Appropriate Use Policy
Document Date | 12/8/2023 1:13:29 PM |
Revision | 10/28/2023 9:50:22 PM |
Version | 2.0 |
Approved By | troy@hubvia.com |
Owner | jennifer@hubviacms.com |
Purpose
The purpose of the Appropriate Use Policy is to establish the requirements for using Hubvia’s technology and network resources. It describes Hubvia employees’ roles and responsibilities in ensuring the availability and integrity of Hubvia’s technology. It also defines the level of confidentiality needed to safeguard data belonging to Hubvia, its employees, clients, business partners, and vendors. Further, it defines what is required to be compliant with the laws related to information protection and copyright. Lastly, it outlines the consequences for non-compliance with the policy.
This policy is subsumed under the Master Information Security Policy and its related documents. All items related to approval, compliance and enforcement, transition to compliance, policy exceptions, periodic review, and standards development are detailed there.
Scope / Applicability
This Policy applies to all users who have authorized access to Hubvia’s data and/or systems. All users must read this Policy and comply with it.
Specifically, this Policy applies to all Hubvia employees, contractors, consultants, temporary staff, and interns (collectively “Employees”) and employees of third-party companies doing business with Hubvia, including clients and vendors. Subject to applicable local law, this Policy applies to Hubvia globally.
In this Policy, “Hubvia technology” refers to technology provided by Hubvia, such as electronic systems, data, and devices, whether supplied, maintained or administered internally, by third party suppliers, vendors, or provided as a service.
Policy
Consequences of Breaching this Policy
A breach of this Policy may cause damage to Hubvia’s reputation or lead to legal action. Thus, failure to comply with this Policy, whether intentional or not, will be taken very seriously.
Employees who violate this Policy may be subject to disciplinary action up to and including dismissal. Further information about Hubvia’s disciplinary process can be accessed in the HR Handbook.
A violation of this Policy by contractors, agents, suppliers of services to Hubvia, or any other authorized user of Hubvia technology not employed by Hubvia, may result in termination of their engagement with Hubvia, termination of the relationship between Hubvia and the company they work for, or termination of access. Additionally, Hubvia may choose to take legal action against the individual who committed the breach, or against the company who the individual works for.
All employees are responsible for ensuring they understand how this Policy applies to them. All questions about the Policy, suggested changes, or suspected compliance breaches, should be directed to the appropriate line manager, or the contract owner (for contractors, or employees/agents of a supplier of services to Hubvia).
Using Technology
Limited Personal Use
Hubvia technology should be used primarily for conducting company business. While brief and occasional personal use is acceptable, the use of Hubvia technology to promote outside business activities is not permitted. Permission for such personal use is subject to compliance with the procedures and rules set out in this Policy.
Hubvia monitors activity on its systems to protect its information technology assets. Subject to applicable local law, users of Hubvia’s technology assets should have little or no expectation of privacy regarding email, instant messaging, Internet, or other computer use.
Employees must not allow their personal use of Hubvia’s technology, including the Internet, email, or electronic files, to adversely impact the performance of Hubvia’s technology. Hubvia’s decision to allow limited personal use does not constitute the company’s acceptance of any direct or indirect liability which may result from such use. All employees will be liable for their own actions when using Hubvia’s technology for personal purposes.
User Accounts and Authorization
Hubvia may issue one or more user accounts (including administrator accounts), passwords, security cards, codes, other access methods (including two-factor authentication methods), or physical security access cards to its employees according to the requirements of their job. Currently Hubvia uses username, password, and MFA to authenticate to the Hubvia environment. This requires your username, password, and MFA authorization to authenticate into the VPN, as well as your separate username, password, and MFA authorization to access systems.
The combination of VPN user accounts, usernames, passwords, and MFA is highly sensitive information and must be protected. All employees will be held accountable for how their accounts are used and for all actions associated with them. This responsibility cannot be delegated.
Employees must not share their user IDs, passwords, secret questions, security cards, codes, or other access methods (including username, password, and MFA) with anyone. All actions taken with an employee’s user ID will be attributed to him/her regardless of who used them to gain access.
Password Storage
Due to the complex password requirements across the organization’s platforms, the use of a password vault is permitted. Please refer to the User Conduct Standard for specifics around vault use and control.
Maintaining Security of our Network
Unless explicitly stated in the job description, or detailed in the service contract, it is not permitted to:
- Connect unauthorized devices to Hubvia’s wired or wireless networks, including but not limited to: personal network devices, wireless access points, and storage devices, except when connected to guest wireless networks.
- Download or install programs and software, including plug-ins, fixes, and games. No software, even if a current license is held, is to be installed or removed without prior approval obtained through Hubvia’s software request process.
- Circumvent or attempt to circumvent Hubvia’s (or its business units’) policies or procedures.
- Circumvent or attempt to circumvent Hubvia’s technology security mechanisms. By way of example, modifying file permissions, changing security settings, mapping network ports, disabling audit and logging systems, disabling anti-virus programs, or any other actions that circumvent security are not permitted.
- Possess or use a tool or device that Hubvia reasonably suspects may be used to circumvent security mechanisms or breach Hubvia’s (or a business unit’s) policy or procedure, unless its use or possession is required to fulfill the job function or contracted service and is authorized by Hubvia’s Security and Risk officer. Examples are password cracking programs, malicious code, port scanners, packet sniffers, network mapping tools and other security testing or exploit development tools.
- Do anything with malice, intent, or willingly to disrupt, damage, impair, interrupt, slow down or affect the functionality of the Hubvia technology, the Internet or any equipment, network or software owned or used by any third party, except to the extent that such slowdown or effect on the functionality of the Hubvia technology, the Internet or any equipment or network or software owned or used by any third party results from their normal use.
