InfoTech Code of Conduct / Acceptable Use Policy
InfoTech Policy / Code of Conduct Date of Last Revision: December 2014
- This policy includes guidelines that govern the interaction by Authorized Users with all company-provided technological resources including but not limited to hardware, software, data (files, emails, spreadsheets, databases, streaming media, etc) and information, networks, computers, peripherals (cameras, printers, fax machines, etc), mobile devices (phones, smart phones, tablets), Software as a Service resources, and voice communication devices.
- Each Authorized User is expected to read, understand, and agree to abide by the code of conduct set forth in this policy.
- Failure to comply with any part of this policy may, at the full discretion of the Company, result in the suspension of any or all technology use and connectivity privileges, disciplinary action, termination of employment, and possibly legal action.
- This policy serves as a framework to guarantee productive use of technology and provide a basis by which to identify abuses that require corrective action in order to protect employees, customers, and the company's ability to continue to conduct business as well as to maximize uptime, minimize impact of threats, and ensure a safe computing environment.
- "The Company" refers to the legal entity under which each employee is employed including Daniel G. Schuster, LLC, Schuster Concrete Ready Mix LLC, DGS Construction, LLC, Freedom Concrete LLC, and any other legal entity that falls under the common ownership or administration of Daniel G. Schuster. This term can also refer to individual agents acting on behalf of the larger entity; for example, "The Company monitors Internet traffic" refers to specific approved agents acting on behalf of a larger legal entity.
- "Content" refers to any visual or audible representation of ideas or information that is created, viewed, stored, conveyed, or transmitted. Content is classified as follows:
- "Tier 1 Content" is content about the company or its individuals that is publicly available to anyone.
- "Tier 2 Content" is content that is Business Unit or Business Process specific which is not confidential but is intended only to be available to a subset of employees through security mechanisms (NTFS groups/permissions, SharePoint groups, etc) in order to prevent accidental deletion or unauthorized access.
- "Tier 3 Content" is content that is considered corporate confidential information which, if exposed, could compromise our competitive advantage or compromise corporate security. Examples include Bid Numbers, Financial Statements, Concrete Pricing, Mix Designs, Network and Computer Documentation, etc.
- "Tier 4 Content" is content related to the health care of an individual or that could be used to personally identify an individual. Examples include checks/direct deposit pay stubs, bank account / routing number, social security number, drivers license number, drug test results, tax information, DOT physical history, disability / medical history information.
Identity and Authentication
- An Identity is a representation of a specific person as they interact uniquely, through authentication, with technology.
- An Authentication Mechanism is a method, or series of methods (username/password, smart card, biometrics, etc.), that provides validation that a specific individual is using the properly assigned identity.
- Authorized Users are those employees who have been given an Identity and an Authentication Mechanism.
- Authorized Users must guard authentication mechanisms to prevent unauthorized access by:
- Using logoff/logout procedures on all workstations, laptops, web portals, and applications.
- Not leaving unattended any device which the user has logged in to already without first logging out.
- Refraining from sharing authentication mechanisms with anyone, except by request of the IT Department for the purpose of assisting in troubleshooting or problem resolution.
- Physically securing authentication mechanisms by locating them (or the documentation thereof) in places which are inaccessible to others.
- Securing mobile devices (both in software, using encryption, PIN unlock codes, etc., as well as physically) in a manner that prevents unauthorized access.
- Each Authorized User may only use his or her own authorization. Attempts to masquerade as another user are prohibited.
- All data and information residing on or passing through company networks or company-provided services, as well as originating from company business processes, remains the property of the Company. This includes all data in company provided Software as a Service tools such as Google Apps, TrakIt, ADP HR Benefits, etc.
- Ownership includes but is not limited to emails, voicemails, files stored on network drives, files stored on local computers, information or data contained on FTP sites or Software as a Service applications, pictures taken on smart phones, and so on, regardless of whether the content would be considered personal or not.
- Technological resources that the Company provides are intended for uses that support organizational goals, objectives, or operations and are intended to be used within the context of assigned roles and responsibilities.
- Personal use of company provided technological resources is prohibited.
