new things

rewrite 3 policies

1 cover page

1 matrix 

evaluation

Policy Changes Matrix

Policy Type | Current Text | Suggested Change | Business Reason

Project 1

Revised acceptable use policy – FOLLOW INST, REVISE CURRENT POLICY

Policy changes matrix – ATTACHED

Revised internet use policy – FOLLOW INST, REVISE CURRENT POLICY

Revised privacy policy – FOLLOW INST, REVISE CURRENT POLICY

Cover letter – 2 PAGES MAX

Policy revisions evaluation

INST

· Review P1 Scenario

· Current Policy – Attached, revise the 3 policies.

· Complete policy changes matrix

· Create – Cover Letter

· Complete – Policy Revisions Evaluation essay.

Revised acceptable use policy

Begin reviewing and updating the first of three security policies for your own organization. Review your organization’s current acceptable use policy. Determine what changes are necessary and note your suggested changes on the Policy Changes Matrix.

Rewrite two to three sections of the acceptable use policy that may be in question and provide justification for your suggested modifications.

The new policy and the Policy Changes Matrix will be attached to the final deliverable in Step 8. Submit the new policy and table for feedback.

Revised internet use policy

Now, you will review and update the second of the three security policies for your organization. Review your organization’s current Internet Use Policy. Determine what changes are necessary and note your suggested changes on the Policy Changes Matrix. Rewrite two to three sections of the Internet use policy that may be in question and provide justification for your suggested modifications.

The new policy and the Policy Changes Matrix will be attached to the final assignment in Step 8. Submit the new policy and table for feedback.

Revised privacy policy

Now, you will review and update the last of the three security policies for your organization. Review your organization’s current privacy policy. Determine what changes are necessary and note your suggested changes on the Policy Changes Matrix. Rewrite two to three sections of the privacy policy that may be in question and provide justification for your suggested modifications.

The new policy and the Policy Changes Matrix will be attached to the final deliverable in Step 8. Submit the new policy and table for feedback.

Cover letter

After completing the revision process of the acceptable use policy, the Internet policy, and the privacy policy in the previous three steps, you will need to prepare a cover letter summarizing the justifications for your suggested modifications for the next team meeting. This cover letter (maximum two pages) will provide an explanation for the Policy Changes Matrix. Address the letter to the CEO, IT, and HR directors. Justifications should be in line with the business goals.
Submit your cover letter and table for feedback.

Policy revisions evaluation

Now that you have completed your analysis and revision of the three policies, provide a written evaluation of your organization’s cybersecurity policy to present at the next team meeting. Your evaluation should examine the completeness and compliance of the organization’s cybersecurity policy. Consider your organization and organization-related interests as you create your evaluation, and consider other aspects, such as how to prevent the failure of the cybersecurity policy.
Complete the following tasks as you write your evaluation:

· Differentiate among the various concepts of enterprise cybersecurity.

· Develop a high-level implementation plan for enterprise cybersecurity policies.

· Assess the major types of cybersecurity threats faced by modern enterprises (assessing risk).

· Discuss the principles that underlie the development of an enterprise cybersecurity policy framework.

· Articulate clearly and fairly others’ alternative viewpoints and the basis of reasoning.

· Identify significant, potential implications, and consequences of alternative points of view.

· Evaluate assumptions underlying other analytical viewpoints, conclusions, and/or solutions.

Attach the cover letter, revisions, and Policy Changes Matrix, and submit.

Privacy Policy

How is privacy different from security? Privacy refers to the right of an individual to have his or her personal information protected from voluntary disclosure by the holder of that information. Security protects the information from hacking or other types of involuntary disclosure. Amazon protects your privacy by not selling it to a third party; it makes the information secure by installing a firewall, patching the operating system, and using antivirus programs.

As the internet expands and related technologies are developed, concerns about privacy protection for individuals grow. The more we conduct personal and professional business in cyberspace, the more we expose our sensitive, personal information to third-party sources. Consumers must rely on organizations to protect their right to privacy.

Governments across the globe have used legislation to address issues of privacy. Although legislation in the European Union has favored the protection of the individual’s privacy, the United States tends to favor protecting the rights of the employer. Yet, there has been significant US legislation designed to protect privacy in several industries including finance, communications, and health services. In addition, the federal government has, after considerable pressure, moved to protect the privacy of its employees and the privacy of individuals who interact with the government.

Organizations and websites must demonstrate transparency and diligence to employees and customers by providing privacy policies. Privacy policies may be found on websites and also within an organization’s corporate policies. A privacy policy explicitly discloses the manner in which the personal information of a customer and/or employee is collected and used. Privacy policies clearly communicate expectations of privacy for all parties.

Privacy Policies

What Is a Privacy Policy?

