IT Process and Procedures - Access and Use Policy by Millaisb


This set of IT Policies covers the following areas:
• Master Policy
o Introduces the overall IT Policy Approach
• Access & Use
o Governs User Access and Usage
• Data Availability
o Identifies Backups, Service Continuity
• IT Hardware
o Sets out the parameters and controls around all IT provided Hardware
• IT Software
o Introduces the concept of Standard Operating Procedure and what is delivered via same
• Cost Recovery
o Advises departments and Users alike what items cost and how they will be recovered
These documents are not templates, suggestions or pointers, but full-blown documents that will allow you to have a full set of working documents that can be "exercised" as soon as you perform a simple "Find and Replace" for key criteria. This will transform these documents and workflow diagrams; just add your company logo and you are off and running.

									infrastructure technology group




                 IT Processes & Procedures


                          Access and Use Policy




www.infratechgrp.com.au                                                             ABN 56 087 369 506
                              Infrastructure Technology Group Pty Ltd
sales@infratechgrp.com.au                                               T 0431 548 717 ::: F 02 8456 5728




Document Change Control
Please note significant document changes with a version increment of 1.0. Minor
administrative changes, where the meaning or intention of the document is not altered,
should increase the version by an increment of 0.1.

  Version               Date                    Author(s)               Summary of Changes
 1.0             April 10           Infrastructure Technology Group   Release




Document Sign-Off
Document in accordance with requirements and strategic architecture
 Name (Position)                                    Signature                       Date

 Primary Person
 Technical Services Manager

 Secondary Person
 CIO

 Designated Signatory
 Designated Signatory Position



Document Nomenclature
To modify this document to suit your requirements, the following designations should be
replaced with your preferred name.


                   Document Name                                      Replacement

Acme Inc.                                             Your Company Name.




 Copyright Acme Inc.




Table of Contents
1       ACME INC. ICT ACCESS AND USE POLICY
    1.1    YOUR RESPONSIBILITY
    1.2    BREACH
    1.3    ASSOCIATED ACME INC. ICT POLICIES
2       ACCESS
    2.1    DURING LEAVE
3       SECURITY
    3.1    PASSWORDS
      3.1.1    General Password Construction Guidelines
    3.2    CONFIDENTIAL INFORMATION
      3.2.1    Copying and Deleting
      3.2.2    Document Protection
4       DATA STORAGE
    4.1    GENERAL
    4.2    DISK SPACE ALLOCATION ON SERVERS
    4.3    SCANNED DOCUMENTS
    4.4    DISK SPACE ALLOCATION ON THE LOCAL DRIVE OF A PC
      4.4.1    Disk Space allocated on the local drive of a laptop
    4.5    WHAT IS NOT TO BE STORED ON SERVERS
5       ELECTRONIC MAIL
    5.1    EMAIL RULES
      5.1.1    Prohibited Use
      5.1.2    Personal Use
      5.1.3    Monitoring
    5.2    EMAIL ADDRESSES
    5.3    GENERIC ADDRESSES
    5.4    HOUSEKEEPING
6       ANTI-VIRUS POLICY
    6.1    ANTI-VIRUS PROCESS
7       INTERNET
    7.1    PERMITTED USE OF INTERNET
    7.2    UNAUTHORISED USE OF INTERNET
    7.3    BLOCKING ACCESS TO THE INTERNET
    7.4    WEB BASED APPLICATIONS
      7.4.1    Social networking sites
      7.4.2    External messaging systems
8       REMOTE ACCESS
    8.1    GENERAL TERMS
    8.2    REQUIREMENTS
9       INSTANT MESSENGER (IM) POLICY
    9.1    ACME INC. COMMUNICATOR
    9.2    SCOPE
    9.3    ACCEPTABLE USE
      9.3.1    Managers
      9.3.2    Employees



10      DISCLAIMER
    10.1    LICENSE
      10.1.1    Limited Usage Granted
      10.1.2    Modifications
      10.1.3    Unauthorized Use
      10.1.4    Assignability
      10.1.5    Ownership
      10.1.6    Company Details







1 ACME INC. ICT Access and Use Policy

1.1 Your Responsibility
To adhere to all ICT policies as referenced in the Acme Inc. Information Technology (IT)
Policy Guide.

1.2 Breach
Any violation will be viewed most seriously and may result in disciplinary action
including termination of employment.

1.3 Associated ACME INC. ICT Policies

The diagram below identifies the associated ACME INC. IT policies and provides an
indication of the policy content to be found in each document.


[Diagram: the Acme Inc. IT Master Policy and its associated policies, each shown with its content. The diagram carries a "You Are Here" marker.]

• Acme Inc. IT Master Policy
o Acme Inc. IT Equipment Policy. Content: IT Hardware Provision & Communications
o Acme Inc. IT Data and Systems Policy. Content: IT Data Backups, Restores and Service Continuity
o Acme Inc. IT Cost Recovery Policy. Content: IT Cost Recovery Matrix & Items
o Acme Inc. IT Software Policy. Content: IT Permitted Software Environments
o Acme Inc. IT Access And Use Policy. Content: IT Security, Email, Internet & Instant Messaging





2 ACCESS
2.1 During Leave
During periods of leave, Employees are not working and, accordingly, are not expected to
access Company email and internet resources unless there are specific arrangements in
place (e.g. a specific agreement between the particular Employee and their Manager, or a
specific requirement in the Employee’s contract).

Where an Employee is on leave, the Company may restrict the Employee’s access to
his/her Internet, email networks and resources. This will be determined on a case by case
basis.

Employees are also reminded that, during periods of leave, the Company may access their
files, data and email, including personal email.







