1. Introduction
1.1 Background
At XYZ, all data acquired, processed and shared with customers and stakeholders must be
adequately protected against unauthorized access and/or modification, whether accidental or willful.
This protection is ensured through adequate technical controls and by defining a framework for the
acceptable use of resources by all associates/subjects who access such information/data in
performing their job functions. The technical controls that are used within the company
provide an essential element of the required protection. However, they deliver only part of
the solution; the most effective defense is achieved through awareness and good working
practices. This document, which forms XYZ’s Acceptable Use of Computer Resources Policy
(including Internet, web and email usage) in support of XYZ’s Information Security Policy,
defines both acceptable and unacceptable usage of IT facilities, contributing to the overall goal
of systems and information security management.
1.2 Applicability
This Policy concerns:
• The use of company owned assets; and,
• Network facilities, regardless of whether these are used through the XYZ LAN or
through external connection as in the case of mobile devices such as Laptops (where
this has been authorized).
It is the personal responsibility of every individual to whom this Policy applies to adhere fully
to its requirements. The department heads are responsible for implementing this Policy
within their respective department and for overseeing compliance by associates under their
direction and/or supervision.
1.3 Scope
This Policy concerns all computer systems and network facilities operated by XYZ, regardless of
location.
2. Use of XYZ Computer Resources
Anyone else wishing to use the company’s computer resources, or access the company’s premises, or
wishing to connect equipment to the company’s network, must contact the appropriate
authority. The company’s IT infrastructure and networking facilities may only be used with proper
authorization. Only the system administration team for the respective computer systems can
grant access, or deny it if found inappropriate. All Associates will be assigned a unique USERID
and default PASSWORD on joining the company. A USERID entitles an individual to use
computer systems for performing their job, including personal work, if any, for a limited
acceptable time without impacting business emergencies. USER IDs and Passwords are strictly
confidential and shall not be shared with anyone. The selection and management of
PASSWORDS shall follow best practices, in accordance with
the Password Usage & Management Policy. When USER IDs lapse on a timed basis, the
individual’s access credentials become invalid and will no longer provide access to systems.
However, files associated with the user will be retained for a reasonable period of time and
can be retrieved if necessary. A lapsed USERID will be re-instated on request where such
applications are authorized by the appropriate authority.
3.2 Connectivity
Users will be provided with Internet, web access and email facilities either by Local Area
Network (LAN) connectivity, Wireless LAN connectivity, via Virtual Private Network (VPN) or
through any other means based on their profile in the organization. In addition, some XYZ
computing resources are available through web services. Access to these facilities is granted
subject to compliance with the policy requirements, responsible conduct and requirements
concerning ‘mobile and remote access’.
Any user who inadvertently accesses an inappropriate Internet site must immediately close the
session. Any associate who receives an inappropriate email message or email content that
appears to have been sent by another associate may wish to report the matter to their
reporting manager immediately.
The publishing of this Policy is one of the means by which the company informs associates about
standard monitoring practices at the company. XYZ reserves the right to deploy software and
systems that monitor, block or record all Internet access. These systems and utility tools are
capable of recording (for each and every user) exactly how much Internet usage is being
exercised for each World Wide Web site visit (the date and time visited and how long was spent
on the site), each email message, and each file transfer into and out of our internal networks.
This right is reserved at all times, although it is anticipated that instances of such monitoring
will be minimal and proportional to operational needs. Privately owned equipment connected
to XYZ networks in accordance with 2.2 will be subject to the same monitoring activities as XYZ
equipment to ensure the security of XYZ Network at all times. Logs of computer system usage
shall be taken and scrutinized. These will be retained for periods appropriate for operational
purposes, and data may be archived.
Anyone wishing to send an inter-circle email must obtain authorization for sending it from the
head of the respective circle. All approved bulk email messages are to contain the following
information:
• Subject line: with clearly stated subject;
• From: line that contains the email address of sender;
• To: line that includes XYZ group/s to which the mass email will be sent;
• Signature information providing the name, business unit, and telephone number of the
sender.
Business Units wishing to announce organization-level sponsored events should use the facilities
available, such as ‘Common Info’ etc. Alternatively, there is provision for associates to
subscribe to opt-in mailing lists.
XYZ Confidential