IT Acceptable Use Policy

I. Overview

Effective security and asset management is a team effort involving the participation and support of every employee. It is the responsibility of every computer user to know these guidelines, and to conduct his/her activities accordingly.

II. Purpose

This document sets forth company policy regarding acceptable use of computing resources, including security, access to computers and resources, the monitoring, disclosure, and proper use of the company’s internal and external electronic mail systems, messages (either email or instant messaging) and attachments.

These rules are in place to protect both the employee and the company. Inappropriate use exposes the company to risks including virus attacks, compromise of network systems and services, and legal issues.

III. Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties. This policy applies to all equipment that is owned, leased, borrowed or otherwise managed by the company.

IV. Ownership and Access of Electronic Mail, Computers, and Computer Files

While IT desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of the company.

The Company owns the rights to all data and files in any computer, network, or other information system used in the Company. The Company reserves the right to monitor computer, internet, and e-mail usage, both as it occurs and in the form of account histories and their content. The Company has the right to inspect any and all files stored in any areas of the network, hard drive, or on any types of computer storage media in order to assure compliance with this policy and state and federal laws. The Company will comply with reasonable requests from law enforcement and regulatory agencies for logs, diaries, archives, or files on individual computer and e-mail activities. The Company also reserves the right to monitor electronic mail messages and their content. Employees must be aware that the electronic mail messages sent and received using Company equipment are not private and are subject to viewing, downloading, inspection, release, and archiving by Company officials at all times. No employee may access another employee's computer, computer files, or electronic mail messages without prior authorization from either the employee or an appropriate Company official.

The Company uses software in its electronic information systems that allows monitoring by authorized personnel and that creates and stores copies of any messages, files, or other information that is entered into, received by, sent, or viewed on such systems. Accordingly, employees should assume that whatever they do, type, enter, send, receive, and view on Company electronic information systems is electronically stored and subject to inspection, monitoring, evaluation, and Company use at any time. Further, employees who use Company systems and Internet access to send or receive files or other data that would otherwise be subject to any kind of confidentiality or disclosure privilege thereby waive whatever right they may have to assert such confidentiality or privilege from disclosure. Employees who wish to maintain their right to confidentiality or a disclosure privilege must send or receive such information using some means other than Company systems or the company-provided Internet access.

The Company has licensed the use of certain commercial software application programs for business purposes. Third parties retain the ownership and distribution rights to such software. No employee may create, use, or distribute copies of such software that are not in compliance with the license agreements for the software. Violation of this policy can lead to disciplinary action, up to and including dismissal.

Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Any questions on personal use should be directed to the IT Manager.

The company reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

All computing equipment given to the employee for use while employed remains the property of the company and must be returned upon request.

V. Security and Proprietary Information

Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. If a user suspects their password has been compromised, he or she should change it immediately. Passwords should be changed every 90 days and must meet password complexity rules as enforced by Active Directory (your computer login). To minimize the risk of someone guessing your password:

  • Use two or three short words that are unrelated.
  • Deliberately misspell words.
  • Take the first letter from each word of a phrase.
  • Do not use any part of the account identifier (your login ID, name, etc.).
  • Must not contain consecutive duplicate characters such as: 99 or BB
  • Must not contain consecutive-count numbers or letters such as: 1234 or ABCD
  • Do not use a proper name or any word in the dictionary without altering it in some way.

If your current password contains any of these, please change it immediately.

All PCs, laptops, tablets, and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 5 minutes or less. This is done automatically through policy, so you do not need to change this setting yourself. Users are expected to make reasonable efforts (e.g. by one or more of the following: locking, logging out, using privacy screens, etc.) to restrict the viewable access to workstations that are connected to (or are considered to be) Confidential Systems when they are going to be out of viewable range of those workstations.

Because information contained on portable computers is especially vulnerable, special care should be exercised when traveling with your computer and smartphone. Laptops, tablets, and smartphones should be kept with the employee at all times, and not allowed to be borrowed or used by third parties. Never leave them unattended, such as in a hotel room or rental car. On airplanes, laptops, tablets, and smartphones should be carried onboard as much as possible as allowed by governmental regulations. If airline regulations restrict the ability to carry on your portable computer, contact IT for instructions. If a computer or smartphone is lost or stolen, you need to contact IT immediately.