A privacy policy is a document that a website writes up to inform its users how it handles any personal information that is collected from users of the website or which users enter into the website. There are two main elements to a privacy policy:

· It explains how the website will protect the privacy of its users by not collecting, keeping, or sharing certain personal information.

· It makes the user aware of what kinds of personal information will be collected or asked for from the website, whether it will be shared or not, and—if it is to be shared—with whom.

Why Are Privacy Policies Important?

Many people don’t take the time to read website privacy policies, as many of them are long and filled with hard-to-understand legal terms. In fact, some people just assume that their personal information won’t be shared by a website simply because it has a privacy policy. Unfortunately, as we just explained, many privacy policies are as much (or more) about what a website will do with any information that it gets from you as they are about what a website won’t do with your information.

Understanding what a privacy policy does and doesn’t allow a website to do with respect to your personal information helps you to make an informed decision about your privacy on the Internet. If you feel that a website’s privacy policy gives it too much leeway to intrude into your personal life, you may want to consider using another website that has a stricter privacy policy. Or you may want to use some of the strategies and tools from other articles in this course to protect your privacy yourself, instead of expecting other websites to do it for you.

Things to Be Aware of in a Privacy Policy

We realize that we just mentioned that many privacy policies are difficult to read because they are lengthy and filled with legal-speak. However, you can make them slightly easier to digest—and gauge how well they will actually protect your privacy—by asking a few key questions.

10 Questions to Ask While Reading a Privacy Policy

· What information does the website require me to provide in order to use it?

· Does the website collect any information from me besides what is required to use it?

· By merely using the website, am I consenting to the website being able to collect information from me?

· What reason or reasons does the website give for collecting or requiring certain types of information from me (e.g., “deliver our services,” “improve my experience,” etc.)?

· Does the website share, sell, or trade any of the information that it collects from me with anyone else?

· If the website shares, sells, or trades my information, with whom do they do so? (Their partner services? Advertisers? The government? Law enforcement? Other groups?)

· When does the website release my information to anyone else? (Never? When they’re required to by law? When they fear that their own—or someone else’s—well-being is at stake? Whenever they want?)

· How long does the website keep any information that it collects from me? (Thirty days? Ninety days? A year? Until I close my account or otherwise request that they get rid of it? As long as they are required to by law? Until they deem that it’s no longer useful to them?)

· Does the website actually delete any information that they collect from me (whether I request it or they do so in keeping with their privacy policy), or do they simply remove any parts of it that could personally identify me?

· Does the website allow any other groups, besides themselves, to collect information from me while I use their website? If so, what are the privacy policies of these groups?

Project Scenario

After introducing yourself as the newly hired cybersecurity analyst, you look around the conference table at the others in your meeting. This multidisciplinary policy development team includes employees from HR, IT, finance and legal. After introductions are complete, Brian, an attorney from the legal department, begins to speak: “Upper management has tasked this team with reviewing the Internet usage policy, acceptable usage policy, and privacy policy. These are the types of policies that we encounter when we are required to sign or click the ‘I Agree’ box as we turn on our business computers or purchase software.”

Brian continues, “We will each need to consider our perspectives and roles on this team throughout the policy development process. We need to balance the writing of the revised policies from the standpoint of the customer and/or user while considering business goals.

“This also means that we will each need to keep in mind aspects such as protecting corporate data, ensuring customer privacy, corporate due diligence, and legal or regulatory compliance respective to our areas of expertise.”

Brian turns to you and says, “Since these three policies are focused on cybersecurity, you will conduct the initial review. Begin by evaluating and rewriting each policy. Then prepare a cover letter summarizing the justifications, including your written evaluation. Please have this ready for our next meeting one week from today.”

When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

Policy Components

Cybersecurity policies are critical to establishing and maintaining security of networks and data, communicating expectations to employees, and determining consequences for actions. Such policies represent an expression of expectations. Here are the key elements of a good cybersecurity policy:

· Definitions, which explain terms in the context of the organization’s mission and culture.

· Access to computers and data, which explains the processes for gaining access privileges and approvals, and the expectations regarding use of company IT assets. Password expectations would also be established herein.

· Use of external (e.g., mobile) devices, to include any restrictions on use of outside devices on internal company IT assets.

· Security procedures, explaining the reporting requirements should malicious acts be discovered.

· Internet use, to include acceptable use policy and what, if any, filtering might be used. This policy also explains personal use of the Internet on work-related computers.

· Data storage and recovery, defining storage requirements (length of time, type of data to be stored), and the expectations regarding recovering from unexpected outages or losses.

· Remote access, which explains expectations regarding remote access to company IT assets, and expectations regarding that privilege.

