
Document Summary
Item | Value |
Organization | Information Dynamics |
Document Name | Acceptable Use of assets Policy |
Classification | Internal |
Compliance Reference | ISO 27001:2013 |
Document Revision History
Date | Version | Prepared By |
29th Dec 2019 | 1.0 | Saravanan |
24th Dec 2020 | 1.1 | Saravanan |
24th Dec 2021 | 1.2 | Saravanan |
29th Dec 2022 | 1.3 | Saravanan |
Document Review History
Reviewed By | Version | Date | Signature |
Sankaranarayanan | 1.0 | 29-Dec-2019 | |
Sankaranarayanan | 1.1 | 26th Dec 2020 | |
Selvakumar | 1.2 | 26th Dec 2021 | |
Selvakumar | 1.3 | 29th Dec 2022 | |
The purpose of this policy is to define the Acceptable use of Internet, Intranet, e-mails, Systems, Storage Media, Operating Systems, Application Software and business Information at Information Dynamics.
ISO 27001:2013 Domain Reference: A.8.1.3
The scope of the policy will be applicable to all activities under the scope statement of Information Dynamics.
Users are authorized to utilize Information Dynamics’ information resources for business purposes for which they have been authorized. Usage of Information Dynamics’ information systems and resources for personal usage or on behalf of external personnel (i.e. personal client, family member, political, religious, or charitable or school organization, etc.) is strictly prohibited.
Introduction of unauthorized copies of licensed software & hardware (piracy/copyright & patent infringement) to Information Dynamics’ information resources and the copying of such material is strictly prohibited.
The storage, processing, or transmittal of unauthorized copies of licensed software & hardware (piracy/copyright & patent infringement), by Information Dynamics’ personnel is strictly prohibited.
Introduction of freeware and shareware software whether downloaded from the Internet or obtained through any other media to Information Dynamics’ information systems shall be subject to a formal evaluation and approval process.
Freeware and shareware applications shall be evaluated and tested by the IT Department and the business owners before installation on Information Dynamics’ Information Resources is permitted.
Introduction of pornographic material into any Information Dynamics’ information systems environment is strictly prohibited. The storage, processing, or transmittal of pornographic material on Information Dynamics’ information systems by Information Dynamics’ employees, contractors or associates is strictly prohibited and shall be dealt with through strict disciplinary action as per the laws of the land.
Usage of Information Dynamics’ information systems to store, process, download, or transmit data that can be construed as biased (politically, religiously, racially, ethnically, etc.) or supportive of harassment is strictly prohibited.
Downloading, redistribution and printing of copyrighted articles, documents, or other copyrighted materials to Information Dynamics’ information systems are strictly prohibited. Information Dynamics is not responsible for such information and resulting legal actions.
Receiving, printing, transmitting, or otherwise disseminating proprietary data, company secrets, or other confidential information in violation of company policy or proprietary agreements is strictly prohibited.
Downloading inappropriate material such as picture files, music files, or video files for personal use is strictly prohibited.
Each user has the responsibility to notify the IT Department and Business owners immediately of any evidence of or suspicion of any security violation.
Each user has the responsibility to prevent unauthorized access, including viewing, of information resources in his possession or control.
Introduction of destructive programs (e.g., viruses, self-replicating code) in order to cause intentional damage, interfere with others, gain unauthorized access, or inhibit production to Information Dynamics’ information systems is strictly prohibited.
All media shall be stored in a secured, safe environment in accordance with manufacturer’s specification.
All removable media shall be disabled by default for all employees. Information Dynamics’ users shall be authorized to use removable media after proper authorization.
The usage of such media shall be strictly for professional purposes and users must comply with the terms of the Information Dynamics’ Information Security Policy. Any breach in these terms shall make the user subject to a disciplinary process.
The contents of any re-usable media that are to be removed from the organization should be made unrecoverable, when no longer required.
Authorised Mobile Devices (e.g. Personal Digital Assistants, BlackBerry, iPhone, iPads, Android-based devices, etc.) issued by ID and authorized by ID shall be used for business purposes only. Only ID issued and approved devices shall be connected to the ID network.
Emails sent from Mobile devices must abide by ID Email Security policy.
Anti-virus software (where possible) must be present on all mobile devices.
Lost or stolen ID owned and authorized mobile devices must be reported to ID IT Service desk immediately, mentioning criticality of information stored on the device.
Mobile devices issued by ID and authorized by ID must be checked for security compliance prior to configuration for use on corporate network.
Mobile Devices shall not be left unattended and shall be physically secured wherever possible. Security PIN shall be used to lock the mobile devices.
All Mobile device users shall abide by other security policies issued by ID.
Mobile devices shall be issued after receiving a formal authorization from the concerned Head of Section.
Mobile Device users shall be responsible for information held in their Mobile Devices and protect them against unauthorized access and modification.
Insecure Mobile devices, such as jailbroken iOS or rooted Android devices, shall not be connected to the ID network.