- Authorized Users are prohibited from propagating a software virus or worm.
- Authorized Users are prohibited from installing ANY software on company computers or devices, either from physical media, the Internet, or any other source (excluding Microsoft Auto-Update service packs, hot fixes, or security patches) without proper authorization from the IT Department.
- Authorized Users are prohibited from damaging or destroying data that belongs to the Company.
- Authorized Users are prohibited from attempts to circumvent protection policies that are in place, or otherwise attempt to exploit security loopholes.
- Authorized Users are prohibited from granting unauthorized access to computers, devices, software, or data. This includes giving an unauthorized employee logon information (such as username and password) or leaving computers, software, peripherals, etc. in places that are not secure (such as leaving doors unlocked at night).
- Authorized Users are prohibited from monitoring someone else’s data communications, or otherwise reading, changing, deleting, or copying someone else’s files or folders without proper consent from the author or authority from the Company.
- Employees are expected to be in compliance with all software licensing requirements at all times. Software licenses provided by the company may not be used for personal use and any software activation keys that are made visible (either intentionally or unintentionally) to an individual may not be copied or reused outside of their original intended purpose.
- Authorized Users are prohibited from connecting personal computers or devices to any company secure network (via wired or wireless connections).
- Use of personal email addresses (Yahoo!, Hotmail, Gmail, etc) for business correspondence is prohibited.
- Authorized Users are expected to refrain from viewing, creating, or distributing content that would infringe on the rights of others, be considered offensive, violate confidentiality, or violate any existing company policy or applicable governmental law. Furthermore, content in any form that constitutes copyright infringement, forgery, impersonation, solicitation, fraud, slander, libel, intimidation, plagiarism, harassment, sexual innuendo, or that would be considered offensive, profane, pornographic, or containing nudity is prohibited.
- Authorized Users are expected to use professionalism and business etiquette and abide by company policies in all forms of data and communications and to operate within their assigned roles and responsibilities.
- Content created, stored, or transmitted in any form is expected to comply with all applicable laws, all company policies, and all company contracts where applicable.
- Viewing, copying, altering, or deleting of content in any form belonging to the Company or another individual without authorized permission is prohibited.
- Email is a privilege which must be used with respect and in accordance with the goals of the Company and within the context of assigned roles and responsibilities.
- Personal use of company provided email is prohibited. Freely available personal email addresses can be obtained (Gmail/Yahoo/Hotmail) for this purpose outside of the company network and off company time.
- The Company prohibits personal use of its email system and services for unsolicited mass mailings, non-company commercial activity, political campaigning, multi-level marketing, dissemination of chain letters, and use by non-employees.
- Company email addresses may not be submitted for any personal mailing lists or used in online shopping activities.
- Email may not be used to conduct personal business or social networking in any way.
- Tier 3 or Tier 4 data and information may not be sent through email without taking proper precautions including, but not limited to, using company-provided email encryption technology as well as ensuring that the recipient has legitimate business need for such information and, in the case of Tier 4 data, is under a business associate agreement.
- Access to the public Internet is provided through local area networks, wireless networks, or through company-provided mobile broadband capable devices.
- Access to the public Internet is provided by the company to Authorized Users in order to facilitate the achievement of company goals and objectives. The internet may not be used in any way that violates Company policies, rules, or administrative orders. Use of the Internet in a manner that is not consistent with the mission of the Company, misrepresents the Company, or violates any company policy is prohibited.
- The company does not guarantee the security or privacy of any information transmitted to or from the Internet through company-provided methods.
- The internet may not be used for any illegal or unlawful purposes, including but not limited to, copyright infringement, obscenity, slander, fraud, defamation, plagiarism, harassment, intimidation, forgery, impersonation, gambling, soliciting for illegal pyramid schemes, and computer tampering (e.g. spreading computer viruses, hacking).
- Authorized Users may not use Internet connections from the corporate Local Area Network to check personal email.
- Authorized Users are expected to limit their personal use of the Internet. The Company recognizes legitimate non-business use of the Internet in ways that support employees’ wellbeing, including researching, following company-provided external URLs to resources, keeping up to date with news and current events, and checking weather; however, employees are encouraged to do this with their own time and resources. Excessive personal use (>10 min/day) constitutes failure to comply.
