1.1 This policy sets out rules that all 1836 Technologies personnel must follow when using the 1836 Technologies Network and/or the Internet from any 1836 Technologies computer, which includes usage of both the World Wide Web (www) and 1836 Technologies’s internal intranet systems(“1836 Technologies Network”)
1.2 This policy also applies to personal use of 1836 Technologies’s E-mail (Outlook) system. However, additional confidentiality and liability conditions apply to e-mails.
1.3 This policy also explains what 1836 Technologies may do as an employer to lawfully monitor and report use of the 1836 Technologies Network and/or 1836 Technologies computer and investigate suspected systems breaches by personnel or third parties as well as unlawful behavior.
1.4 This policy applies to any person who uses 1836 Technologies’s network and/or computers to access the Internet and E-mail. Where the policy refers to “personnel” or “user” this means anyone employed by 1836 Technologies or its parent company, any person carrying out work activities on 1836 Technologies occupied premises who is not directly employed by 1836 Technologies (e.g. students, interns, work placements or volunteers), or any person providing a service to 1836 Technologies under contract (independent contractor, consultant, or temporary employee). Collectively referred to as “1836 Technologies Personnel”.
1.5 Access to the 1836 Technologies network and/or Internet access is provided primarily to 1836 Technologies personnel to use for 1836 Technologies’s business and to develop the skills and knowledge of 1836 Technologies’s workforce to the benefit of its business objectives. A certain amount of limited and responsible personal use is also permitted.
1.6 The wide range of information available on the 1836 Technologies Network, as well as the Internet, and the nature and risks associated with the use of the Internet raises concerns about security, integrity, confidentiality, monitoring and proper conduct.
1.7 Data Protection Statement.
1.7 1836 Technologies will monitor all user activity on the Internet at network level for the purposes specified in Section 4.1. Information recorded as part of this automated monitoring process includes user identification, domain names of websites visited, duration of visits, and files uploaded to or downloaded from the Internet. Staff must be made aware that this monitoring may reveal sensitive data about them, for example visits to websites which details the activities of a particular political party or religious group might indicate the political opinion or religious belief of that staff member, or self-help or health advice sites might identify a physical or mental health condition. By carrying out such activities using 1836 Technologies’s Internet access facilities, Staff consent to 1836 Technologies processing any sensitive personal data about them that may be revealed through monitoring.
Personnel who do not consent must take responsibility for the maintenance of their own personal privacy by not using 1836 Technologies systems to access this type of information.
The purpose of this policy is to define standards for systems that monitor and limit web use from any computer or host within 1836 Technologies's network. These standards are designed to ensure that 1836 Technologies assets network, and Internet are used in a safe and responsible manner, to ensure the confidentiality, integrity, and reliability of the 1836 Technologies network, and to prevent intrusions into 1836 Technologies’s network, breaches of personal and sensitive data, and ensure that employee web use by Personnel be monitored or researched in the event of an incident.
This policy applies to all 1836 Technologies employees, contractors, vendors, users, and agents with a 1836 Technologies-owned, contractor provided, government furnished or personally-owned computer or workstation connected to the 1836 Technologies network. This policy applies to all end user initiated communications between 1836 Technologies’s network and the Internet, including web browsing, instant messaging, file transfer, file sharing, and other standard and proprietary protocols. Server to Server communications, such as SMTP traffic, backups, automated data transfers or database communications are excluded from this policy.
This policy also explains what 1836 Technologies may do as an employer to lawfully monitor and report use of the system and investigate suspected systems breaches by Personnel or third parties as well as unlawful behavior.
4.1 Internet and Network Monitoring
4.1.1 1836 Technologies’s Information Technology Services (ITS) Group has incorporated intrusion detection capabilities into its Network so as to provide information relating to unauthorized or irregular behavior on any 1836 Technologies computer, network, or telecommunication system, and analyzing them for signs of possible incidents, which are violations or imminent threats or violation of computer security policies, acceptable use policies, or standard security practices. This is done to protect 1836 Technologies and customer resources and data maintained or stored on 1836 Technologies’s network.
4.1.2 To protect the integrity of 1836 Technologies’s Network and the data maintained on its Network, the (ITS) Group will monitor Internet usage, network traffic on the 1836 Technologies Network a well as all 1836 Technologies computers and devices, whether or not connected to the 1836 Technologies Network
4.1.3 Because information recorded by the automated monitoring systems can be used to identify an individual user and show, for example, a website or document that a user has been viewing and the time spent browsing, personnel must not assume privacy in their use of the 1836 Technologies’s systems, even when accessing the systems in their personal time i.e. out of paid working hours.
4.1.4. In the event that ITS finds inappropriate activity or infestation of a company asset, this information may then be shared with the appropriate 1836 Technologies management, the Incident Response Team, and the Legal Department. 1836 Technologies reserves the right to carry out detailed inspection, make a copy of any 1836 Technologies asset or devices containing 1836 Technologies data, where warranted, and to re-image any 1836 Technologies asset as needed.
4.2 Access to Web Site Monitoring Reports
Authorized ITS members, Incident Response Team members, and the Legal Department will have access to all reports and data if necessary in order to respond to a security incident. Internet Use reports that identify specific users, sites, teams, or devices will only be made available to personnel outside ITS upon written or e-mail request from an authorized Human Resources Representative.
