Topic-Specific Policy Examples

Part of the document Information Security Policies, Procedures, and Standards (Pages 53 - 59)

The following topic-specific policies address various areas of concern. Notice whether the basic components — thesis statement, relevance, responsibilities, compliance — and additional information are included.

3.9.1 Example 1 — Internet Security Policy

Introduction

The Company, through the Internet, provides computing resources to its staff to access information, communicate, retrieve, and disseminate organization and business-related information. Use of the public Internet by Company employees is permitted and encouraged where such use is suitable for business purposes in a manner that is consistent with the Company standards of business conduct and as part of the normal execution of an employee’s job responsibilities. In addition, the Company provides intranet facilities as a means of sharing timely organization and business-related information throughout the company.

As with all Company policies, this policy applies to all employees, contractors, consultants, as well as any other individuals utilizing the Company-provided Internet connection.

Policy Objectives

The Internet Security Policy has been implemented to:

Provide direction for the protection of Company-owned and controlled information assets.

Establish standards for providing desktop access to the Internet.

Identify safeguards to enable the exchange of Company information with other Internet users while protecting the business interests of the Company and the privacy right of the employees.

Identify enterprise responsibilities in regard to local, state, federal, or international regulations and laws governing electronic information exchange and commerce.

Internet Access Standards

The use of Company-provided access to the Internet is intended exclusively for management-approved activities.

All access to the Internet by employees must be done through the Company-provided method.

All publications/content files not classified as PUBLIC in accordance with the Company Information Classification Policy must be approved by Corporate Communications.

All business cases for Internet initiatives must be submitted to ES Network Control and ES Information Security.

Company Internet users must report all security-related incidents to appropriate management upon discovery.

Company policies regarding Employee Standards of Conduct, Conflict of Interest, Company Ethics Policy, Equal Employment Opportunity and Diversity in the Workplace, Communication and Information Protection also apply to the Internet.

Employees must submit a completed Internet Usage and Responsibility Agreement prior to Company-provided Internet access (Exhibit 2).

Exhibit 2 Internet Usage and Responsibility Agreement

Internet Usage and Responsibility Agreement

I, ____________________, acknowledge and understand that access to the Internet, as provided by the Company, is for Management approved use only. This supports Company policies on Standards of Conduct and Equal Employment Opportunity and Diversity, and among other things, prohibits the downloading of games, viruses, inappropriate materials or picture files, and unlicensed software from the Internet.

I recognize and accept that while accessing the Internet, I am responsible for maintaining the highest professional and ethical standards, as outlined in Company policy on Standards of Conduct.

I have read and understand the Company policies mentioned above and accept my responsibility to protect the Company’s information and good name.

Name ____________________ Date _______

3.9.2 Example 2 — A Telecommuting Policy

Policy

The Company allows telecommuting where there are opportunities for improved employee performance, reduced commuting miles, and/or potential for savings for the Company or business unit.

40 Information Security Policies, Procedures, and Standards

Provisions

Business Units may implement telecommuting as a work option for certain employees based upon specific criteria and procedures consistently applied throughout the agency. Business Units opting to implement a telecommuting policy for their departments shall ensure that each employee request is considered in relation to the departmental operating requirements and customer needs.

Consideration may be given to employees who have demonstrated work habits and performance well suited to successful telecommuting.

Telecommuting criteria and procedures shall be evaluated to ensure their benefits and effectiveness.

The telecommuter’s conditions of employment shall remain the same as for non-telecommuting employees. Employee salary, benefits, and employer-sponsored insurance coverage shall not change as a result of telecommuting.

Business visits, meetings with Your Company customers, or regularly scheduled meetings with co-workers shall not be held at the home worksite.

Telecommuting employees shall not act as primary caregivers for dependents nor perform other personal business during hours agreed upon as work hours.

Tele-worksites shall be in the same state as the central worksite.

The Company shall provide tele-worksite office supplies. Equipment and software, if provided by the business unit for use at the tele-worksite, shall be for the purposes of conducting Company business.

The telecommuter shall normally provide home worksite furniture and equipment. The employee shall maintain a clean, safe workspace. In the case of injury occurring during telecommuting work hours, the employee shall immediately report the injury to the supervisor.

Responsibilities

Employees shall sign and abide by a telecommuting agreement between the employee and the supervisor. A model agreement, an addendum to this policy, may require modification to fit individual tele-worksite circumstances (Exhibit 3).

Telecommuting shall be voluntary. Unless otherwise provided in the agreement, either the Business Unit or the employee may discontinue the arrangement at any time, generally giving one week’s notice.

The agreement shall specify individual work schedules.

Travel between the tele-worksite and the central worksite shall not be reimbursed.

Exhibit 3 Model Telecommuting Agreement

MODEL TELECOMMUTING AGREEMENT

TELE-WORKSITE

___ Home (Specify location in home)
___ Satellite
___ Other (Specify)

Address:

Phone:

CENTRAL WORKSITE

Will there be any sharing of or changes in work space when telecommuting begins? ___ Yes ___ No

If yes, specify:

SCHEDULE

Telecommuting days: ___ Mon. ___ Tue. ___ Wed. ___ Thur. ___ Fri.