Postings by employees from a company email address to newsgroups should only be made if the posting is in the course of business duties. Postings should never be made to non-business-related sites with your company email address. Employees should be very careful about the information they post on social networking sites, such as Facebook or LinkedIn pages or Twitter "tweets", even from non-company accounts. Employees should not disclose any company sensitive information on these sites, or information that casts the company or its employees in a derogatory light. The general rule is: if you're not sure, don't post it. This is not intended to limit or prohibit use of these technologies, but is instead focused on the impact of the content published.

Non-company equipment (including, but not limited to, personal laptops and tablets, smartphones, iPods, wireless communication devices, network hubs, routers, firewalls, gateways, access control points and modems) cannot be connected to the network without the express permission of IT.

Any files or communications made or stored on company systems may be subject to discovery in litigation and may have to be produced as evidence in court. Remember that messages you delete can still be retrieved. You should never transmit anything through the Internet or email that you would not want others to see.

VI. Use of Internet

The company is not responsible for material viewed or downloaded by users from the Internet. The Internet is a worldwide network of computers that contains millions of pages of information. Users are cautioned that many of these pages contain offensive, sexually explicit, and inappropriate material. In general, it is difficult to avoid at least some contact with this material while using the Internet. Users accessing the Internet do so at their own risk.

Please be informed that streaming video or music is prohibited unless directly required for performing job responsibilities. This means no streaming video or music sites are to be accessed nor are any streaming video or music programs/applications to be downloaded.

VII. Removable Media Policy

Staff may use removable media in their work computers. Confidential information should be stored on removable media only when required in the performance of assigned duties or when responding to legitimate requests for information. When confidential information is stored on removable media, it must be encrypted in accordance with the Company Acceptable Encryption Standard Policy.

VIII. Acceptable Encryption Standard

Certain sensitive data must be encrypted. The current regulations according to the National Institute of Standards and Technology (NIST) are that all confidential data must be encrypted using the Advanced Encryption Standard (AES) encryption method. A minimum 128-bit key is required for confidential data, and a higher 256-bit key is recommended for highly confidential data.

There are many programs and methods of encrypting data that meet the Company policies and standards. Which program and method the user uses is completely up to his/her discretion but users are warned that use of encryption technology not listed in this standard may be ineffective for its intended purposes and may result in a violation of these policies if confidential information is ineffectively encrypted. Further, IT is unable to provide support for any encryption technologies other than those listed in this standard.

IX. Physical Access

This policy applies to any individual who has been granted authorized access to any company property. All key and building access key cards.
Access to information resource areas and facilities must be granted only to authorized personnel whose job responsibilities require access.

Employees are responsible for the keys and access cards assigned to them.

No person shall knowingly possess an unauthorized company key or access card.

In the event a key or key card is lost or stolen, please notify your manager immediately. If at Corporate, please notify IT immediately.

All physical access to facilities by third parties (visitors, customers, vendors, subcontractors, etc.) must be logged (i.e. through sign-in sheets) for entry time, exit time, purpose, and the employee who allowed (enabled) the facility entry. Vendors should always be escorted by an employee when in a facility covered by this policy. Sign-in sheets or visitor logs must be kept for the current year plus 1 year. For Regional Treatment Centers, sign-in sheets or visitor logs must be kept for the current year plus 3 years.

X. VPN

Approved employees and authorized third parties (customers, vendors, subcontractors, etc.) may use the company VPN. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to LSSS internal networks. VPN gateways will be set up and managed by LSSS IT staff.

Users of computers that are not LSSS/TCS/DR-owned equipment must configure the equipment to comply with LSSS Remote Access Policy.

XI. Malicious Code and Anti-Virus Protection

All computers or other equipment used by the employee that are connected to the Internet/Intranet/Extranet shall be continually executing approved antivirus-scanning software with a current virus database. IT will maintain antivirus software on all corporate systems. You cannot disable, uninstall or terminate antivirus scanning software without the permission of IT.

All users will follow the procedures given below to prevent, detect and remove computer viruses:

  • Do not configure Microsoft Outlook to enable the preview pane.
  • Do not open email messages from unknown or suspicious looking senders.
  • Do not open email attachments from unknown or suspicious looking senders.
  • Do not open email attachments from known users if you are not expecting the attachment.
  • Any computer files that are stored on any removable media (diskettes, CDs) will be scanned for computer viruses before the files are copied to the hard disk drive.
  • Do not download files from Internet websites, unless the website is trusted and proper authorization has been received.
  • Contact IT immediately if it is suspected that a computer virus may have infected a workstation.

