ISP003.3.1 Acceptable Use Policy


Purpose

Information systems provide access to both data and processes required to support most business functions.  They have contributed to substantial improvements in both productivity and customer service.  However, the use of information systems to access customer or financial data, electronic mail (Email), the Internet, and remote access to business systems introduce risk.  The purpose of this policy is to define end user acceptable use criteria for organizational systems.

Standards 

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and SFTP are the property of Mission Global. These systems are to be used for business purposes in serving the interests of the company, and of our clients in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.
General Use and Ownership
While Mission Global's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of Mission Global.  
Mission Global’s security systems have been designed for the secure storage and management of client and business data. Users are not permitted to use these services to store personal .
Employees are responsible for exercising good judgment regarding the reasonableness of personal use. If there is any uncertainty, employees should consult their supervisor or manager. 
The Information Systems Department recommends that any information that users consider sensitive or vulnerable be encrypted. All information relating to an individual’s privacy must be protected. 
For security and network maintenance purposes, authorized individuals within Mission Global may monitor equipment, systems, and network traffic at any time. 
Mission Global reserves the right to audit network systems and internet use on a periodic basis to ensure compliance with this policy.

Unacceptable Use

The following activities are, in general, prohibited. Employees/Contractors may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services). 
Under no circumstances is an employee/contractor of Mission Global authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Global-owned resources. 
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use. 

System and Network Activities:

The following activities are strictly prohibited, with no exceptions: 
•    Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Mission Global.
•    Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Mission Global or the end user does not have an active license is strictly prohibited. 
•    Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question. 
•    Introduction of malicious programs into the network or servers (e.g., viruses, worms, Trojan horses, email bombs, etc.). 
•    Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home. 
•    Using a Mission Global computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction. 
•    Making fraudulent offers of products, items, or services originating from any Mission Global Financial Review account. 
•    Making statements about warranty, expressly or implied, unless it is a part of normal job duties. 
•    Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes. 
•    Port scanning or security scanning is expressly prohibited unless prior notification to the Information Systems Department is made. 
•    Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty. 
•    Circumventing user authentication or security of any host, network or account. 
•    Interfering with or denying service to any user other than the employee's host (for example, denial of service attack). 
•    Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet. 
•    Providing information about, or lists of, Mission Global employees and/or contractors to parties outside Mission Global. 
•    The use of social media products (e.g. Twitter/Facebook) is not acceptable for business purposes due to inherent security risks.  Installation and use of such products is prohibited on Mission Global assets and/or networks. 
Unacceptable use of Email and Communications Activities
•    Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam). Transmitting of client confidential and/or proprietary information, loan documents, and personally identifiable information is strictly prohibited.
•    Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages. 
•    Unauthorized use, or forging, of email header information. 
•    Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies. 
•    Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type. 
•    Use of unsolicited email originating from within Mission Global's networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by Mission Global or connected via Mission Global's network. 
•    Posting the same or similar non-business related messages to large numbers of Usenet newsgroups (newsgroup spam).
Unacceptable use of Remote Access
•    Do not type a User ID or password while someone is watching.
•    Do not permanently store passwords on a notebook and/or PC.  This includes permanent storage for use in automatic login scripts.
•    Do not leave the notebook and/or PC unattended and remotely logged on to the Mission Global network in any public place. 
•    Do not share dynamic password token cards, smart cards, fixed passwords, or any other access devices or access parameters with any other person.
Management responsibilities
Managers will ensure all users within their area of responsibility comply with the Information Security Policy and standards.
•    Managers are properly briefed on the information security roles and responsibilities
•    Managers are responsible for ensuring the proper training and adherence of all users they are responsible for
•    Managers are responsible for implementation and oversight of necessary disciplinary action should that be required
Information security awareness, education and training
All Users of Mission Global will receive periodic training and awareness including updates regarding the Information Security Policy and standards.
•    Awareness training will commence with a formal induction process conducted before any user is granted access to services and/or company assets.  This training will introduce users to security policies, procedures, and expectations outlined in the ISP manual.
•    Ongoing training will be conducted and/or reviewed at least yearly with each user to address the following:
o    Legal responsibilities
o    Business controls
o    Log-on procedures
o    Disciplinary process

Disciplinary process:

A formal disciplinary process has been implemented for all Users who have committed a breach of information security.  All violations are dealt with by management up to and including immediate termination.
•    The disciplinary process ensures correct and fair treatment for employees who are suspected of committing breaches of security. 
•    Disciplinary action is leveled in a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether or not this is a first or repeat offence, whether or not the violator was properly trained, relevant legislation, business contracts and other factors as required. 
•    Serious cases of misconduct will result in instant removal of duties, access rights and privileges, including immediate escorting out of the site, if necessary.
Management of information security incidents
Responsibilities and procedures for the management of security incidents to ensure a quick, effective and orderly response to Information Security incidents:
•    It is the responsibility of any user to immediately report any security incident directly to the Information Systems (IS) manager via Mission Global’s secure online help desk system (https://support.gfreview.com). The user must provide a detailed description of the security incident. 
•    It is the IS Manager’s responsibility to immediately notify the Chief Operating Officer, department leads and Network/Systems Administrator(s) of any reported, observed or suspected security incidents. 
•    All reported or identified security incidents will be treated as severe in nature and extreme caution taken to ensure the safety of personnel, networks and data infrastructure. The IS Manager is responsible for implementing measures necessary to contain any non-compliance or breach.
•    All findings and appropriate resolutions must be logged and documented in Mission Global’s online help desk system. 
•    All resolutions to any finding must be scheduled, documented, and approved in Mission Global’s Change Control System.
•    It is the Chief Operating Officer’s (COO) responsibility to determine notification and disclosure responsibility.
•    All employees found in violation of the employee confidentiality agreement are subject to disciplinary action up to and including termination.
Termination or change of employment
Termination responsibilities
Responsibilities for employment termination, including change of employment, fall on the direct manager or supervisor of a given user.
Upon termination of employment, management and/or supervisors will reaffirm on-going security requirements and legal responsibilities where appropriate, including but not limited to any confidentiality/non-disclosure agreement(s) as well as all the terms and conditions of employment for no less than 2 years.
Return of assets
Users must surrender all of the organisation’s assets in their possession upon termination of their employment, contract or agreement.
Removal of access rights
All access rights of Users to Mission Global information systems will be deleted or disabled immediately upon the termination of an employment agreement or contract. This may include a remote wipe of any remote device that has access to the Mission Global email system.  This wipe may or may not cause the unintended loss of data and/or settings on a remote device and Mission Global is not responsible for any unintended loss of data or settings.

Acknowledgement Form:

Digital Signature *
By typing my name here, I acknowledge receipt of the above Information Security Acceptable Use Policy. I have watched the current "Security Awareness Training Video" and I have read and understand the Security Policy and will comply with all of its provisions. I understand that failure to comply with the Security Policy will result in disciplinary action, up to and including termination.