Acceptable Use Policy
Purpose
Big Ideas Computing Ltd. / dbFront Works ("(Company)", "us", "we", or "our") operates the dbFront.com website, the BigIdeas.ltd website and the dbFront application (hereinafter referred to as our "Services").
The purpose of the (Company) Acceptable Use Policy is to establish acceptable practices regarding the use of (Company) Information Resources in order to protect the confidentiality, integrity and availability of information created, collected, and maintained.
Audience
This Acceptable Use Policy applies to any individual, entity, or process that interacts with any (Company) Information Resource.
Acceptable Use
- Personnel are responsible for complying with (Company) policies when using (Company) information resources and/or on (Company) time. If requirements or responsibilities are unclear, please seek assistance from the Information Security Committee.
- Personnel must promptly report harmful events or policy violations involving (Company) assets or information to their manager or a member of the Incident Handling Team. Events include, but are not limited to, the following:
- Technology incident: any potentially harmful event that may cause a failure, interruption, or loss in availability to (Company) Information Resources.
- Data incident: any potential loss, theft, or compromise of (Company) information.
- Unauthorized access incident: any potential unauthorized access to a (Company) Information Resource.
- Facility security incident: any damage or potential unauthorized access to a (Company) owned, leased, or managed facility.
- Policy violation: any potential violation of this or other (Company) policies, standards, or procedures.
- Personnel should not purposely engage in activities that may
- harass, threaten, impersonate, or abuse others;
- degrade the performance of (Company) Information Resources;
- deprive authorized (Company) personnel access to a (Company) Information Resource;
- obtain additional resources beyond those allocated;
- or circumvent (Company) computer security measures.
- Personnel should not download, install, or run security programs or utilities that reveal or exploit weaknesses in the security of a system. For example, (Company) personnel should not run password cracking programs, packet sniffers, port scanners, or any other non-approved programs on any (Company) Information Resource. Approval will be granted to specific individuals tasked with Penetration Testing (Company) services and products.
- All inventions, intellectual property, and proprietary information, including reports, drawings, blueprints, software codes, computer programs, data, writings, and technical information, developed on (Company) time and/or using (Company) Information Resources are the property of (Company).
- The use of encryption should be managed in a manner that allows designated (Company) personnel to promptly access all data.
- (Company) Information Resources are provided to facilitate company business and should not be used for personal financial gain.
- Personnel are expected to cooperate with incident investigations, including any federal or provincial investigations.
- Personnel are expected to respect and comply with all legal protections provided by patents, copyrights, trademarks, and intellectual property rights for any software and/or materials viewed, used, or obtained using (Company) Information Resources.
- Personnel should not intentionally access, create, store or transmit material that (Company) may deem to be offensive, indecent, or obscene.
Access Management
- Access to information is based on a “need to know“.
- Personnel are permitted to use only those network and host addresses issued to them by (Company) IT and should not attempt to access any data or programs contained on (Company) systems for which they do not have authorization or explicit consent.
- All remote access connections made to internal (Company) networks and/or environments must be made through approved and (Company)-provided virtual private networks (VPNs).
- Personnel should not divulge any access information to anyone not specifically authorized to receive such information, including IT support personnel.
- Personnel must not share their personal authentication information, including:
- Account passwords,
- Personal Identification Numbers (PINs),
- Security Tokens (i.e. Smartcard),
- Multi-factor authentication information
- Access cards and/or keys,
- Digital certificates,
- Similar information or devices used for identification and authentication purposes.
- Access cards and/or keys that are no longer required must be returned to physical security personnel.
- Lost or stolen access cards, security tokens, and/or keys must be reported to physical security personnel as soon as possible.
- A service charge may be assessed for access cards, security tokens, and/or keys that are lost, stolen, or are not returned.
Authentication/Passwords
- All personnel are required to maintain the confidentiality of personal authentication information.
- Any group/shared authentication information must be maintained solely among the authorized members of the group.
- All passwords, including initial and/or temporary passwords, must be constructed and implemented according to the following (Company) rules:
- Must meet all requirements, including minimum length, complexity, and reuse history.
- Must not be easily tied back to the account owner by using things like username, social security number, nickname, relative’s names, birth date, etc.
- Must not be the same passwords used for non-business purposes.
