Risk Management of Email and Internet Use in the Workplace by John Ruhnka and Windham E. Loopesko from The Journal of Digital Forensics, Security and Law is available under a Creative Commons Attribution-NonCommercial 4.0 International license.
Internet Use Policy
John Ruhnka, University of Colorado, Denver & Windham E. Loopesko, University of Colorado, Denver
4. OBJECTIVES OF CORPORATE INTERNET USE POLICIES
While preserving the confidentiality of internal operations, proprietary information and confidential client data, and avoiding legal liability from inadvertent, unauthorized or harmful acts of employees are primary goals for corporate email and internet use policies, they are not the only goals. Corporations must also factor in other objectives not always consistent with limiting legal liability.
4.1 Reducing Lost Productivity
The concern among many businessmen from about 2000 was that allowing internet access in the workplace could result in a great increase in employee non-work activities. Available content on the internet has expanded far beyond TV fare since 2000 to include Facebook, streaming video and music sites, fantasy sports teams, on-line shopping, eBay, financial web sites and bank account access, news feeds, blogs and Twitter. Clearly, excessive employee non-work internet use during working hours can impose significant costs on a company; one source cites productivity loss as the top reason for instituting an “acceptable use policy” (AUP) for company email and internet (Smith, 2013).
Also, employee perceptions that “everyone” is engaging in non-work-related email and internet use can rapidly spread. However, employees increasingly reject the idea of strictly defined “work” and “non-work” hours, believing they can be more productive engaging in company business at any time and from any place–on devices that they choose.
4.2 Protecting Tangible and Intangible Assets
Increasingly sophisticated hackers are constantly developing tools to penetrate corporate networks–almost always to the potential detriment of the company and its clients. They may be working for criminal enterprises, or for competitors or foreign governments, but their goal is the same–to gather as much valuable information for as long as possible. Citibank and Sony are only two of the largest and best-known victims of such attacks. Email remains the most popular way to introduce malware into corporate networks (Cisco, 2013).
4.3 Controlling Internet Costs
Many non-business internet uses (e.g., streaming video, movies and music downloads, and internet music and television feeds) are “bandwidth hogs”. While these applications may not directly cost the corporation, their cumulative use can easily consume a substantial portion of a corporation’s available bandwidth, which can require major expenses to expand the corporation’s network capabilities.
4.4 Attracting Talented Employees
If human capital is a company’s most valuable asset, avoiding unnecessary barriers to attracting the best future employees may require considerable adaptations in a corporation’s internet use and access policies. CISCO argues that preventing or limiting employee access to social media can put companies at a competitive disadvantage, and that by accepting social media, companies provide their employees with the tools–and the culture–to be more productive, innovative and competitive.
5. WHAT SHOULD AN EFFECTIVE EMAIL AND INTERNET POLICY CONTAIN?
It is one thing to create an AUP for workplace email and internet but another–in a world where increasing numbers of employees consider access to the internet a right and claim they are willing to ignore or circumvent an employer’s internet use policies if they find them overly constraining–to enforce it.
5.1 Elements of an Acceptable Use Policy
No one is suggesting that not having an AUP is an option today. Every sizable business needs to have a formal risk management policy for email and internet use. Widespread agreement exists that the following elements need to be included:
5.1.1 Contractual Agreement
The AUP should be a written agreement with each employee and agent of the corporation having email and internet access; all employees should sign the AUP and acknowledge an understanding of its requirements as a prerequisite to gaining password access to the corporate network.
5.1.2 Corporate Ownership of Information
The AUP should clearly state that any information produced, collected or stored on the company’s email servers, internal networks and internet system is company property–even if the information was obtained from third-party web sites.
5.1.3 Monitoring
The AUP should indicate that the corporation reserves the right to monitor any and all employee access to and usage of its internal networks and internet system, including the volume of traffic and tracking web sites visited (although monitoring of specific content will not occur except in cases of a suspicion of improper behavior).
5.1.4 Retention
The AUP should indicate that all workplace emails and network transmissions are the property of the company, that they will be stored and retained indefinitely, and that the company has the right to demand access to any employee’s PCs, laptops, iPads or other electronic devices used for company business in the event of litigation or internal, regulatory or law enforcement investigations in which data generated or stored on such devices may be potentially relevant.
5.1.5 Sanctions
Sanctions for violation of the email and internet use policy must be described and should include progressive steps, from initial verbal warnings up through dismissal and referral for criminal prosecution for repeated and/or serious offenses.
5.2 The Traditional View of Acceptable Use Policies
Differences of opinion exist over how to describe permitted and prohibited email and internet related activities. The traditional view (often advanced by vendors of solutions for creating and monitoring AUP policies) is that internet use policies should contain long and detailed lists of prohibited behaviors. For those following this “laundry list” approach, a list of prohibited email and internet activities often includes:
· Violating copyright laws or licensing agreements through unauthorized reproduction or distribution of copyrighted or protected materials.
