JustFAB Acceptable Use Policy
Version Control

Version | Date      | Author               | Modifications
1.0     | 6/24/2014 | Jason Loomis, VP IT  | Initial release

Security/Operations Page 1 of 8
1. Overview

The functioning and success of JustFAB is critically dependent on information and information systems. If important information were disclosed to inappropriate or unauthorized persons, the company could be held financially liable by our customers and partners. The good reputation that JustFAB is establishing is also directly linked with the way that it manages both information and information systems. For example, if private customer information were to be publicly disclosed, the organization’s reputation would be harmed as well as subjecting JustFAB to serious risk of lawsuits.

Executive management has initiated and continues to support an information security effort. One part of that effort is the definition of these information security policies. To be effective, information security must be a team effort involving the participation and support of every JustFAB worker who deals with information and information systems. In recognition of the need for teamwork, this policy statement clarifies the responsibilities of users and the steps they must take to help protect JustFAB information and information systems.

2. Purpose

The purpose of this policy is to outline the acceptable use of computer equipment, networks and infrastructure at JustFAB and to ensure rules are in place to protect JustFAB workers and JustFAB.

3. Scope

This policy applies to employees, contractors, consultants, interns, vendors and other workers at JustFAB, including all personnel affiliated with third parties. This policy applies to all computer and network systems owned, leased, licensed or administered by JustFAB. This includes, but is not limited to, all operating systems, computer systems, and application systems.

The policy covers only information handled by computers and networks. Although this document includes mention of other manifestations of information such as voice and paper, it does not directly address the security of information in these forms.
For information about the protection of information in paper form, see the employee handbook.

4. Policy

4.1. Need to know

Access to information in the possession of, or under the control of, JustFAB must be provided based on a need to know. Information must be disclosed only to people who have a legitimate business need for the information. Workers must not attempt to access sensitive information unless the appropriate management has granted them access. When a worker changes job duties, including termination, transfer, promotion and leave of absence, his or her supervisor must immediately notify Human Resources.

4.2. Information Classification

JustFAB has adopted an information classification system that categorizes information into three groupings. All information under JustFAB control, whether generated internally or externally, falls into one of these categories: Secret, Confidential, or Public. All workers must familiarize themselves with the definitions for these categories and the steps that must be taken to protect the information within each of these categories. Details can be found in the JustFAB Information Classification Standard. For purposes of this policy, “sensitive information” is information that falls into either the Secret or Confidential categories.

4.2.1. Secret

This classification label applies to the most sensitive business information that is intended for use strictly within JustFAB. Its unauthorized disclosure could seriously and adversely impact JustFAB, its customers, its business partners, and its suppliers. Examples include but are not limited to merger and acquisition documents, corporate level strategic plans, litigation strategy memos, reports on breakthrough new product research, and Trade Secrets such as certain computer code or programs.

4.2.2. Confidential

This classification label applies to less-sensitive business information that is intended for use within JustFAB. Its unauthorized disclosure could adversely impact JustFAB or its customers, suppliers, business partners, or employees. Information that some people would consider to be private is included in this classification.
Examples include employee performance evaluations, customer transaction data, strategic alliance agreements, unpublished internally-generated market research, computer passwords, identity token personal identification numbers, and internal audit reports. Personally Identifiable Information, Credit Card information, and other applicable information are examples of Confidential Information. If information or a system has no label or its classification is not known, it is to be considered Confidential and handled according to the “Confidential” rating noted within this policy.

4.2.3. Public

This classification applies to information that has been approved by JustFAB management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be disseminated without potential harm. Examples include finalized product and service brochures, advertisements, job opening announcements, and press releases.

4.2.4. Additional Information

For additional guidance on labeling and handling of Secret and Confidential information, refer to the JustFAB Information Classification Standard or contact the IT Security Department.

4.3. User IDs and Passwords

JustFAB requires that each worker accessing multi-user information systems have a unique user ID and a private password. Each worker is personally responsible for the usage of his or her user ID and password. Passwords must follow the guidelines below (for additional guidance, refer to the JustFAB Information Security Policy on the selection of IT Security approved passwords).

Minimum password requirements
Your password must be at least 8 characters long.
Your password cannot contain more than two consecutive characters of your full name.
Your password must contain characters from three of the four following categories:
  o English uppercase characters (A through Z)
  o English lowercase characters (a through z)
  o Base 10 digits (0 through 9)
  o Non-alphabetic characters (all symbols)

Difficult-to-guess passwords - Passwords must not be related to one’s job or personal life or be common words found in a dictionary (regardless of language).

Repeated password patterns - Users must not construct passwords that are identical or substantially similar to passwords they have previously employed.

Password storage - Passwords must not be stored in readable form in batch files, automatic logon scripts, software macros, terminal function keys, in computers without access control systems, or in other locations where unauthorized persons might discover them. Passwords must not be written down in some readily decipherable form and left in a place where unauthorized persons might discover them.

Sharing passwords - Passwords must never be shared with or revealed to others except when first created by IT.

Suspected unauthorized use - If a user believes that his or her user ID and password are being used by someone else, the user must immediately notify Info Sec.

4.4. Release of Information to Third Parties

Unless it has specifically been designated as public information, all JustFAB internal information must be protected from disclosure to third parties. Third parties may be given access to JustFAB internal information only when a demonstrable need to know exists and when a JustFAB non-disclosure agreement has been signed. If sensitive information is lost, is disclosed to unauthorized parties, or is suspected of being lost or disclosed to unauthorized parties, the Security Department must be notified immediately.

4.5. Physical Security to Control Information Access

Access to every office, computer machine room, and other JustFAB work area containing sensitive information must be physically restricted to those people with a need to know. When not in use, Secret/Confidential information must always be protected from unauthorized disclosure.
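A checker for the minimum password requirements in section 4.3, added here as an illustration and not part of the JustFAB policy itself. It assumes the full-name comparison is case-insensitive and ignores spaces, and reads "all symbols" as ASCII punctuation; the sample name and passwords are constructed.

```python
import string

# Constructed implementation of the three "minimum password requirements"
# in section 4.3 of the JustFAB Acceptable Use Policy.
# Assumptions (the policy does not say): the name check is case-insensitive,
# spaces in the name are ignored, "more than two consecutive characters" means
# any run of three or more adjacent name characters, and "all symbols" means
# ASCII punctuation.

MIN_LENGTH = 8
MAX_NAME_RUN = 2

CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def name_runs(full_name: str, run_len: int) -> set:
    """Every substring of run_len adjacent characters of the name, spaces removed."""
    compact = full_name.replace(" ", "").lower()
    return {compact[i:i + run_len] for i in range(len(compact) - run_len + 1)}


def check_password(password: str, full_name: str) -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if any(run in lowered for run in name_runs(full_name, MAX_NAME_RUN + 1)):
        failures.append(f"contains more than {MAX_NAME_RUN} consecutive characters of the user's name")
    present = [name for name, chars in CATEGORIES.items() if any(c in chars for c in password)]
    if len(present) < 3:
        failures.append(f"uses only {len(present)} of 4 character categories: {present}")
    return failures


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    for candidate in ("Tr0ub4dor&", "Rivera2014!", "password", "short1A"):
        print(candidate, "->", check_password(candidate, "Alex Rivera") or "OK")
```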
Workers must position their computer screens such that unauthorized people cannot look over their shoulder and see the Secret/Confidential information displayed.

4.6. Network Connections

All JustFAB computers that store Secret/Confidential information and that are permanently or intermittently connected to internal computer networks must have a password-based access control system. Users working with all other types of computers must employ the screen saver passwords that are provided with operating systems, so that after a period of no activity the screen will go blank until the correct password is again entered. Multi-user systems throughout JustFAB must employ automatic log-off systems that terminate a user’s session after a defined period of inactivity.

It is prohibited to enable your computer as a hotspot while connected to the JustFAB corporate or wireless networks. Only approved IT network devices are allowed on the JustFAB corporate network; this includes, but is not limited to, wireless access points, network hubs/switches, and media devices such as Sonos/Roku. When using JustFAB computers, JustFAB workers must not establish connections with external networks including, but not limited to, Internet Service Providers, anonymizers, or remote access software to non-JustFAB systems, unless these connections have been approved by the IT Security Department.

4.7. Internet Access

Workers are provided with Internet access to perform their job duties. All information received from the Internet should be considered suspect until confirmed by reliable sources. Secret/Confidential information, including, but not limited to, passwords and credit card numbers, must not be sent across or placed on the Internet unless this information is encrypted and such transmission has been authorized. These and related considerations are discussed in greater detail in the Internet Communications Standard and the Electronic Mail Standard.

Using company-provided Internet access to view or store offensive or objectionable material or information is prohibited. Workers are prohibited from using company-provided Internet access to engage in any actions that violate any federal, state or local laws or regulations.
4.7.1. Electronic Mail

Every JustFAB worker who uses computers in the course of their regular job duties will be provided with a JustFAB email address. A personal Internet service provider electronic mail account or any other electronic mail address must not be used for JustFAB business. These and related considerations are discussed in greater detail in the Electronic Mail Standard.

Using electronic mail to send offensive or objectionable material or information is prohibited. Workers are prohibited from using the company’s electronic mail to transmit or receive any information in violation of federal, state or local laws or regulations, including trade secrets. These and related considerations are discussed in greater detail in the Internet Communications Standard and the Electronic Mail Standard.

4.8. Security Software

All personal computers provided by JustFAB may have security software installed and enabled. Workers must not bypass, tamper with, modify, remove or disable any security software.

4.8.1. Malicious software

All computers connected to the JustFAB network must have approved anti-malware software installed as applicable. Any non-JustFAB-managed anti-malware software must have the most current updates. Anti-malware screening software must be used to scan all software and data files coming from third parties. This scanning must take place before new data files are opened and before new software is executed. If workers suspect infection by malware they must immediately stop using the involved computer, disconnect it from the network, and notify the JustFAB Servicedesk.

4.9. Software

JustFAB computers and networks must not run software that comes from sources other than JustFAB, knowledgeable and trusted user groups, well-known systems security authorities, or established computer, network, or commercial software vendors. Users must not copy software provided by JustFAB to any storage media, transfer such software to another computer, or disclose such software to outside parties without advance permission from their manager.

4.10. Backup Responsibility

Backups are not generally provided for personal computers. Any data located on the user’s personal computer that may require a backup must be copied/moved to a JustFAB-provided network resource. Third-party backup solutions are strictly prohibited.

4.11. Right to Search and Monitor

JustFAB management reserves the right to monitor, inspect, or search at any time all JustFAB information systems, networks, files and emails. This examination may take place with or without the consent, presence, or knowledge of the involved workers.
All searches of this nature will be conducted after the approval of the Legal and Security departments has been obtained. Because JustFAB computers and networks are provided for business purposes only, and at all times remain the property of JustFAB, workers have no expectation of privacy associated with the information they store in or send through these information systems, networks and/or devices.

4.12. Personal Use

JustFAB information systems are intended to be used for business purposes only. Incidental personal use is permissible if the use does not consume more than a trivial amount of resources that could otherwise be used for business purposes, does not interfere with worker productivity, does not preempt any business activity and is appropriate within a business environment.

4.13. Security Testing

Unless specifically authorized by the IT Security Department, JustFAB workers must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security. Without this type of approval, workers are prohibited from using any hardware or software that monitors the traffic on a network or the activity on a computer.

5. Violation and Incident Reporting

All JustFAB workers must report suspected violations of this policy or any other Information Security policy or standard. Additionally, all JustFAB workers will report to the IT Security Department any actual or suspected security issues or losses including, but not limited to, system intrusions, malicious software infestations, and other conditions that might jeopardize JustFAB information or JustFAB information systems.

6. Enforcement

Failure to comply with, or violation of, these policies may subject workers to disciplinary warnings and/or disciplinary action including possible termination and prosecution.