: 10/15/2014

1.0 Overview

This IT Code of Ethics Policy defines which behaviors by the organization, its employees, or its authorized agents are ethical and which are not.

2.0 Purpose

The purpose of this IT Code of Ethics Policy is to define ethical or unethical behavior.

3.0 Scope

This IT Code of Ethics Policy applies to all users of any organizational assets or systems. It applies to the organization and its management. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Organizational Rights

There are some specific organizational rights that exist regarding its resources and equipment. These rights include:

  • The organization may monitor and record activities on their systems.
  • The organization may read or monitor employee use of email if a business reason or need exists including suspicion of inappropriate activity.
  • Administrators may view some email in the process of managing email or performing their duties, but any viewing not associated with an investigation should only be incidental and kept to the minimum required to manage the email or perform duties.
  • The organization has the right to monitor or restrict employee visits to websites.
  • The organization owns information held on local computer workstations and therefore has the right to view information held there by employees. However, this information will not be viewed unless required for an investigation of improper use or a computer security incident, or unless there is a business need to access information while the employee is away or has previously left the organization.
  • The organization has the right to search personal property brought onto organizational property including but not limited to computers, purses, briefcases, envelopes, and automobiles. Searches will be performed only by authorized personnel and only for purposes of security or an investigation of abuse, policy or of the law.
  • The word "welcome" may not appear on the first system login screen.
  • If an employee, whether inadvertently or deliberately, views or uncovers information indicating the organization is breaking the law or violating a regulation, they are obligated to report it to the appropriate chain of management, bypassing any managers possibly involved with the illegal or unethical activities. The violation of law or regulations supersedes obligations of non-disclosure and/or privacy.
  • The organization has the right to suppress inbound content so long as it may threaten or be harmful to the organization and does not violate policy or terms of use of external information or products. For example, filtering out advertising on websites is only allowed if the owners of the websites have no policy against it or the material may somehow be harmful to the organization, such as when it may contain malware.

4.0 Organizational Responsibilities

There are some specific organizational responsibilities that must be exercised as organizational rights are used. These responsibilities include:

  • Users must be informed that the organization may monitor and record activities on their systems. The users do not have a need to know the method or methods used to monitor or record activities.
  • Users must be informed that the organization may read or monitor employee use of email if a business reason or need exists including suspicion of inappropriate activity.
  • Users must be informed that administrators may view their email in the process of managing email or performing their duties.
  • Users must be informed that their use of the internet may be monitored and/or recorded.
  • Users must be informed about appropriate use of the internet and the possible consequences of violations.
  • Users must be informed about appropriate use of email, telephone and all organizational systems and the consequences of violations.
  • Users must be informed that the organization may view information held on their organizationally owned workstation due to business need or during an investigation of improper use or computer security incident.
  • Users must be informed that personal property brought to organizational premises may be searched by authorized personnel for security reasons or during the course of an investigation.
  • The organization is obligated to follow the law and regulations. Violations of the law supersede any right of non-disclosure or privacy to any officials or employees of the organization.
  • The organization may not suppress advertising on websites or associated with products if the suppression of the advertising violates the terms of use of the product or website. If the organization wants to use a product or website without associated advertising, it is obligated to pay the owner of the website or product for licensed use provided without advertising.

5.0 Information Protection

The organization must support policies that prevent unauthorized or inappropriate disclosure of sensitive information.

  • Organizational management is committed to ethical conduct and prevention of unauthorized disclosure of confidential or sensitive information.
  • An organizational training program for all employees covering ethics on the job and in the IT function along with security practices to protect confidential information and organizational systems against loss of confidentiality, integrity, or availability shall be developed and implemented. Employees shall be informed about the security incident handling policy and trained about how to follow the security incident handling procedures.
  • All users shall be informed about the current code of ethical conduct on an annual basis.
  • Users shall only be granted access to IT resources after they are educated about:
    • Proper and correct use of IT resources.
    • How to handle security incidents.
    • Ethics in using IT resources.
    • Organizational security requirements.
    • Computer security training.

6.0 Enforcement

Violators of this policy may be subject to disciplinary action up to and including denial of access, legal prosecution, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

7.0 Additional Requirements

  • A Code of Ethical Conduct in line with this policy.
  • A computer security training policy.
  • A security incident policy.
  • An IT resource appropriate use policy.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________