· Using company computers to gain unauthorized access to external computer systems.
· Connecting unauthorized equipment to the company’s network.
· Making unauthorized attempts to circumvent data protection devices.
· Associating unapproved domain names with a company-owned IP address.
· Performing an act that interferes with the normal operation of any company hardware or software.
· Installing or running on any computer a program intended to damage or place excessive load on a computer system (e.g., viruses, Trojan horses or worms).
· Engaging in activities that waste or overload company computing resources.
· Using company resources for any non-work related commercial activity.
· Using email, social media or company-owned or sponsored hardware or services to harass or threaten others, or sending materials that might be deemed defamatory, derogatory, prejudicial, sexually offensive or unwanted.
· Initiating, propagating or perpetuating electronic chain letters.
· Sending inappropriate mass mailings, including “spamming”, “flooding” or “bombing”.
· Forging a user or machine identity electronically.
· Transmitting or reproducing materials that are slanderous or defamatory, that violate existing laws or regulations, or are otherwise inappropriate in a workplace environment.
· Transmitting images, text or internet links that could be considered lewd, obscene or sexually explicit.
5.3 An Alternative Risk-based View of Acceptable Use Policies
We suggest, however, that alternate risk management approaches may make more sense in many instances–focusing on controlling only those potential risks relevant to a corporation’s or organization’s specific activities. For example, a company engaged in design and manufacture of laptop computers necessarily works with critical proprietary information (e.g., R&D project designs, patent applications, trade secrets, manufacturing know-how). Some of this information is owned and some is licensed from third parties–but all needs to be continuously protected to avoid potentially large economic damage and legal liability if improperly communicated, disclosed or accessed. The same need for protection of confidential client information would apply to law, accounting or consulting firms dealing with intellectual property, financial data, litigation, strategic acquisitions or other client information that requires protection against disclosure or inadvertent access. The same level of intellectual property safeguards would not be necessary for a pizza chain that provides online ordering and delivery scheduling. But the pizza business still needs to safeguard customer credit or debit card information, and both the computer manufacturer and the pizza business are equally exposed to potential workplace sexual harassment claims by employees resulting from use of company email or internet access.
Businesses embracing a “risk-focused” approach usually will retain the right to monitor employee compliance with specified or prohibited behaviors but may limit surveillance to activities at higher risk of employee misuse and spend more time making sure that employees understand the consequences of a failure to comply. Such more focused AUPs are more likely to be understood and followed–and to gain “buy-in” from a workforce that increasingly considers information security and liability avoidance as the IT department’s problem–and not theirs (Cisco, 2013).
While social media is gaining in importance in corporate activities, email remains the primary means of communication–and hence the primary focus for corporate efforts to limit employee-caused legal liabilities or outside threats. To that end, many companies are using software such as Compuscan that inserts disclaimers of liability for prohibited email use into all corporate email communications. However, such disclaimers are an imperfect shield at best–no court case has yet allowed a company to escape liability for damaging emails through use of a blanket disclaimer contained in the email. Disclaimers are more effective if they are targeted at specific areas of the business where liability is more likely–for an electrical contractor’s customer and vendor communications–“no bids or estimates are binding unless and until approved in writing by the VP for Finance”–and not simply attached to every email that company employees send.
6. STEPS IN IMPLEMENTING EFFECTIVE INTERNET USE POLICIES AND PROTECTING THE COMPANY FROM LEGAL LIABILITY
The changing state of the law on corporate liability for electronic communications and evolving employee attitudes and expectations make across-the-board recommendations for corporate internet and email use policies difficult–other than the recommendation every corporation or organization should have an AUP tailored to its specific workplace activities and risk exposures (indeed, the failure to have an AUP might be almost conclusive evidence of corporate negligence in litigation involving inappropriate employee emails or network activities). However, some general recommendations are possible:
· Analyze and understand the specific types of communications your company is actually sending and receiving and specific legal liabilities that are involved.
· Consult employees periodically as to how they are using the internet and email systems; do not simply rely on use statistics.
· Develop and mandate employee education programs (for both new hires and existing employees) about the potential for specific corporate liability for inappropriate communications.
· Implement monitoring software to follow all activities that the company decides to prohibit in its internet use policy (although it should be used only on a random basis or when cause for suspicion exists).
7. CONCLUSION
The continuing exposure to legal liability for corporate email and electronic communications and the importance of such communications in litigation and governmental investigations are unlikely to slow so long as corporate email and internet usage continue to gain importance in internal and external business activities. But increasingly companies are moving to “risk-focused” instead of “laundry list” approaches to controlling internet and email use. To use this risk-focused approach, corporate risk management policies and employee educational activities for employee internet and email use need to be periodically revisited and revised, and corporations need to continuously seek employee “buy-in” and cooperation, to meet the most important legal exposures associated with specific corporate and employee activities.