If the telecommuter must come into the office on a scheduled telecommuting day, may another day be substituted? ___ Yes ___ No

Telecommuting time: Start _____ Finish _____ Total Hours Per Day _____

Lunch _____ to _____

EQUIPMENT

The Company is not responsible for any private property used, lost, or damaged.

The Company may pursue recovery from the employee for property that is deliberately or negligently damaged or destroyed while in the employee’s care, custody, or control. The Company is responsible for the deductible on Company property unless otherwise specified in this agreement under OTHER ARRANGEMENTS. Employees are advised to contact their insurance agent and a tax consultant for information regarding home worksites.

In the event of equipment failure, the employee may be assigned to another project and/or work location. The employee shall surrender all Company-owned equipment and data documents immediately upon request.

What equipment will be used?

ITEM --- INVENTORY NO. --- OWNER (list)

Will there be a modem connection to a state LAN or mainframe? ___ Yes ___ No

Is there any other computer security issue? ___ Yes ___ No


If yes to either question, has advice been obtained from Information Protection? ___ Yes ___ No

COMMUNICATION

Will the following be utilized:

Call forwarding? ___ Yes ___ No

Answering machine or voice mail? ___ Yes ___ No

Receptionist or co-workers take calls? ___ Yes ___ No

How will incoming calls to the central worksite be answered on telecommuting days?

The employee agrees to call the office to obtain messages at least ___ times a day.

Call in times: (list)

The employee shall promptly notify the supervisor when unable to perform work assignments due to equipment failure or other unforeseen circumstances.

Other procedures: (list)

ARRANGEMENTS

Date telecommuting to begin: _______

Intervals for telecommuting agreement review: ________

Agency policy for payment of business telephone and data calls from the tele-worksite: (attach)

The employee and supervisor plan to participate in ODOE-sponsored training and assistance? ___ Yes ___ No

TERMINATION

Unless specified in OTHER ARRANGEMENTS, the Company and/or employee may discontinue this arrangement at any time, generally giving one week’s notice.

OTHER ARRANGEMENTS

Additional conditions agreed upon by the employee and supervisor: (list)

I have read and understand both the telecommuting policy and this agreement and agree to abide by and operate in accordance with their terms and conditions.

I agree that the sole purpose of this agreement is to regulate telecommuting and that it constitutes neither an employment contract nor an amendment to any existing contract.

Employee _________________ Supervisor ___________________ Date ______


Compliance

Company management has the responsibility to manage corporate information, personnel, and physical property relevant to business operations, as well as the right to monitor the actual utilization of all corporate assets.

Employees who fail to comply with the policies will be considered to be in violation of Your Company’s Employee Standards of Conduct and will be subject to appropriate corrective action.

3.9.3 Example 3 — Information Classification Policy

Information is a company asset and is the property of Your Company.

Your Company information includes information that is electronically generated, printed, filmed, typed, stored, or verbally communicated. Information must be protected according to its sensitivity, criticality, and value, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed.

Provisions

To ensure the proper protection of corporate information, the Owner shall use a formal review process to classify information into one of the following classifications:

Public: Information that has been made available for public distribution through authorized company channels. (Refer to the Communication policy for more information.)

Confidential: Information that, if disclosed, could violate the privacy of individuals, reduce the competitive advantage of the company, or cause significant damage to Your Company.

Internal Use: Information that is intended for use by employees when conducting company business. Most information used in Your Company would be classified Internal Use.

Declassification

The Owner is to establish a review process for all information classified as Confidential, and reclassify it when it no longer meets the criteria established for such information.

Responsibilities

Employees are responsible for protecting corporate information from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. To facilitate the protection of corporate information, employee responsibilities have been established at three levels: Owner, Custodian, and User.

1. Owner: Your Company management of an organizational unit, department, etc. where the information is created, or that is the primary user of the information. Owners are responsible to:

a. Identify the classification level of all corporate information within their organizational unit.

b. Define and implement appropriate safeguards to ensure the confidentiality, integrity, and availability of the information resource.

c. Monitor safeguards to ensure their compliance and report situations of noncompliance.

d. Authorize access to those who have a business need for the information.

e. Remove access from those who no longer have a business need for the information.

2. Custodian: Employees designated by the Owner to be responsible for maintaining the safeguards established by the Owner.

3. User: Employees authorized by the Owner to access information and use the safeguards established by the Owner.

Compliance

Company management has the responsibility to:

Manage corporate information, personnel, and physical property relevant to business operations, as well as the right to monitor the actual utilization of all corporate assets.

Ensure that all employees understand their obligation to protect company information.

Implement security practices and procedures that are consistent with Your Company policies and the value of the asset.

Note variances from established security practice and initiate corrective action.

Employees who fail to comply with the policies will be considered to be in violation of Your Company Employee Standards of Conduct and will be subject to appropriate corrective action.
