Approval Draft 1: Acceptable Use Policy.
Executive Summary.
This Acceptable Use Policy (AUP) for the use of IT systems by employees is designed to protect Red Clay Renovations, its clients, partners and the employees themselves from harm arising from the misuse of the company's IT systems, data and other resources. Misuse covers both inadvertent and deliberate actions. The consequences of misusing Red Clay's systems can be severe: potential damages include, but are not limited to, malware infections, data breaches, legal and financial liability arising from data leakage, and productivity losses caused by network downtime.
This policy covers Red Clay's IT systems, including but not limited to electronic devices, information, network resources and computing devices used to conduct business on behalf of Red Clay Renovations or to interact with its business systems and internal networks, whether leased or owned by Red Clay Renovations, an employee, or a third party. All employees, consultants, contractors, temporary staff and other workers affiliated with Red Clay Renovations and its subsidiaries are therefore responsible for exercising proper judgment in their use of these systems, in accordance with the policies and standards set by Red Clay Renovations and with applicable local, state and federal regulations. Any employee who finds a particular guideline unclear, or who does not understand how it applies to their role, should consult their manager or the nearest IT security officer (Sans.org, 2014).
AUP Policy.
Proprietary information stored on computing devices used for Red Clay Renovations business, whether those devices are leased or owned by Red Clay, a third party, or the employee, remains the sole intellectual property of Red Clay Renovations. Employees must therefore ensure, through technical and legal means, that such information is protected.
Every employee is responsible for promptly reporting the loss, theft, or unauthorized disclosure of Red Clay Renovations proprietary information.
Employees are required to exercise proper judgment regarding the personal use of information systems. Individual departments and divisions are responsible for developing guidelines on the personal use of IT systems; where no specific guidelines exist, employees should follow the general departmental policies that address personal use. In the event of any uncertainty, employees should consult their immediate supervisor or manager.
For network maintenance and security purposes, only authorized IT personnel within Red Clay Renovations may monitor network traffic, equipment and systems, and only in accordance with the company's Audit Policy.
Red Clay Renovations reserves the right to perform random, unannounced audits of its systems and networks periodically to ensure that all employees comply with these guidelines (Sans.org, 2014).
Accessing data on any account or server for any purpose other than conducting business on behalf of Red Clay Renovations is strictly prohibited, even where the employee has authorized access to that system.
Introducing malicious programs or content into IT systems and networks (e.g. viruses, worms, Trojan horses and phishing emails) is strictly prohibited.
Making fraudulent offers of items, products or services that appear to originate from Red Clay Renovations is prohibited.
Circumventing systems authentication or the security of any network, account, user or host is prohibited.
Employees are expressly prohibited from providing information about Red Clay Renovations employees to any party outside Red Clay Renovations (Sans.org, 2014).
Approval Draft 2: Bring Your Own Device (BYOD) Policy.
Executive Summary.
This policy document provides the guidelines, standards and behavioral rules for the use of personally owned devices by Red Clay Renovations employees to access the company's IT systems and services (Guérin, 2008). Access to these systems, and continued use of them, is granted on condition that the employee signs the Red Clay Renovations Bring Your Own Device (BYOD) policy. The intention of this policy is to protect the confidentiality and integrity of Red Clay Renovations data, information and other IT assets.
Red Clay Renovations shall respect the privacy of employees' personal devices and shall request access to a device only for IT security technicians to implement security controls, or in response to legitimate device access requests arising from administrative, criminal or civil proceedings (Guérin, 2008).
BYOD Policy.
Red Clay Renovations defines acceptable business uses of BYOD devices as those activities that support the company’s business either directly or indirectly.
BYOD devices may not be used at any time to store or transmit illicit materials, to store or transmit proprietary information belonging to another company, to engage in outside business activities, or to harass others.
Employees are allowed to use their BYOD devices to access Red Clay Renovations IT resources such as email, contacts, calendars, and documents.
Red Clay Renovations has a zero-tolerance policy for emailing or texting on BYOD devices while driving. Only hands-free calls are permitted while driving.
All BYOD devices must be presented to the IT department for configuration of standard applications and proper provisioning before they are allowed to access Red Clay Renovations IT systems.
For security, all devices must be encrypted and password protected before they are allowed to access company networks.
Tampered devices (e.g. jailbroken or rooted devices) and devices not on the company's list of supported devices are strictly forbidden from accessing the company network.
Employees should understand that their devices may be wiped remotely if the device is lost or stolen, if the employee's employment ends, or if the IT security department detects a data breach, policy violation or other activity that could compromise the company's data security (Guérin, 2008).
Approval Draft 3: Digital Media Sanitization, Reuse, & Destruction Policy.
Executive Summary.
Technology devices and components often contain parts that cannot simply be thrown away and so require disposal techniques that comply with the law and are environmentally sound. Digital storage media such as USB flash drives, hard disks, CD-ROMs and other storage media may also contain sensitive company data. To protect its data, Red Clay Renovations must ensure that digital storage media are properly erased before disposal. Simply formatting or deleting is not sufficient: an ordinary delete or quick format removes only the file-system references to the data, while the data itself remains on the medium and can be recovered with data recovery tools. Dedicated sanitization tools and procedures are therefore required to completely erase data before media leave the company's control (Kissel, Regenscheid, Scholl, & Stine, 2014).
The purpose of the Digital Media Sanitization, Reuse, & Destruction Policy is to define the policies and guidelines for disposing of technology components and equipment owned by Red Clay Renovations (Kissel, Regenscheid, Scholl, & Stine, 2014). It applies to technology devices and equipment that Red Clay Renovations no longer requires, including but not limited to computers, laptops, hard drives, smartphones, peripherals, backup storage devices, network equipment and printed media. All Red Clay Renovations subsidiaries and affiliates are required to comply with this policy.
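To show why a file deletion or quick format does not sanitize a medium, here is an added illustration (not code from the cited NIST or SANS documents): a tiny in-memory block device with a one-block directory table. Deleting a file only drops its directory entry, so a raw scan of the medium (the "carving" that data recovery tools perform) still finds the contents; a full overwrite followed by read-back verification, the single-pass fixed-pattern "Clear" method that SP 800-88 describes for magnetic media, removes them. The disk geometry, file name and client record are constructed for the demo.

```python
import re

BLOCK_SIZE = 512
NUM_BLOCKS = 64          # constructed geometry: a 32 KiB "disk"
FIRST_DATA_BLOCK = 1     # block 0 holds the directory table


class ToyDisk:
    """Flat block device, constructed for the demo. Block 0 is a directory of
    'name:start:length' rows; the remaining blocks hold file contents."""

    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.next_free = FIRST_DATA_BLOCK

    def _directory(self):
        raw = bytes(self.media[:BLOCK_SIZE]).rstrip(b"\x00")
        entries = {}
        for row in raw.split(b"\n"):
            if row:
                name, start, length = row.split(b":")
                entries[name.decode()] = (int(start), int(length))
        return entries

    def _write_directory(self, entries):
        rows = b"\n".join(f"{n}:{s}:{l}".encode() for n, (s, l) in entries.items())
        self.media[:BLOCK_SIZE] = rows.ljust(BLOCK_SIZE, b"\x00")

    def write_file(self, name, data):
        nblocks = -(-len(data) // BLOCK_SIZE)          # ceiling division
        if self.next_free + nblocks > NUM_BLOCKS:
            raise OSError("disk full")
        start = self.next_free
        off = start * BLOCK_SIZE
        self.media[off:off + len(data)] = data
        self.next_free += nblocks
        entries = self._directory()
        entries[name] = (start, len(data))
        self._write_directory(entries)

    def read_file(self, name):
        start, length = self._directory()[name]
        off = start * BLOCK_SIZE
        return bytes(self.media[off:off + length])

    def delete_file(self, name):
        """What an ordinary delete or quick format does: drop the directory
        entry and nothing else. The data blocks are left untouched."""
        entries = self._directory()
        del entries[name]
        self._write_directory(entries)

    def carve(self, pattern):
        """What a recovery tool does: ignore the directory, scan the raw medium."""
        return [m.group(0) for m in re.finditer(pattern, bytes(self.media))]

    def sanitize_clear(self, fill=b"\x00"):
        """SP 800-88 'Clear' for magnetic media: overwrite every block with a
        fixed value, then read the whole medium back and verify the overwrite.
        Returns True only if verification passes."""
        for blk in range(NUM_BLOCKS):
            off = blk * BLOCK_SIZE
            self.media[off:off + BLOCK_SIZE] = fill * BLOCK_SIZE
        self.next_free = FIRST_DATA_BLOCK
        return bytes(self.media) == fill * (BLOCK_SIZE * NUM_BLOCKS)


def demo():
    """Write a record, 'delete' it, carve it back, sanitize, carve again."""
    disk = ToyDisk()
    record = b"CLIENT-PII: Jane Doe, 12 Example Street, card 4111111111111111"  # constructed
    disk.write_file("clients.txt", record)
    disk.delete_file("clients.txt")                     # the file system now lists no file...
    after_delete = disk.carve(rb"CLIENT-PII:[^\x00]+")  # ...but the bytes are still on the medium
    verified = disk.sanitize_clear()                    # overwrite plus read-back verification
    after_clear = disk.carve(rb"CLIENT-PII:[^\x00]+")
    return after_delete, verified, after_clear


if __name__ == "__main__":
    recovered, ok, remaining = demo()
    print("carved after delete  :", recovered)
    print("overwrite verified   :", ok)
    print("carved after sanitize:", remaining)
```

Running `demo()` shows the carved record after the delete, `True` for the verification, and an empty list after the overwrite. This is also why the policy routes media through IT rather than letting staff "format and sell": on flash-based media (SSDs, USB sticks, smartphones) even a whole-device overwrite issued from the host can miss spare and wear-levelled blocks, so SP 800-88 points to the device's own sanitize command or cryptographic erase for those, and read-back verification of the result is part of the procedure in every case.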
Policy.
All digital media devices that have reached the end of their useful life shall be sent to the Red Clay Renovations IT department for sanitization (secure erasure) and disposal in accordance with current industry best practice.
No digital media devices or technology equipment may be sold to any person other than through the processes outlined in this policy.
Technology devices owned by Red Clay Renovations shall not be disposed of via dumps, skips, and landfills. Instead, these devices shall be sent to certified waste management agencies for recycling, reusing and/or proper disposal.
Equipment that is still operational but has outlived its usefulness to the company shall be sanitized (erased) and made available for sale to employees.
All sales of outdated equipment must go through a lottery process to randomly select the person who has the opportunity to purchase the equipment being disposed of.
Before leaving company premises, whether by sale or disposal, all media devices and equipment owned by Red Clay Renovations must first be removed from the IT asset inventory system.
References:
Guérin, N. (2008). Security Policy for the use of handheld devices in corporate environments (1st ed., pp. 3-12). SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/pda/security-policy-handheld-devices-corporate-environments-32823
Kissel, R., Regenscheid, A., Scholl, M., & Stine, K. (2014). NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization (1st ed., pp. 1-24). National Institute of Standards and Technology (NIST). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
Sans.org. (2014). SANS Consensus Policy Resource Community: Acceptable Use Policy (1st ed., pp. 1-7). SANS Institute 2014. Retrieved from https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy
Bibliography.
Berry, M. BYOD Policy Template. IT Manager Daily. Retrieved 17 January 2017, from http://www.itmanagerdaily.com/byod-policy-template/
Haferkamp, R. (2014). How to Write the Acceptable Use Policy your Business Needs. Central National Bank - Waco. Retrieved 17 January 2017, from https://www.cnbwaco.com/blog/how-to-write-the-acceptable-use-policy-your-business-needs/
Hassell, J. (2012). 7 Tips for Establishing a Successful BYOD Policy. CIO.com. Retrieved 17 January 2017, from http://www.cio.com/article/2395944/consumer-technology/7-tips-for-establishing-a-successful-byod-policy.html
InfoSec. (2014). InfoSec Resources - Information Security Policies. Resources.infosecinstitute.com. Retrieved 17 January 2017, from http://resources.infosecinstitute.com/information-security-policies/#gref