Project 1: Policy Analyses
Step 4: Rewrite the Current Acceptable Use Policy
In the first three steps, you reviewed the process of creating security policies, reviewed components of a proper policy, and identified evaluation criteria to measure against existing policies. Now, you are ready to analyze and revise your own organization’s policies. Such analysis is likely to be qualitative for some aspects, quantitative for other aspects, and a hybrid for still other aspects of the policy. As such, your choice of measures and analytical techniques must be reasonable and justifiable.
Begin reviewing and updating the first of three security policies for your own organization. Review your organization’s current policies, with attention to its acceptable use policy. Determine what changes are necessary and note your suggested changes on the Policy Changes Matrix. Rewrite two to three sections of the acceptable use policy that may be in question and provide justification for your suggested modifications.
The new policy and the Policy Changes Matrix will be attached to the final assignment. Submit the new policy and table for feedback.
Your Organizationâ€™s Current Policies
Below, you will find three policies that are currently used by your organization. You will review and revise these policies (one in each step during Steps 4, 5, and 6).
Acceptable Use Policy for Employee Technology: Your Company
Policy/Revision Date: 77.00/11-16-2016
Previous Policy/Date: 77.00/11-16-2010
Originator: Chief Information Officer, Chief Information Security Officer, Human Resource Director
Your Company has made a commitment to inform its employees of the proper guidelines to follow when using technology resources. Your company is also required by law to inform employees of these policies. These resources are offered to employees to help them represent this company in an appropriate manner and complete their work while operating with the highest level of professionalism and integrity. Applicable individuals should respect the rights of others, refrain from abusing these resources, and comply with associated policies, local laws, and federal laws.
Any and all employees who access and operate company-provided technology resources, or represent the company while accessing said resources, are required to adhere to this policy. Persons covered by this policy include, but are not limited to: employees or contractors of Your Company and sister companies or other affiliates, whose work may directly affect the view of our company’s moral standing.
- Acceptable Use
All applicable technology users must adhere to the following guidelines:
- Comply with applicable federal, state, and all other internal and external mandated laws, policies, rules, contracts, and licenses.
- Protect company technology accounts by securing passwords and not sharing account information with others.
- Access only his or her account and respect the privacy of others and their accounts. Note: If there is a concern about someone elseâ€™s security, notify your direct supervisor immediately.
- Use company resources for business purposes only. Personal use is at the discretion of each employeeâ€™s immediate supervisor and should not affect the performance of an employee.
- Use company-provided signatures and email templates. Respond with professional etiquette in emails at all times.
- Refrain from visiting or viewing inappropriate websites, includingâ€”but not limited toâ€”pornography.
- Protect confidential and proprietary information from unauthorized persons and those outside of the company domain.
- Avoid participation in illegal actions at any time with technology resources.
- Observe the following policies of Your Company: 77.10 E-mail Guidelines, 77.20 Mobile Device Guidelines, 77.30 Participation in Social Media Guidelines, and 77.40 Web Search Guidelines.
- Security and Privacy
- Employees and users of Your Companyâ€™s technology resources understand they give up the right of privacy in all said interactions with company resources.
- It is at the discretion and right of Your Company to investigate all technology resources it owns and communications made by its employees at any time.
- If it is suspected that a technology user at Your Company may be participating in illegal activity, potential harm of a person or operations, or other suspicious activity, Your Company may monitor usage and may do so without permission.
- Enforcement of Improper Use
- Your Companyâ€™s technology user will be notified of their noncompliance with the Acceptable Use Policy.
- Violators and suspected violators of Your Companyâ€™s Acceptable Use Policy may be denied access to technology resources and disciplinary action may be taken, including possible termination, or other imposed penalties set by the company and civil or criminal statutes.
- Related Policies
- Policy 77.10 – Email Guidelines
- Policy 77.20 – Mobile Device Guidelines
- Policy 77.30 – Participation in Social Media Guidelines
- Policy 77.40 – Web Search Guidelines.
Computer, Internet, and Email Usage Policy: Your Company
These guidelines are issued to protect and inform our personnel of the proper policies and procedures for accessing the Internet and using other technology resources on behalf of Your Company. Users are granted access to these technological resources to act as a representative of the company and must acknowledge and adhere to said usage requirements. Those who infringe upon these policies and procedures may face disciplinary action, up to termination and any legal action resulting from criminal offenses committed against the federal, state, and local laws.
