Acceptable Use of IT Facilities Policy
Last Updated 21 Aug 2017 in Ways of Working
Overview
Our IT facilities are important to the running of our business. This policy outlines how colleagues should use these assets effectively and safely.
Key points covered:
- What is considered to be Society IT equipment
- Safe use of passwords, removable media and Society software
- What is acceptable use of email and the internet
1. Overview
This policy outlines the standards that all colleagues are expected to follow with regard to the secure and acceptable use of the Society’s IT facilities. It applies to all colleagues (whether employed on a full-time, part-time, fixed term or permanent basis), as well as agency staff and contractors.
2. Purpose
The purpose of this policy is to enable colleagues to use the Society’s IT facilities in an effective, efficient, secure and ethical manner, in a way that does not bring the Society or individual colleagues into disrepute (whether inadvertently or deliberately), and to reduce the risk to IT assets, including information assets relating to the Society’s customers and members.
3. Scope
3.1 Overview
The Society’s IT facilities include, but are not limited to, any computer (including laptops, tablet computers and Personal Digital Assistants (PDAs)), server or data/voice network, wireless network, and any mobile phones or desk phones provided and supported by the Society (including the interface with, and use of, public networks). The policy applies at all times, whether inside or outside working hours, and any breach of this policy and/or misuse of the IT facilities may result in disciplinary action, which may include dismissal.
3.2 Equipment Ownership
The hardware, network and telecommunications systems are the property of The Midcounties Co-operative, and access to the equipment is provided as a tool to support the Society’s business. Society equipment may be used for business, business-related and colleague personal use (provided personal use is of an incidental nature and does not interfere with business activities). Usage of, and access to, the Society’s equipment will only be granted through CIT on an as-needed basis defined by Line Managers. The Society reserves the right to temporarily or permanently limit, withdraw or restrict use of, or access to, any IT facilities at any time and for any reason.
4. Responsibilities
All colleagues must ensure that they are aware of the IT policies and that they have read and understood the most recent versions which are available on the Intranet and Society E-Learning portals. Colleagues will also be required to declare that they have read and understood the IT policies by signing the appropriate form provided at the bottom of this policy upon joining the Society. The Society reserves the right to reissue this policy at any time and ask colleagues to review and re-sign the form if required.
All colleagues must understand that documents, data and information created using the Society’s IT facilities remain the property of the Society. It should be noted that this includes all emails sent and received using Society email addresses.
5. Policy
5.1 Secure Use of Computer Systems
5.1.1 Software Installation – Colleagues are not allowed to install or upgrade software on any PC without the specific permission of the Society’s IT Group (known as Cooperative IT, CIT).
5.1.2 Hardware Integrity – It is the responsibility of each user to take all reasonable precautions to safeguard the physical security of the IT facilities. All systems must be reasonably protected against wilful and accidental damage, e.g. against physical hazards such as liquid spills, and by not allowing unauthorised physical access to the machine.
5.1.3 Software Integrity – Colleagues must take reasonable precautions to safeguard computer systems and data/information in their care. Colleagues are not allowed to use programs, utilities and/or any other device to circumvent security measures, determine or identify passwords, or breach conditional access systems. Malicious programs can cause serious disruption to the Society’s systems. You must not allow these programs onto your system and must take all reasonable steps to avoid such programs being loaded onto the Society’s systems.
5.1.4 Networked devices/computers – Colleagues are not allowed to change or attempt to change network settings on any device without prior authorisation from the CIT Group.
5.1.5 Passwords – Colleagues must always use strong passwords. Ensure the following:
- Passwords must be changed every 60 days.
- Do not use guessable words or dictionary words.
- Passwords must not be written down, shared (not even with CIT) or disclosed to anyone, except that, upon termination, colleagues will be required to hand over their access to their Line Managers prior to leaving.
- Passwords must be at least 8 characters long and constructed using upper-case letters, lower-case letters, numbers and special characters, e.g. use $%^&*()£"!/\{}[] when constructing strong passwords.
- Colleagues who use a till must ensure that they use the correct till operator number and do not share their operator number and passwords with other colleagues. If you suspect that an account or password has been compromised, report the incident by logging an incident on ServiceNow and change all passwords.
5.1.6 FTP (File Transfer Protocol) Uploading – FTP is used to securely transfer files from one computer to another via the internet; this is generally used to transfer data to and from external contacts. Secure FTP must be used when transferring sensitive or confidential data/information. Anonymous FTP uploads are not allowed. Secure FTP sessions must be implemented through CIT.
