Internet Usage Policy

1. Overview

Internet connectivity presents the company with new risks that must be addressed to safeguard the facility’s vital information assets. These risks include:

Access to the Internet by personnel that is inconsistent with business needs results in the misuse of resources. These activities may adversely affect productivity due to time spent using or “surfing” the Internet. Additionally, the company may face a loss of reputation and possible legal action through other types of misuse.

All information found on the Internet should be considered suspect until confirmed by another reliable source. There is no quality control process on the Internet, and a considerable amount of its information is outdated or inaccurate.

Access to the Internet will be provided to users to support business activities and only on an as-needed basis to perform their jobs and professional roles.

2. Purpose

This policy aims to define the Internet’s appropriate uses by eCuras employees and affiliates.

3. Scope

The Internet usage Policy applies to all Internet users (individuals working for the company, including permanent full-time and part-time employees, contract workers, temporary agency workers, business partners, and vendors) who access the Internet through the computing or networking resources. The company’s Internet users are expected to be familiar with and comply with this policy. They are also required to use their common sense and exercise their good judgment while using Internet services.

3.1 Internet Services Allowed

Internet access is to be used for business purposes only. Capabilities for the following standard Internet services will be provided to users as needed:

Management reserves the right to add or delete services as business needs change or conditions warrant.

All other services will be considered unauthorized access to/from the Internet and will not be allowed.

3.2 Request & Approval Procedures

Internet access will be provided to users to support business activities and only as needed to perform their jobs.

3.2.1 Request for Internet Access

As part of the Internet access request process, the employee must read both this Internet usage Policy and the associated Internet/Intranet Security Policy. The user must then sign the statements (located on the last page of each document) that he/she understands and agrees to comply with the policies. Users not complying with these policies could be subject to disciplinary action up to and including termination.

Policy awareness and acknowledgment, by signing the acknowledgment form, is required before access will be granted.

3.2.2 Approval

Internet access is requested by the user or user’s manager submitting an IT Access Request form to the IT department and an attached copy of a signed Internet usage Coverage Acknowledgment Form.

3.2.3 Removal of privileges

Internet access will be discontinued upon the employee’s termination, completion of the contract, end of service of non-employee, or disciplinary action arising from a violation of this policy. In the case of a change in job function and/or transfer, the original access code will be discontinued and only reissued if necessary, and a new access request is approved.

All user IDs that have been inactive for thirty (30) days will be revoked. The privileges granted to users must be reevaluated by management annually. In response to management feedback, systems administrators must promptly revoke all privileges no longer needed by users.

4. Policy

4.1 Resource Usage

Access to the Internet will be approved and provided only if reasonable business needs are identified. Internet services will be granted based on an employee’s current job responsibilities. If an employee moves to another business unit or changes job functions, a new Internet access request must be submitted within five days.

User Internet access requirements will be reviewed periodically by company departments to ensure that continuing needs exist.

4.2 Allowed Usage

Internet usage is granted for the sole purpose of supporting business activities necessary to carry out job functions. All users must follow the corporate principles regarding resource usage and exercise good judgment in using the Internet. Questions can be addressed to the IT Department.

Acceptable use of the Internet for performing job functions might include:

4.3 Personal Usage

Using company computer resources to access the Internet for personal purposes without approval from the user’s manager and the IT department may cause disciplinary action up to and including termination.

All Internet users should be aware that the company network creates an audit log reflecting requests for service, both in-bound and out-bound addresses, and is periodically reviewed.

Users who choose to store or transmit personal information such as private keys, credit card numbers, or certificates or use Internet “wallets” do so at their own risk. The company is not responsible for any loss of information, such as information stored in the wallet, or any consequential loss of personal property.

4.4 Prohibited Usage 

Information stored in the wallet, or any consequential loss of personal property.

Acquisition, storage, and dissemination of data, which is illegal, pornographic, or negatively depicts race, sex, or creed are expressly prohibited.

The company also prohibits a business enterprise’s conduct, political activity, engaging in any form of intelligence collection from our facilities, engaging in fraudulent activities, or knowingly disseminating false or otherwise libelous materials.

Other activities that are strictly prohibited include, but are not limited to:

Unless specifically authorized under the provisions of section 4.3, the following activities are also strictly prohibited:

Bandwidth, both within the company and in connecting to the Internet, is a shared, finite resource. Users must make reasonable efforts to use this resource in ways that do not negatively affect other employees. Specific departments may set guidelines on bandwidth use and resource allocation and may ban the downloading of particular file types.

4.5 Software License

The company strongly supports strict adherence to software vendors’ license agreements. When at work or when company computing or networking resources are employed, copying software in a manner not consistent with the vendor’s license is strictly forbidden. Questions regarding lawful versus unlawful copying should be referred to the IT Department for review or to request a ruling from the Legal Department before any copying is done.

Similarly, the reproduction of materials available over the Internet must be done only with the written permission of the author or owner of the document. Unless permission from the copyright owner(s) is first obtained, making copies of material from magazines, journals, newsletters, other publications, and online documents is forbidden unless this is both reasonable and customary. This notion of “fair use” is in keeping with international copyright laws. 

Using company computer resources to access the Internet for personal purposes without approval from the user’s manager and the IT department may cause disciplinary action up to and including termination.

All Internet users should be aware that the company network creates an audit log reflecting requests for service, both in-bound and out-bound addresses, and is periodically reviewed.

Users who choose to store or transmit personal information such as private keys, credit card numbers, or certificates or use Internet “wallets” do so at their own risk.

4.6 Review of Public Information

All publicly-writable directories on Internet-connected computers will be reviewed and cleared each evening. This process is necessary to prevent the anonymous exchange of information inconsistent with company business. Examples of unauthorized public information include pirated information, passwords, credit card numbers, and pornography.