· Auditing, which describes frequency and type of review for cybersecurity and IT assets.

· Training, which explains requirements for maintaining or learning skills or policies needed for cybersecurity.

Your Organization’s Current Policies

Below, you will find three policies that are currently used by your organization. You will review and revise these policies (one in each step during Steps 4, 5, and 6).

Acceptable Use Policy for Employee Technology: Your Company

Policy/Revision Date: 77.00/11-16-2016

Previous Policy/Date: 77.00/11-16-2010

Originator: Chief Information Officer, Chief Information Security Officer, Human Resource Director

1. Purpose

Your Company has made a commitment to inform its employees of the proper guidelines to follow when utilizing technology resources. Your company is also required by law to inform employees of these policies. These resources are offered to employees to help them represent this company in an appropriate manner and complete their work while operating with the highest level of professionalism and integrity. Applicable individuals should respect the rights of others, refrain from abusing these resources, and comply with associated policies, local laws, and federal laws.

2. Applicability

Any and all employees who access and operate company-provided technology resources, or represent the company while accessing said resources, are required to adhere to this policy. Persons covered by this policy include, but are not limited to: employees or contractors of Your Company and sister companies or other affiliates, whose work may directly affect the view of our company’s moral standing.

3. Acceptable Use

All applicable technology users must adhere to the following guidelines:

a. Comply with applicable federal, state, and all other internal and external mandated laws, policies, rules, contracts, and licenses.

b. Protect company technology accounts by securing passwords and not sharing account information with others.

c. Access only his or her account and respect the privacy of others and their accounts. Note: If there is a concern about someone else’s security, notify your direct supervisor immediately.

d. Use company resources for business purposes only. Personal use is at the discretion of each employee’s immediate supervisor and should not affect the performance of an employee.

e. Use company-provided signatures and e-mail templates. Respond with professional etiquette in e-mails at all times.

f. Refrain from visiting or viewing inappropriate websites, including—but not limited to—pornography.

g. Protect confidential and proprietary information from unauthorized persons and those outside of the company domain.

h. Avoid participation in illegal actions at any time with technology resources.

i. Observe the following policies of Your Company: 77.10 E-mail Guidelines, 77.20 Mobile Device Guidelines, 77.30 Participation in Social Media Guidelines, and 77.40 Web Search Guidelines.

4. Security and Privacy

a. Employees and users of Your Company’s technology resources understand they give up the right of privacy in all said interactions with company resources.

b. It is at the discretion and right of Your Company to investigate all technology resources it owns and communications made by its employees at any time.

c. If it is suspected that a technology user at Your Company may be participating in illegal activity, potential harm of a person or operations, or other suspicious activity, Your Company may monitor usage and may do so without permission.

5. Enforcement of Improper Use

a. Your Company’s technology user will be notified of their noncompliance with the Acceptable Use Policy.

b. Violators and suspected violators of Your Company’s Acceptable Use Policy may be denied access to technology resources and disciplinary action may be taken, including possible termination, or other imposed penalties set by the company and civil or criminal statutes.

6. Related Policies

a. Policy 77.10 – E-mail Guidelines

b. Policy 77.20 – Mobile Device Guidelines

c. Policy 77.30 – Participation in Social Media Guidelines

d. Policy 77.40 – Web Search Guidelines.

Computer, Internet, and E-mail Usage Policy: Your Company

Policy

These guidelines are issued to protect and inform our personnel of the proper policies and procedures for accessing the Internet and using other technology resources on behalf of Your Company. Users are granted access to these technological resources to act as a representative of the company and must acknowledge and adhere to said usage requirements. Those who infringe upon these policies and procedures may face disciplinary action, up to termination and any legal action resulting from criminal offenses committed against the federal, state, and local laws.

Purpose

To define acceptable and unacceptable policies and procedures, relative to utilizing Internet and network infrastructure while working for Your Company.

Scope

All employees with access to the Internet, utilizing technology resources, or acting on behalf of Your Company are responsible for complying with this policy and applicable procedures.

1. Acceptable Use

a. Internet and technical applications should be utilized for official business purposes only.

b. Business purposes consist of work-related activities, but educational, professional development, and research are also authorized.

c. Personnel should contact their direct supervisor if there is any confusion as to what is acceptable use. Direct supervisors should utilize the services of the Technical Support Team if further clarification is needed.

2. Unacceptable Use

a. Personnel should not use the Internet for illegal, unlawful, or inappropriate purposes. Illegal, unlawful, or inappropriate categories include—but are not limited to—pornographic or obscene content, violent or threatening subject matter, fraudulent activity, or any other forms of related content.

b. E-mail and messaging services are strictly intended for Your Company business purposes. Bullying practices, disruptive behavior, and other continued actions that will interrupt the productivity of daily business functions will not be tolerated.

c. Internet use for private and entertainment purposes and for activities unrelated to Your Company duties should be avoided.

d. Internet use should not be exploited for external commercial or political purposes.

e. Company users should not access the network unless granted permission in an administration capacity.

f. Employees should not access, transfer, store, or distribute illegal copyrighted materials or files on the company’s network or property.