REFERENCES
CFO Journal. (2013, August 21). The Wall Street Journal, August 13 2013. Retrieved from http://blogs.wsj.com/cfo/2013/08/13/the-morning-ledger-cfos-seek-security-from-cybercrime/
Cisco Systems. (2013). Cisco 2011 annual security report. Retrieved from http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2011.pdf (pp. 6-8)
Compuscan. (2013). Email disclaimer. Retrieved from https://www.compuscan.co.za/about-us/132-email-disclaimer
Sony insurer doesn’t want to pay for data breaches. (2013). ITPro. Retrieved from http://www.itpro.co.uk/635140/sony-insurer-doesn-t-want-to-pay-for-data-breaches
Watch porn at work–a guide for employers and managers. (2013). Mailguard. Retrieved from http://www.mailguard.com.au/blog/porn-at-work/
National Legal Research Group, Inc. (2013). Internet acceptable use policies for law firms and other employers. Retrieved from http://www.nlrg.com/internet-acceptable-use-policies-for-law-firms-and-other-employers/
PBT Consulting. (2013). Research: Employees spend entirely too much time accessing the internet while at work. Retrieved from http://tommytoy.typepad.com/tommy-toy-pbt-consultin/2010/09/research-employees-spending-entirely-too-much-time-surfing-the-web-while-at-work.html
Pingdom. (2013). Internet 2011 in numbers. Retrieved from http://royal.pingdom.com/2012/01/17/internet-2011-in-numbers/ on May 21, 2013.
Ponemon Institute Research Report. (2013). Cost of data breach study: Global analysis. Retrieved from https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
Radicati, S., & Hoang, Q. (2013). Email statistics report, 2011-2015. Retrieved from http://www.radicati.com/wp/wp-content/uploads/2011/05/Email-Statistics-Report-2011-2015-Executive-Summary.pdf
Smith, A. (2013). Citi–Millions stolen in May hack attack. CNN. Retrieved from http://money.cnn.com/2011/06/27/technology/citi_credit_card/index.htm
Yarow, J. (2013). 107,000,000,000,000. Business Insider. Retrieved from http://articles.businessinsider.com/2011-01-14/tech/30078145_1_hours-of-video-uploaded-big-number-facebook
Zubulake v. UBS Warburg [case study]. (2003).
Appendix A: Sample Acceptable Use Agreements and Policies from Forum Unified Education Technology Suite comprises public domain material from the National Center for Education Statistics, U.S. Department of Education.
Example of an Acceptable Use Policy
(courtesy of the Rochester School Department, Rochester, New Hampshire)
The [Name of Organization] recognizes the value of computer and other electronic resources to improve student learning and enhance the administration and operation of its schools. To this end, the [Governing Body Name] encourages the responsible use of computers; computer networks, including the Internet; and other electronic resources in support of the mission and goals of the [Name of Organization] and its schools.
Because the Internet is an unregulated, worldwide vehicle for communication, information available to staff and students is impossible to control. Therefore, the [Governing Body Name] adopts this policy governing the voluntary use of electronic resources and the Internet in order to provide guidance to individuals and groups obtaining access to these resources on [Name of Organization]-owned equipment or through [Name of Organization]-affiliated organizations.
[Name of Organization] Rights and Responsibilities
It is the policy of the [Name of Organization] to maintain an environment that promotes ethical and responsible conduct in all online network activities by staff and students. It shall be a violation of this policy for any employee, student, or other individual to engage in any activity that does not conform to the established purpose and general rules and policies of the network. Within this general policy, the [Name of Organization] recognizes its legal and ethical obligation to protect the well-being of students in its charge. To this end, the [Name of Organization] retains the following rights and recognizes the following obligations:
1. To log network use and to monitor fileserver space utilization by users, and assume no responsibility or liability for files deleted due to violation of fileserver space allotments.
2. To remove a user account on the network.
3. To monitor the use of online activities. This may include real-time monitoring of network activity and/or maintaining a log of Internet activity for later review.
4. To provide internal and external controls as appropriate and feasible. Such controls shall include the right to determine who will have access to [Name of Organization]-owned equipment and, specifically, to exclude those who do not abide by the [Name of Organization]'s acceptable use policy or other policies governing the use of school facilities, equipment, and materials. [Name of Organization] reserves the right to restrict online destinations through software or other means.
5. To provide guidelines and make reasonable efforts to train staff and students in acceptable use and policies governing online communications.
Staff Responsibilities
1. Staff members who supervise students, control electronic equipment, or otherwise have occasion to observe student use of said equipment online shall make reasonable efforts to monitor the use of this equipment to assure that it conforms to the mission and goals of the [Name of Organization].