3 Security
3.1 Passwords
Network passwords and usernames are not to be shared with any other person.

Network passwords and usernames are not to be written down. All passwords are to be
memorised.

On leaving the Company the user will disable any document passwords and return all
hardware and peripherals to the Company.

All users must minimise the possibility of theft, loss or damage of corporate data by
ensuring that wherever possible computing equipment is not left in motor vehicles, sent
as unattended baggage or left in unsecured locations.

Do not use your network username and password to log another person (whether
employee, or not) onto the Acme Inc. network.

Do not log in on behalf of another person, even if that person gives you permission to log in
to the system as them.

You are not to use the same password for Acme Inc. accounts as for other non-Acme Inc.
access (e.g., personal ISP account, option trading, benefits, etc.).

Where possible, do not use the same password for various Acme Inc. access needs. For
example, select one password for the web based systems and a separate password for IT
systems.

Do not share Acme Inc. passwords with anyone, including administrative assistants or
secretaries. All passwords are to be treated as sensitive, confidential Acme Inc.
information.

Please find below an additional list of "don’ts":

•       Don't reveal a password over the phone to ANYONE
•       Don't reveal a password in an email message
•       Don't reveal a password to your manager or supervisor
•       Don't talk about a password in front of others
•       Don't hint at the format of a password (e.g., "my family name")
•       Don't reveal a password on questionnaires or security forms
•       Don't share a password with family members
•       Don't reveal a password to co-workers while on vacation

If someone demands a password, refer them to this document or have them call the Help
Desk.

Do not use the "Remember Password" feature of applications.

Again, do not write passwords down and store them anywhere in your office. Do not store
passwords in a file on ANY computer system (including PDAs or similar devices) without
encryption.




Change passwords at least once every three months.

If an account or password is suspected to have been compromised, report the incident to
the Help Desk and change all passwords.








3.1.1 General Password Construction Guidelines

Since very few systems have support for one-time passwords (i.e., dynamic passwords
which are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:

•       The password contains fewer than eight characters
•       The password is a word found in a dictionary (English or foreign)
•       The password is a common usage word such as:
        o Names of family, pets, friends, co-workers, fantasy characters, etc.
        o Computer terms and names, commands, sites, companies, hardware, software.
        o The words "Acme Inc.", "Sydney", "Aust" or any derivation.
        o Birthdays and other personal information such as addresses and phone numbers.
        o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
        o Any of the above spelled backwards.
        o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:

•       Contain both upper and lower case characters (e.g., a-z, A-Z)
•       Have digits and punctuation characters as well as letters (e.g., 0-9,
        !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
•       Are at least eight alphanumeric characters long.
•       Are not a word in any language, slang, dialect, jargon, etc.
•       Are not based on personal information, names of family, etc.
•       Passwords should never be written down or stored on-line. Try to create passwords
        that can be easily remembered. One way to do this is to create a password based on a
        song title, affirmation, or other phrase. For example, the phrase might be: "This
        May Be One Way To Remember" and the password could be: "TmB1w2R!" or
        "Tmb1W>r~" or some other variation.

NOTE: Do not use either of these examples as passwords!


3.2 Confidential Information

Whilst Acme Inc. makes every effort to protect sensitive data, there will be occasions
when an employee comes into contact with information either not originally intended for
them (for example an email sent by mistake to the wrong person), or by deliberate means.
In such cases the employee is expected to act with integrity and not use the information in
an unethical manner.


3.2.1 Copying and Deleting
From time to time, the Company may implement protocols for backing up and/or deleting
data which is stored or recorded on the Company’s electronic equipment. Subject to those
protocols, Employees are to minimise copying of such data, including the making of hard
copies and the storage of data on external devices.





3.2.2 Document Protection

Any electronic document or file created or held by an Employee that is of a sensitive or
confidential nature should be protected with a password. From time to time, the Company
may specify passwords for documents or files, or to be used by a particular Employee
generally. These passwords must be used and must not be altered without prior consent.

Unless it is the Company’s intention that the recipient be able to alter a document or file,
any documents or files which are sent to third parties should be sent in a form which
cannot be altered by the recipient.







4 Data storage
4.1 General
The purpose of the data servers within Acme Inc. is to store all company information in
the most appropriate locations and format i.e. JPG, GIF, PDF, MS-Office, Scanned
documents, etc.

It is the responsibility of the Technical Services department to ensure that all servers
have adequate disk space to support the growth of Acme Inc.


4.2 Disk Space allocation on Servers
Acme Inc. acknowledges that the requirement for storage is constantly increasing in line with
the growth of Acme Inc., legal requirements to retain information and general usage of
the systems as the company continues to grow.

1GB of storage is allocated to each employee on a server. The Technical Services
department will ensure that the server doesn’t run out of space on this basis. Acme Inc.
acknowledges that “individual” allocations are not appropriate to our business i.e. with
one person only needing 50MB and another needing 1.5GB, and therefore this is based on
the total number of users logging into the server. Therefore 5 users connected to a server
have a combined disk storage space allocation of 5GB.

Should the disk space allocation for a particular business unit or State be exceeded as a
result of too much information being stored by the user community assigned to that area,
then a Manager responsible for the particular business unit or state will be contacted and
informed that information needs to be archived, relocated, or removed from the systems.

4.3 Scanned Documents

All scanned documents should be saved in GIF, JPG or PDF format to reduce overall space
requirements.

4.4 Disk Space allocation on the local drive of a PC

Zero disk space is provided for storage on local PC hard drives. Documents stored on a
local disk are not part of the corporate backup schedule, will not receive Technical
Services support and may be removed without prior notice.

4.4.1 Disk Space allocated on the local drive of a laptop

All employees with laptops are able to save data to their local hard drive. However, u