3. Proper Internet and E-mail Conduct

a. E-mail should reflect a professional tone and the use of profane language is restricted.

b. Personnel should seek the approval of management before divulging private or personal information of any kind.

c. Users should act cautiously when handling sensitive information that will be sent via e-mail and should only be shared with essential stakeholders.

d. Your Company exercises the right to monitor and inspect any and all electronic activities that transpire on the company’s server.

4. Security Standards

a. Potential and explicit security issues should be reported at once to the user’s direct supervisor and the Technical Support Team.

b. Users should not share their passwords, allow another user to access their account, or perform operations under the account of another user.

c. If Your Company personnel is found to be a security risk or has had repeated security issues, an immediate restriction may be placed on his or her account.

5. Disciplinary Action

a. Violation of any of the abovementioned policies and procedures may result in immediate denial of access to the company network and corrective action up to termination.

b. If a criminal offense has been committed, federal, state, and local law enforcement will assume responsibilities and press charges. Your Company will provide information and cooperate to the fullest extent.

6. User Consent

a. I accept the terms and conditions within the Internet Use Policy and will respect these guidelines and procedures when utilizing the Your Company network and Internet.

b. By signing the Internet Use Policy, I agree and will adhere to any and all guidelines.

Full Name Printed______________________________

Signature______________________________

Date______________________________

Department______________________________

Privacy Policy: Your Company

Customer Protection Obligation

Your Company assumes the responsibility to its customers to disclose our privacy policy and practices for www.YourCompany.com. This policy applies exclusively to information collected by the Your Company website. It will report the following information:

· process to revise, correct, and update your personal information

· options available to you concerning your personal information

· specific personal information that is collected through http://www.yourcompany.com

· security process in place that protects information from improper conduct

Information Distribution, Collection, and Usage

Your Company will only collect and access information that has been provided by you directly, voluntarily, in any and all methods you deem appropriate. We may contact you via the methods you supplied us, to communicate specials, products, or services, or changes to this policy. At any time, you may contact us to be removed from any of these lines of communication.

Once received, sole ownership of your personal information will remain with Your Company. We vow to not freely provide, sell, or rent your information to any third party person or business. This information should be used for the purposes to complete your request.

Information Access and Control

You may notify Your Company at any time via phone or e-mail to change your communication preferences or opt out completely. You may take the following actions:

· inquire about and receive data we have on file about you, if any

· correct or update the contact information we have on record for you

· request to remove your data from our records

· address concerns and review our policies regarding use of your data

Personal Information Security

We ensure that all possible safeguards are taken to protect your information online and offline at Your Company. Encryption is introduced at collection and will remain during all phases of handling your sensitive information, such as, but not limited to, credit card data. If there is a question at any time, you may establish this security by confirming that your web page starts with “https.” Your information will only be available on a need to know basis and employees must be permitted to accept your information. Your personal information is housed within an environment of servers and computers that exemplifies the utmost level of security.

Privacy Policy Updates

Updates will be communicated on our website and you may submit a written request for the current policy.

Note: Please contact us immediately via phone at 555-555-5555 or via e-mail at policyconcerns@YourCompany.com if you believe you have witnessed instances where our privacy policy is not being followed.

Appendix A: Sample Acceptable Use Agreements and Policies from Forum Unified Education Technology Suite comprises public domain material from the National Center for Education Statistics, U.S. Department of Education.

Example of an Acceptable Use Policy

(courtesy of the Rochester School Department, Rochester, New Hampshire)

The [Name of Organization] recognizes the value of computer and other electronic resources to improve student learning and enhance the administration and operation of its schools. To this end, the [Governing Body Name] encourages the responsible use of computers; computer networks, including the Internet; and other electronic resources in support of the mission and goals of the [Name of Organization] and its schools.

Because the Internet is an unregulated, worldwide vehicle for communication, information available to staff and students is impossible to control. Therefore, the [Governing Body Name] adopts this policy governing the voluntary use of electronic resources and the Internet in order to provide guidance to individuals and groups obtaining access to these resources on [Name of Organization]-owned equipment or through [Name of Organization]-affiliated organizations.