2. Staff should make reasonable efforts to become familiar with the Internet and its use so that effective monitoring, instruction, and assistance may be achieved.
User Responsibilities
1. Use of the electronic media provided by the [Name of Organization] is a privilege that offers a wealth of information and resources for research. Where it is available, this resource is offered to staff, students, and other patrons at no cost. In order to maintain the privilege, users agree to learn and comply with all of the provisions of this policy.
Acceptable Use
1. All use of the Internet must be in support of educational and research objectives consistent with the mission and objectives of the [Name of Organization].
2. Proper codes of conduct in electronic communication must be used. In news groups, giving out personal information is inappropriate. When using e-mail, extreme caution must always be taken in revealing any information of a personal nature.
3. Network accounts are to be used only by the authorized owner of the account for the authorized purpose.
4. All communications and information accessible via the network should be assumed to be private property.
5. Subscriptions to mailing lists and bulletin boards must be reported to the system administrator. Prior approval for such subscriptions is required for students and staff.
6. Mailing list subscriptions will be monitored and maintained, and files will be deleted from the personal mail directories to avoid excessive use of fileserver hard-disk space.
7. Exhibit exemplary behavior on the network as a representative of your school and community. Be polite!
8. From time to time, the [Name of Organization] will make determinations on whether specific uses of the network are consistent with the acceptable use practice.
Unacceptable Use
1. Giving out personal information about another person, including home address and phone number, is strictly prohibited.
2. Any use of the network for commercial or for-profit purposes is prohibited.
3. Excessive use of the network for personal business shall be cause for disciplinary action.
4. Any use of the network for product advertisement or political lobbying is prohibited.
5. Users shall not intentionally seek information on, obtain copies of, or modify files, other data, or passwords belonging to other users, or misrepresent other users on the network.
6. No use of the network shall serve to disrupt the use of the network by others. Hardware and/or software shall not be destroyed, modified, or abused in any way.
7. Malicious use of the network to develop programs that harass other users or infiltrate a computer or computing system and/or damage the software components of a computer or computing system is prohibited.
8. Hate mail, chain letters, harassment, discriminatory remarks, and other antisocial behaviors are prohibited on the network.
9. The unauthorized installation of any software, including shareware and freeware, for use on [Name of Organization] computers is prohibited.
10. Use of the network to access or process pornographic material, inappropriate text files (as determined by the system administrator or building administrator), or files dangerous to the integrity of the local area network is prohibited.
11. The [Name of Organization] network may not be used for downloading entertainment software or other files not related to the mission and objectives of the [Name of Organization] for transfer to a user's home computer, personal computer, or other media. This prohibition pertains to freeware, shareware, copyrighted commercial and non-commercial software, and all other forms of software and files not directly related to the instructional and administrative purposes of the [Name of Organization].
12. Downloading, copying, otherwise duplicating, and/or distributing copyrighted materials without the specific written permission of the copyright owner is prohibited, except that duplication and/or distribution of materials for educational purposes is permitted when such duplication and/or distribution would fall within the fair use doctrine of US copyright law (Title 17, USC).
13. Use of the network for any unlawful purpose is prohibited.
14. Use of profanity, obscenity, racist terms, or other language that may be offensive to another user is prohibited.
15. Playing games is prohibited unless specifically authorized by a teacher for instructional purposes.
16. Establishing network or Internet connections to live communications, including voice and/or video (relay chat), is prohibited unless specifically authorized by the system administrator.
Disclaimer
1. The [Name of Organization] cannot be held accountable for the information that is retrieved via the network.
2. Pursuant to the Electronic Communications Privacy Act of 1986 (18 USC 2510 et seq.), notice is hereby given that there are no facilities provided by this system for sending or receiving private or confidential electronic communications. System administrators have access to all mail and will monitor messages. Messages relating to or in support of illegal activities will be reported to the appropriate authorities.
3. The [Name of Organization] will not be responsible for any damages you may suffer, including loss of data resulting from delays, nondeliveries, or service interruptions caused by our own negligence or your errors or omissions. Use of any information obtained is at your own risk.
4. The [Education Agency Name] makes no warranties (expressed or implied) with respect to:
· the content of any advice or information received by a user, or any costs or charges incurred as a result of seeing or accepting any information; and
· any costs, liability, or damages caused by the way the user chooses to use his or her access to the network.
5. The [Name of Organization] reserves the right to change its policies and rules at any time.
User Agreement (to be signed by all adult users and student users above grade 5)
I have read, understand, and will abide by the above Acceptable Use Policy when using computer and other electronic resources owned, leased, or operated by the [Name of Organization]. I further understand that any violation of the regulations above is unethical and may constitute a criminal offense. Should I commit any violation, my access privileges may be revoked, school disciplinary action may be taken, and/or appropriate legal action may be initiated.