To define acceptable and unacceptable policies and procedures, relative to utilizing internet and network infrastructure while working for Your Company.
All employees with access to the internet, using technology resources, or acting on behalf of Your Company are responsible for complying with this policy and applicable procedures.
- Acceptable Use
- Internet and technical applications should be utilized for official business purposes only.
- Business purposes consist of work-related activities, but educational, professional development, and research are also authorized.
- Personnel should contact their direct supervisor if there is any confusion as to what is acceptable use. Direct supervisors should use the services of the Technical Support Team if further clarification is needed.
- Unacceptable Use
- Personnel should not use the internet for illegal, unlawful, or inappropriate purposes. Illegal, unlawful, or inappropriate categories includeâ€”but are not limited toâ€”pornographic or obscene content, violent or threatening subject matter, fraudulent activity, or any other forms of related content.
- Email and messaging services are strictly intended for Your Company business purposes. Bullying practices, disruptive behavior, and other continued actions that will interrupt the productivity of daily business functions will not be tolerated.
- Internet use for private and entertainment purposes and for activities unrelated to Your Company duties should be avoided.
- Internet use should not be exploited for external commercial or political purposes.
- Company users should not access the network unless granted permission in an administration capacity.
- Employees should not access, transfer, store, or distribute illegal copyrighted materials or files on the companyâ€™s network or property.
- Proper Internet and Email Conduct
- Email should reflect a professional tone, and the use of profane language is restricted.
- Personnel should seek the approval of management before divulging private or personal information.
- Users should act cautiously when handling sensitive information that will be sent via email and should only be shared with essential stakeholders.
- Your Company exercises the right to monitor and inspect any and all electronic activities that transpire on the company’s server.
- Security Standards
- Potential and explicit security issues should be reported at once to the user’s direct supervisor and the Technical Support Team.
- Users should not share their passwords, allow another user to access their account, or perform operations under the account of another user.
- If Your Company personnel is found to be a security risk or has had repeated security issues, an immediate restriction may be placed on his or her account.
- Disciplinary Action
- Violation of any of the abovementioned policies and procedures may result in immediate denial of access to the company network and corrective action up to termination.
- If a criminal offense has been committed, federal, state, and local law enforcement will assume responsibilities and press charges. Your Company will provide information and cooperate to the fullest extent.
- User Consent
- I accept the terms and conditions within the Internet Use Policy and will respect these guidelines and procedures when utilizing the Your Company network and Internet.
- By signing the Internet Use Policy, I agree and will adhere to any and all guidelines.
Full Name Printed ______________________________
Customer Protection Obligation
- process to revise correct and update your personal information
- options available to you concerning your personal information
- specific personal information that is collected through http://www.yourcompany.com
- security process in place that protects information from improper conduct
Information Distribution, Collection, and Usage
Your Company will only collect and access information that has been provided by you directly, voluntarily, in any and all methods you deem appropriate. We may contact you via the methods you supplied us, to communicate specials, products, or services, or changes to this policy. At any time, you may contact us to be removed from any of these lines of communication.
Once received, sole ownership of your personal information will remain with Your Company. We vow to not freely provide, sell, or rent your information to any third party person or business. This information should be used for the purposes to complete your request.
Information Access and Control
You may notify Your Company at any time via phone or email to change your communication preferences or opt out completely. You may take the following actions:
- inquire about and receive data we have on file about you, if any
- correct or update the contact information we have on record for you
- request to remove your data from our records
- address concerns and review our policies regarding use of your data
Personal Information Security
We ensure that all possible safeguards are taken to protect your information online and offline at Your Company. Encryption is introduced at collection and will remain during all phases of handling your sensitive information, such as, but not limited to, credit card data. If there is a question at any time, you may establish this security by confirming that your web page starts with “https.” Your information will only be available on a need to know basis and employees must be permitted to accept your information. Your personal information is housed within an environment of servers and computers that exemplifies the utmost level of security.
Updates will be communicated on our website, and you may submit a written request for the current policy.