- Unique passwords should be used for each system whenever possible.
- User account passwords must not be divulged to anyone. (Company) support personnel and/or contractors should never ask for user account passwords.
- If the security of a password is in doubt, the password should be changed immediately.
- Personnel should not circumvent password entry with application remembering, embedded scripts or hard-coded passwords in client software.
- Security tokens (i.e. Smartcard) must be returned on demand or upon the termination of the relationship with (Company), if issued.
- In the event that an administrator must send a password for a newly created account, it should be sent via separate media distinct from the main response/request (e.g., e-mail and phone).
Clear Desk/Clear Screen
- Personnel should log off from applications or network services when they are no longer needed.
- Personnel should log off or lock their workstations and laptops when their workspace is unattended.
- Confidential or internal information should be removed or placed in a locked drawer or file cabinet when the workstation is unattended and at the end of the workday if physical access to the workspace cannot be secured by other means.
- Personal items, such as phones, wallets, and keys, should be removed or placed in a locked drawer or file cabinet when the workstation is unattended.
- File cabinets containing confidential information should be locked when not in use or when unattended.
- Physical and/or electronic keys used to access confidential information should not be left on an unattended desk or in an unattended workspace if the workspace itself is not physically secured.
- Laptops should be either locked with a locking cable or locked away in a drawer or cabinet when the work area is unattended or at the end of the workday if the laptop is not encrypted.
- Passwords must not be posted on or under a computer or in any other physically accessible location.
- Copies of documents containing confidential information should be immediately removed from printers and fax machines.
Data Security
- Personnel should use approved encrypted communication methods whenever sending confidential information over public computer networks (Internet).
- Confidential information transmitted via USPS or other mail service must be secured in compliance with the Information Classification and Management Policy.
- Only authorized cloud computing applications may be used for sharing, storing, and transferring confidential or internal information.
- Information must be appropriately shared, handled, transferred, saved, and destroyed, based on the information sensitivity.
- Personnel should not have confidential conversations in public places or over insecure communication channels, open offices, and meeting places.
- Confidential information must be transported either by an (Company) employee or a courier approved by IT Management.
- All electronic media containing confidential information must be securely disposed. Please contact IT for guidance or assistance.
Email and Electronic Communication
- Auto-forwarding electronic messages outside the (Company) internal systems is prohibited.
- Electronic communications should not misrepresent the originator or (Company).
- Personnel are responsible for the accounts assigned to them and for the actions taken with their accounts.
- Accounts must not be shared without prior authorization from (Company) IT, with the exception of calendars and related calendaring functions.
- Employees should not use personal email accounts to send or receive (Company) confidential information.
- Any personal use of (Company) provided email should not:
- Involve solicitation.
- Be associated with any political entity, excluding the (Company) sponsored PAC.
- Have the potential to harm the reputation of (Company).
- Forward chain emails.
- Contain or promote anti-social or unethical behavior.
- Violate municipal, provincial, federal, or international laws or regulations.
- Result in unauthorized disclosure of (Company) confidential information.
- Or otherwise violate any other (Company) policies.
- Personnel should only send confidential information using approved secure electronic messaging solutions.
- Personnel should use caution when responding to, clicking on links within, or opening attachments included in electronic communications.
- Personnel should use discretion in disclosing confidential or internal information in Out of Office or other automated responses, such as employment data, internal telephone numbers, location information or other sensitive data.
Hardware and Software
- All hardware must be formally approved by IT Management before being connected to (Company) networks.
- Software installed on (Company) equipment must be approved by IT Management and installed by (Company) IT personnel.
- All (Company) assets taken off-site should be physically secured at all times.
- Personnel traveling to a High-Risk location, must contact IT for approval to travel with corporate assets.
- Employees should not allow family members or other non-employees to access (Company) Information Resources.
Internet
- The Internet must not be used to communicate (Company) confidential or internal information, unless the confidentiality and integrity of the information is ensured and the identity of the recipient(s) is established.
- Use of the Internet with (Company) networking or computing resources must only be used for business-related activities. Unapproved activities include, but are not limited to:
- Recreational games,
- Streaming media,
- Personal social media,
- Accessing or distributing pornographic or sexually oriented materials,
- Attempting or making unauthorized entry to any network or computer accessible from the Internet.
