IS-10 Acceptable Use Policy
Last updated: 24 October 2024 at 11:46:06 UTC by Russell Briggs
Acceptable Use Policy
| Document Ref No | IS-10 |
| Version No | V1 |
| Last review date | 16/10/2021 |
| Approved by | Dom Tyler |
| Next review | 16/10/2022 |
Contents
1. Purpose, scope and users
2. Acceptable use of information assets
2.1. Definitions
2.2. Acceptable use of Company Data
2.3. Data location and laptop backup
2.4. Personal Use of Equipment
2.5. User Owned Devices
2.6. Prohibited activities
2.7. Remote Working
2.8. Return of assets upon termination of contract
2.9. Antivirus protection
2.10. Mobile device access control
2.11. User account responsibilities
2.12. Password responsibilities
2.13. Clear desk and clear screen policy
2.13.1. Clear desk policy
2.13.2. Clear screen policy
2.14. Internet use
2.15. Maintaining Security Controls
2.16. E-mail and other message exchange methods
2.17. Copyright
2.18. Incidents
3. Document management
4. Version history
1. Purpose, scope and users
The purpose of this document is to define clear rules for the use of information systems and other Recycly information assets.
This document is applied to the entire scope of the Information Security Management System (ISMS), i.e. to all information systems and other information assets used within the ISMS scope.
Users of this document are all employees of Recycly.
2. Acceptable use of information assets
2.1. Definitions
Information system – includes all servers and clients, network infrastructure, system and application software, data, and other computer systems and components which are owned or used by the organisation or which are under the organisation's responsibility. The use of an information system also includes the use of all internal or external services, such as Internet access, e-mail, cloud services etc.
Information assets – in the context of this Policy, the term information assets is applied to information systems and other information/equipment including paper documents, mobile phones, portable computers, data storage media, etc.
2.2. Acceptable use of Company Data
All company data remains the property of Recycly at all times. Company information and data may be used only for the purpose of executing company-related tasks unless specifically authorised by management.
2.3. Data location and laptop backup
All company data should be stored on an appropriate Google Drive where possible, so that it is securely backed up. Data saved only to a laptop local drive could be lost.
2.4. Personal Use of Equipment
Personal use of company supplied mobile equipment such as laptops and mobile phones is permitted in line with this policy and the Mobile Device and Remote Working Policy.
2.5. User Owned Devices
User owned devices may be used for work purposes where required. User owned devices must be secured in line with this policy and Mobile Device and Remote Working Policy. Recycly reserves the right to remove company data, or access to it, from user owned devices at any time.
2.6. Prohibited activities
It is prohibited to use information assets in a manner that unnecessarily takes up capacity, weakens the performance of the information system or poses a security threat. It is also prohibited:
● to download image or video files which are pornographic, offensive, or illegal.
● to install software on a local computer without management authorisation.
● to download files or program code from unsafe sources.
● to install or use peripheral devices such as memory cards or other devices for storing and reading data (e.g. USB flash drives) without permission.
2.7. Remote Working
Users are expected to exercise reasonable care and take the following precautions when working remotely:
● Take appropriate steps to protect the laptop from theft.
● Location services must always be enabled to ensure we are able to locate the device if it is ever lost or stolen.
● Assets must never be left unattended in public areas.
● Where possible, assets should not be left unattended in a parked vehicle. Where there is no alternative, they should be locked in the boot.
2.8. Return of assets upon termination of contract
Upon termination of an employment contract or other contract, the employee/contractor must return all information assets (including equipment, data, software, documents) to their line manager.
2.9. Antivirus protection
Antivirus software must be installed on each computer with activated automatic updates. This also applies to user owned devices that are used for work activities.
2.10. Mobile device access control
Users must comply with the Mobile Device and Remote Working Policy. Mobile devices must be encrypted, and access to them must be protected by PIN/Password or equivalent access control.
2.11. User account responsibilities
The user must not, directly or indirectly, allow another person to use their access rights (i.e. username and password), and must not use another person’s access rights unless absolutely required and authorised by management.
2.12. Password responsibilities
Users must comply with the Password Policy when selecting and using passwords.
2.13. Clear desk and clear screen policy
2.13.1. Clear desk policy
If the authorised person is not at their workplace, all Confidential documents and data storage media must be removed from the desk or other places (printers, photocopiers, etc.) to prevent unauthorised access.
Such documents and media must be stored in a secure manner in accordance with the Information Classification Policy.
2.13.2. Clear screen policy
If the authorised person is away from their PC/Tablet/Smartphone, Confidential information must be removed from the screen.
During business hours, the clear screen policy is implemented by locking the screen with a password. If the equipment will be unattended for an extended period e.g., overnight, the policy is implemented by logging off all systems and switching the equipment off where possible.
2.14. Internet use
The Internet may be accessed. The IT Department may block access to some Internet pages for individual users, groups of users or all employees at the organisation. The user must not try to bypass such restrictions. If access to some web pages is blocked, the user may submit a request for authorisation to access such pages.
The user must regard information received through unverified websites as unreliable. Such information may be used for business purposes only after its authenticity and correctness have been verified.
The user is responsible for all possible consequences arising from unauthorised or inappropriate use of Internet services or content.
2.15. Maintaining Security Controls
The user must not attempt to bypass security controls without prior management authorisation.
2.16. E-mail and other message exchange methods
Message exchange methods include email, telephones, SMS text messages, instant messaging, social media messages, download of files from the Internet and transfer of data via FTP.
Users may only send messages containing true information. It is forbidden to send material with disturbing, unpleasant, sexually explicit, offensive, slanderous or any other unacceptable or illegal content. All communications must also be compliant with the Data Protection Policies.
Should a user receive a malicious email, they should follow the Incident Management Procedure.
If sending a message with classified content, the user must protect it in line with the ISMS and Data Protection policies.
2.17. Copyright
Users must not make unauthorised copies of software owned by the organisation, except in cases permitted by law and Recycly Management.
Users must not copy software or other original materials from other sources, and are liable for all consequences that could arise under intellectual property law.
2.18. Incidents
Each employee, supplier or third party who is in contact with Recycly data and/or systems must report any system weakness or event indicating a possible security incident as specified in the Incident Management Procedure.
3. Document management
This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.
4. Version history
| Summary of Change | Date of Change | Author | Version No |
| --- | --- | --- | --- |
| First Draft | 16/10/2021 | Dom Tyler | 1 |