JustFAB Acceptable Use Policy
Version Control
Version | Date | Author | Modifications
1.0 | 6/24/2014 | Jason Loomis, VP IT Security/Operations | Initial release
1. Overview
The functioning and success of JustFAB is critically dependent on information
and information systems. If important information were disclosed to
inappropriate or unauthorized persons, the company could be held financially
liable by our customers and partners. The good reputation that JustFAB is
establishing is also directly linked with the way that it manages both information
and information systems. For example, if private customer information were to
be publicly disclosed, the organization’s reputation would be harmed and
JustFAB would be subject to serious risk of lawsuits. Executive management has
initiated and continues to support an information security effort. One part of
that effort is the definition of these information security policies.
To be effective, information security must be a team effort involving the
participation and support of every JustFAB worker who deals with information
and information systems. In recognition of the need for teamwork, this policy
statement clarifies the responsibilities of users and the steps they must take to
help protect JustFAB information and information systems.
2. Purpose
The purpose of this policy is to outline the acceptable use of computer
equipment, networks and infrastructure at JustFAB and to ensure rules are in
place to protect JustFAB workers and JustFAB.
3. Scope
This policy applies to employees, contractors, consultants, interns, vendors and
other workers at JustFAB, including all personnel affiliated with third parties.
This policy applies to all computer and network systems owned, leased, licensed
or administered by JustFAB. This includes, but is not limited to, all operating
systems, computer systems, and application systems. The policy covers only
information handled by computers and networks. Although this document
includes mention of other manifestations of information such as voice and
paper, it does not directly address the security of information in these forms. For
information about the protection of information in paper form, see the
employee handbook.
4. Policy
4.1. Need to know
Access to information in the possession of, or under the control of, JustFAB must
be provided based on a need to know. Information must be disclosed only to
people who have a legitimate business need for the information. Workers must
not attempt to access sensitive information unless the appropriate management
has granted them access. When a worker changes job duties, including
termination, transfer, promotion and leave of absence, his or her supervisor
must immediately notify Human Resources.
4.2. Information Classification
JustFAB has adopted an information classification system that categorizes
information into three groupings. All information under JustFAB control,
whether generated internally or externally, falls into one of these categories:
Secret, Confidential, or Public. All workers must familiarize themselves with the
definitions for these categories and the steps that must be taken to protect the
information within each of these categories. Details can be found in the JustFAB
Information Classification Standard. For purposes of this policy, “sensitive
information” is information that falls into either the Secret or Confidential
categories.
4.2.1. Secret
This classification label applies to the most sensitive business information that is
intended for use strictly within JustFAB. Its unauthorized disclosure could
seriously and adversely impact JustFAB, its customers, its business partners, and
its suppliers. Examples include but are not limited to merger and acquisition
documents, corporate level strategic plans, litigation strategy memos, reports on
breakthrough new product research, and Trade Secrets such as certain computer
code or programs.
4.2.2. Confidential
This classification label applies to less-sensitive business information that is
intended for use within JustFAB. Its unauthorized disclosure could adversely
impact JustFAB or its customers, suppliers, business partners, or employees.
Information that some people would consider to be private is included in this
classification. Examples include employee performance evaluations, customer
transaction data, strategic alliance agreements, unpublished internally-
generated market research, computer passwords, identity token personal
identification numbers, and internal audit reports. Personally Identifiable
Information, Credit Card information, and other applicable information are
examples of Confidential Information. If information or a system has no label or
its classification is not known, it is to be considered confidential and handled according to the
“confidential” rating noted within this policy.
4.2.3. Public
This classification applies to information that has been approved by JustFAB
management for release to the public. By definition, there is no such thing as
unauthorized disclosure of this information and it may be disseminated without
potential harm. Examples include finalized product and service brochures,
advertisements, job opening announcements, and press releases.
4.2.4. Additional Information
For additional guidance on labeling and handling of secret and confidential
information refer to the JustFAB Information Classification Standard or contact
the IT Security Department.
4.3. User IDs and Passwords
JustFAB requires that each worker accessing multi-user information systems
have a unique user ID and a private password. Each worker is personally
responsible for the usage of his or her user ID and password. Passwords must
follow the guidelines below (for additional guidance, refer to the JustFAB
Information Security Policy on the selection of IT Security approved passwords).
Minimum password requirements
• Your password must be at least 8 characters long
• Your password cannot contain more than two consecutive
  characters of your full name
• Your password must contain characters from three of the four
  following categories:
  o English uppercase characters (A through Z)
  o English lowercase characters (a through z)
  o Base 10 digits (0 through 9)
  o Non-alphabetic characters (all symbols)
• Difficult-to-guess passwords - passwords must not be related to one’s
  job or personal life or be common words found in a dictionary
  (regardless of language).
• Repeated password patterns - Users must not construct passwords
  that are identical or substantially similar to passwords they have
  previously employed.
• Password storage - Passwords must not be stored in readable form in
  batch files, automatic logon scripts, software macros, terminal
  function keys, in computers without access control systems, or in
  other locations where unauthorized persons might discover them.
  Passwords must not be written down in some readily-decipherable
  form and left in a place where unauthorized persons might discover
  them.
• Sharing passwords - Passwords must never be shared with or revealed
  to others except when first created by IT.
• Suspected unauthorized use - If a user believes that his or her user ID
  and password are being used by someone else, the user must
  immediately notify Info Sec.