[Name of Organization] Rights and Responsibilities

It is the policy of the [Name of Organization] to maintain an environment that promotes ethical and responsible conduct in all online network activities by staff and students. It shall be a violation of this policy for any employee, student, or other individual to engage in any activity that does not conform to the established purpose and general rules and policies of the network. Within this general policy, the [Name of Organization] recognizes its legal and ethical obligation to protect the well-being of students in its charge. To this end, the [Name of Organization] retains the following rights and recognizes the following obligations:

1. To log network use and to monitor fileserver space utilization by users, and assume no responsibility or liability for files deleted due to violation of fileserver space allotments.

2. To remove a user account on the network.

3. To monitor the use of online activities. This may include real-time monitoring of network activity and/or maintaining a log of Internet activity for later review.

4. To provide internal and external controls as appropriate and feasible. Such controls shall include the right to determine who will have access to [Name of Organization]-owned equipment and, specifically, to exclude those who do not abide by the [Name of Organization]’s acceptable use policy or other policies governing the use of school facilities, equipment, and materials. [Name of Organization] reserves the right to restrict online destinations through software or other means.

5. To provide guidelines and make reasonable efforts to train staff and students in acceptable use and policies governing online communications.

Staff Responsibilities

1. Staff members who supervise students, control electronic equipment, or otherwise have occasion to observe student use of said equipment online shall make reasonable efforts to monitor the use of this equipment to assure that it conforms to the mission and goals of the [Name of Organization].

2. Staff should make reasonable efforts to become familiar with the Internet and its use so that effective monitoring, instruction, and assistance may be achieved.

User Responsibilities

1. Use of the electronic media provided by the [Name of Organization] is a privilege that offers a wealth of information and resources for research. Where it is available, this resource is offered to staff, students, and other patrons at no cost. In order to maintain the privilege, users agree to learn and comply with all of the provisions of this policy.

Acceptable Use

1. All use of the Internet must be in support of educational and research objectives consistent with the mission and objectives of the [Name of Organization].

2. Proper codes of conduct in electronic communication must be used. In news groups, giving out personal information is inappropriate. When using e-mail, extreme caution must always be taken in revealing any information of a personal nature.

3. Network accounts are to be used only by the authorized owner of the account for the authorized purpose.

4. All communications and information accessible via the network should be assumed to be private property.

5. Subscriptions to mailing lists and bulletin boards must be reported to the system administrator. Prior approval for such subscriptions is required for students and staff.

6. Mailing list subscriptions will be monitored and maintained, and files will be deleted from the personal mail directories to avoid excessive use of fileserver hard-disk space.

7. Exhibit exemplary behavior on the network as a representative of your school and community. Be polite!

8. From time to time, the [Name of Organization] will make determinations on whether specific uses of the network are consistent with the acceptable use practice.

Unacceptable Use

1. Giving out personal information about another person, including home address and phone number, is strictly prohibited.

2. Any use of the network for commercial or for-profit purposes is prohibited.

3. Excessive use of the network for personal business shall be cause for disciplinary action.

4. Any use of the network for product advertisement or political lobbying is prohibited.

5. Users shall not intentionally seek information on, obtain copies of, or modify files, other data, or passwords belonging to other users, or misrepresent other users on the network.

6. No use of the network shall serve to disrupt the use of the network by others. Hardware and/or software shall not be destroyed, modified, or abused in any way.

7. Malicious use of the network to develop programs that harass other users or infiltrate a computer or computing system and/or damage the software components of a computer or computing system is prohibited.

8. Hate mail, chain letters, harassment, discriminatory remarks, and other antisocial behaviors are prohibited on the network.

9. The unauthorized installation of any software, including shareware and freeware, for use on [Name of Organization] computers is prohibited.

10. Use of the network to access or process pornographic material, inappropriate text files (as determined by the system administrator or building administrator), or files dangerous to the integrity of the local area network is prohibited.

11. The [Name of Organization] network may not be used for downloading entertainment software or other files not related to the mission and objectives of the [Name of Organization] for transfer to a user’s home computer, personal computer, or other media. This prohibition pertains to freeware, shareware, copyrighted commercial and non-commercial software, and all other forms of software and files not directly related to the instructional and administrative purposes of the [Name of Organization].

12. Downloading, copying, otherwise duplicating, and/or distributing copyrighted materials without the specific written permission of the copyright owner is prohibited, except that duplication and/or distribution of materials for educational purposes is permitted when such duplication and/or distribution would fall within the fair use doctrine of US copyright law (Title 17, USC).

13. Use of the network for any unlawful purpose is prohibited.

14. Use of profanity, obscenity, racist terms, or other language that may be offensive to another user is prohibited.

15. Playing games is prohibited unless specifically authorized by a teacher for instructional purposes.

16. Establishing network or Internet connections to live communications, including voice and/or video (relay chat), is prohibited unless specifically authorized by the system administrator.

