1     Overview

The purpose of this policy is to establish acceptable and unacceptable use of electronic devices and network resources for CLIENT companies of CMD, in conjunction with its established culture of ethical and lawful behavior, openness, trust, and integrity.

CMD provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives to employees of CLIENT, and must manage them responsibly to maintain the confidentiality, integrity, and availability of its information assets. This policy requires the users of information assets to comply with CMD policies and protects the company against damaging legal issues.

2     Scope

All employees, contractors, consultants, temporary and other workers at CLIENT company, including all personnel affiliated with third parties must adhere to this policy. This policy applies to information assets owned or leased by CLIENT or CMD, or to devices that connect to a CLIENT network or reside at CLIENT site.

Information Security must approve exceptions to this policy in advance.

3     Policy Statement

3.1      General Requirements

3.1.1         You are responsible for exercising good judgment regarding appropriate use of CLIENT resources in accordance with CMD policies, standards, and guidelines. CLIENT resources may not be used for any unlawful or prohibited purpose.
3.1.2         For security, compliance, and maintenance purposes, authorised personnel may monitor and audit equipment, systems, and network traffic per the Audit Policy. Devices that interfere with other devices or users on the CLIENT network may be disconnected. Information Security prohibits actively blocking authorised audit scans. Firewalls and other blocking technologies must permit access to the scan sources.
3.1.3        CMD may assess from time to time the usage of the CLIENT against similarly placed customers in order to ascertain a “Fair Use” by the CLIENT of resources, including help desk support by the CLIENT. If CMD deems that the CLIENT is over utilising resources provided by CMD, CMD at it’s absolute discretion may charge the CLIENT a premium rate to continue to provide resources at the assessed level, or may reduce the speed of response, or reduce the CLIENT’s access to services after provision of notice in writing to the CLIENT.

3.2      System Accounts

3.2.1         You are responsible for the security of data, accounts, and systems under your control. Keep passwords secure and do not share account or password information with anyone, including other personnel, family, or friends. Providing access to another individual, either deliberately or through failure to secure its access, is a violation of this policy.
3.2.2         You must maintain system-level and user-level passwords in accordance with the Password Policy.
3.2.3         You must ensure through legal or technical means that proprietary information remains within the control of CLIENT at all times. Conducting CLIENT business that results in the storage of proprietary information on personal or non-CLIENT controlled environments, including devices maintained by a third party with whom CLIENT does not have a contractual agreement, is prohibited. This specifically prohibits the use of an e-mail account that is not provided by CLIENT, or its customer and partners, for company business.

3.3      Computing Assets

3.3.1         You are responsible for ensuring the protection of assigned CLIENT assets that includes the use of computer cable locks and other security devices. Laptops left at CLIENT overnight must be properly secured or placed in a locked drawer or cabinet. Promptly report any theft of CLIENT assets to CMD and CLIENT Management.
3.3.2         All PCs, PDAs, laptops, and workstations must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.
3.3.3         Devices that connect to the CLIEINT network must comply with the Minimum Access Policy.
3.3.4         Do not interfere with corporate device management or security system software, including, but not limited to, antivirus, CMD installed software, remote access software, and server management software.

3.4      Network Use

You are responsible for the security and appropriate use of CLIENT network resources under your control. Using CLIENT resources for the following is strictly prohibited:
3.4.1         Causing a security breach to either CLIENT or other network resources, including, but not limited to, accessing data, servers, or accounts to which you are not authorised; circumventing user authentication on any device; or sniffing network traffic.
3.4.2         Causing a disruption of service to either CLIENT or other network resources, including, but not limited to, ICMP floods, packet spoofing, denial of service, heap or buffer overflows, and forged routing information for malicious purposes.
3.4.3         Introducing honeypots, honeynets, or similar technology on the CLIENT network.
3.4.4         Violating copyright law, including, but not limited to, illegally duplicating or transmitting copyrighted pictures, music, video, and software.
3.4.5         Exporting or importing software, technical information, encryption software, or technology in violation of international or regional export control laws.
3.4.6         Use of the Internet or CLIENT network that violates CMD policies, CLIENT policies, or local laws.
3.4.7         Intentionally introducing malicious code, including, but not limited to, viruses, worms, Trojan horses, e-mail bombs, spyware, adware, and keyloggers.
3.4.8         Port scanning or security scanning on a production network unless authorized in advance by Information Security.

3.5      Electronic Communications

The following are strictly prohibited:
3.5.1         Inappropriate use of communication vehicles and equipment, including, but not limited to, supporting illegal activities, and procuring or transmitting material that violates CLIENT or CMD policies against harassment or the safeguarding of confidential or proprietary information.
3.5.2         Sending Spam via e-mail, text messages, pages, instant messages, voice mail, or other forms of electronic communication.
3.5.3         Forging, misrepresenting, obscuring, suppressing, or replacing a user identity on any electronic communication to mislead the recipient about the sender.
3.5.4         Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
3.5.5         Use of a CLIENT e-mail or IP address to engage in conduct that violates CLIENT policies or guidelines. Posting to a public newsgroup, bulletin board, or listserv with a CLIENT e-mail or IP address which represents CLIENT to the public; therefore, you must exercise good judgment to avoid misrepresenting or exceeding your authority in representing the opinion of the company.

4     Enforcement

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment with the CLIENT. A violation of this policy by a temporary worker, contractor or vendor of the CLIENT, may result in CMD taking actions to restrict, educate or terminate services to the CLIENT.

5     Definitions


honeypot, honeynetNetwork decoys that serve to distract attackers from valuable machines on a network. The decoys provide an early warning for intrusion detection and detailed information on vulnerabilities.
SpamElectronic junk mail or junk newsgroup postings. Messages that are unsolicited, unwanted, and irrelevant.