## Acceptable Use Policy
### Overview
Data, electronic file content, information systems, and computer systems at [Company] must be managed as valuable organization resources.
Information Security’s (IS) intentions are not to impose restrictions that are contrary to [Company]’s established culture of openness, trust, and integrity.
IS is committed to protecting [Company]’s authorized users, partners, and the company from illegal or damaging actions by individuals either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including, but not limited to, computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and File Transfer Protocol (FTP) are the property of [Company].
These systems are to be used for business purposes in serving the interests of [Company] and of its clients and members during normal operations.
Effective security is a team effort involving the participation and support of every [Company] employee, volunteer, and affiliate who deals with information and/or information systems.
It is the responsibility of every computer user to know these guidelines and to conduct activities accordingly.
### Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at [Company]. These rules are in place to protect the authorized user and [Company]. Inappropriate use exposes [Company] to risks including virus attacks, compromise of network systems and services, and legal issues.
### Scope
This policy applies to the use of information, electronic and computing devices, and network resources to conduct [Company] business or interact with internal networks and business systems, whether owned or leased by [Company], the employee, or a third party.
All employees, volunteer/directors, contractors, consultants, temporaries, and other workers at [Company], including all personnel affiliated with third parties, are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with [Company] policies and standards, local laws, and regulations.
### Policy Detail
#### Ownership of Electronic Files
All electronic files created, sent, received, or stored on [Company] owned, leased, or administered equipment or otherwise under the custody and control of [Company] are the property of [Company].
#### Privacy
Electronic files created, sent, received, or stored on [Company] owned, leased, or administered equipment, or otherwise under the custody and control of [Company] are not private and may be accessed by [Company] IT employees at any time without knowledge of the user, sender, recipient, or owner.
Electronic file content may also be accessed by appropriate personnel in accordance with directives from Human Resources or the President/CEO.
### General Use and Ownership
Access requests must be authorized and submitted from departmental supervisors for employees to gain access to computer systems. Authorized users are accountable for all activity that takes place under their username.
Authorized users should be aware that the data and files they create on the corporate systems immediately become the property of [Company]. Because of the need to protect [Company]’s network, there is no guarantee of privacy or confidentiality of any information stored on any network device belonging to [Company].
For security and network maintenance purposes, authorized individuals within the [Company] IT Department may monitor equipment, systems, and network traffic at any time.
[Company]’s IT Department reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
[Company]’s IT Department reserves the right to remove any non-business related software or files from any system.
Examples of non-business related software or files include, but are not limited to: games, instant messengers, POP email, music files, image files, freeware, and shareware.
### Security and Proprietary Information
All mobile and computing devices that connect to the internal network must comply with this policy and the following policies:
• Account Management
• Anti-Virus
• Owned Mobile Device Acceptable Use and Security
• E-mail
• Internet
• Safeguarding Member Information
• Personal Device Acceptable Use and Security
• Password
• Cloud Computing
• Wireless (Wi-Fi) Connectivity
• Telecommuting
System level and user level passwords must comply with the Password Policy. Authorized users must not share their [Company] login ID(s), account(s), passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), or similar information or devices used for identification and authentication purposes.
Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
Authorized users may access, use, or share [Company] proprietary information only to the extent it is authorized and necessary to fulfill the user's assigned job duties.
All PCs, laptops, and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less.
All users must lock down their PCs, laptops, and workstations by locking (control-alt-delete) when the host will be unattended for any amount of time. Employees must log off, or restart (but not shut down), their PC after their shift.
[Company] proprietary information stored on electronic and computing devices, whether owned or leased by [Company], the employee, or a third party, remains the sole property of [Company]. All proprietary information must be protected through legal or technical means.
All users are responsible for promptly reporting the theft, loss, or unauthorized disclosure of [Company] proprietary information to their immediate supervisor and/or the IT Department.
All users must report any weaknesses in [Company] computer security and any incidents of possible misuse or violation of this agreement to their immediate supervisor and/or the IT Department.
Users must not divulge dial-up or dial-back modem phone numbers to anyone without prior consent of the [Company] IT Department.
Authorized users must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan Horse codes.
### Email and Communication Activities
When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company". Questions may be addressed to the IT Department.
