This sample policy provides a guide or a place to begin. Credit union policies should always be structured to
meet the specific needs of the credit union and its membership. Efforts are made to update the material to
reflect applicable changes in the law. This sample should not be considered legal advice nor relied upon as a
substitute for professional services. Credit unions are encouraged to contact legal counsel for legal advice. The
Kansas Credit Union Association will not be liable for any direct, indirect or consequential damages resulting
from the use of this policy.
SAMPLE INTERNET SECURITY POLICY
I. Statement of Purpose
A. It is recognized by the credit union that the Internet provides resources, services and
connectivity, as well as risks. It is the intent of this policy to provide official guidelines
for Internet use and security.
A. This policy applies to all credit union officials, management, employees, contractors,
and other users including those third parties who may access the credit union’s
B. All information traveling over credit union computer networks will be treated as an
asset of the credit union. It is the policy of the credit union to prohibit unauthorized
access, misuse or theft of this information.
III. Access Privileges
A. Access must be approved by management (or by user’s supervisor, where
B. Access will be restricted to legitimate business-oriented need for such access,
and management will periodically review system privileges.
C. Access privileges will be revoked immediately upon termination of employment.
D. All changes in duties or employment must be reported promptly to ensure access
privileges are revoked properly.
E. Passwords are the responsibility of the person to whom they are assigned.
Passwords must not be written down and must be changed on a schedule set up by
the credit union. If there is a reason to believe that a password has been disclosed,
it must be changed immediately.
E. Users may not test or attempt to compromise computer or communication system
security unless specifically approved by management.
F. Employees are responsible for logging off all systems at the end of each day or any
time they are away from their workstation for an extended time.
IV. Internet Access
A. Access to the Internet has been provided to staff members for the benefit of the
credit union and its members.
B. The Internet is to be used in an effective, ethical, and lawful manner for the conduct
of official credit union business.
C. Employees must obtain management approval prior to placing information on the
Internet and should make every attempt to ensure that the information is accurate
and up to date.
D. The Internet may not be used for personal gain or advancement of personal views.
Solicitation of non-credit union business or any use of the Internet for personal gain
is prohibited. Pornographic or personal email sites are prohibited.
E. To prevent computer viruses from being transmitted through system, there will be no
unauthorized downloading of any software. Illegal or unauthorized downloading,
uploading, copying or distribution of copyrighted works is strictly prohibited and
infringements could result in legal liability for the credit union.
F. Playing computer games during working hours is prohibited.
A. The credit union may, at its own discretion and at any time, monitor the contents of
any employee’s email box. Because the credit union reserves the right to access
any computer messages stored on the system, employees should not assume that
such messages are confidential or that access by the credit union or its authorized
representatives will not occur.
B. No electronic communications systems are to be used in any way that may be
disrespectful, offensive to others, or harmful to morale. No sexually explicit images,
ethnic slurs, social epithets or anything that may be construed as harassment or
disparagement of others based on their race, national origin, sex, sexual orientation,
age religious beliefs, or political beliefs may be displayed or transmitted.
VI. Disciplinary Action
A. Any staff members found to be in violation of these policies may be subject to
disciplinary action, which may include dismissal. The credit union reserves the
discretion to discipline in whatever manner it deems appropriate.
B. All information created, sent, or retrieved over the Internet or through email is the
property of the credit union and should be considered public information. The credit
union reserves the right to access and monitor all messages and files on the
computer systems as deemed necessary. All communications including test and
images can be disclosed to law enforcement and other third parties without prior
consent of the sender or receiver.
Policy reviewed by the Board of Directors on (date)