Purpose
This policy specifies acceptable use of end-user computing devices and technology. Additionally, training is essential to ensuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
Scope
- Applies to all Wrkdn personnel who utilize company IT assets.
- Company assets are those assets that are owned or managed by Wrkdn, which could include:
  - Computers and mobile devices (laptops, desktops, tablets, smartphones, etc.)
  - Networking equipment and infrastructure (routers, switches, wireless access points, VPN solutions, etc.)
  - Software and applications (operating systems, productivity software, line-of-business applications, cloud services (e.g., Office 365, Salesforce, AWS accounts), and any third-party tools licensed to or managed by Wrkdn)
  - Storage and data (company file shares, databases, servers, removable media (USB, external hard drives), cloud storage platforms (e.g., Google Drive, Dropbox), etc.)
  - Communication and collaboration systems (email and messaging platforms (e.g., Slack, Teams), video conferencing (e.g., Zoom), intranet, company websites/portals, etc.)
  - Physical devices and property (any company-issued hardware or equipment that might store or process data (printers, scanners, copiers) and any on-premises servers or data center equipment)
Policy
Wrkdn policy requires that:
- Employees, contractors and third-party users must agree to and sign the terms and conditions of their employment contract, and comply with acceptable use.
- Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures Wrkdn has in place. Employees will also have ongoing security awareness training that is audited.
- Employee offboarding will include reiterating any duties and responsibilities still valid after termination, verifying that access to all Wrkdn systems has been removed, and ensuring that all company-owned assets are returned.
- Wrkdn and its employees will take reasonable measures to ensure no corporate data is transmitted via digital communications such as email or posted on social media outlets.
- Wrkdn will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.
- A fair disciplinary process will be utilized for employees who are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether or not this was a first offense, training received, business contracts, etc. Wrkdn reserves the right to terminate employees in serious cases of misconduct.
Clean Desk/Work Area
Authorized users will ensure that all sensitive/confidential materials, hardcopy or electronic, are removed from their workspace and locked away when the items are not in use or an employee leaves his/her workstation. This will also increase awareness about protecting sensitive information. As such:
- Employees are required to ensure that all sensitive/confidential information, hardcopy or electronic, is secure in their work area at the end of the day and when they are expected to be gone for an extended period.
- Computer workstations must be locked when the workspace is not in use, and must be shut down completely at the end of the day.
- Sensitive information must be removed from the desk and securely stored when the desk is unattended, and at the end of the day.
- Laptops and other portable computing devices must be properly stored/secured.
- File cabinets containing restricted or sensitive information must be kept closed and locked when not in use or when not attended.
- Keys used for access to restricted or sensitive information must not be left at an unattended desk.
- Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
- Printouts containing restricted or sensitive information should be immediately removed from the printer.
- Upon disposal, restricted and/or sensitive documents should be shredded in the official shredder bins or placed in the locked confidential disposal bins.
- Whiteboards containing restricted and/or sensitive information should be erased.
- Treat mass storage devices such as external hard drives or USB drives as sensitive and always secure and encrypt them.
- All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.
Employee Workstation Use
All workstations at Wrkdn are company owned, and all are laptop products running Windows, macOS or Linux.
- Workstations may not be used to engage in any activity that is illegal or is in violation of company policies.
- Access may not be used for transmitting, retrieving, or storage of any communications of a discriminatory or harassing nature or materials that are obscene or "X-rated". Harassment of any kind is prohibited. No messages with derogatory or inflammatory remarks about an individual's race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition will be transmitted or maintained. No abusive, hostile, profane, or offensive language is to be transmitted through the organization's system.
- Information systems/applications also may not be used for any other purpose that is illegal, unethical, or against company policies or contrary to the company's best interests. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.
- Solicitation of non-company business, or any use of the company's information systems/applications for personal gain is prohibited.
- Users may not misrepresent, obscure, suppress, or replace another user's identity in transmitted or stored messages.
- Workstation hard drives must be encrypted.
- All workstations have firewalls enabled to prevent unauthorized access unless explicitly granted.
Internet/Intranet Access and Use
Use of Wrkdn computers, networks, and Internet access is a privilege granted by management and may be revoked at any time for inappropriate conduct carried out on such systems, including, but not limited to:
- Sending chain letters or participating in any way in the creation or transmission of unsolicited "spam" that is unrelated to legitimate Company purposes;
- Engaging in private or personal business activities, including excessive use of instant messaging and chat rooms;
- Accessing networks, servers, drives, folders, or files to which the employee has not been granted access or authorization from someone with the right to make such a grant;
- Making unauthorized copies of Company files or other Company data;
- Destroying, deleting, erasing, or concealing Company files or other Company data, or otherwise making such files or data unavailable or inaccessible to the Company or to other authorized users of Company systems;
- Misrepresenting oneself or the Company;
- Violating the laws and regulations of federal, state, city, province, or local jurisdictions in any way;
- Engaging in unlawful or malicious activities;
- Deliberately propagating any virus, worm, Trojan horse, trap-door program code, or other code or file designed to disrupt, disable, impair, or otherwise harm either the Company's networks or systems or those of any other individual or entity;
- Using abusive, profane, threatening, racist, sexist, or otherwise objectionable language in either public or private messages;
- Sending, receiving, or accessing pornographic materials;
- Causing congestion, disruption, disablement, alteration, or impairment of Company networks or systems;
- Using recreational games; and/or
- Defeating or attempting to defeat security restrictions on company systems and applications.
Such access will be discontinued upon termination of employment, completion of contract, end of service of non-employee, or disciplinary action arising from violation of this policy. In the case of a change in job function and/or transfer, the original access code will be discontinued, and only reissued if necessary and a new request for access is approved.