Users shall use only their own Information Dynamics’ official E-Mail account and shall not allow anyone else access to their account. Impersonation is not permitted. Users shall identify themselves by their real name.
Each user shall take precautions to prevent unauthorized use of the E-Mail account.
Forging of header information in E-Mail (including source address, destination address, and timestamps) is not permitted.
Users shall not publish or distribute internal mailing lists to non-staff members.
Information Dynamics’ Systems should not be used to transmit or receive trade secrets, copyrighted materials, or proprietary or confidential information unless it is digitally signed and encrypted and approved by the management.
Under no circumstances is information received through unsecured E-Mail to be considered safe, nor is its content to be trusted.
Web access to email is not permitted from untrusted public computers, such as those in public internet cafés, over public wireless access services, or from any untrusted computer, if the connection is not secure. Users shall never save their user ID and password on the computer when accessing email through a web email access service.
Spam or junk emails shall be deleted immediately by users and reported to the Information Security Officer or Security Administrator so that the spam filters can be strengthened.
Attachments from unknown or untrusted sources should not be opened. All E-Mail attachments, regardless of the source or content, shall be scanned for viruses and other destructive programs before being opened or stored on any Information Dynamics’ computer system. All malicious emails and attachments shall be deleted permanently.
All Personnel shall perform a virus scan on all material that is transmitted to other users via E-Mail prior to sending it.
Users shall not send unsolicited bulk mail messages (also known as “junk mail” or “spam”). This practice includes, but is not limited to, bulk mailing of commercial advertising and religious or political tracts. If large attachments need to be sent, such attachments may be uploaded to the Intranet site and a link may be sent to all the intended readers to avoid choking the email bandwidth.
Users shall not execute or install any programs, upgrades or patches that are received via E-Mail or downloaded from the Internet.
Confidential information should never be sent to a network printer without an authorized person retrieving it to safeguard its confidentiality during and after printing.
Documents when printed in the network printer should be cleared/collected by the user immediately.
Printers used for the production of output having direct financial value or confidential information must be kept in a secure location.
Personnel using photocopiers must ensure that the documents (originals, copies and jammed ones, if any) are not left at the photocopier after the copying work.
Copying must be made only by persons with a need to know. Reproduced documents must bear the same security markings/classification as originals. When copies are made using outside facilities, care must be taken to protect the information security.
When using the photocopiers employees shall ensure they do not make any copies of controlled documents. Any such copies will be made after prior approval and authorizations from the Head of Section.
Information Dynamics’ employees shall not create or reserve any Information Dynamics’ domain names. Only the corporate communication department of Information Dynamics shall have the right to create, reserve and maintain Information Dynamics’ official social networking sites and domains, which shall be maintained by the authorized department and personnel.
Employees or contractors involved in sharing views with external users on social networking websites shall be aware of this policy and should exercise extreme caution prior to publishing information related to Information Dynamics. Employees shall not use social media sites (including the posting of information) for targeting colleagues and the general public in areas such as but not limited to:
Email spamming or unsolicited messages.
Defame, abuse, harass, stalk, threaten or otherwise violate the legal and privacy rights.
Transmit, upload or download any material that potentially contains viruses, Trojan horses, worms, time bombs, or any other malicious code.
Post messages that have racial or sexual slurs, political or religious solicitations, or any other message that is inappropriate and/or has the potential to cause Information Dynamics or its customers and business partners harm or embarrassment.
Views expressed by employees or contractors on these sites are generally considered as that of the organization and hence they shall consider liabilities to Information Dynamics’ while publishing their opinion for the benefit of intended user community.
Intellectual property rights policy shall be referred and complied with before posting technical references, research etc.
Information Dynamics’ Employees shall exercise caution on posting personal information about themselves, their family, or colleagues. Privacy settings shall be used on the social media websites to protect personal information or messages.
The information and computing resources allocated to users are the property of Information Dynamics and Information Dynamics reserves the right to monitor the activities of the users on these facilities and audit systems and networks to ensure compliance with this policy.
Information Dynamics reserves the right to monitor all users, including monitoring Internet and Intranet access, email and email attachments, where it is appropriate and legal to do so.
Upon detection of any suspicious/abnormal activity, the ISSC committee and the HR shall take appropriate action.
ISMS policies
End user agreement template
All waivers to this policy shall be managed as per the Waiver policy under the ISMS policies.
Violations of this policy and supporting policies shall result in corrective action by Management. Disciplinary action will be consistent with the severity of the incident as determined by an investigation and may include, but may not be limited to:
Issuance of warning letter to the employee detailing the violations and consequences of his actions and a reply from the employee
Loss of access privileges to information assets
Termination of employment/Contract
Other actions as deemed appropriate by Management and HR as per the Disciplinary Actions Policy of Information Dynamics
An Internal audit shall be carried out once a year and a report on the compliance shall be submitted to the Management.