4.7 Expectation of Privacy

4.7.1 Monitoring

Users should consider their Internet activities as periodically monitored and limit their activities accordingly.

Management reserves the right to examine E-mail, personal file directories, web access, and other information stored on company computers, at any time and without notice. This examination ensures compliance with internal policies and assists with the management of company information systems.

4.7.2 E-mail Confidentiality

Users should be aware that clear text E-mail is not a confidential means of communication. The company cannot guarantee that electronic communications will be private. Employees should be aware that electronic communications can, depending on the technology, be forwarded, intercepted, printed, and stored by others. Users should also be aware that once an Email is transmitted, it may be altered. Deleting an Email from an individual workstation will not eliminate it from the various systems across which it has been transmitted.

4.8 Maintaining Corporate Image

4.8.1 Representation

When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that “the opinions expressed are my own and not necessarily those of the company.” Questions may be addressed to the IT Department.

4.8.2 Company Materials

Users must not place company material (examples: internal memos, press releases, product or usage information, documentation, etc.) on any mailing list, public newsgroup, or such service. Any posting of materials must be approved by the employee’s manager and the public relations department and placed by an authorized individual.

4.8.3 Creating Web Sites

All individuals and/or business units wishing to establish a WWW home page or site must first develop business, implementation, and maintenance plans. Formal authorization must be obtained through the IT Department. This will maintain the publishing and content standards needed to ensure consistency and appropriateness.

Also, contents of the material made available to the public through the Internet must be formally reviewed and approved before being published. All material should be submitted to the Corporate Communications Directors for initial approval to continue. All company pages are owned by and are the ultimate responsibility of the Corporate Communications Directors.

All company web sites must be protected from unwanted intrusion through formal security measures obtained from the IT department.

4.9 Periodic Reviews

4.9.1 Usage Compliance Reviews

To ensure compliance with this policy, periodic reviews will be conducted. These reviews will include testing the degree of compliance with usage policies.

4.9.2 Policy Maintenance Reviews

Periodic reviews will be conducted to ensure the appropriateness and the effectiveness of usage policies. These reviews may result in the modification, addition, or deletion of usage policies to better suit company information needs. 

5. Policy Compliance

5.1  Compliance Measurement

The Infosec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2  Exceptions

The Infosec Team must approve any exception to the policy in advance.

5.3  Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Additionally, at its discretion, the company may seek legal remedies for damages incurred as a result of any violation. The company may also be required by law to report certain illegal activities to the appropriate enforcement agencies.

Before access to the Internet via the company network is approved, the potential Internet user must read this Internet usage Policy and sign an acknowledgment form (located on the last page of this document). The signed acknowledgment form should be turned in and kept on file at the facility granting access. For questions on the Internet usage Policy, contact the Information Technology (IT) Department.

6. Related Standards, Policies, and Processes

6. INTERNET USAGE COVERAGE ACKNOWLEDGMENT FORM

After reading this policy, please sign the coverage form and submit it to your facility’s IT department or granting the facility’s IT department for filing.

By signing below, the individual requesting Internet access through company computing resources hereby acknowledges receipt of and compliance with the Internet Usage Policy. Furthermore, the undersigned also acknowledges that he/she has read and understands this policy before signing this form.

Internet access will not be granted until the individual’s manager signs this acknowledgment form. After completion, the form is filed in the individual’s human resources file (for permanent employees) or a folder specifically dedicated to Internet access (for contract workers, etc.) and maintained by the IT department. These acknowledgment forms are subject to internal audit.

ACKNOWLEDGMENT

I have read the Internet Usage Policy. I understand the contents, and I agree to comply with the said Policy.

Location   (Location and address)

Business Purpose 

Name

Signature ______________________________Date __________________

Manager/Supervisor Signature_________________Date ___________

Revised: March 14th, 2018

Table of Content

  1. Acceptable Encryption Policy
  2. Acceptable Use Policy
  3. Clean Desc Policy
  4. Data Breach Response Policy
  5. Disaster Recovery Plan Policy
  6. Digital Signature Acceptance Policy
  7. Email Policy
  8. Ethics Policy
  9. Pandemic Response Planning Policy
  10. Password Construction Guidelines
  11. Password Protection Policy
  12. Security Response Plan Policy
  13. End User Encryption Key Protection Policy
  14. Acquisition Assessment Policy
  15. Bluetooth Baseline Requirements Policy
  16. Remote Access Policy
  17. Remote Access Tools Policy
  18. Router and Switch Security Policy
  19. Wireless Communication Policy
  20. Wireless Communication Standard
  21. Database Credentials Policy
  22. Technology Equipment Disposal Policy
  23. Information Logging Standard
  24. Lab Security Policy
  25. Server Security Policy 
  26. Software Installation Policy
  27. Workstation Security (For HIPAA) Policy
  28. Web Application Security Policy
  29.  Analog/ISDN Line Security Policy
  30. Anti-Virus Guidelines
  31. Server Audit Policy
  32. Automatically Forwarded Email Policy
  33. Communications Equipment Policy
  34. Dial In Access Policy
  35. Extranet Policy
  36. Internet DMZ Equipment Policy
  37. Internet Usage Policy
  38. Mobile Device Encryption Policy
  39. Personal Communication Devices and Voicemail Policy
  40. Removable Media Policy
  41. Risk Assessment Policy
  42. Server Malware Protection Policy
  43. Social Engineering Awareness Policy
  44. DMZ Lab Security Policy
  45. Email Retention Policy
  46. Employee Internet Use Monitoring and Filtering Policy
  47. Lab Anti Virus Policy
  48. Mobile Employee Endpoint Responsibility Policy
  49. Remote Access Mobile Computing Storage
  50. Virtual Private Network Policy