5.1.7 Removable Media Use – Removable media such as USB flash drives, memory cards, mobile phones, laptops and PDAs (also known as handheld PCs) must only be used with explicit authorisation from your Line Manager. Only CIT-approved removable media devices must be used. Removable electronic media must be encrypted where possible, and only encrypted devices must be used to store or transport sensitive or confidential data. Where possible the use of removable electronic media should be avoided; if it is used to transport sensitive or confidential data, the data must be removed as soon as possible once the need to hold it on the removable media has passed.
Please Note: The above relates to the device; for guidance on the content, please refer to the Data Protection Policy and the PCIDSS Information Security and Acceptable Use Policy.
5.1.8 IT user identification and access – You must only access and use the Midcounties Co-operative Society network, systems and applications if you are authorised to do so. If you are granted access, it is to allow you to perform your duties efficiently, and access has been granted for your sole use by means of a unique user account and password. You must not give details of your user account and password to anyone, including your Line Manager. If a colleague requires access to email, drives or applications on the Midcounties network while located outside Midcounties sites or offices, a VPN connection is required. This will be provided by CIT with the authorisation of your Line Manager (refer to section 5.6 for further detail).
5.1.9 Use of IT facilities for personal trading – Colleagues must not use the Society’s IT facilities to solicit or distribute material connected with any business not owned by Midcounties.
5.2 Email Use
5.2.1 Overview
The Society will make reasonable efforts to maintain the integrity and effective operation of its email systems, but users are advised that those systems should in no way be regarded as a secure medium for the communication of sensitive or confidential information. Because of the nature and technology of electronic communication, the Society can assure neither the privacy of an individual user’s use of the Society’s email resources nor the confidentiality of particular messages that may be created, transmitted, received, or stored thereby.
While the Society has what we consider to be a strong virus protection system, care must be taken when opening email and email attachments. Colleagues must not open attachments from senders that they do not know or did not expect. If colleagues are unsure about any email or attachment, contact CIT or delete the message as soon as possible.
Email mailboxes and folders must be kept free of unnecessary emails that would not be considered business related. Retaining an excessive amount of email causes poor email performance, extended email backup times and utilises unnecessary storage space.
5.2.2 Unacceptable use of emails includes:
- The creation and sending of messages which may be considered abusive, or which may violate the dignity of a person or create an intimidating, hostile, degrading, humiliating or offensive environment (including, without limitation, any messages that are sexist, racist, obscene, abusive or defamatory). Emails of this nature could make the Society and the individual colleague liable in a court of law, and would also be in breach of the Respect in the Workplace Policy.
- The use of the email system to create or cause any detrimental impact on the Society or its systems.
- The use of third-party messaging systems other than those provided by the Society. Instant messaging systems are only permitted when required for daily functions or duties and approved by Line Managers.
- Using or allowing large attachments such as games, screensavers and pictures, etc. to be received and/or circulated via the Society’s email system. Auto-forwarding of Society emails is not permitted.
- Sending personal or sensitive information over the email system or via messaging systems. Sensitive information is information as defined in the Data Protection Act 1998; refer to the Data Protection Policy. PCIDSS standards must be followed with regard to credit/debit card information, whether colleagues’ personal credit card data or that of the Society’s members or customers. Colleagues handling card payments must complete annual refresher PCIDSS training and read and understand the PCIDSS Information Security and Acceptable Use Policy.
Personal emails in the Society’s Email system will be subject to monitoring. It is advisable that colleagues do not send or forward personal emails that they do not wish to be read by a third party. Personal use of emails should be kept to a minimum while at work and such use is only permitted at an appropriate time such as your lunch break or before/after the start/end of your shift and with your manager’s permission to do so.
It should be noted that emails sent or received using the Society network may be subject to protected disclosure, and the Society reserves the right to access user email accounts with the approval of the CIO and/or the GGM Colleague & Cooperative Services, together with the relevant Group General Manager.
5.3 Internet and Intranet Use
The Society Intranet is private and confidential and should be treated as such by all colleagues. Colleagues must not disclose information on the Intranet to unauthorised individuals or third parties. To share or disclose the Intranet or information held on it to individuals not employed by the Society, written permission must be received from the Intranet Management Team (email: intranet@midcounties.coop).
Internet and Intranet misuse includes, but is not limited to:
- Unreasonable or excessive time online (outside of job role remit), whether inside or outside core working hours.