4.4. Release of Information to Third Parties
Unless it has specifically been designated as public information, all JustFAB
internal information must be protected from disclosure to third parties. Third
parties may be given access to JustFAB internal information only when a
demonstrable need to know exists and when a JustFAB non-disclosure
agreement has been signed. If sensitive information is lost, is disclosed to
unauthorized parties, or is suspected of being lost or disclosed to unauthorized
parties, the Security Department must be notified immediately.
4.5. Physical Security to Control Information Access
Access to every office, computer machine room, and other JustFAB work area
containing sensitive information must be physically restricted to those people
with a need to know. When not in use, Secret/Confidential information must
always be protected from unauthorized disclosure. Workers must position their
computer screens such that unauthorized people cannot look over their shoulder
and see the Secret/Confidential information displayed.
4.6. Network Connections
All JustFAB computers that store Secret/Confidential information and that are
permanently or intermittently connected to internal computer networks must
have a password-based access control system. Users working with all other types
of computers must employ the screen saver passwords that are provided with
operating systems, so that after a period of no activity the screen will go blank
until the correct password is again entered. Multi-user systems throughout
JustFAB must employ automatic log off systems that automatically terminate a
user’s session after a defined period of inactivity.
It is prohibited to enable your computer as a hotspot while connected to the
JustFAB corporate or wireless networks. Only approved IT network devices are
allowed on the JustFAB corporate network; this includes, but is not limited to,
wireless access points, network hubs/switches, and media devices such as
Sonos/Roku.
When using JustFAB computers, JustFAB workers must not establish connections
with external networks including, but not limited to, Internet Service Providers,
anonymizers, or remote access software to non-JustFAB systems, unless these
connections have been approved by the IT Security Department.
4.7. Internet Access
Workers are provided with Internet access to perform their job duties. All
information received from the Internet should be considered to be suspect until
confirmed by reliable sources. Secret/Confidential information, including, but
not limited to, passwords and credit card numbers, must not be sent across or
placed on the Internet unless this information is encrypted and such
transmission has been authorized. These and related considerations are
discussed in greater detail in the Internet Communications Standard and the
Electronic Mail Standard. Using company provided Internet access to view or
store offensive or objectionable material or information is
prohibited. Workers are prohibited from using company provided Internet
access to engage in any actions that violate any federal, state or local laws or
regulations. These and related considerations are discussed in greater detail in
the Internet Communications Standard and the Electronic Mail Standard.
4.7.1. Electronic Mail
Every JustFAB worker who uses computers in the course of their regular job
duties will be provided a JustFAB email address. A personal Internet service
provider electronic mail account or any other electronic mail address must not
be used for JustFAB business. These and related considerations are discussed in
greater detail in the Electronic Mail Standard. Using electronic mail to send
offensive or objectionable material or information is prohibited. Workers are
prohibited from using the company’s electronic mail to transmit or receive any
information in violation of federal, state or local laws or regulations, including
trade secrets. These and related considerations are discussed in greater detail in
the Internet Communications Standard and the Electronic Mail Standard.
4.8. Security Software
All personal computers provided by JustFAB may have security software installed
and enabled. Workers must not bypass, tamper with, modify, remove or disable any
security software.
4.8.1. Malicious software
All computers connected to the JustFAB network must have approved anti-
malware software installed as applicable. Any non-JustFAB managed anti-
malware software must have the most current updates. Anti-malware screening
software must be used to scan all software and data files coming from third
parties. This scanning must take place before new data files are opened and
before new software is executed. If workers suspect infection by malware they
must immediately stop using the involved computer, disconnect from the
network, and notify the JustFAB Servicedesk.
4.9. Software
JustFAB computers and networks must not run software that comes from
sources other than other JustFAB, knowledgeable and trusted user groups, well-
known systems security authorities, or established computer, network, or
commercial software vendors. Users must not copy software provided by
JustFAB to any storage media, transfer such software to another computer, or
disclose such software to outside parties without advance permission from their
manager.
4.10. Backup Responsibility
Backups are not generally provided for personal computers. Any data located on
the user’s personal computer that may require a backup must be
copied/moved to a JustFAB provided network resource. Third party backup
solutions are strictly prohibited.
4.11. Right to Search and Monitor
JustFAB management reserves the right to monitor, inspect, or search at any
time all JustFAB information systems, networks, files and emails. This
examination may take place with or without the consent, presence, or
knowledge of the involved workers. All searches of this nature will be conducted
after the approval of the Legal and Security departments has been obtained.
Because JustFAB computers and networks are provided for business purposes
only, and at all times remain the property of JustFAB, workers have no
expectation of privacy associated with the information they store in or send
through these information systems, networks and/or devices.
4.12. Personal Use
JustFAB information systems are intended to be used for business purposes only.
Incidental personal use is permissible if the use does not consume more than a
trivial amount of resources that could otherwise be used for business purposes,
does not interfere with worker productivity, does not preempt any business
activity and is appropriate within a business environment.
4.13. Security Testing
Unless specifically authorized by the IT Security Department, JustFAB workers
must not acquire, possess, trade, or use hardware or software tools that could
be employed to evaluate or compromise information systems security. Without
this type of approval, workers are prohibited from using any hardware or
software that monitors the traffic on a network or the activity on a computer.
5. Violation and Incident Reporting
All JustFAB workers must report suspected violations of this policy or any other
Information Security policy or standard. Additionally, all JustFAB workers will
report to the IT Security Department any actual or suspected security issues or
losses including, but not limited to, system intrusions, malicious software
infestations, and other conditions that might jeopardize JustFAB information or
JustFAB information systems.
6. Enforcement
Failure to comply with, or violation of, these policies may subject workers to
disciplinary warnings and/or disciplinary action including possible termination
and prosecution.