Appendix C. Information Systems Acceptable Use Agreement and Policy

Information Systems Acceptable Use Agreement

Effective security is a civic responsibility and a team effort involving the participation and support of every information systems user and affiliate who deals with information and/or information systems. It is the responsibility of every information systems user and affiliate to know, understand, and adhere to our Information Systems Acceptable Use Policy and to conduct their activities accordingly.

Distribution

All information systems users shall receive a copy of the Information Systems Acceptable Use Policy during orientation and thereafter on an annual basis. Users must acknowledge their acceptance by signing an Information Systems Acceptable Use Agreement within a time period to be specified by management. Any user who does not sign the acceptable use statement will have all access to information systems removed and may have their employment terminated.

Information Systems Acceptable Use Agreement

I certify that I have read and fully understand the Information Systems Acceptable Use Policy. I understand and acknowledge my obligations and responsibilities.

I understand and acknowledge that should I become aware of any misuse of information or information systems, I am obligated to inform a member of management immediately.

I understand and acknowledge that the Company reserves the right to monitor system activity and usage, including Internet activity. My signature on this document means I have consented to this monitoring.

I understand and acknowledge that there should be no expectation of privacy or ownership. All emails, files, and documents—including personal messages, files, and documents—created, sent, received, or stored on information systems or devices that are owned, leased, administered, or otherwise under the custody and control of the Company are the property of the Company and may be subject to review.

I further understand and acknowledge that violation of this policy may result in disciplinary action. Depending on the severity or frequency of the violations, this could include:

1. Counseling statements for policy violations.

2. A suspension or termination of access permissions, which could result in a job reassignment and compensation modification.

3. A termination of employment.

4. Personal liability under applicable local, state, or international laws.

Acknowledged and agreed to by: ____________________________________   ______________
                               Information Systems User Signature        Date

Name (Printed) _______________________________________________________

Please complete and send this form to HR.

Acceptable Use of Information Systems Policy

1.0 Data Protection

1.1. Access to information systems is restricted to authorized users with a need-to-know.

1.2. Information systems users must utilize Company systems and devices solely for the purposes for which they were granted access.

1.3. All information systems users are expressly forbidden from accessing, or from attempting to access, any data or programs for which they do not have authorization or explicit consent.

1.4. In the event that an information systems user is sent or inadvertently accesses files that contain information that the user does not have a “need to know,” or authority to receive, the user is required to immediately secure the material from view and notify their supervisor.

1.5. Customer-related files are classified as “protected.” Please refer to the Data Handling Requirements Matrix for instructions on working with “protected” data.

1.6. Company-related files are classified as “confidential.” Please refer to the Data Handling Requirements Matrix for instructions on working with “confidential” data.

1.7. Information systems users are forbidden from making copies of any data from any Company information system or device unless approved by management.

1.8. Data may not be removed, transported, or transmitted from the Company without the specific and expressed approval of the Information Security Officer. If approved, only storage media and transmission technology provided by the Company may be used.

1.9. Pictures or videos of information systems, data, facilities, or other workforce personnel may not be taken without the specific and expressed permission of the Information Security Officer.

2.0 Authentication and Password Controls

2.1. Information systems users are required to log in using their assigned username and password regardless of the workstation or device being used. Every user is responsible for any and all actions performed that are associated with their network or application account.

2.2. It is important to protect login credentials from disclosure. Users must not share or disclose their user account(s), passwords, personal identification numbers (PINs), security tokens, or similar information or devices used for identification and authorization purposes.

2.3. Users must not circumvent password entry with auto-login, application remembering, embedded scripts, or hard-coded passwords in client software.

2.4. Users must not use any Company password for personal applications, including email and social media accounts.

2.5. Users must report all password compromises or attempted compromises to the Help Desk.

2.6. Network, Company application, mobile device, and Internet passwords must meet or exceed the following criteria:

• Passwords must be at least eight characters long and must be composed of a minimum of three out of the following four types of characters: numbers, lowercase letters, uppercase letters, and special characters (such as #, &, *, and so on).

• The password must not include the user’s first or last name, and should not contain obvious words or names such as those of children, pets, or favorite hobbies.

• Passwords must be changed at least every 90 days.

• Users are not permitted to reuse any of their last ten passwords when selecting a new password.
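The four criteria in Section 2.6 can be enforced mechanically at password-change time. The following checker is an added illustration, not part of the policy or of any Company system; it assumes that previous passwords are kept only as salted PBKDF2 hashes (the round count is an assumed value, the policy specifies none) and that the obvious-word list is supplied by the caller.

```python
import hashlib
import os
from datetime import date

# Policy parameters, taken from Section 2.6 of the policy text.
MIN_LENGTH = 8
MIN_CLASSES = 3          # at least three of the four character classes
MAX_AGE_DAYS = 90        # passwords must be changed at least every 90 days
HISTORY_DEPTH = 10       # the last ten passwords may not be reused
PBKDF2_ROUNDS = 100_000  # assumed value; the policy does not specify a hash


def character_classes(password):
    """Return the set of character classes present in the password.

    Anything that is not a digit, lowercase or uppercase letter is treated
    as a "special" character, which matches the policy's four-class rule.
    """
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digit")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        else:
            classes.add("special")
    return classes


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; only hashes are kept in the history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def store_password(password):
    """Create a history entry (salt, hash) for a newly accepted password."""
    salt = os.urandom(16)
    return (salt, hash_password(password, salt))


def check_password(password, first_name, last_name, history, obvious_words=()):
    """Return a list of Section 2.6 violations; an empty list means compliant.

    history: list of (salt, hash) entries for the user's previous passwords,
    newest first. Only the most recent HISTORY_DEPTH entries are consulted.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    # Name and obvious-word checks are case-insensitive substring matches.
    for name in (first_name, last_name):
        if name and name.lower() in lowered:
            violations.append(f"contains the user's name '{name}'")
    for word in obvious_words:
        if word and word.lower() in lowered:
            violations.append(f"contains obvious word '{word}'")
    # Reuse check: re-hash the candidate with each stored salt and compare.
    for old_salt, old_hash in history[:HISTORY_DEPTH]:
        if hash_password(password, old_salt) == old_hash:
            violations.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return violations


def password_expired(last_changed, today=None):
    """True once the password is older than MAX_AGE_DAYS (the 90-day rule)."""
    today = today or date.today()
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample user: name "Pat Jones", one stored previous password.
    history = [store_password("Summer2024!")]
    for candidate in ("Summer2024!", "patjones", "Wr3n-Harbour"):
        problems = check_password(candidate, "Pat", "Jones", history, obvious_words=("fluffy",))
        print(candidate, "->", problems or "compliant")
    print("expired:", password_expired(date(2024, 1, 1), today=date(2024, 4, 1)))
```

The name and obvious-word tests are deliberately simple substring matches, so very short names will produce false positives; a deployment would tune that list rather than weaken the length or class rules.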

2.7. Computing devices must not be left unattended without enabling a password-protected screensaver, locking the workstation, or completely logging off the device.

3.0 Application Security

3.1. Only applications that are legally licensed to the Company may be installed on any of the Company computer systems or devices. If trial software is installed, it must be uninstalled after the trial period has expired unless a full-use license is purchased.

3.2. Before an application can be installed on any of the Company systems, the application must be evaluated and approved by the Information Security Officer or designee to ensure that it meets minimum security requirements.

3.3. Applications must be able to support access privileges adequate for the classification level of the information being handled.

3.4. Applications, upgrades, and enhancements to be installed on information systems must follow the Company change control process.

3.5. Information systems users must not make unauthorized copies of copyrighted software.

4.0 Messaging Use and Security

4.1. For the purpose of this policy, the term “messaging” applies broadly to email messages, text messages, BlackBerry messages, iPhone/iPad messages, and all similar technologies.

4.2. All messages are the property of the Company. The Company has the right, with or without cause, to review, examine, archive, retrieve, restore, investigate, and delete all messages.

4.3. Regular (non-secure) messaging should never be used to send or transmit customer data outside of the Company. Customer information can be sent via encrypted email. To do so, include the word “secure” in the subject line.

4.4. Customer-related messages must not be forwarded under any circumstances to personal accounts.

4.5. Information systems users must not open attachments that arrive from an unknown or unrecognizable source.

4.6. Access to personal email accounts (such as Yahoo!, Google, Hotmail, and so on) from inside the Company network is not allowed.

4.7. Anonymous or disguised e-messages are prohibited under all circumstances, as are bulk emails (“spam”) and chain letters.

4.8. Company messaging systems are not to be used for the transmission of funding solicitations, requests for donations, and so on, whether initiated by the information systems user or forwarded from another source.

5.0 Internet Use and Security

5.1. Internet access from Company premises is for business purposes. Personal use is at the discretion of departmental management.

5.2. Internet access is subject to filtering at the discretion of the Company.

5.3. Access to social media sites such as Twitter and Facebook is allowed only for those information systems users that have an approved business need.

5.4. Internet access is monitored.

5.5. Information systems users must not download software, shareware, or freeware from any Internet site without the expressed permission of an information technology department employee.

5.6. Information systems users must not knowingly visit Internet sites that contain obscene, hateful, or other objectionable materials; send or receive any material, whether by email, voice mail, memoranda, or oral conversation, that is obscene, defamatory, harassing, intimidating, offensive, discriminatory, or that is intended to annoy, harass, or intimidate another person.

5.7. Information systems users must not knowingly violate copyrights or intellectual property laws.

5.8. Information systems users must not knowingly engage in activities that violate local, state, or federal laws.

6.0 Mobile Devices Security

6.1. Mobile device users are subject to all Acceptable Use requirements contained herein.

6.2. Only approved mobile devices may be used to access Company information resources.

6.3. Mobile device use must be authorized by the Director of Information Technology.

6.4. Mobile device users will be required to acknowledge and sign a Mobile Device Agreement.

6.5. All mobile devices must be encrypted.

6.6. Mobile device passwords must conform to the password requirements detailed in Section 2.6 of this policy.

6.7. Mobile devices will be configured to be wiped after five failed password attempts.

6.8. Mobile devices will be configured with screen savers that lock after ten minutes of inactivity.

6.9. Mobile device users are responsible for ensuring the devices are secured and properly stored at all times.

6.10. Lost or stolen portable devices must be reported to the Help Desk immediately.

6.11. Mobile devices must be returned to the Company during periods of extended absence, upon termination, or upon request of management.

7.0 Remote Access Security

7.1. Remote access users are subject to all Acceptable Use requirements contained herein.

7.2. Remote access users must be authorized by the Information Security Officer.

7.3. Remote access users will be required to acknowledge and sign a Remote Access Agreement.

7.4. Only Company-owned equipment may be used for remote access connections.

7.5. All remote access sessions require multifactor authentication.

7.6. Split tunneling is not allowed. All traffic during remote sessions must be directed through the corporate network.

7.7. Remote access sessions will be automatically disconnected after one minute of inactivity.

8.0 Incident Detection and Reporting

8.1. Information systems users should immediately notify their supervisor or the Information Security Officer if there is any suspicion or cause for concern about the safety and security of customer or Company information or information systems.

8.2. In the event malware is suspected:

• Immediately contact the Help Desk.

• Do not continue to use the device.

• Do not turn off the device.

• Make no attempt to remove the malware.