- Company Internet access may not be used for social networking (Facebook, Twitter, etc), instant messaging, peer-to-peer file sharing or networking, personal voice communications (via unapproved VOIP providers), personal online shopping, or any other activity that places or consumes excessive bandwidth, presents security concerns, or consumes employees’ time and energy with no tangible benefit to the Company.
- Streaming audio or video for non-business use is prohibited.
- Authorized Users may not disseminate any Tier 2 or Tier 3 data over the Internet without ensuring that proper safeguards are in place to guard company confidential data.
- Authorized Users may not disseminate any Tier 4 data over the Internet including but not limited to Social Security Numbers, Bank Accounts, or other personal/private data regarding specific individuals without ensuring that the recipient is a participating Business Associate under formal agreement with legitimate need to know and that the transmission of the data is secured using industry standards including SSL encryption.
Internet Postings (Social Media)
- Internet Postings include the contribution of images, videos, text, or other content to multi-media and social network websites such as MySpace, Facebook, YouTube, LinkedIn, as well as any other site which leverages the public Internet to share information with one or more individuals (Blogs or Wikis, discussion forums, self-hosted web sites, and so on).
- Your personal Internet postings should not disclose any information that would be considered confidential or proprietary to the Company including any Tier 2, Tier 3, or Tier 4 information. Furthermore, your personal Internet postings may not include any content (including but not limited to company documents, photographs, etc) that is owned by the company.
- If you choose to comment on any issue in which the Company is involved you must clearly identify yourself as an employee of the Company in your postings or blog sites and include a disclaimer that the views are your own and not those of the Company.
- Because you are legally responsible for your postings, you may be subject to liability if your posts are found to be defamatory, harassing, or in violation of any applicable law (including copyright infringement).
- Employees are expected to refrain from posting derogatory comments about the Company or any other employees and are encouraged to leverage internal conflict resolution channels to resolve any disputes.
Hardware and Peripherals
- Hardware and Peripherals refers to any electronic device provided by the Company that stores, captures, transmits, collects, or presents data and information in any way. This includes but is not limited to computers, printers, phones, cables, fax machines, scanners, monitors/displays, keyboards, mice, tablets, network equipment, removable media, laptops, smart phones, mobile phones, and business extensions.
- Hardware and Peripherals are assigned to employees or facilities for business use only. Hardware and Peripherals are not a "perk" or a function of status, achievement, or longevity of employment, but rather are assigned in ways that facilitate achievement of company goals and objectives.
- Reasonable wear and tear through normal use is expected; however, excessive damage of hardware due to deliberate misuse or willful neglect, or loss of hardware, will result in penalties which may include revocation of hardware and peripherals or the replacement of damaged or lost equipment at the employee's expense in the form of payroll deduction.
- Users are expected to return hardware immediately at the request of the IT Department or at the end of employment and hereby agree that failure to do so will result in the user bearing the cost of replacement through payroll deduction. In addition, the Company reserves the right to retain the final paycheck of a terminated employee until assigned Hardware and Peripherals are returned or replaced.
- Authorized Users are prohibited from performing an act that negatively impacts the operation of hardware and peripherals.
- Hardware that is assigned for individual use (laptop, tablet, smart phone, etc) may not be used by any other individual without permission from the IT Department to do so. Family, friends, kids, colleagues, or any other individual are prohibited from using such hardware.
- Reasonable care and common sense are expected when using hardware and peripherals in order to maximize longevity. For example:
- Removing smart phones and tablets from vehicles to prevent prolonged exposure to the sun, exposure to theft, extreme heat, or extreme cold is expected.
- Refraining from use in the rain or high humidity environments is expected.
- Situations that could result in damage or loss such as exposure to high voltages or magnets, potential of dropping devices onto hard surfaces, potential for water exposure, potential for loss, etc are expected to be avoided.
