A.8.1.3 1.8 - Guiding Principle: IT Systems Acceptable Use policy

1. Purpose, scope, and users

The purpose of this document is to tell Resolver employees the guiding principle for using Company IT systems and to make employees aware of their responsibilities based on this principle.

We trust you to help us take care of our (Resolver, employees, customer, and partner) hardware, networks, systems, and IT services. Compromising our systems in any way is no laughing matter.

2. Reference documents

  • ISO/IEC 27001:2013 standard, control A.8.1.3

3. Considerations

If you ever have any questions about the acceptable use of our information systems, contact our IT team. They can help clarify the content of this document for you.

3.1  General use, data ownership, and property

As with most companies, the IT equipment and information systems you use to do your job are the property of Resolver. This includes all files, email, instant, and text messages created in our IT systems.

Our systems should be used for business purposes and operations, although we do understand that a reasonable amount of personal use may be included, as long as it doesn’t interfere with your day-to-day.

Uncertain about what’s reasonable? Chat with your manager.

  • Privacy:  we take steps to protect the privacy and confidentiality of data collected for business purposes; however, we can’t guarantee to protect personal items like photos you’re going to upload to Instagram.
  • Monitoring: as part of our internal auditing and compliance process, we regularly monitor our IT systems to make sure everything is above board. If not, we’ll have to respond.
  • Security and proprietary information: we have a pretty extensive “Confidentiality and Proprietary Rights” agreement that has lots of information concerning how to use and protect company information. If you need a refresher, ask your manager where to find this agreement.
  • Passwords: at a minimum, all your devices (computers, laptops, portable devices, and mobiles) must be password protected. Keep those passwords secure by not sharing them. When you step away from your machine, it should be locked and password protected.
  • Bugs: all equipment connected to our systems (owned by us or you) must be running approved anti-virus and anti-malware software. This should be frequently updated to ensure the safety of your device and our information systems.
  • Back-ups: you are responsible for backing up/synchronizing the information you work with and control to a network and/or cloud file storage service/device (i.e., Box). Backups are expected on at least a monthly basis to the appropriate Resolver network folder for your department for data that is not deemed appropriate for cloud storage (i.e., large databases or media files). When in doubt, ask a member of the IT department for guidance. A current copy of all corporate information must be maintained on the Resolver network at all times.
  • Traveling: take extra care when on the road. Avoid using unsecured public Wi-Fi networks to transfer work-related data.

3.2  Software

Resolver assists you by ensuring that all software is purchased, issued, and tracked by the company. Software installed on your computing devices should be relevant to your job function. If non-standard software is required, connect with our IT team.

  • Internet downloads: be extremely cautious when deciding whether or not to accept and/or execute Internet downloads and/or plug-ins.
  • No-no’s: never install peer-to-peer, newsgroup, torrent, or streaming services or any other content distribution applications or services to view or distribute copyrighted or geo-restricted material on our systems. This includes if you’re at home and connected to our network.
  • Our IP: you should never copy, share, borrow, or destroy any software that Resolver owns, licenses, or authors. We are a software company, and our business is dependent on the legally licensed use of the software.

3.3 IT Equipment

We’ll help you out by taking care of IT purchases. On your end, our equipment should stay in the family and not be shared with people who don’t work with us. Also, don’t disassemble our equipment. If anything is lost, stolen, or damaged, reach out to our IT team immediately.

4. Exits and departures

  • Leaving employment with us means that you need to return all Resolver-owned hardware, software, and access devices including all systems/devices and/or equipment, keys, key fobs, data, backups, program code, CDs, diskettes, printouts, and tapes obtained from Resolver.
  • Employees who ported a personal number over to the corporate account may retain their number when they leave.

5. Reasonable usage

  • If your Resolver-provided IT equipment is ever damaged or destroyed due to activities outside of normal wear and tear, you may be held financially responsible for the damage or loss.