- Or otherwise violate any other (Company) policies.
- Access to the Internet from outside the (Company) network using a (Company) owned computer must adhere to all of the same policies that apply to use from within (Company) facilities.
Mobile Devices and Bring Your Own Device (BYOD)
- The use of a personally owned mobile device to connect to the (Company) network is a privilege granted to employees only upon formal approval of IT Management.
- All personally owned laptops and/or workstations must have approved virus and spyware detection/protection software along with personal firewall protection active.
- Mobile devices that access (Company) email must have a PIN or other authentication mechanism enabled.
- Confidential information should only be stored on devices that are encrypted in compliance with the (Company) Encryption Standard.
- (Company) confidential information should not be stored on any personally owned mobile device.
- Theft or loss of any mobile device that has been used to create, store, or access confidential or internal information must be reported to the (Company) Security Team immediately.
- All mobile devices must maintain up-to-date versions of all software and applications.
- All personnel are expected to use mobile devices in an ethical manner.
- Jail-broken or rooted devices should not be used to connect to (Company) Information Resources.
- (Company) IT Management may choose to execute “remote wipe” capabilities for mobile devices without warning (see Mobile Device Email Acknowledgement).
- In the event that there is a suspected incident or breach associated with a mobile device, it may be necessary to remove the device from the personnel’s possession as part of a formal investigation.
- All mobile device usage in relation to (Company) Information Resources may be monitored, at the discretion of (Company) IT Management.
- (Company) IT support for personally owned mobile devices is limited to assistance in complying with this policy. (Company) IT support may not assist in troubleshooting device usability issues.
- Use of personally owned devices must be in compliance with all other (Company)
- (Company) reserves the right to revoke personally owned mobile device use privileges in the event that personnel do not abide by the requirements set forth in this policy.
- Texting or emailing while driving is not permitted while on company time or using (Company) Only hands-free talking while driving is permitted, while on company time or when using (Company) resources.
Privacy
- Information created, sent, received, or stored on (Company) Information Resources are not private and may be accessed by (Company) IT employees at any time, under the direction of (Company) executive management and/or Human Resources, without knowledge of the user or resource owner.
- (Company) may log, review, and otherwise utilize any information stored on or passing through its Information Resource
- Systems Administrators, (Company) IT, and other authorized (Company) personnel may have privileges that extend beyond those granted to standard business personnel. Personnel with extended privileges should not access files and/or other information that is not specifically required to carry out an employment-related task.
Removable Media
- The use of removable media for storage of (Company) information must be supported by a reasonable business case.
- All removable media use must be approved by (Company) IT prior to use.
- Personally owned removable media use is not permitted for storage of (Company) information resources or material.
- Personnel are not permitted to connect removable media from an unknown origin without prior approval from the (Company)
- Confidential and internal (Company) information should not be stored on removable media without the use of encryption.
- All removable media must be stored in a safe and secure environment.
- The loss or theft of a removable media device that may have contained any (Company) information must be reported to the (Company)
VoiceMail
- Personnel should use discretion in disclosing confidential or internal information in voicemail greetings, such as employment data, internal telephone numbers, location information or other sensitive data.
- Personnel should not access another user’s voicemail account unless it has been explicitly authorized.
- Personnel must not disclose confidential information in voicemail messages.
Incidental Use
- As a convenience to (Company) personnel, incidental use of Information Resources is permitted. The following restrictions apply:
- Incidental personal use of electronic communications, Internet access, fax machines, printers, copiers, and so on, is restricted to (Company) approved personnel; it does not extend to family members or other acquaintances.
- Incidental use should not result in direct costs to (Company).
- Incidental use should not interfere with the normal performance of an employee’s work duties.
- No files or documents may be sent or received that may cause legal action against, or embarrassment to, (Company) or its customers.
- Storage of personal email messages, voice messages, files and documents within (Company) Information Resources must be nominal.
- All information located on (Company) Information Resources is owned by (Company) and may be subject to open records requests and may be accessed in accordance with this policy.
Waivers
Waivers from certain policy provisions may be sought following the (Company) Waiver Process.
Enforcement
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.
Version History
Modified Date | Reason / Comments |
---|---|
2023-01-09 | Initial Version |
Sourced | FRSecure |
Social Media