
Acceptable Use Policy

The Acceptable Use Policy outlines the guidelines for the use of organization information assets to ensure compliance with regulations and protect sensitive information. It applies to all individuals with access to these assets and includes rules regarding general use, email and internet access, blogging, social media, incidental use, and privacy. Violations of this policy may result in disciplinary action and loss of access privileges.


Acceptable Use Policy

Document Control
Document Title: Acceptable Use Policy
Version: 0.2
Version Date: 06/07/2023
Created By: Bhaumik Shah
Approved By: Gary DeJarnett
Confidentiality Level: Confidential
Table of Contents
1 Purpose
2 Scope
3 Policy
3.1 General Use
3.2 Email Access and Use
3.3 Internet Access and Use
3.4 Blogging and Social Media
3.5 Incidental Use
3.6 Privacy
1 Purpose
The Acceptable Use Policy is established to achieve the following:

● To ensure compliance with applicable statutes, regulations, and mandates regarding the
management of information assets.
● To establish prudent and acceptable practices regarding the use of organization information
assets.
● To educate individuals who may use organization information assets with respect to their
responsibilities associated with such use.

2 Scope
This policy applies equally to all individuals granted access privileges to any organization information
asset.

3 Policy
3.1 General Use

● Organization employees must not attempt to access any data or programs contained on
organization systems for which they do not have authorization or explicit consent.
● Organization employees must not divulge any remote access information (e.g. VPN server
identification, etc.) to anyone not specifically authorized to receive such information.
● Organization employees must not share their organization account(s), passwords, Personal
Identification Numbers (PINs), Security Tokens/fobs (e.g. Smartcard), digital certificates,
identification badges or similar information or devices used for identification and authorization
purposes.
● Organization employees must not make or use unauthorized copies of copyrighted software.

● Organization employees must not purposely engage in activity that may harass, threaten or
abuse others, degrade the performance of organization information assets, deprive an
authorized organization user access to an organization information asset, obtain additional
resources beyond those allocated or circumvent organization computer security measures.
● Organization employees must not purposely use organization information assets to access
third-party non-public systems or obtain third-party proprietary information without the express
permission of such third party.

● Organization employees must not download, install or run security programs or utilities that
reveal or exploit weakness in the security of a system without explicit consent from organization
management. For example, organization users must not run password cracking programs,
packet sniffers, port scanners, or any other non-approved programs on any organization
information asset.
● Organization employees must not intentionally access, create, store or transmit material which
organization may deem to be offensive, indecent or obscene.
● Organization employees accessing corporate technology assets must ensure that the system
they use is installed with an active, updated security software license with definitions updated at
least daily (e.g. anti-virus software, personal firewall, etc.) whenever possible.
● Organization employees must not store or otherwise intentionally access malicious software
(malware) with any organization information asset. The only exception to this policy is where
doing so is a function of an employee's position within the organization and such handling is
done within an isolated network or in a secured environment not connected to other
organization information assets.
● Organization employees must not engage in acts using organization information assets against
the aims and purposes of organization as specified in its governing documents or in rules,
regulations and procedures.
● Organization employees shall only use management approved Operating Systems on any
organization issued laptops and devices.

3.2 Email Access and Use

● Auto-forwarding electronic messages to e-mail addresses other than those within the
organization's internal email system is prohibited.
● Mailbox delegation is prohibited, with the only exception being calendars, related calendaring
functions, shared mailboxes, or situations which have received explicit approval by a member of
the Executive Staff.
● Organization information assets may not be used to send or receive organization Confidential
Information, PHI or PII to a party unless:
o Such party is under a signed non-disclosure agreement (or non-disclosure provisions in
the commercial agreement) with organization.
o The Confidential Information is authorized for the purposes of the transaction with the
party.
o Confidential Information sent via email must always employ strong encryption.
● Employee email accounts must not be used to send or respond to spam email messages.