_________________________
User Name (please print)
_________________________
User Signature Date
Parent Agreement (to be signed by parents of all student users under the age of eighteen)
As parent or guardian of [please print name of student] __________________________, I have read the Acceptable Use Policy. I understand that this access is designed for educational purposes. [Name of Organization] has taken reasonable steps to control access to the Internet, but cannot guarantee that all controversial information will be inaccessible to student users. I agree that I will not hold the [Name of Organization] responsible for materials acquired on the network. Further, I accept full responsibility for supervision if and when my child's use is not in a school setting. I hereby give permission for my child to use network resources, including the Internet, that are available through [Name of Organization].
_________________________
Parent Name (please print)
_________________________
Parent Signature Date
Your Organization’s Current Policies
Below, you will find three policies that are currently used by your organization. You will review and revise these policies (one in each step during Steps 4, 5, and 6).
Acceptable Use Policy for Employee Technology: Your Company
Policy/Revision Date: 77.00/11-16-2016
Previous Policy/Date: 77.00/11-16-2010
Originator: Chief Information Officer, Chief Information Security Officer, Human Resource Director
1. Purpose
Your Company has made a commitment to inform its employees of the proper guidelines to follow when utilizing technology resources. Your company is also required by law to inform employees of these policies. These resources are offered to employees to help them represent this company in an appropriate manner and complete their work while operating with the highest level of professionalism and integrity. Applicable individuals should respect the rights of others, refrain from abusing these resources, and comply with associated policies, local laws, and federal laws.
2. Applicability
Any and all employees who access and operate company-provided technology resources, or represent the company while accessing said resources, are required to adhere to this policy. Persons covered by this policy include, but are not limited to: employees or contractors of Your Company and sister companies or other affiliates, whose work may directly affect the view of our company's moral standing.
3. Acceptable Use
All applicable technology users must adhere to the following guidelines:
a. Comply with applicable federal, state, and all other internal and external mandated laws, policies, rules, contracts, and licenses.
b. Protect company technology accounts by securing passwords and not sharing account information with others.
c. Access only his or her account and respect the privacy of others and their accounts. Note: If there is a concern about someone else’s security, notify your direct supervisor immediately.
d. Use company resources for business purposes only. Personal use is at the discretion of each employee’s immediate supervisor and should not affect the performance of an employee.
e. Use company-provided signatures and e-mail templates. Respond with professional etiquette in e-mails at all times.
f. Refrain from visiting or viewing inappropriate websites, including—but not limited to—pornography.
g. Protect confidential and proprietary information from unauthorized persons and those outside of the company domain.
h. Avoid participation in illegal actions at any time with technology resources.
i. Observe the following policies of Your Company: 77.10 E-mail Guidelines, 77.20 Mobile Device Guidelines, 77.30 Participation in Social Media Guidelines, and 77.40 Web Search Guidelines.
4. Security and Privacy
a. Employees and users of Your Company’s technology resources understand they give up the right of privacy in all said interactions with company resources.
b. It is at the discretion and right of Your Company to investigate all technology resources it owns and communications made by its employees at any time.
c. If it is suspected that a technology user at Your Company may be participating in illegal activity, potential harm of a person or operations, or other suspicious activity, Your Company may monitor usage and may do so without permission.
5. Enforcement of Improper Use
a. Your Company’s technology user will be notified of their noncompliance with the Acceptable Use Policy.
b. Violators and suspected violators of Your Company’s Acceptable Use Policy may be denied access to technology resources and disciplinary action may be taken, including possible termination, or other imposed penalties set by the company and civil or criminal statutes.
6. Related Policies
a. Policy 77.10 - E-mail Guidelines
b. Policy 77.20 - Mobile Device Guidelines
c. Policy 77.30 - Participation in Social Media Guidelines
d. Policy 77.40 - Web Search Guidelines.
Computer, Internet, and E-mail Usage Policy: Your Company
Policy
These guidelines are issued to protect and inform our personnel
of the proper policies and procedures for accessing the Internet
and using other technology resources on behalf of Your
Company. Users are granted access to these technological
resources to act as a representative of the company and must
acknowledge and adhere to said usage requirements. Those who
infringe upon these policies and procedures may face
disciplinary action, up to termination and any legal action
resulting from criminal offenses committed against the federal,
state, and local laws.
Purpose
To define acceptable and unacceptable policies and procedures,
relative to utilizing Internet and network infrastructure while
working for Your Company.
Scope
All employees with access to the Internet, utilizing technology
resources, or acting on behalf of Your Company are responsible
for complying with this policy and applicable procedures.
