IT - Acceptable

Usage
Policy

1
REVISION HISTORY
Version Author Date of Sections Affected
Number Revision
1 XXXX All

AUTHORIZATION

Prepared by Date

Reviewed By

Approved By

2
 Table of Contents:

1. SCOPE..........................................................................................................................3

2. POLICY STATEMENT..............................................................................................3

2.1 USAGE OF COMPANY INFORMATION ASSETS.......................................3

2.2 REPORTING INCIDENTS................................................................................4

2.3 PASSWORD USE................................................................................................5

2.4 VIRUS PROTECTION.......................................................................................5

2.5 PHYSICAL SECURITY.....................................................................................6

2.6 HANDLING CONFIDENTIAL INFORMATION...........................................6

3. COMPLIANCE WITH THE POLICY.....................................................................6

4. VIOLATION OF THE POLICY................................................................................6

4.1. CONSEQUENCES OF VIOLATION OF THE POLICY...............................6

5. CONTACT ROLE FOR CLARIFICATIONS REGARDING THE POLICY......7

3
Scope
This policy applies to all users of information assets including COMPANY employees,
employees of temporary employment agencies, vendors, business partners, and
contractor personnel and functional units regardless of geographic location.

Policy Statement
The purpose of the Acceptable Usage Policy is to ensure that Company’s information
assets are used in a security conscious manner and not used to perform any
unscrupulous or illegitimate activities.

1 Usage of Information Assets

 Users are only authorized to utilize Company’s information assets for business
purposes for which they have been authorized. Usage of Company’s
information assets for personal use or on behalf of a third party (i.e., personal
client, family member, political or religious or charitable or school
organization, etc.) is strictly prohibited.
 Usage of Company’s information assets to store, process, download, or
transmit data that can be construed as biased (politically, religiously, racially,
ethnically, etc.) or supportive of harassment is strictly prohibited.
 Receiving, printing, transmitting, or otherwise disseminating proprietary data,
company secrets, or other confidential information in violation of company
policy or proprietary agreements is strictly prohibited.
 Downloading inappropriate material such as picture files, music files, or video
files for personal use is strictly prohibited.
 Users should terminate active sessions when finished, unless they can be
secured by an appropriate locking mechanism, e.g. a password protected screen
saver.
 Users are prohibited from changing the configuration of, removing, de-
activation of or otherwise tampering with any virus and malicious software
prevention / detection software that has been installed on systems used by
them.

1.1 Introduction of Unauthorized Copies of Licensed Software

 Introduction of unauthorized copies of licensed software into Company’s
information systems is prohibited.
 The storage, processing, or transmittal of unauthorized copies of licensed
software, by COMPANY personnel / associates is strictly prohibited.

1.2 Introduction of Open-source, Freeware and Shareware

Applications
 Introduction of Open-source, Freeware and Shareware Applications whether
downloaded from the Internet or obtained through any other media into
Company’s information systems will be subject to a formal evaluation and
approval process.

4
  Open-source, Freeware and Shareware Applications should be evaluated and
tested by the Competence Head and System Engineers before installation on
COMPANY Information Resources. They must verify the legal implications of
using the same in the COMPANY information systems.

1.3 Introduction of Pornographic Material

 Introduction of pornographic material into Company’s information systems is
strictly prohibited. The storage, processing, or transmittal of pornographic
material on Company’s information systems, by COMPANY employees,
employees of temporary employment agencies, vendors, business partners, and
contractor personnel is strictly prohibited.

1.4 Due Diligence

Each user has the responsibility to notify the Head – IT immediately of any
evidence of or suspicion of any security violation with regard to:
 Unauthorized access to network, telecommunications, or computer
systems.
 The apparent presence of a virus on a desktop or laptop.
 Apparent tampering with any file for which the user had established
restrictive discretionary access controls.
 Violation of this Policy or any other IT policy by COMPANY employees,
employees of temporary employment agencies, vendors, business partners, and
contractor personnel.
 To prevent unauthorized access, including viewing, of information assets in
his possession or control.