Disclaimer

1. The [Name of Organization] cannot be held accountable for the information that is retrieved via the network.

2. Pursuant to the Electronic Communications Privacy Act of 1986 (18 USC 2510 et seq.), notice is hereby given that there are no facilities provided by this system for sending or receiving private or confidential electronic communications. System administrators have access to all mail and will monitor messages. Messages relating to or in support of illegal activities will be reported to the appropriate authorities.

3. The [Name of Organization] will not be responsible for any damages you may suffer, including loss of data resulting from delays, nondeliveries, or service interruptions caused by our own negligence or your errors or omissions. Use of any information obtained is at your own risk.

4. The [Education Agency Name] makes no warranties (expressed or implied) with respect to:

· the content of any advice or information received by a user, or any costs or charges incurred as a result of seeing or accepting any information; and

· any costs, liability, or damages caused by the way the user chooses to use his or her access to the network.

5. The [Name of Organization] reserves the right to change its policies and rules at any time.

User Agreement (to be signed by all adult users and student users above grade 5)

I have read, understand, and will abide by the above Acceptable Use Policy when using computer and other electronic resources owned, leased, or operated by the [Name of Organization]. I further understand that any violation of the regulations above is unethical and may constitute a criminal offense. Should I commit any violation, my access privileges may be revoked, school disciplinary action may be taken, and/or appropriate legal action may be initiated.

_________________________
User Name (please print)

_________________________
User Signature                  Date

Parent Agreement (to be signed by parents of all student users under the age of eighteen)

As parent or guardian of [please print name of student] __________________________, I have read the Acceptable Use Policy. I understand that this access is designed for educational purposes. [Name of Organization] has taken reasonable steps to control access to the Internet, but cannot guarantee that all controversial information will be inaccessible to student users. I agree that I will not hold the [Name of Organization] responsible for materials acquired on the network. Further, I accept full responsibility for supervision if and when my child’s use is not in a school setting. I hereby give permission for my child to use network resources, including the Internet, that are available through [Name of Organization].

_________________________
Parent Name (please print)

_________________________
Parent Signature               Date

Risk Management of Email and Internet Use in the Workplace by John Ruhnka and Windham E. Loopesko from The Journal of Digital Forensics, Security and Law is available under a Creative Commons Attribution-NonCommercial 4.0 International license.

Internet Use Policy

John Ruhnka, University of Colorado, Denver & Windham E. Loopesko, University of Colorado, Denver

4. OBJECTIVES OF CORPORATE INTERNET USE POLICIES

While preserving the confidentiality of internal operations, proprietary information and confidential client data, and avoiding legal liability from inadvertent, unauthorized or harmful acts of employees are primary goals for corporate email and internet use policies, they are not the only goals.

Corporations must also factor in other objectives not always consistent with limiting legal liability.

4.1 Reducing Lost Productivity

The concern among many businessmen from about 2000 was that allowing internet access in the workplace could result in a great increase in employee non-work activities. Available content on the internet has expanded far beyond TV fare since 2000 to include Facebook, streaming video and music sites, fantasy sports teams, on-line shopping, eBay, financial web sites and bank account access, news feeds, blogs and Twitter. Clearly, excessive employee non-work internet use during working hours can impose significant costs on a company; one source cites productivity loss as the top reason for instituting an “acceptable use policy” (AUP) for company email and internet (Smith, 2013).

Also, employee perceptions that “everyone” is engaging in non-work-related email and internet use can rapidly spread. However, employees increasingly reject the idea of strictly defined “work” and “non-work” hours, believing they can be more productive engaging in company business at any time and from any place–on devices that they choose.

4.2 Protecting Tangible and Intangible Assets

Increasingly sophisticated hackers are constantly developing tools to penetrate corporate networks–almost always to the potential detriment of the company and its clients. They may be working for criminal enterprises, or for competitors or foreign governments, but their goal is the same–to gather as much valuable information for as long as possible. Citibank and Sony are only two of the largest and best-known victims of such attacks. Email remains the most popular way to introduce malware into corporate networks (Cisco, 2013).

4.3 Controlling Internet Costs

Many non-business internet uses (e.g., streaming video, movies and music downloads, and internet music and television feeds) are “bandwidth hogs”. While these applications may not directly cost the corporation, their cumulative use can easily consume a substantial portion of a corporation’s available bandwidth, which can require major expenses to expand the corporation’s network capabilities.

4.4 Attracting Talented Employees

If human capital is a company’s most valuable asset, avoiding unnecessary barriers to attracting the best future employees may require considerable adaptations in a corporation’s internet use and access policies. Cisco argues that preventing or limiting employee access to social media can put companies at a competitive disadvantage, and that by accepting social media, companies provide their employees with the tools–and the culture–to be more productive, innovative and competitive.

