Writing Information Security Policies
Appendix C: SAMPLE ACCEPTABLE USE POLICY

Explanation from Appendix C

This document sets forth the policy of ______ (the Company) with regard to the use of, access to, review, and disclosure of various electronic communications, including those sent or received by Company employees. This information systems policy applies to all individuals using the Company’s computer and network systems, including employees, subcontractors, and consultants.

For the purposes of this document, "electronic communications" includes, but is not limited to, the sending, receipt, and use of information through the corporate electronic information network, the Internet, voice mail, facsimiles, teleconferencing, and all other on-line information services.

Information Systems are for Business Purposes
Information systems offered by the Company are provided to its users for the primary purpose of Company-related use.

Personal use is permissible on a limited basis. This limited personal use should not be during charged time and should not interfere with job performance. Personal messages may not be broadcast to groups of people or other employees except to appropriate forums (such as designated Usenet news groups). Permission for Company-wide broadcasting of personal messages must be obtained from your manager.

Monitoring and Privacy
Electronic communications through the Company’s information systems are the property of the Company to assist it in carrying out business. The Company treats all electronic communications sent, receive, or stored as business messages, including those for personal use. All users shall have no expectations of privacy with respect to any electronic message. While the Company will not do this routinely, it reserves the right to monitor, access, review, copy, store, or delete any electronic communications, including personal messages, from the system for any purpose and to disclose them to others, as it deems appropriate.

Data Retention Policy
The Company will retain email messages and any backup of such email for six months. Other computer system backups will be stored for only one year, or longer if required by contract.

Prohibited Activity and Use of Good Judgment
Use of electronic communications to engage in any communication or action that is threatening, discriminatory (based on language that can be viewed as harassing others based on race, creed, color, age, sex, physical, handicap, sexual orientation, or otherwise), defamatory slanderous, obscene, or harassing is prohibited. Electronic communications shall not disclose personnel information without authorization. The destruction or alteration of electronic communications with the intent to cause harm or injury to the Company or an employee of the Company is strictly prohibited.

Electronic communications shall not be used for any illegal purposes or violate the intellectual property rights of others. Employees shall not break into the computers or intercept the communications of other individuals.

Employees will use the same good judgment to prepare electronic communications as they would use in preparing a hard copy of a memorandum. The content of electronic communications may have significant business and financial consequences for individuals of the Company and may be inappropriately taken out of context. Because of the ease of sending these documents, extra care must be taken to ensure that they are not sent hastily. Please keep in mind that your messages may be read by someone other than the addressee. Accordingly, please ensure that your messages are courteous, professional, and business-like.

Intellectual Property and Licensing
The ease of copying through various electronic communications systems poses a serious risk of intellectual properly infringement. Each user must be aware and respect the rights of others.

Software that may be marked as "free," "public domain," and "public use" may be free for personal use, but not corporate use. In downloading software from the Internet, use of this software can violate copyright or licensing requirements. Always obtain approval from your manager or the Legal Department before using any publicly available software package.

Do not copy software licensed to the Company unless you are authorized under the Company’s license to do so.

Users may not install software that originally came from your home computer or elsewhere unless you can demonstrate from a written license that such use is permitted.

Do not copy software owned by the company without appropriate permissions.

Do not remove intellectual property notices of others.

Virus Protection
Users may not knowingly create, execute, forward, or introduce any computer code designed to self-replicate, damage, or otherwise impede the performance of any computer’s memory, storage, operating system, or software.

Software and other files may not be loaded on the Company’s computers unless a virus check is performed using an approved virus-scanning program. It is a violation of this policy to disable any virus-checking facilities installed on any system or network.

Disciplinary Action
Management reserves the right to revoke any user’s access privileges at any time for violations of this policy and conduct that disrupts the normal operation of the company’s information systems. Any conduct that adversely affects the ability of others to use the company’s systems and networks, or which can harm or offend others, will not be permitted. Violations to this policy can result in termination.

Authority may be exercised without notice and management disclaims responsibility for loss or damage to data and software as a result.

Acknowledgment
I acknowledge that I have read and will abide by the Company’s Information Security Policy.

Writing Information Security Policy’s Home Page...
Scott’s Home Page...

All questions, comments, and corrections may be e-mailed to the author Last update: October 09, 2011