- Removable media includes, but is not limited to, portable USB memory sticks (flash drives, thumb drives, jump drives, key drives), memory cards (SD, Compact Flash, Memory Stick, etc), USB card readers that allow connectivity to a PC, portable music players (iPods, Zune, or other devices with flash or hard drive based memory that support internal storage), PDAs as well as cell phone handsets and smart phones that support a data storage function, digital cameras, removable memory-based media (DVDs, CDs, Blu-ray discs, floppy disks) as well as any hardware that provides removable storage capabilities through interfaces such as WiFi, WiMAX, IrDA, Bluetooth, USB, or wired network.
- Non-sanctioned use of removable media to backup, store, and otherwise access any Company data is strictly prohibited.
- Introduction of any personal removable media device onto the network, either directly or through connectivity via a company computer, is prohibited.
- Any removable media must be authorized by the IT Department for use. The IT Department will provide any removable media that is deemed a business necessity.
- Tier 4 data and information is prohibited from being stored on any removable media at any time.
- Remote Access refers to the interaction with technological resources provided by the company which are accessed through the public Internet from outside the company firewall or which require traversal through the company firewall. Examples include, but are not limited to, a VPN connection that creates a persistent tunnel into the corporate network, an SSL VPN connection which securely provides access to resources through a standard web browser, and a remote desktop connection (Citrix, Remote Desktop Services, VMware View Desktop, etc) that provides a desktop or application.
- Mobile Computing / Remote Access is a privilege that requires dual approval from both the IT Department as well as an employee's supervisor and is intended for the purposes of conducting specific tasks related to an individual's job role which support the achievement of company goals and objectives.
- Attempts to gain unapproved remote access are prohibited.
- Proper precautions must be taken to ensure that personal computers, if used, are free of viruses, spyware, key loggers, etc including installing antivirus software and firewalls. Verification of this may be required prior to approval of remote access.
- Proper precautions must be taken to ensure that wireless networks, if used, are secure from man-in-the-middle attacks or hacking through encryption.
- Devices used outside the company local area network (Ethernet or WiFi) for remote access may not contain any Tier 3 or Tier 4 information. In addition, remote access may not be used to copy any company data locally to personally owned computers or to transmit any file from personally owned computers back to company systems.
Software as a Service
- Software as a Service (SaaS) refers to any application or web portal that contains company data or information which is not hosted on company networks or servers (does not require remote access) but rather is provided by a service provider over the public Internet. Examples include, but are not limited to:
- ADP Workforce Now
- Google Apps for Business
- Software as a Service often contains company confidential information as well as personal/sensitive information which must be guarded from unauthorized use or disclosure. Access to these systems from home or external computers in any way must be treated with utmost care and is limited by the following restrictions:
- Tier 4 Information and Data may not be printed to home computers or remote printers.
- Creating or storing offline representations of data and information (creating PDFs from web pages, generating screen captures, keeping downloaded files, etc) is prohibited.
- Saving data or information from SaaS systems to personal computer data volumes (C:\ My Documents, etc) or personal cloud services is prohibited.
Monitoring / Privacy
- The Company actively monitors Internet activity. The Company employs filtering software to limit access to sites and services on the Internet. If the Company discovers activities which do not comply with applicable laws or company policies, records retrieved may be used to document the wrongful conduct in accordance with due process.
- All email and messaging transmitted on company email systems is monitored. This monitoring may include, but is not limited to, inadvertent reading by IT staff during the normal course of managing the email system, review by the IT Director / System Administrator or legal team during the electronic discovery phase of litigation, observation by management in cases of suspected abuse, random monitoring by the IT Director / System Administrator for periodic audit, and monitoring by the employee’s supervisor(s) to monitor efficiency.
- Archival and backup copies of email and messaging are kept despite end-user deletion in compliance with the company's records retention practices.
- Business telephone extension activity is monitored with call reporting logs and additionally may be subject to call recording and retrieval to facilitate training, to ensure that customers receive appropriate levels of customer service, to ensure complete and accurate information, to resolve disputes, to investigate alleged misconduct, or to monitor efficiency or effectiveness. Calls of a personal nature (conversations with doctors, etc) should be made on personal cell phones.
- The Company reserves the right to monitor any data or information that is considered company property (see "Ownership" section).
The use of mobile devices in the workplace is governed by the company Mobile Device Policy.