5. WHAT SHOULD AN EFFECTIVE EMAIL AND INTERNET POLICY CONTAIN?

It is one thing to create an AUP for workplace email and internet but another–in a world where increasing numbers of employees consider access to the internet a right and claim they are willing to ignore or circumvent an employer’s internet use policies if they find them overly constraining–to enforce it.

5.1 Elements of an Acceptable Use Policy

No one is suggesting that not having an AUP is an option today. Every sizable business needs to have a formal risk management policy for email and internet use. Widespread agreement exists that the following elements need to be included:

5.1.1 Contractual Agreement

The AUP should be a written agreement with each employee and agent of the corporation having email and internet access; all employees should sign the AUP and acknowledge an understanding of its requirements as a prerequisite to gaining password access to the corporate network.

5.1.2 Corporate Ownership of Information

The AUP should clearly state that any information produced, collected or stored on the company’s email servers, internal networks and internet system is company property–even if the information was obtained from third-party web sites.

5.1.3 Monitoring

The AUP should indicate that the corporation reserves the right to monitor any and all employee access to and usage of its internal networks and internet system, including the volume of traffic and tracking web sites visited (although monitoring of specific content will not occur except in cases of a suspicion of improper behavior).

5.1.4 Retention

The AUP should indicate that all workplace emails and network transmissions are the property of the company, that they will be stored and retained indefinitely, and that the company has the right to demand access to any employee’s PCs, laptops, iPads or other electronic devices used for company business in the event of litigation or internal, regulatory or law enforcement investigations in which data generated or stored on such devices may be potentially relevant.

5.1.5 Sanctions

Sanctions for violation of the email and internet use policy must be described and should include progressive steps, from initial verbal warnings up through dismissal and referral for criminal prosecution for repeated and/or serious offenses.

5.2 The Traditional View of Acceptable Use Policies

Differences of opinion exist over how to describe permitted and prohibited email and internet related activities. The traditional view (often advanced by vendors of solutions for creating and monitoring AUP policies) is that internet use policies should contain long and detailed lists of prohibited behaviors. For those following this “laundry list” approach, a list of prohibited email and internet activities often includes:

· Violating copyright laws or licensing agreements through unauthorized reproduction or distribution of copyrighted or protected materials.

· Using company computers to gain unauthorized access to external computer systems.

· Connecting unauthorized equipment to the company’s network.

· Making unauthorized attempts to circumvent data protection devices.

· Associating unapproved domain names with a company-owned IP address.

· Performing an act that interferes with the normal operation of any company hardware or software.

· Installing or running on any computer a program intended to damage or place excessive load on a computer system (e.g., viruses, Trojan horses or worms).

· Engaging in activities that waste or overload company computing resources.

· Using company resources for any non-work related commercial activity.

· Using email, social media or company-owned or sponsored hardware or services to harass or threaten others, or sending materials that might be deemed defamatory, derogatory, prejudicial, sexually offensive or unwanted.

· Initiating, propagating or perpetuating electronic chain letters.

· Sending inappropriate mass mailings, including “spamming”, “flooding” or “bombing”.

· Forging a user or machine identity electronically.

· Transmitting or reproducing materials that are slanderous or defamatory, that violate existing laws or regulations, or are otherwise inappropriate in a workplace environment.

· Transmitting images, text or internet links that could be considered lewd, obscene or sexually explicit.

5.3 An Alternative Risk-based View of Acceptable Use Policies

We suggest, however, that alternate risk management approaches may make more sense in many instances–focusing on controlling only those potential risks relevant to a corporation’s or organization’s specific activities. For example, a company engaged in design and manufacture of laptop computers necessarily works with critical proprietary information (e.g., R&D project designs, patent applications, trade secrets, manufacturing know how). Some of this information is owned and some is licensed from third parties–but all needs to be continuously protected to avoid potentially large economic damage and legal liability if improperly communicated, disclosed or accessed. The same need for protection of confidential client information would apply to law, accounting or consulting firms dealing with intellectual property, financial data, litigation, strategic acquisitions or other client information that requires protection against disclosure or inadvertent access. The same level of intellectual property safeguards would not be necessary for a pizza chain that provides online ordering and delivery scheduling. But the pizza business still needs to safeguard customer credit or debit card information, and both the computer manufacturer and the pizza business are equally exposed to potential workplace sexual harassment claims by employees resulting from use of company email or internet access.

Businesses embracing a “risk-focused” approach usually will retain the right to monitor employee compliance with specified or prohibited behaviors but may limit surveillance to activities at higher risk of employee misuse and spend more time making sure that employees understand the consequences of a failure to comply. Such more focused AUPs are more likely to be understood and followed–and to gain “buy-in” from a workforce that increasingly considers information security and liability avoidance as the IT department’s problem–and not theirs (Cisco, 2013).