- Accessing non-business websites, including audio, film and software.
- Unauthorised blogs (web-logs), games, and anything with the following content: gambling, pornographic or adult-oriented material, or anything that may violate the dignity of a person or create an intimidating, hostile, degrading, humiliating or offensive environment (including, without limitation, websites promoting violence and any site of a sexist, racist, obscene, abusive or otherwise inappropriate nature), or anything illegal under UK law.
It should be noted that use of the Intranet and Internet will be subject to monitoring by CIT.
Acceptable use of Internet and Intranet includes, but is not limited to:
- Industry reports, economic information, business news, social media or any other internet or intranet use deemed relevant to colleagues’ roles or functions.
- Acceptable non-business use includes, but is not limited to, news, weather and responsible use of web-based email. Such use must be kept to a minimum and must be carried out during your lunch break or before/after the start/end of your shift. Your Line Manager or PSG will be able to provide guidelines on this.
The above acceptable and unacceptable uses of the internet/intranet apply to laptops, tablet PCs, smartphones and other mobile devices.
Colleagues may access and download information from the Internet, subject to the following restrictions:
- Downloading of freeware and shareware by users is prohibited.
- Downloading of non-executable data files is permitted.
5.4 Use of your computer at work
Colleagues are reminded that, whilst at work, the use of the IT facilities is intended for work purposes only. As stated above, colleagues must not, during work time, play online games or games already loaded onto their PC (such as Solitaire), or use email for personal purposes. Guidance on email usage is covered in section 5.2 of this policy.
5.5 Mobile Devices and Telephone Use
Colleagues are reminded that Society mobile phones and landlines are supplied for business purposes only. Due care must be taken when using telephones, voicemail, answering machines, facsimiles and recording equipment (e.g. photographic, video and audio equipment) to ensure the protection of confidential or personal information at all times. All of the Society’s mobile phones must be password protected. Only IT-authorised apps may be downloaded onto Society mobile phones.
5.6 Remote Access Technologies
Colleagues are not automatically granted remote access privileges.
All work performed on the Society’s IT facilities by any employee through a remote access connection of any kind is covered by this policy. Work can include (but is not limited to) email correspondence, using intranet resources, and any other Society application. Remote access is defined as any connection to the Society’s network and/or applications from an off-site location, such as the colleague’s home, a hotel room, a wireless device, etc.
The Society’s resources (i.e. computer systems, networks, databases, etc.) must be protected from unauthorised use and/or malicious attack that could result in loss of information, damage to critical applications, loss of revenue, and damage to public image. Society networks must not be accessed via unsecured wireless communication mechanisms. Therefore, all remote access privileges for Society colleagues to enterprise resources must employ only Society-approved methods.
Connection to another company’s network while connected to the Society’s network is prohibited. When connected to the Society network via VPN, all Internet browsing must go through the Society firewall; no split tunnelling is allowed. Do not provide login or email passwords to anyone, not even family members. Only Society-approved VPN clients must be used. Remote access connections used to access sensitive Society information must be encrypted in transmission. Accounts enabled for vendor access will be deactivated immediately after use.
6. Monitoring and Enforcement
6.1 Monitoring
Internet filters will be used to filter unsuitable content from downloads and to log IP addresses and user details for the record.
Communications may be monitored at any time, and any reasonable type of monitoring tool may be used to do so. Monitoring will include usage of all IT facilities and is not limited to PCs, mobile phones and desk phones. Prior warning may not always be given of such monitoring by the Society. Please refer to the Society’s Data Protection Policy for further information about the Data Protection Act 1998.
6.2 Enforcement
You must abide by this policy at all times, whether inside or outside working hours. If you breach this policy, or ignore or misuse the IT facilities available to you, this is likely to result in disciplinary action which, depending on the seriousness of the offence, can include dismissal.
6.3 Where to go for advice
If you need further information or advice on this Policy, you should discuss this with your Line Manager in the first instance or contact CIT by logging a service request through ServiceNow.
The guidelines in this Policy should be read in conjunction with the Society’s Data Protection Policy and PCIDSS Information Security and Acceptable Use Policy. This policy does NOT prohibit any of the Society’s users from making a protected disclosure (often known as “whistleblowing”) where applicable.
Policy name: Acceptable Use of IT Facilities Policy
Date of last review: Aug 2019
Policy owner: PSG
Issue number: PSG-SM-001