Acceptable Use Policy


[Company Name]
Section: Policy Manual
Policy Title: Acceptable Use Policy
Policy Owner (section/department):
Policy Number:
Date Effective:

I. PURPOSE

Information, communications and technology resources are made available to <Name of Company>'s officers and employees, including those of its affiliates, to facilitate its mission, in accordance with its core values and aligned with the principles, goals, and ideals described in its Vision Statement.

Therefore, the purpose of this policy is to outline the standards for the acceptable uses of information, communications and technology resources.

II. SCOPE AND APPLICABILITY

This policy applies to all users of the company's computing resources, such as networks and applications, including all company-owned, licensed, or managed hardware (end-user devices such as computers) and software.

III. DEFINITION OF TERMS

EMAIL “BOMBING”. Deliberate sending of hundreds or thousands of identical messages to a particular person's e-mail address. This kind of denial-of-service (DoS) attack saturates the victim's e-mail capacity.

EMAIL “SPAMMING”. A variant of bombing which refers to sending email to hundreds or thousands of users (or to lists that expand to that many users). It can be made worse if recipients reply to the email, causing all the original addressees to receive the reply. It may also occur innocently, as a result of sending a message to mailing lists and not realizing that the list explodes to thousands of users, or as a result of an incorrectly set-up responder message. E-mail spam is also known as junk e-mail or unsolicited bulk e-mail (UBE).

EMAIL FLOODING. A denial-of-service (DoS) attack that sends large quantities of emails, often with large attachments, in order to disable a network or part of a network.

BROADCAST or “SMURF” ATTACKS. A variety of distributed denial-of-service (DDoS) attack, called an amplification attack, which is accomplished by flooding a victim computer with ICMP echo and reply messages sent to one or more unprotected intermediary network broadcast addresses.

IV. COMMENCEMENT

This policy commences on the date of its approval.

V. POLICY

Access to <Name of Company>'s information, communications and technology resources is a privilege, not a benefit, and shall be treated with the highest level of ethical and legal standards.

Preserving this access to information, communications and technology resources is a concerted effort that requires each officer and employee to act responsibly by 1) protecting the confidentiality, availability, and integrity of these resources; and 2) guarding them against all kinds of threats and abuses.

Therefore, both <Name of Company> as a whole and each officer and employee have an obligation to abide by the following standards:

A. General acceptable and ethical use:
1) Information, communications and technology resources and data shall be used only when authorized, only to the extent of the authority provided, and only for their intended purpose.
2) Reasonable efforts shall be exerted to protect individual passwords to all accounts and to secure resources and data against unauthorized use or access.
3) Use of another individual's account, or any attempt to capture or guess other users' passwords, is strictly prohibited.
4) Individual account holders shall be responsible for the appropriate use of all resources and data provided by the company and shall be accountable to the company for all use of such resources and data.

B. System and Network Security
1) Violations of system or network security are strictly prohibited, and may result in criminal and/or civil liability. The following are considered as violations:
• Unauthorized access to systems and programs, including networks, security software and all other administrative applications;
• Unauthorized use of data, systems or networks, including downloading of tools that are generally used to breach security or to attack computer systems or networks (e.g., password "crackers", vulnerability scanners, network sniffers, etc.);
• Unauthorized monitoring of data or traffic on any network or system;
• Deliberate disruption of service to any user, host or network including, without limitation, email "bombing", email "spamming", flooding;
• Deliberate attempts to overload a system, and broadcast or "smurf" attacks.

C. Fair and appropriate use of resources:
1) Officers and employees of <Name of Company> who operate and maintain computers, network systems and servers are expected to use these resources in the most appropriate way, with due consideration for others who also use them.
2) <Name of Company> shall set limits on the use of a resource by employees, through quotas, time limits, and other means that ensure resources are available for use by other authorized employees who need them.
3) Additional costs accrued from unnecessary use of company resources, especially use that is not official or company-related in nature, are strictly discouraged.
4) Excessive or inappropriate use of resources which degrades performance for others and/or prevents many others from doing their assigned tasks is strictly discouraged.
5) Only authorized systems and applications are allowed within the company network. Commercial multimedia files such as music and videos, which consume much of our computing and network resources, and applications such as online computer games are strictly not allowed.

D. Copyrights and Legal Use of Resources
1) <Name of Company> respects and supports all local, national and international laws, rules, policies, and contracts governing use of resources, particularly on copyright and intellectual property compliance. It is therefore a must that all officers and employees abide by and uphold all these laws, rules, policies, and contracts.
2) <Name of Company> also respects and supports all rules and regulations of the nationwide and worldwide networks to which its computers are connected. Accordingly, all officers and employees are expected to abide by all these rules and regulations.

E. E-mail
1) Sending unsolicited mail messages, including, without limitation, commercial use or use of the company's email resource for political and/or personal financial gain, is explicitly prohibited.
2) Materials that are pornographic, harassing, hateful, racist, sexist, abusive, obscene, discriminatory, offensive or threatening are strictly not allowed in the company's email system. This includes sexually-oriented messages or images and messages that represent sexual harassment.

VI. ENFORCEMENT

Any offense/violation, or attempted offense/violation, of this policy shall be dealt with in accordance with the company's Code of Conduct and shall be subject to disciplinary action, which includes, but is not limited to, revocation of computing privileges, suspension, dismissal, prosecution and restitution for damages, according to the severity of the offense.

INVOLVEMENT IN THE INFRACTION SHALL INCLUDE, BUT IS NOT LIMITED TO, PARTICIPATION, ENCOURAGING, AIDING OR FAILING TO REPORT KNOWN OFFENSES.

VII. REPEALING CLAUSE

All existing policies, and other issuances or parts thereof, which are inconsistent with this Policy, are hereby repealed, amended or modified accordingly.
In view of changes in technology and in the nature of threats and vulnerabilities, this Policy shall be reviewed annually, or as the need arises, and revised accordingly.
Any and all changes, revisions, and modifications shall take effect only upon approval of the authorized signatory.
Any exceptions to this policy shall likewise be explicitly reviewed by the IT Department and approved by top management.

VIII. APPROVAL

<Name of Approving Authority>
<DATE>