While social media is gaining in importance in corporate activities, email remains the primary means of communication–and hence the primary focus of corporate efforts to limit employee-caused legal liabilities or outside threats. To that end, many companies are using software such as Compuscan that inserts disclaimers of liability for prohibited email use into all corporate email communications. However, such disclaimers are an imperfect shield at best–no court case has yet allowed a company to escape liability for damaging emails through use of a blanket disclaimer contained in the email. Disclaimers are more effective if they are targeted at specific areas of the business where liability is more likely–for an electrical contractor’s customer and vendor communications–“no bids or estimates are binding unless and until approved in writing by the VP for Finance”–and not simply attached to every email that company employees send.

6. STEPS IN IMPLEMENTING EFFECTIVE INTERNET USE POLICIES AND PROTECTING THE COMPANY FROM LEGAL LIABILITY

The changing state of the law on corporate liability for electronic communications and evolving employee attitudes and expectations make across-the-board recommendations for corporate internet and email use policies difficult–other than the recommendation every corporation or organization should have an AUP tailored to its specific workplace activities and risk exposures (indeed, the failure to have an AUP might be almost conclusive evidence of corporate negligence in litigation involving inappropriate employee emails or network activities). However, some general recommendations are possible:

· Analyze and understand the specific types of communications your company is actually sending and receiving and specific legal liabilities that are involved.

· Consult employees periodically as to how they are using the internet and email systems; do not simply rely on use statistics.

· Develop and mandate employee education programs (for both new hires and existing employees) about the potential for specific corporate liability for inappropriate communications.

· Implement monitoring software to follow all activities that the company decides to prohibit in its internet use policy (although it should be used only on a random basis or when cause for suspicion exists).

7. CONCLUSION

The continuing exposure to legal liability for corporate email and electronic communications and the importance of such communications in litigation and governmental investigations are unlikely to slow so long as corporate email and internet usage continue to gain importance in internal and external business activities. But increasingly companies are moving to “risk-focused” instead of “laundry list” approaches to controlling internet and email use. To use this risk-focused approach, corporate risk management policies and employee educational activities for employee internet and email use need to be periodically revisited and revised, and corporations need to continuously seek employee “buy-in” and cooperation, to meet the most important legal exposures associated with specific corporate and employee activities.

REFERENCES

CFO Journal. (2013, August 21). The Wall Street Journal, August 13 2013. Retrieved from http://blogs.wsj.com/cfo/2013/08/13/the-morning-ledger-cfos-seek-securityfrom- cybercrime/

Cisco Systems. (2013). Cisco 2011 annual security report. Retrieved from http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2011 (pp. 6-8)

Compuscan. (2013). Email disclaimer. Retrieved from https://www.compuscan.co.za/about-us/132-email-disclaimer

Sony insurer doesn’t want to pay for data breaches. (2013). ITPro. Retrieved from http://www.itpro.co.uk/635140/sony-insurer-doesn-t-want-to-pay-fordata-breaches

Watch porn at work–a guide for employers and managers. (2013). Mailguard. Retrieved from http://www.mailguard.com.au/blog/porn-at-work/

National Legal Research Group, Inc. (2013). Internet acceptable use policies for law firms and other employers. Retrieved from http://www.nlrg.com/internet-acceptable-use-policies-for-law-firms-and-otheremployers/

PBT Consulting. (2013). Research: Employees spend entirely too much time accessing the internet while at work. Retrieved from http://tommytoy.typepad.com/tommy-toy-pbt-consultin/2010/09/researchemployees-spending-entirely-too-much-time-surfing-the-web-while-atwork.html

Pingdom. (2013). Internet 2011 in numbers. Retrieved from http://royal.pingdom.com/2012/01/17/internet-2011-in-numbers/ on May 21, 2013.

Ponemon Institute Research Report. (2013). Cost of data breach study: Global analysis. Retrieved from https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382

Radicati, S., & Hoang, Q. (2013). Email statistics report, 2011-2015. Retrieved from http://www.radicati.com/wp/wp-content/uploads/2011/05/Email-Statistics-Report-2011-2015-Executive-Summary

Smith, A. (2013). Citi–Millions stolen in May hack attack. CNN. Retrieved from http://money.cnn.com/2011/06/27/technology/citi_credit_card/index.htm

Yarow, J. (2013). 107,000,000,000,000. Business Insider. Retrieved from http://articles.businessinsider.com/2011-01-14/tech/30078145_1_hours-ofvideo-uploaded-big-number-facebook

Zubulake v. UBS Warburg [case study]. (2003).