1.5 Computer Games

Playing computer games in the COMPANY premises is prohibited during office
hours (shift timing) of the Data Center Facility. Users should not install any
computer games (except default operating system games) in COMPANY
information systems.

1.6 Introduction of Destructive Programs

Introduction of destructive programs (e.g., viruses, self-replicating code) in order
to cause intentional damage, interfere with others, gain unauthorized access, or
inhibit production to Company’s information systems, is strictly prohibited.

1.7 External Services

a. All users should limit their usage of external services (such as bulletin board,
on-line service provider, Internet site, and commercial data base) for authorized
business purposes.

2 Reporting Incidents
Incident is defined as the occurrence of any exceptional situation that could
compromise the Confidentiality, Integrity or Availability of Information and
information systems of COMPANY. It is related to exceptional situations or a
situation that warrants intervention of senior management, which has the potential to
cause injury or significant property damage. Software malfunctions, virus, theft, etc.

5
 and any violations of Company’s security policies shall also be considered an
incident.
 If any user comes across any exceptional situation as mentioned above
he/she should immediately inform the Head – IT.
 The users should not try and test the weaknesses, since it might be
interpreted as misuse of the system.
 All the incidents should be escalated as per the defined Incident
Management Policy.

3 Password Use
Passwords provide a means of validating a user’s identity and thus to establish access
rights to information systems. All users should:
 Keep their passwords confidential.
 Should change the initial passwords immediately.
 Avoid keeping a paper record of passwords, unless this can be stored securely.
 Change passwords whenever there is any indication of possible system or
password compromise.
 Select quality passwords which are:
-Easy to remember.
-Not based on anything somebody else could easily guess or obtain using person
related information (such as names, telephone numbers, and dates of birth).
-Free of consecutive identical characters or all-numeric or all-alphabetical groups.
-Password should contain at least one numeric and one special character if the
system supports.
 Change passwords at regular intervals (passwords for privileged accounts should
be changed more frequently than normal passwords), and avoid re-using or cycling
old passwords.
 Not include passwords in any automated log-on process, e.g. stored in a macro or
function key.
 Not share individual user passwords.
 The user should contact the System Engineers/Administrators for getting the
account unlocked.

4 Virus Protection
 Users should not open any files attached to an email from an unknown, suspicious
or untrustworthy source.
 Users should not open any files attached to an email whose subject line is
questionable or unexpected.
 Users should delete chain/junk emails and not forward or reply to any of the
chain/junk mails. These types of email are considered Spam, which is unsolicited
and intrusive that clogs up the network.
 Users should exercise caution when downloading files from the Internet, and
should download them only from a legitimate and reputable source. Verify that an
anti-virus program checks the files on the download site. If you're uncertain, don't
download the file and contact IT Personnel.
 Users should back up the files on a regular basis.

6
  When in doubt, always err on the side of caution and do not open, download, or
execute any files or email attachments.

5 Physical Security
 Users should not allow any unauthorized person to enter the COMPANY premises.
 Users should not enter into COMPANY premises without ID badges and they
should always display their ID badges within COMPANY premises.
 Users should disclose voluntarily all their belongings, to security personnel, while
entering and going out of COMPANY premises.
 Users should not take in or out any equipment from COMPANY premises, without
authorization.

6 Handling Confidential Information

 Confidential/restricted information should always be transmitted through trusted
communication links and not through public networks.
 Confidential information stored or transported in computer-readable storage media
(such as magnetic tapes or CDs) should be appropriately protected from the reach
of unauthorized individuals.

Compliance with the Policy

Compliance with the Acceptable Usage policy is mandatory. COMPANY Department
Heads shall ensure continuous monitoring within their departments. Compliance with
the Acceptable Usage Policy shall be a matter for periodic review by the Head – IT.

Violation of the Policy

Any employee who discovers a breach of this policy shall notify the Head –IT.
Violations of the policies of COMPANY shall result in disciplinary action by the
management.

4.1. Consequences of violation of the Policy

Disciplinary action shall be consistent with the severity of the incident, as
determined by an investigation, and may include, but not be limited to:
 Loss of access privileges to information assets, and
 Other actions as deemed appropriate by Management, Human Resources, and
the Legal Department.