XII. Message Storage, Retention, and Deletion

The email of employees who leave the company will be retained for up to 30 days. During this time, the manager of the employee can request access to the emails and assistance with setting up an automated response for this account. After 30 days the account will be closed.

XIII. Confidential Data

All employees must safeguard confidential information as part of their daily actions and work routines.

Users must not attempt to access any data, documents, email correspondence, and programs contained on corporate systems for which they do not have authorization.

All reasonable efforts should be made to avoid storing confidential data on computers (especially tablets and laptops) and mobile devices, including PDAs, BlackBerries, flash drives, etc. In the event that there is no alternative to local storage, all confidential data must be encrypted.

Any device that has the capability to capture, store, or transmit a still or motion image of any document, person, or environment under the authority of this Contract must have the image-capturing function disabled or powered off when the user is operating in any area with access to DFPS information or other restricted DFPS environments. Exemptions to this requirement include dedicated document scanning devices and other equipment designed specifically to capture document images for archival storage.

For authorized personnel, confidential data may be made available on a need-to-know basis as and when required. For all other persons, access to such information must be prohibited.

Unauthorized modification, transmitting or other dissemination of confidential information is strictly prohibited. Unauthorized dissemination of this information may result in disciplinary or legal action as appropriate.

Confidential information should be safely stored and protected while on file servers, network drives, workstations, and during any type of transmission. Authorized access should be enforced. Network or directory share information showing where the confidential information is stored must not be publicly viewable.

Confidential data should not be emailed or faxed unless there is no other method available to transmit the information. Confidential information sent via email must be sent from the user's official corporate email account.

Employees must not download and store confidential information on their personal computers, external hard drives, thumb/pen drives, CDs/DVDs, or any removable device unless it is encrypted.

Printed reports that contain confidential data must not be left available to the public. All printed confidential data must be shredded or disposed of into locked bins.

Employees will be periodically audited to ensure compliance with and enforcement of this policy.

XIV. Unacceptable Use

The activities in the following sections are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities. Such exemptions require the approval of your SLT member or IT Manager.

Under no circumstances is an employee authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing company-owned resources.

The lists below provide a framework for activities which fall into the category of unacceptable use.

XV. System and Network Activities

The following activities are strictly prohibited, with no exceptions:

  1. Engage in activity that might be harmful to systems or to any information stored thereon, such as creating or propagating viruses, disrupting services, or damaging or deleting files and directories.
  2. Attempt to circumvent or subvert system or network security measures.
  3. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by the company.
  4. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and copyrighted video for which the company does not have an active license is strictly prohibited. The installation of any copyrighted software for which neither the company nor the end user has a valid active license is prohibited.
  5. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal.
  6. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
  7. Revealing your domain account password to others or allowing use of your domain account or access to company resources by others. This includes coworkers. This includes family and other household members when work is being done at home.
  8. Using a company computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment, discrimination or hostile workplace laws in the user's local jurisdiction.
  9. Using a company computing asset to communicate derogatory or inflammatory remarks about an individual’s race, age, disability, religion, national origin, physical attributes, or sexual preference, or that contains abusive, profane or offensive language.
  10. Viewing or communicating X-rated or pornographic materials on a company computing asset.
  11. Using a company computing asset for any purpose that is illegal, against company policy, or contrary to the company’s best interest is prohibited. Solicitation of non-company business or any use of the systems for personal gain is prohibited.
  12. Making fraudulent offers of products, items, or services originating from any company account.
  13. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular job duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  14. Port scanning or security scanning is expressly prohibited unless this activity is a part of the employee's normal job/duty.
  15. Executing any form of network monitoring which will intercept data not intended for a computer on the company network, unless this activity is a part of the employee's normal job/duty.
  16. Circumventing user authentication or security of any host, network or account.
  17. Using any program, script, command, or sending messages of any kind, with the intent to interfere with or disable a user's system, via any means, locally or via the Internet or Intranet.

XVI. Email and Communications Activities