IT Use Policy
- In producing this policy Portsmouth Disability Forum (PDF) is seeking to protect both the charity’s and employees’ interests without imposing unnecessary restrictions.
- The purpose of this policy is to safeguard the confidentiality, integrity, availability and accessibility of PDF's IT systems and any company or client data stored on or processed by those systems.
- The policy applies to all staff, volunteers and contractors and covers all IT equipment used in the execution of PDF's business.
- Users are responsible for exercising good judgment with respect to personal use.
- All sensitive or vulnerable data transferred outside of PDF's intranet domain shall be encrypted and password protected.
- All staff, volunteers and contractors shall be governed by any relevant legislation (see list at end of this document) whilst working with PDF's IT systems.
- Use will be monitored to ensure compliance with this policy.
- Users are responsible for the security of all passwords which have been issued to them.
- Users shall be mindful of the threats posed to PDF's IT systems and any data stored upon those systems.
- Violation of this policy is subject to disciplinary action, up to and including termination of employment.
- No member of staff will be disciplined for damage to systems where all practical effort has been made to adhere to PDF’s IT Use Policy.
1.1 In publishing an IT Use Policy, PDF does not intend to impose restrictions that are contrary to its established culture of openness, trust and integrity. We are committed to protecting PDF's employees, partners and the charity from illegal or damaging actions by individuals, either knowingly or unknowingly.
1.2 Internet systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts and email addresses, are the property of PDF. These systems are to be used for business purposes in serving the interests of the charity, and of our clients and customers in the course of normal operations.
1.3 Effective security is a team effort involving the participation and support of every PDF employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know this policy, and to conduct their activities accordingly.
2.1 The purpose of this policy is to outline the acceptable use of Information and Communications Technology (ICT) equipment supplied by PDF. These rules are in place to protect the employee and PDF. Inappropriate use exposes us to risks including virus attacks, compromise of network systems and services, and legal issues. There are four major objectives to this policy:
- Confidentiality is about ensuring that only the people who are authorized to have access to information are able to do so. It's about keeping valuable information only in the hands of those people who are intended to see it.
- Integrity is about maintaining the value and the state of information, which means that it is protected from unauthorized modification. Information only has value if we know that it's correct. A major objective of this policy is thus to ensure that information is not modified or destroyed or subverted in any way.
- Availability is about ensuring that information and information systems are available and operational when they are needed. A major objective of this policy must be to ensure that information is always available to support critical business processes.
- Accessibility is about ensuring that, where possible, users can access information irrespective of disability; either physical or mental/cognitive.
3.1 This policy applies to employees, contractors, consultants, volunteers, temporaries, and other workers at PDF. This policy applies to all equipment that is owned or leased by PDF and any equipment used in connection with PDF’s business.
4.1 General Use and Ownership
4.1.1 While PDF's network administration endeavors to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of PDF.
4.1.2 Employees are responsible for exercising good judgment regarding the reasonableness of personal use. If there is any uncertainty, employees should consult their supervisor or PDF Principal Officer.
4.1.3 PDF requires that any information being transferred outside of PDF’s intranet domain that users consider sensitive or vulnerable be encrypted and protected with a strong password. See PDF's Confidentiality and Disclosure of Information Policy for guidelines on information classification, encrypting and password protection.
4.1.4 All emails sent by PDF employees, trustees and volunteers in connection with their role must comply with the Companies Regulation 2006, which requires the display of the charity's name, registered address, charity number, company registration number and place of registration.
4.1.5 For security and network maintenance purposes, authorized individuals within PDF may monitor equipment, systems and network traffic at any time.
4.1.6 PDF reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
4.2 Security and Proprietary Information
4.2.1 Information contained on Internet systems should be classified in accordance with PDF’s Confidentiality Guidelines. Employees should take all necessary steps to prevent unauthorized access to this information.
4.2.2 Keep passwords secure and do not share them. Authorized users are responsible for the security of their passwords and accounts. Passwords must comply with PDF’s Password Guidelines. It may be necessary for IT Administrators to require access to your account/password for maintenance/troubleshooting purposes. Should this action be needed, you will be advised to create a new secure password once any administrative work is completed. You should create or request a new password if the IT Administrator overlooks advising you to do so.
4.2.3 All servers, PCs and laptops should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less.
4.2.4 Encrypt information in compliance with PDF's Confidentiality and Encryption Guidelines.
4.2.5 Because information contained on portable computers and removable media is especially vulnerable, special care should be exercised.
4.2.6 All hosts used by the employee that are connected to PDF's Internet/Intranet, whether owned by the employee or PDF, shall be continually executing approved virus-scanning software with a current virus database.
4.2.7 Employees must exercise caution when using removable media or opening e-mail attachments, which may contain phishing scams, viruses, worms, or Trojan horse code.
4.2.8 Employees must be mindful of the threats posed whilst browsing the internet; in particular malware, adware, spyware and websites whose security has been compromised.
4.2.9 Staff must exercise caution when using email on company business, treating emails as postcards and therefore insecure.
4.3 Unacceptable Use
4.3.1 The following activities are, in general, prohibited.
4.3.2 Under no circumstances is an employee of PDF authorized to engage in any activity that is illegal under UK or International law while utilizing PDF-owned resources.
4.3.3 The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
5 The following activities are strictly prohibited, with no exceptions:
5.1 System and Network Activities
5.1.1 Installation or attempted installation of unauthorized software, fonts or browser add-ons.
5.1.2 Unauthorized changes to system configuration including but not limited to hardware and software.
5.1.3 Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations.
5.1.4 Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which PDF or the end user does not have an active license is strictly prohibited.
5.1.5 Introduction of malicious programs into the network or server (e.g. viruses, worms, Trojan horses).
5.1.6 Revealing your account password or allowing use of your account by anyone other than IT Administrators. This includes family and other household members when working away from PDF’s offices.
5.1.7 Use of a computer or device in connection with PDF’s business that does not comply or does not allow compliance with PDF’s Anti Virus, Confidentiality, Encryption and Removable Media Guidelines.
5.1.8 Accessing PDF’s Intranet using a computer or device that does not comply or does not allow compliance with PDF’s Anti Virus, Confidentiality, Encryption and Removable Media Guidelines.
5.1.9 Using a PDF computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws.
5.1.10 Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient.
5.1.11 Circumventing user authentication or security of any host, network or account.
5.2 Email and Communications Activities
5.2.1 Sending unsolicited email messages, including the sending of ‘junk mail’ or other advertising material to individuals who did not specifically request such material (email spam).
5.2.2 PDF’s email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair colour, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin.
5.2.3 Unauthorized use of another staff member's email account.
5.2.4 Creating or forwarding ‘chain letters’.
5.2.5 Using a PDF email address to register for products or services without appropriate authorization.
5.2.6 Sending of email without the appropriate company details included.
6.1 Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
7 Relevant Legislation
7.1 Staff, trustees and volunteers should be aware that the use of computing facilities is governed by legislation including:
- The Companies Regulation 2006
- The Data Protection Acts (1984 and 1998)
- The Disability Discrimination Act (1995 and 2005)
- The Copyright, Designs and Patents Act (1988)
- The Computer Misuse Act (1990)
- The Criminal Justice and Public Order Act (1994)
- Amending the Obscene Publications Act (1956)
- The Protection of Children Act (1978)
- The Telecommunications Act (1984)
- The Human Rights Act (1998)
- The Regulation of Investigatory Powers Act (2000)
8 Approval and Amendment History
Authorised at Trustees’ Meeting held on November 2011
Additional point 4.2.9
Improve email security