1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Use of unsolicited email originating from within [Company]'s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by [Company] or connected via [Company]'s network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
### Blogging and Social Media
1. Blogging by employees, whether using [Company]’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of [Company]’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate [Company]’s policy, is not detrimental to [Company]’s best interests, and does not interfere with an employee's regular work duties. Blogging from [Company]’s systems is also subject to monitoring.
2. [Company]’s Confidential Information policy also applies to blogging. As such, Employees are prohibited from revealing any [Company] confidential or proprietary information, trade secrets or any other material covered by [Company]’s Confidential Information policy when engaged in blogging.
3. Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of [Company] and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by [Company]’s Non-Discrimination and Anti-Harassment policy.
4. Employees may also not attribute personal statements, opinions or beliefs to [Company] when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of [Company]. Employees assume any and all risk associated with blogging.
5. Apart from following all laws pertaining to the handling and disclosure of copyrighted or export controlled materials, [Company]’s trademarks, logos and any other [Company] intellectual property may also not be used in connection with any blogging activity.
#### Unacceptable Use
Users must not intentionally access, create, store, or transmit material which [Company] may deem to be offensive, indecent, or obscene.
Under no circumstances is an employee, volunteer/director, contractor, consultant, or temporary employee of [Company] authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing [Company]-owned resources.
##### System and Network Activities
The following activities are prohibited by users, with no exceptions:
• Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by [Company].
• Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution from copyrighted sources, copyrighted music, and the installation of any copyrighted software for which [Company] or the end user does not have an active license is prohibited. Users must report unlicensed copies of installed software to IT.
• Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
• Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
• Using a [Company] computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws.
• Attempting to access any data, electronic content, or programs contained on [Company] systems for which they do not have authorization, explicit consent, or implicit need for their job duties.
• Installing any software, upgrades, updates, or patches on any computer or information system without the prior consent of [Company] IT.
• Installing or using non-standard shareware or freeware software without [Company] IT approval.
• Installing, disconnecting, or moving any [Company] owned computer equipment and peripheral devices without prior consent of [Company]’s IT Department.
• Purchasing software or hardware, for [Company] use, without prior IT compatibility review.
• Purposely engaging in activity that may:
  o degrade the performance of information systems;
  o deprive an authorized [Company] user access to a [Company] resource;
  o obtain extra resources beyond those allocated; or
  o circumvent [Company] computer security measures.
• Downloading, installing, or running security programs or utilities that reveal passwords, private information, or exploit weaknesses in the security of a system. For example, [Company] users must not run spyware, adware, password cracking programs, packet sniffers, port scanners, or any other non-approved programs on [Company] information systems. The [Company] IT Department is the only department authorized to perform these actions.
• Circumventing user authentication or security of any host, network, or account.
• Interfering with, or denying service to, any user other than the employee’s host (for example, denial of service attack).
• Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.
Access to the Internet at home, from a [Company]-owned computer, must adhere to all the same policies that apply to use from within [Company] facilities. Authorized users must not allow family members or other non-authorized users to access [Company] computer systems.
[Company] information systems must not be used for personal benefit.
### Incidental Use
As a convenience to the [Company] user community, incidental use of information systems is permitted. The following restrictions apply:
• Authorized Users are responsible for exercising good judgment regarding the reasonableness of personal use. Immediate supervisors are responsible for supervising their employees regarding excessive use.
• Incidental personal use of electronic mail, internet access, fax machines, printers, copiers, and so on, is restricted to [Company] approved users; it does not extend to family members or other acquaintances.
• Incidental use must not result in direct costs to [Company] without prior approval of management.
• Incidental use must not interfere with the normal performance of an employee’s work duties.
• No files or documents may be sent or received that may cause legal action against, or embarrassment to, [Company].
• Storage of personal email messages, voice messages, files, and documents within [Company]’s information systems must be nominal.
• All messages, files, and documents — including personal messages, files, and documents — located on [Company] information systems are owned by [Company], may be subject to open records requests, and may be accessed in accordance with this policy.
### Review and Acceptance
All [Company] staff is responsible for review and acceptance of Policy 1: Acceptable Use upon starting work at [Company] (see Exhibit A).
New employee onboarding and training shall include this Policy 1 at a minimum, and in addition to all other applicable training and orientation material, and instructions for acceptance shall be provided at that time. Signed acceptance will be received and retained by Information Technology management.
### Policy Compliance
#### 5.1 Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
#### 5.2 Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
#### 5.3 Non-Compliance
An employee found to have violated this