Acceptable Use Policy

1.0 Purpose

This policy outlines the acceptable use of the organization's information technology resources. Its purpose is to ensure these resources are used for legitimate business purposes, to protect employees, partners, and the organization from illegal, damaging, or unethical actions conducted knowingly or unknowingly via these resources, and to safeguard the confidentiality, integrity, and availability of information systems. The organization is committed to a culture of openness, trust, and integrity, and this policy supports these values by defining clear expectations for responsible use. Effective security is a shared responsibility, requiring the participation and support of every user.

2.0 Scope

This policy applies to all employees, contractors, consultants, temporary staff, vendors, agents, and other workers of the organization and its subsidiaries ("Users"). It governs the use of all information, electronic and computing devices, network resources, and systems (including internet, intranet, extranet, email, and cloud services) owned, leased, or managed by the organization, as well as personal or third-party devices when used to conduct organization business or interact with internal networks and business systems.

3.0 Policy Statements

3.1 Ownership and General Use

*   All organization-provided IT resources, including but not limited to computer equipment, software, operating systems, storage media, network accounts, and associated data, are the property of the organization.
*   These systems are intended primarily for business purposes in the service of the organization's interests and its clients/customers. Limited personal use may be permissible provided it is brief, occasional, does not interfere with work duties, does not consume significant resources, and complies with all organizational policies (including this AUP). Users should have no expectation of privacy when using organizational resources. Refer to Human Resources policies for further details on personal use expectations.
*   Users are responsible for exercising good judgment regarding appropriate use of information and electronic devices, and for conducting their activities in accordance with organizational policies, standards, and applicable laws and regulations.

3.2 Security Requirements

*   Users must comply with the organization's Password Policy for all system and user-level passwords. Sharing passwords or allowing others (including family members) to use your account is strictly prohibited.
*   All mobile and computing devices used to access organizational resources must comply with the Minimum Access Policy and relevant workstation security standards.
*   Workstations must be secured (screen locked or logged off) when unattended. Password-protected screensavers with an automatic activation of 10 minutes or less are required.
*   Users must exercise extreme caution when handling emails or files from unknown senders or unverified sources, particularly regarding opening attachments or clicking links that could contain malware.
*   Providing unauthorized access to organizational resources, either deliberately or through failure to secure credentials or devices, is prohibited.

3.3 Proprietary and Confidential Information

*   Users must handle proprietary and confidential organizational information appropriately, adhering to the Data Classification Policy and Data Protection Standard.
*   When posting to external forums (newsgroups, etc.) from an organizational email address or identifying oneself as affiliated with the organization, users must include a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of the organization, unless the posting is an official duty.
*   Providing information about or lists of organizational employees to external parties without authorization is prohibited.

3.4 Unacceptable System and Network Activities

The following activities are strictly prohibited:

*   Engaging in any activity that is illegal under local, state, federal, or international law.
*   Violating intellectual property rights (copyright, patent, trade secret), including installing or distributing unlicensed ("pirated") software, or unauthorized copying of copyrighted materials (music, images, text, etc.).
*   Introducing malicious software (e.g., viruses, worms, Trojan horses, ransomware, spyware) into the network.
*   Attempting or effecting security breaches or disruptions:
    *   Unauthorized access to data, servers, or accounts.
    *   Network sniffing, port scanning, security scanning, packet spoofing, denial-of-service attacks, ping floods, or forging routing information without explicit authorization from the designated IT authority (e.g., Precision Computer).
    *   Circumventing user authentication or security measures of any host, network, or account.
    *   Network monitoring which will intercept data not intended for the user's device, unless explicitly authorized as part of job duties.
    *   Interfering with or denying service to any user or system.
    *   Using programs/scripts/commands or sending messages intended to interfere with or disable another user's session.
*   Introducing honeypots, honeynets, or similar unauthorized security-testing technologies onto the network.
*   Exporting software or technical information in violation of export control laws. Consult management if unsure.

3.5 Unacceptable Email and Communication Activities

The following activities are strictly prohibited:

*   Sending unsolicited bulk email ("spam"), junk mail, chain letters, "Ponzi" or pyramid schemes.
*   Engaging in harassment via email, messaging, or other communication channels (based on language, frequency, or message size).
*   Unauthorized use or forgery of email header information.
*   Soliciting email for addresses other than one's own with the intent to harass or to collect replies fraudulently.
*   Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
*   Using organizational resources to procure or transmit material that violates sexual harassment or hostile workplace laws.
*   Making fraudulent offers or unauthorized statements about warranties.

3.6 Blogging and Social Media

*   All activities on blogs, wikis, social networking sites, and related platforms are subject to this AUP, whether using organizational or personal computer systems, if the activity relates to the organization or identifies the user as affiliated with it. Refer to the organization's Social Media Policy for detailed guidance.
*   Users must not disclose organizational confidential or proprietary information or trade secrets.
*   Users must not engage in blogging or social media activities that could harm the organization's reputation or goodwill, or involve discriminatory, disparaging, defamatory, or harassing content prohibited by other organizational policies (e.g., Non-Discrimination and Anti-Harassment).
*   Users must not attribute personal statements, opinions, or beliefs to the organization. If expressing personal opinions while identifying affiliation, clearly state that the views are personal.
*   Organizational trademarks, logos, or intellectual property may not be used in connection with personal blogging or social media activities without authorization.

4.0 Compliance

4.1 Compliance Measurement

The designated IT authority (e.g., Precision Computer team) will verify compliance with this policy through various methods, including but not limited to monitoring network traffic, reviewing system logs, audits (internal and external), inspection of devices, and analysis of reports from security tools. User activity on organizational resources may be monitored without notice.

4.2 Exceptions

Certain restrictions (e.g., security scanning, network monitoring) may be exempted for specific job responsibilities (e.g., IT system administration) with appropriate authorization. Any other exception to this policy requires formal, documented justification and advance approval from the designated IT authority (e.g., Precision Computer team).

4.3 Enforcement

Violation of this policy may result in disciplinary action, up to and including termination of employment or contract, as well as potential legal action. Access privileges may be restricted or revoked pending investigation.

*   **Related Policies:**
    *   Data Classification Policy
    *   Data Protection Standard
    *   Human Resources Policies (regarding personal use, conduct)
    *   Minimum Access Policy
    *   Non-Discrimination and Anti-Harassment Policy
    *   Password Policy
    *   Social Media Policy
    *   Workstation Security Policy/Standards
*   **Definitions:**
    *   **Blogging:** Writing and publishing posts on a blog (web log).
    *   **Honeypot/Honeynet:** Decoy computer systems set up to attract and detect unauthorized use attempts or malware.
    *   **Proprietary Information:** Information owned by the organization, often confidential, providing a competitive advantage (e.g., trade secrets, internal processes, customer lists).
    *   **Spam:** Unsolicited bulk electronic messages, typically commercial emails.