All user IDs that have been inactive for thirty (30) days will be revoked. The privileges granted to users must be reevaluated by management annually. In response to feedback from management, systems administrators must promptly revoke all privileges no longer needed by users.
Teleworking
Requirements
- Secure remote access must be strictly controlled with encryption (e.g., Virtual Private Networks (VPNs)) and strong pass-phrases. Refer to the Encryption Policy and the Password Policy for further information.
- Authorized Users must protect their login and password, without exception.
- While using a Wrkdn-owned computer to remotely connect to the company's network, authorized users must ensure the remote host is not connected to any other network at the same time, with the exception of personal networks that are under their complete control or under the complete control of an authorized user or third party.
- The most up-to-date antivirus software must be used on all computers. Third-party connections must comply with requirements as stated in the Vendor Management Agreement.
- Equipment used to connect to Wrkdn's networks must meet the requirements for remote access and device use as stated in the Acceptable Use Policy, Asset Management Policy, and System Access Control Policy.
Remote Access Tools
All remote access tools used to communicate between Wrkdn assets and other systems must comply with the following policy requirements:
- Multi-factor authentication (such as authentication tokens and smart cards that require an additional PIN or password) is required for all remote access tools.
- The authentication database source must be Active Directory or LDAP, and the authentication protocol must involve a challenge-response protocol that is not susceptible to replay attacks. The remote access tool must mutually authenticate both ends of the session.
- Remote access tools must support the Wrkdn application layer proxy rather than direct connections through the perimeter firewall(s).
- Remote access tools must support strong, end-to-end encryption of the remote access communication channels as specified in the Encryption Policy.
- All antivirus, data loss prevention, and other security systems must not be disabled, interfered with, or circumvented in any way.
Mobile Endpoint and Storage Devices
Protecting endpoint devices issued by Wrkdn or storing company data is the responsibility of every employee. This pertains to all devices that connect to the company network, regardless of ownership. Mobile endpoint and storage devices are defined to include: desktop systems (in telework environment), laptops, PDAs, mobile phones, plug-ins, Universal Serial Bus (USB) port devices, Compact Discs (CDs), Digital Versatile Discs (DVDs), flash drives, modems, handheld wireless devices, wireless networking cards, and any other existing or future mobile computing or storage device, either personally owned or Wrkdn owned.
Mobile endpoint devices must meet the requirements for use as stated in the Asset Management Policy. Personnel are prohibited from disabling or modifying endpoint security controls.
For storage devices:
- A risk analysis will be conducted prior to the use or connection to the company network, unless previously approved.
- Detection of incidents must immediately be reported to the [RESPONSIBLE PARTY, e.g., information security team].
- Stolen mobile devices must immediately be reported to the [RESPONSIBLE PARTY, e.g., information security team].
Procedures
Wrkdn requires all workforce members to comply with the following acceptable use requirements and procedures, such that:
- All workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.
- Use of Wrkdn computing systems is subject to monitoring by Wrkdn IT and/or Security teams.
- Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including company-provided and BYOD devices, unattended in public.
- Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.
- All email messages containing sensitive or confidential data will be encrypted.
- Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.
- All data storage devices and media must be managed according to the Wrkdn Data Classification specifications and Data Handling procedures.
- Employees may only use photocopiers and other reproduction technology for authorized use.
- Media containing sensitive/classified information should be removed from printers immediately.
- The PIN code function will be used on printers with such capability, so that the originators are the only ones who can get their print-outs and only when physically present at the printer.
Protection Against Malware
Wrkdn protects against malware through malware detection and repair software, information security awareness and appropriate system access and change management controls. This includes:
- Restrictions on software installation:
  - Only legal, approved software with a valid license installed through a pre-approved application store will be used. Use of personal software for business purposes and vice versa is prohibited.
  - The principle of least privilege will be applied, where only users who have been granted certain privileges may install software.
  - Wrkdn will identify what types of software installations are permitted or prohibited.
- Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that may be affected by malware, including workstations, laptops and servers.
- Controls that prevent or detect the use of unauthorized software (e.g. application allowlisting) will be implemented.
- Controls that prevent or detect the use of known or suspected malicious websites (e.g. blocklisting) will be implemented.
- Vulnerabilities that could be exploited by malware will be reduced, e.g. through technical vulnerability management.
- Wrkdn will conduct regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated.
- Malware detection and repair software will be installed and regularly updated to scan computers and media as a precautionary control, or on a routine basis; the scan carried out will include:
  - Any files received over networks or via any form of storage medium, for malware before use;
  - Electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
  - Web pages for malware.
- Wrkdn will determine the defense principles, effective placement, and configuration of malware detection and repair tools based on risk assessment outcomes; considerations will include:
  - Evasive techniques of attackers (e.g. the use of encrypted files) to deliver malware or the use of encryption protocols to transmit malware;
  - Protection against the introduction of malware during maintenance and emergency procedures, which can bypass normal controls against malware;
  - Implementing a process to authorize temporarily or permanently disabling some or all measures against malware, including exception approval authorities, documented justification and review date;
  - Defining procedures and responsibilities to deal with malware protection on systems, training in their use, and reporting and recovering from malware attacks;
  - Preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements;
  - Implementing procedures to regularly collect information, such as subscribing to mailing lists or checking websites that give information about new malware;
  - Implementing procedures to verify information relating to malware and to ensure that warning bulletins are accurate and informative. Managers should ensure that qualified sources (e.g. reputable journals, reliable Internet sites or suppliers producing anti-malware software) are used to differentiate between hoaxes and real malware, and all users should be made aware of the problem of hoaxes and what to do on receipt of them;
  - Isolating environments where catastrophic impacts may result.
- Where possible, disable USB ports, prohibit writable media use, and restrict read-only media to legitimate commercial sources and allowlisted software.