● Any personal use of organization provided email must not:

o Involve solicitation to external parties.
o Be associated with any political entity, excluding the organization sponsored Political
Action Committees, if any.
o Have the potential to harm the reputation of organization.
o Forward chain emails.
o Contain or promote anti-social or unethical behavior.
o Violate local, state, federal, or international laws or regulations or knowingly encourage
others to do the same.
o Result in unauthorized disclosure of organization Confidential Information, PHI, or PII.

3.3 Internet Access and Use


● The Internet (including file sharing and sending services) must not be used to communicate
organization Confidential Information, PHI, or PII unless:
o The confidentiality and integrity of the information is ensured and the identity of the
recipient is established pursuant to a signed non-disclosure agreement (or
non-disclosure provisions in the commercial agreement) with organization.
o The Confidential Information is authorized for the purposes of the transaction
contemplated with the recipient.
● Users are required to respect and comply with all legal protections provided by patents,
copyrights, trademarks, and intellectual property rights for any software and/or materials
viewed, used or obtained via the Internet using organization networking or computing
resources.
● Using organization networking and computing resources to make or attempt unauthorized entry
to any network or computer accessible via the Internet is prohibited.
● Disabling or altering security software installed and configured on organization information
assets is prohibited (e.g. anti-virus software, disk encryption, personal firewalls, etc.).

3.4 Blogging and Social Media


● Organization employees are prohibited from revealing any confidential or proprietary
information, trade secrets or any other material covered by the organization ISMS when
engaged in blogging or social media activities.
● Organization employees shall not engage in any blogging or social media communications that
may harm or tarnish the image, reputation and/or goodwill of organization and/or any of its
employees.
● Organization employees may also not attribute personal statements, opinions or beliefs to
organization when engaged in blogging or posting to social media outlets. If an employee is
expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or
implicitly, represent themselves as an employee or representative of organization.

● In addition to complying with all laws pertaining to the handling and disclosure of copyrighted
or export-controlled materials, organization’s trademarks, logos and any other intellectual
property may also not be used in connection with any blogging or social media activity.

3.5 Incidental Use

As a convenience to the organization user community, incidental use of information assets is permitted.
The following restrictions apply:

● Incidental personal use of electronic mail, Internet access, fax machines, printers, copiers, and
so on, is restricted to organization approved users; it does not extend to family members or
other acquaintances.
● Incidental use must not result in direct costs to organization.

● Incidental use must not interfere with the normal performance of an employee’s work duties.

● No files or documents may be sent or received that may cause legal action against, or
embarrassment to organization or its customers.
● Storage of personal email messages, voice messages, files and documents within organization
information assets must be nominal.
● All messages, files, calendars and documents, including personal messages, files and
documents, located on organization information assets are owned by organization, may be
subject to open records requests, and may be accessed in accordance with this policy.

3.6 Privacy

● Electronic files created, sent, received, or stored on information assets owned, leased,
administered, or otherwise under the custody and control of organization are not private and
may be accessed by organization Operations employees at any time, under the direction of
organization management, without knowledge of the information asset user or owner.
● To manage systems and enforce security, organization may log, review, and otherwise utilize
any information stored on or passing through its information asset systems in accordance with
the provisions and safeguards provided in organization Information asset standards.
● Systems Administrators, Operations, and other organization personnel may have privileges that
extend beyond those granted to standard business users. Personnel with extended privileges
may not access files and/or other information that is not specifically required to carry out an
employment related task.
● Business partners and other third parties have entrusted their information to the organization
for business purposes, and all workers at organization must do their best to safeguard the
privacy and security of this information.

● Users must report any weaknesses in organization computer security, any incidents of possible
misuse or violation of this agreement to the proper authorities by contacting the organization
VP of Operations: compliance@organization.com
● Users must not attempt to access any data or programs contained on organization systems for
which they do not have authorization or explicit consent.
● Management (or appropriate delegate) may be granted limited access to an employee’s files
and email account upon a reporting employee’s departure from organization.