6. Personal devices and IT system access

Any computing devices (laptops, smartphones, etc.) not owned by Resolver which are used to connect to the company’s IT systems are subject to the following requirements:

  • Devices must implement reputable anti-malware/virus software (e.g., Malwarebytes, Norton, Symantec, Bitdefender, etc.) configured to perform continuous and/or scheduled scanning and frequently update the virus signatures.
  • Devices must implement a desktop firewall that is set up to restrict access.
  • Devices must have software security updates applied immediately on release from the vendor.
  • Devices must use a unique account to connect to Resolver and establish a strong password syntax for the account (refer to Resolver’s Password policies for details). This account should not be accessible to non-Resolver Employees.
  • When connecting remotely into the office, users must NOT save their password on their device’s VPN connection. You should have to enter your password every time you connect.
  • Devices must not share Resolver’s VPN connection with any other local accounts.
  • When using Remote Desktop from home, users must NOT set up their username and password to be remembered for that connection setting.

7. Unacceptable Use

The activities listed in this section are strictly forbidden. These lists are not exhaustive, and employees should exercise common sense about the activities described below. Employees may be exempted from some restrictions during their regular job activities; however, under no circumstances are employees authorized to engage in any illegal activities.

7.1  System and Network Prohibited Activities

  • Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated”, “cracked” or other software products that are not appropriately licensed for use by Resolver.
  • Unauthorized copying or distribution of copyrighted material including, but not limited to, digitization of photographs from magazines, books, or other copyrighted sources, copyrighted music, fonts, and the installation of any copyrighted software for which Resolver or the end-user does not have a valid active license.
  • Exporting software, technical information, encryption software or technology, in violation of applicable export control laws.
  • Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, malware, etc.).
  • Revealing your account passwords to others or allowing the use of your account by others, including family and other household members when IT Systems are used from home.
  • Using Resolver’s IT Systems to actively engage in procuring or transmitting material that violates sexual harassment or hostile workplace laws in the local jurisdiction.
  • Making fraudulent offers of products, items, or services originating from any Resolver account.
  • Effecting security breaches or disruptions of network communications.
  • Port scanning or security scanning.
  • Network monitoring that reads or intercepts data not intended for the Employee’s host.
  • Circumventing user authentication or security of any of Resolver’s IT Systems.
  • Interfering with or denying service to any of Resolver’s IT Systems (for example, denial of service attack).
  • Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.

7.2  Email, IM, and General Communications Prohibited Activities

  • Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
  • Any form of harassment via email, IM, telephone, or paging, whether through language, frequency, or size of messages.
  • Unauthorized use or forging of email header information.
  • Heavy access to entertainment videos or other non-work-related videos/content.
  • Accessing inappropriate videos/content (i.e., pornography).
  • Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
  • Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
  • Use of unsolicited email originating from within Resolver’s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by Resolver or connected via Resolver’s IT Systems.
  • Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

8. Definitions

“Employees” means all Resolver employees, contractors, consultants, and temporary workers at Resolver, including all personnel working for Resolver on behalf of third parties.

“IT Systems” means all IT equipment and/or infrastructure that is owned, leased or provided for use by Resolver including, but not limited to, personal computer (PC) equipment, servers, mobile devices, printers, telephony equipment, fax machines, software, operating systems, storage media, network accounts, electronic mail, Resolver-hosted websites, Resolver-hosted FTP sites, routers, switches, network infrastructure, network traffic, and intranet access.

“Confidential information” means any information or material which is proprietary to Resolver, whether owned or developed by Resolver, which is not generally known other than by Resolver, and which may have been obtained through any direct or indirect contact with Resolver.

“Security breaches” include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a System or account that the employee is not expressly authorized to access.

“Disruptions” include, but are not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.

“Personal Use” is defined as personal matters and business, excluding soliciting for commercial ventures, political or religious causes, or other outside organizations that are not partners, clients, or contractually obligated to Resolver.

9. Validity and document management

This document is valid as of July 2020.

The owner of this document is an HR team who must check and, if necessary, update the document at least once a year.

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.