1. Acceptable Use
a. Internet and technical applications should be utilized for
official business purposes only.
b. Business purposes consist of work-related activities, but
educational, professional development, and research are also
authorized.
c. Personnel should contact their direct supervisor if there is
any confusion as to what is acceptable use. Direct supervisors
should utilize the services of the Technical Support Team if
further clarification is needed.
2. Unacceptable Use
a. Personnel should not use the Internet for illegal, unlawful, or
inappropriate purposes. Illegal, unlawful, or inappropriate
categories include—but are not limited to—pornographic or
obscene content, violent or threatening subject matter,
fraudulent activity, or any other forms of related content.
b. E-mail and messaging services are strictly intended for Your
Company business purposes. Bullying practices, disruptive
behavior, and other continued actions that will interrupt the
productivity of daily business functions will not be tolerated.
c. Internet use for private and entertainment purposes and for
activities unrelated to Your Company duties should be avoided.
d. Internet use should not be exploited for external commercial
or political purposes.
e. Company users should not access the network unless granted
permission in an administration capacity.
f. Employees should not access, transfer, store, or distribute
illegal copyrighted materials or files on the company’s network
or property.
3. Proper Internet and E-mail Conduct
a. E-mail should reflect a professional tone, and the use of
profane language is restricted.
b. Personnel should seek the approval of management before
divulging private or personal information of any kind.
c. Users should act cautiously when handling sensitive
information that will be sent via e-mail; such information should
be shared only with essential stakeholders.
d. Your Company exercises the right to monitor and inspect any
and all electronic activities that transpire on the company's
server.
4. Security Standards
a. Potential and explicit security issues should be reported at
once to the user's direct supervisor and the Technical Support
Team.
b. Users should not share their passwords, allow another user to
access their account, or perform operations under the account of
another user.
c. If a Your Company employee is found to be a security risk or
has had repeated security issues, an immediate restriction may
be placed on his or her account.
5. Disciplinary Action
a. Violation of any of the abovementioned policies and
procedures may result in immediate denial of access to the
company network and corrective action up to termination.
b. If a criminal offense has been committed, federal, state, and
local law enforcement will assume responsibilities and press
charges. Your Company will provide information and cooperate
to the fullest extent.
6. User Consent
a. I accept the terms and conditions within the Internet Use
Policy and will respect these guidelines and procedures when
utilizing the Your Company network and Internet.
b. By signing the Internet Use Policy, I agree and will adhere to
any and all guidelines.
Full Name Printed______________________________
Signature______________________________
Date______________________________
Department______________________________
Privacy Policy: Your Company
Customer Protection Obligation
Your Company assumes the responsibility to its customers to
disclose our privacy policy and practices for
www.YourCompany.com. This policy applies exclusively to
information collected by the Your Company website. It will
report the following information:
· process to revise, correct, and update your personal information
· options available to you concerning your personal information
· specific personal information that is collected through
http://www.yourcompany.com
· security process in place that protects information from
improper conduct
Information Distribution, Collection, and Usage
Your Company will only collect and access information that has
been provided by you directly, voluntarily, in any and all
methods you deem appropriate. We may contact you via the
methods you supplied us, to communicate specials, products, or
services, or changes to this policy. At any time, you may
contact us to be removed from any of these lines of
communication.
Once received, sole ownership of your personal information will
remain with Your Company. We vow to not freely provide, sell,
or rent your information to any third party person or business.
This information should be used only for the purpose of completing
your request.
Information Access and Control
You may notify Your Company at any time via phone or e-mail
to change your communication preferences or opt out
completely. You may take the following actions:
· inquire about and receive data we have on file about you, if
any
· correct or update the contact information we have on record
for you
· request to remove your data from our records
· address concerns and review our policies regarding use of
your data
Personal Information Security
We ensure that all possible safeguards are taken to protect your
information online and offline at Your Company. Encryption is
applied at collection and remains in place during all phases of
handling your sensitive information, such as, but not limited to,
credit card data. If there is a question at any time, you may
verify this protection by confirming that the web page address
starts with "https". Your information will only be available on a
need-to-know basis, and only employees who have been authorized
to handle your information may access it. Your personal
information is housed within an environment of servers and
computers that exemplifies the utmost level of security.
Privacy Policy Updates
Updates will be communicated on our website and you may
submit a written request for the current policy.
Note: Please contact us immediately via phone at 555-555-5555
or via e-mail at [email protected] if you believe you have
witnessed instances where our privacy policy is not being
followed.
Project Scenario
After introducing yourself as the newly hired cybersecurity
analyst, you look around the conference table at the others in
your meeting. This multidisciplinary policy development team
includes employees from HR, IT, finance and legal. After
introductions are complete, Brian, an attorney from the legal
department, begins to speak: "Upper management has tasked
this team with reviewing the Internet usage policy, acceptable
usage policy, and privacy policy. These are the types of policies
that we encounter when we are required to sign or click the 'I
Agree' box as we turn on our business computers or purchase
software."