4.3 Internet Use Filtering System
4.3.1 1836 Technologies Personnel shall not access, transmit, upload, download, print, display or otherwise disseminate the following types of material while on the 1836 Technologies Network or while using 1836 Technologies assets:
Any data capable of being transformed into obscene or indecent images or material
This includes obscene language, pornography, hostile material relating to gender, sex, race, sexual orientation, religious, political convictions, disability or information that would cause or promote incitement of hatred, violence or any other intimidating material that is designed or could be used to cause offence, annoyance, inconvenience, needless anxiety or which would contravene any Trust policy, in particular equal opportunities or harassment, or break any law.
4.3.2 1836 Technologies Personnel cannot:
i. Intentionally circumvent security mechanisms such as cracking passwords, exploiting system vulnerabilities, or using systems in excess of granted privileges;
ii. Intentionally write, compile, copy, propagate, execute, or attempt to introduce any malicious computer code designed to self-replicate, damage, or otherwise hinder the performance of any computer system. Such software may be referred to as malware virus, bacteria, worm, or a Trojan Horse; and
iii. Transmit, upload, post or discuss Personal Identifiable Information (PII), Protected Health Information (PHI), or sensitive Government or 1836 Technologies company data with any third party without prior written authorization; or
4.3.3 In addition to the above, the Internet may not be accessed and used for any of the following:
Any activity that infringes copyright
Transmission of unsolicited commercial or advertising material
Any activity that would violate the privacy of others
Any activity that would risk bringing the organization into disrepute or place the Trust in a position of liability
Cause damage or disruption to organizational systems
Any activity that would violate the laws and regulations of the European Union
Not to be used for any secondary paid employment or voluntary services
Not to be used to run a personal business
4.3.4 The IT Department reserves the right to block access to Internet websites and protocols that are deemed inappropriate for 1836 Technologies’s corporate environment. The following protocols and categories of websites are examples of the type of websites that may be blocked:
If a site is blocked, then 1836 Technologies Personnel may only access that blocked site with prior written permission if appropriate and necessary for business purposes. If any Personnel need access to a site that is blocked and appropriately categorized, they must submit a request to their appraisal manager. They will then present all approved exception requests to ITS in writing or by email, and ITS will evaluate the request and consider unblocking that site or category.
5.1 1836 Technologies personnel are expected to report suspected violations of this policy to the Legal Department.
5.2 Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6.0 Special Approval for European Union (EU) Users
Due to privacy concerns within the EU, special approvals and consents from the 1836 Technologies Personnel must be undertaken before a deep packet inspection is started. 1836 Technologies ITS will first ask the affected 1836 Technologies Personnel permission to conduct a further analysis of their packet payloads to determine the cause of the alert. The user will then be informed of their options, and if they agree to the inspection, they will be required to complete the attached EU Consent Form. If the user consents to ITS inspecting the packet payload, ITS will then examine the packets captured. If the user denies ITS’ request, the user may be disconnected from the 1836 Technologies Network if it is determined that his/her computer will continue to pose a risk to the 1836 Technologies Network.
Hacking Sites - Sites that provide content about breaking or subverting computer security controls.
Incident - A reported security event or group of events that has proven to be a verified information technology security breach. An incident may also be an identified violation or imminent threat of violation of information technology security policies, or a threat to the security of system assets. Some examples of possible information technology security incidents are, but are not limited to:
Internet - an unclassified electronic communications network that connects computer networks and organizational computer facilities around the world.
Internet Filtering – Using technology that monitors each instance of communication between devices on the corporate network and the Internet and blocks traffic that matches specific rules.
Intrusion detection - The process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.
IP Address – Unique network address assigned to each device to allow it to communicate with other devices on the network or Internet.
Peer to Peer File Sharing – Services or protocols such as BitTorrent and Kazaa that allow Internet connected hosts to make files available to or download files from other hosts. Social Networking Services – Internet sites such as Myspace and Facebook that allow users to post content, chat, and interact in online communities.
Phishing – attempting to fraudulently acquire sensitive information by masquerading as a trusted entity in an electronic communication.
SMTP – Simple Mail Transfer Protocol. The Internet Protocol that facilitates the exchange of mail messages between Internet mail servers.
SPAM – Unsolicited Internet Email.
User ID – User Name or other identifier used when an associate logs into the corporate network.
8.0 Revision History
__/2010 – Draft Completed, ________________
DRAFT EU Consent Form
I, _____________________, having been informed of my right not to have a search made of the computer systems hereinafter mentioned without a search warrant and of my right to refuse consent to such a search, hereby authorize 1836 Technologies International, Inc., Information Technology Services, to conduct a complete search of the computer system : ______(insert host name of the computer here)______ and its communications used to conduct 1836 Technologies business. This search includes the deep packet inspection of all communications between the aforementioned computer and the internet in an effort to safeguard the 1836 Technologies network from malicious activities.
You are hereby authorized by me to take from this location any property which you need to complete your analysis, assessment, and/or resolution of a possible privacy or internet security incident. This written permission is being given by me voluntarily and without threats or promises of any kind. I have not been threatened, placed under duress or promised anything in exchange for my consent. I have read and understand this form. I understand the English language and have been able to communicate with the 1836 Technologies ITS representatives regarding the possible privacy and/or IT security incident.
I understand that I this consent only applies to this incident and that my further consent will be required for any future incidents that may occur.