IS-10 Acceptable Use Policy

Last updated: 25 September 2023 at 16:43:21 UTC by Junari Assistant

Acceptable Use Policy

Document Ref No: IS-10

Version No: V1

Last review date: 16/10/2021

Approved by: Dom Tyler

Next review: 16/10/2022


Contents

1. Purpose, scope and users
2. Acceptable use of information assets
2.1. Definitions
2.2. Acceptable use of Company Data
2.3. Data location and laptop backup
2.4. Personal Use of Equipment
2.5. User Owned Devices
2.6. Prohibited activities
2.7. Remote Working
2.8. Return of assets upon termination of contract
2.9. Antivirus protection
2.10. Mobile device access control
2.11. User account responsibilities
2.12. Password responsibilities
2.13. Clear desk and clear screen policy
2.13.1. Clear desk policy
2.13.2. Clear screen policy
2.14. Internet use
2.15. Maintaining Security Controls
2.16. E-mail and other message exchange methods
2.17. Copyright
2.18. Incidents
3. Document management
4. Version history


1.    Purpose, scope and users

The purpose of this document is to define clear rules for the use of information systems and other Accellier information assets.

This document is applied to the entire scope of the Information Security Management System (ISMS), i.e. to all information systems and other information assets used within the ISMS scope.

Users of this document are all employees of Accellier.

 

2.    Acceptable use of information assets

2.1.         Definitions

Information system – includes all servers and clients, network infrastructure, system and application software, data, and other computer systems and components which are owned or used by the organisation or which are under the organisation's responsibility.  The use of an information system also includes the use of all internal or external services, such as Internet access, e-mail, cloud services etc.

Information assets – in the context of this Policy, the term information assets is applied to information systems and other information/equipment including paper documents, mobile phones, portable computers, data storage media, etc.

2.2.         Acceptable use of Company Data

All company data remains the property of Accellier at all times. Company information and data may be used only for the purpose of executing company-related tasks unless specifically authorised by management.

2.3.         Data location and laptop backup

All company data should be stored on an appropriate Google Drive where possible, so that it is securely backed up. Data saved only to a laptop local drive could be lost.

2.4.         Personal Use of Equipment

Personal use of company supplied mobile equipment such as laptops and mobile phones is permitted in line with this policy and the Mobile Device and Remote Working Policy.

2.5.         User Owned Devices

User owned devices may be used for work purposes where required. User owned devices must be secured in line with this policy and Mobile Device and Remote Working Policy. Accellier reserves the right to remove company data, or access to it, from user owned devices at any time.

2.6.         Prohibited activities

It is prohibited to use information assets in a manner that unnecessarily takes up capacity, weakens the performance of the information system or poses a security threat. It is also prohibited:

•  to download image or video files which are pornographic, offensive, or illegal.

•  to install software on a local computer without management authorisation.

•  to download files or program code from unsafe sources.

•  to install or use peripheral devices such as memory cards or other devices for storing and reading data (e.g. USB flash drives) without permission.

2.7.         Remote Working

Users are expected to exercise reasonable care and take the following precautions when working remotely:

•  Take appropriate steps to protect the laptop from theft.

•  Location services must always be enabled to ensure we are able to locate the device if it is ever lost or stolen.

•  Assets must never be left unattended in public areas.

•  Where possible, assets should not be left unattended in a parked vehicle. Where there is no alternative, they should be locked in the boot.

2.8.         Return of assets upon termination of contract

Upon termination of an employment contract or other contract, the employee/contractor must return all information assets (including equipment, data, software, documents) to their line manager.

2.9.         Antivirus protection

Antivirus software must be installed on each computer with activated automatic updates. This also applies to user owned devices that are used for work activities.

2.10.     Mobile device access control

Users must comply with the Mobile Device and Remote Working Policy. Mobile devices must be encrypted, and access to them must be protected by a PIN/password or equivalent access control.


2.11.     User account responsibilities

The user must not, directly or indirectly, allow another person to use their access rights (i.e. username and password), and must not use another person’s access rights unless absolutely required and authorised by management.

2.12.     Password responsibilities

Users must comply with the Password Policy when selecting and using passwords.

2.13.     Clear desk and clear screen policy

2.13.1.  Clear desk policy

If the authorised person is not at their workplace, all Confidential documents and data storage media must be removed from the desk or other places (printers, photocopiers, etc.) to prevent unauthorised access. 

Such documents and media must be stored in a secure manner in accordance with the Information Classification Policy.

2.13.2.  Clear screen policy

If the authorised person is away from their PC/Tablet/Smartphone, Confidential information must be removed from the screen.

During business hours, the clear screen policy is implemented by locking the screen with a password.  If the equipment will be unattended for an extended period e.g., overnight, the policy is implemented by logging off all systems and switching the equipment off where possible.

2.14.     Internet use

The Internet may be accessed. The IT Department may block access to some Internet pages for individual users, groups of users or all employees at the organisation. The user must not try to bypass such restrictions. If access to some web pages is blocked, the user may submit a request for authorisation to access such pages.

The user must regard information received through unverified websites as unreliable. Such information may be used for business purposes only after its authenticity and correctness have been verified.

The user is responsible for all possible consequences arising from unauthorised or inappropriate use of Internet services or content.

2.15.     Maintaining Security Controls

The user must not attempt to bypass security controls without prior management authorisation.

2.16.     E-mail and other message exchange methods

Message exchange methods include e-mail, telephones, SMS text messages, instant messaging, social media messages, download of files from the Internet and transfer of data via FTP.

Users may only send messages containing true information. It is forbidden to send material with disturbing, unpleasant, sexually explicit, offensive, slanderous or any other unacceptable or illegal content.  All communications must also be compliant with the Data Protection Policies.

Should a user receive a malicious email, they should follow the Incident Management Procedure.

If sending a message with classified content, the user must protect it in line with the ISMS and Data Protection policies.

2.17.     Copyright

Users must not make unauthorised copies of software owned by the organisation, except in cases permitted by law and Accellier Management.

Users must not copy software or other original materials from other sources, and are liable for all consequences that could arise under intellectual property law.

2.18.     Incidents

Each employee, supplier or third party who is in contact with Accellier data and/or systems must report any system weakness or event indicating a possible security incident as specified in the Incident Management Procedure.

 

3.    Document management

This policy shall be available to all Accellier Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Accellier Employees via email.

 

4.    Version history

Summary of Change | Date of Change | Author | Version No

First Draft | 16/10/2021 | Dom Tyler | 1