Brian continues, "We will each need to consider our
perspectives and roles on this team throughout the policy
development process. We need to balance the writing of the
revised policies from the standpoint of the customer and/or user
while considering business goals.
"This also means that we will each need to keep in mind aspects
such as protecting corporate data, ensuring customer privacy,
corporate due diligence, and legal or regulatory compliance
respective to our areas of expertise."
Brian turns to you and says, "Since these three policies are
focused on cybersecurity, you will conduct the initial review.
Begin by evaluating and rewriting each policy. Then prepare a
cover letter summarizing the justifications, including your
written evaluation. Please have this ready for our next meeting
one week from today."
When you submit your project, your work will be evaluated
using the competencies listed below. You can use the list below
to self-check your work before submission.
Policy Components
Cybersecurity policies are critical to establishing and
maintaining security of networks and data, communicating
expectations to employees, and determining consequences for
actions. Such policies represent an expression of expectations.
Here are the key elements of a good cybersecurity policy:
· Definitions, which explain terms in the context of the
organization's mission and culture.
· Access to computers and data, which explains the processes
for gaining access privileges and approvals, and the
expectations regarding use of company IT assets. Password
expectations would also be established herein.
· Use of external (e.g., mobile) devices, to include any
restrictions on use of outside devices on internal company IT
assets.
· Security procedures, explaining the reporting requirements
should malicious acts be discovered.
· Internet use, to include acceptable use policy and what, if any,
filtering might be used. This policy also explains personal use
of the Internet on work-related computers.
· Data storage and recovery, defining storage requirements
(length of time, type of data to be stored), and the expectations
regarding recovering from unexpected outages or losses.
· Remote access, which explains expectations regarding remote
access to company IT assets, and expectations regarding that
privilege.
· Auditing, which describes frequency and type of review for
cybersecurity and IT assets.
· Training, which explains requirements for maintaining or
learning skills or policies needed for cybersecurity.
Privacy Policy
How is privacy different from security? Privacy refers to the
right of an individual to have his or her personal information
protected from voluntary disclosure by the holder of that
information. Security protects the information from hacking or
other types of involuntary disclosure. Amazon protects your
privacy by not selling your information to a third party; it
makes the information secure by installing a firewall, patching
the operating system, and using antivirus programs.
As the internet expands and related technologies are developed,
concerns about privacy protection for individuals grow. The
more we conduct personal and professional business in
cyberspace, the more we expose our sensitive, personal
information to third-party sources. Consumers must rely on
organizations to protect their right to privacy.
Governments across the globe have used legislation to address
issues of privacy. Although legislation in the European Union
has favored the protection of the individual’s privacy, the
United States tends to favor protecting the rights of the
employer. Yet, there has been significant US legislation
designed to protect privacy in several industries including
finance, communications, and health services. In addition, the
federal government has, after considerable pressure, moved to
protect the privacy of its employees and the privacy of
individuals who interact with the government.
Organizations and websites must demonstrate transparency and
diligence to employees and customers by providing privacy
policies. Privacy policies may be found on websites and also
within an organization's corporate policies. A privacy policy
explicitly discloses the manner in which the personal
information of a customer and/or employee is collected and
used. Privacy policies clearly communicate expectations of
privacy for all parties.
Privacy Policies
What Is a Privacy Policy?
A privacy policy is a document that a website writes up to
inform its users how it handles any personal information that is
collected from users of the website or which users enter into the
website. There are two main elements to a privacy policy:
· It explains how the website will protect the privacy of its
users by not collecting, keeping, or sharing certain personal
information.
· It makes the user aware of what kinds of personal information
will be collected or asked for from the website, whether it will
be shared or not, and—if it is to be shared—with whom.
Why Are Privacy Policies Important?
Many people don't take the time to read website privacy
policies, as many of them are long and filled with hard-to-
understand legal terms. In fact, some people just assume that
their personal information won't be shared by a website simply
because it has a privacy policy. Unfortunately, as we just
explained, many privacy policies are as much (or more) about
what a website will do with any information that it gets from
you as they are about what a website won't do with your
information.
Understanding what a privacy policy does and doesn't allow a
website to do with respect to your personal information helps
you to make an informed decision about your privacy on the
Internet. If you feel that a website's privacy policy gives it too
much leeway to intrude into your personal life, you may want to
consider using another website that has a stricter privacy policy.
Or you may want to use some of the strategies and tools from
other articles in this course to protect your privacy yourself,
instead of expecting other websites to do it for you.
Things to Be Aware of in a Privacy Policy
We realize that we just mentioned that many privacy policies
are difficult to read because they are lengthy and filled with
legal-speak. However, you can make them slightly easier to
digest—and gauge how well they will actually protect your
privacy—by asking a few key questions.
10 Questions to Ask While Reading a Privacy Policy
· What information does the website require me to provide in
order to use it?
· Does the website collect any information from me besides
what is required to use it?
· By merely using the website, am I consenting to the website
being able to collect information from me?
· What reason or reasons does the website give for collecting or
requiring certain types of information from me (e.g., "deliver
our services," "improve my experience," etc.)?
· Does the website share, sell, or trade any of the information
that it collects from me with anyone else?
· If the website shares, sells, or trades my information, with
whom do they do so? (Their partner services? Advertisers? The
government? Law enforcement? Other groups?)
· When does the website release my information to anyone else?
(Never? When they're required to by law? When they fear that
their own—or someone else's—well-being is at stake?
Whenever they want?)
· How long does the website keep any information that it
collects from me? (Thirty days? Ninety days? A year? Until I
close my account or otherwise request that they get rid of it? As
long as they are required to by law? Until they deem that it's no
longer useful to them?)
· Does the website actually delete any information that they
collect from me (whether I request it or they do so in keeping
with their privacy policy), or do they simply remove any parts
of it that could personally identify me?
· Does the website allow any other groups, besides themselves,
to collect information from me while I use their website? If so,
what are the privacy policies of these groups?
Project 1
Revised acceptable use policy - FOLLOW INST, REVISE
CURRENT POLICY
Policy changes matrix - ATTACHED
Revised internet use policy - FOLLOW INST, REVISE
CURRENT POLICY
Revised privacy policy – FOLLOW INST, REVISE CURRENT
POLICY
Cover letter – 2 PAGES MAX
Policy revisions evaluation
INST
· Review P1 Scenario
· Current Policy – Attached, revise the 3 policies.
· Complete policy changes matrix
· Create – Cover Letter
· Complete – Policy Revisions Evaluation essay.
Revised acceptable use policy
Begin reviewing and updating the first of three security policies
for your own organization. Review your organization's current
acceptable use policy. Determine what changes are necessary
and note your suggested changes on the Policy Changes Matrix.
Rewrite two to three sections of the acceptable use policy that
may be in question and provide justification for your suggested
modifications.
The new policy and the Policy Changes Matrix will be attached
to the final deliverable in Step 8. Submit the new policy and
table for feedback.
Revised internet use policy
Now, you will review and update the second of the three
security policies for your organization. Review your
organization's current Internet Use Policy. Determine what
changes are necessary and note your suggested changes on the
Policy Changes Matrix. Rewrite two to three sections of the
Internet use policy that may be in question and provide
justification for your suggested modifications.
The new policy and the Policy Changes Matrix will be attached
to the final assignment in Step 8. Submit the new policy and
table for feedback.
Revised privacy policy
Now you will review and update the last of the three security
policies for your organization. Review your organization's
current privacy policy. Determine what changes are necessary
and note your suggested changes on the Policy Changes Matrix.
Rewrite two to three sections of the privacy policy that may be
in question and provide justification for your suggested
modifications.
The new policy and the Policy Changes Matrix will be attached
to the final deliverable in Step 8. Submit the new policy and
table for feedback.
Cover letter
After completing the revision process of the acceptable use
policy, the Internet policy, and the privacy policy in the
previous three steps, you will need to prepare a cover letter
summarizing the justifications for your suggested modifications
for the next team meeting. This cover letter (maximum two
pages) will provide an explanation for the Policy Changes
Matrix. Address the letter to the CEO, IT, and HR directors.
Justifications should be in line with the business goals.
Submit your cover letter and table for feedback.
Policy revisions evaluation
Now that you have completed your analysis and revision of the
three policies, provide a written evaluation of your
organization's cybersecurity policy to present at the next team
meeting. Your evaluation should examine the completeness and
compliance of the organization's cybersecurity policy. Consider
your organization and organization-related interests as you
create your evaluation, and consider other aspects, such as how
to prevent the failure of the cybersecurity policy.
Complete the following tasks as you write your evaluation:
· Differentiate among the various concepts of enterprise
cybersecurity.
· Develop a high-level implementation plan for enterprise
cybersecurity policies.
· Assess the major types of cybersecurity threats faced by
modern enterprises (assessing risk).
· Discuss the principles that underlie the development of an
enterprise cybersecurity policy framework.
· Articulate clearly and fairly others' alternative viewpoints and
the basis of reasoning.
· Identify significant, potential implications, and consequences
of alternative points of view.
· Evaluate assumptions underlying other analytical viewpoints,
conclusions, and/or solutions.
Attach the cover letter, revisions, and Policy Changes Matrix,
and submit.
Policy Changes Matrix
Policy Type | Current Text | Suggested Change | Business Reason