- Knowingly use the Hubvia technology, the Internet and/or social networking sites in any way that may damage or disrupt any computer software or hardware.
- Knowingly upload, transmit or post any material that contains viruses, worms, time-bombs, keystroke loggers, spyware, adware, Trojan Horses or any other harmful files, programs or other similar computer code designed to adversely affect the operation of any computer software or hardware.
Ownership of Information and Applications
Hubvia owns the rights to all data and files on any Hubvia system or may hold data and files on behalf of clients and vendors on Hubvia systems. Such data and files may include, but are not limited to: voice mail, email, messages, electronic documents, databases, videos, and instant messages. Hubvia also owns the rights to all applications and related files and structures developed at its expense or legally acquired. Subject to applicable law, these data or these applications may not be taken for a personal use during employment or engagement with Hubvia or upon the end of employment or engagement with Hubvia.
Subject to applicable law and/or any individual rights in relation to personal data under such applicable law, Hubvia’s rights to ownership of such data and files extend to all personal (non-business) data introduced into Hubvia’s systems. If an individual does not wish to grant Hubvia this right, they should not use Hubvia’s systems, including guest wireless networks, for housing and transmitting such data.
Hubvia owns the rights to all data and files. As such, upon the leave or termination of an employee, Hubvia may grant the employee’s line manager access to the employee’s email or files, as required to fulfill the job function.
Unacceptable Use of Hubvia’s Technology
When using Hubvia technology, Employees and employees of third-party companies doing business with Hubvia must not:
- Use social networks or other web sites in violation of their posted terms and conditions, such as by scraping contact information through automated means.
- Impersonate another person or entity or create a false identity for the purpose of misleading another.
- Do anything that would interfere with another user’s enjoyment of or ability to use the Internet appropriately. This includes actions that would discourage another person or commercial entity from engaging Hubvia’s services or from forming a business relationship, of any nature, with Hubvia.
- Send, upload, post or otherwise make available, or procure the sending of, any unsolicited or unauthorized advertising, promotional materials, “junk mail”, “spam”, “chain letters”, “pyramid schemes” or any duplicative or unsolicited messages.
- Make fraudulent, misleading offers of products, items, or services. Any offers made for or on behalf of Hubvia must be authorized by the business.
- Make statements about warranties or guarantees (expressly or implied) unless it is a part of an employee’s normal job duties and has been agreed with their line manager.
- Publicly disclose any confidential or sensitive information without prior approval from the information owner.
- Make or circulate commercial, religious, or political statements.
- Use Hubvia’s network to conduct illegal or objectionable activities.
- Use technology in a way that violates Hubvia’s HR policies.
If an Employee receives a communication or information from a colleague, third party or individual outside of Hubvia that is felt to be abusive, obscene, discriminatory, racist, harassing, derogatory, defamatory and/or inappropriate and/or otherwise breaches this Policy, they should report such communication or information to their line manager.
Reducing the Risk of using the Internet
An email received from unknown sources, with or without attachments or web site links, should be considered spam (unsolicited commercial email) or phishing (an attempt to attack a user machine or Hubvia’s technology, or steal user credentials or identity). Opening the message could potentially trigger malware. Employees should not open the message if they recognize it as spam or phishing and should not forward it; instead, it must be reported to the Information Technology department.
All Hubvia employees and employees of third-party companies doing business with Hubvia must make all reasonable efforts to follow the below good practice:
- Confirm the identity of the sender of any email message via another communication channel (e.g. contact the sender by telephone).
- Exercise care when using or providing your work email address on the Internet so that the risk of becoming a target for spam and phishing attacks is minimized.
- Enter login IDs and passwords only on login screens that can be clearly recognized as legitimate. Any requests to provide a user login ID and password, or the login ID and password for any account a user has access to, either within or outside the company, should be treated as suspicious and reported to the Systems Team.
- A request for user login ID and password received from any individual from within Hubvia or any of its vendors, either in a message or in a phone call, should be treated as an attempt to steal user credentials.
- Beware of pretexting – individuals appearing to be or representing themselves as others, particularly executives. No executive in the company will ever ask an employee by electronic messaging to wire transfer funds quickly and confidentially for some “extremely confidential deal”, without following normal financial approval processes.
- Leadership of our company will never text staff from an unknown number requesting financial transfers, gift card purchases, or any login information. If you are ever texted by someone presenting themselves as a member of leadership requesting those things, please report it to Information Technology as soon as possible.
Monitoring of Hubvia’s Technologies
Subject to local law and local procedures, users should have no expectation of privacy when using any of Hubvia technology or in any information or communications transmitted to or from, received or printed from, or created, stored, or recorded on the Hubvia technology, including in situations involving personal use. This is true regardless of the use of encryption, the deletion of the information or communications, or any other factor. Using any automated or non-automated means, these communications and information, and the Hubvia technology, may be monitored, accessed, retrieved, copied, stored, read, seized and/or disclosed by or at the direction of Hubvia or law enforcement for any purpose.
Investigations
Hubvia reserves the right to carry out confidential investigations, retrieve the contents of email, messages, postings, files or check searches which have been made on the Internet for purposes including:
- To monitor whether the use of Hubvia technology or the Internet or social media is legitimate and in accordance with this Policy.
- To find lost email, messages, postings, files or to retrieve email, messages, postings, files lost due to computer failure.
- To assist in the investigation of wrongful acts, including but not limited to assisting law enforcement agencies and in the investigation of sexual or other harassment claims, and suspected breaches of Hubvia policies.
- To assist with investigations in relation to conflicts of interest with Hubvia’s business interests.
- To comply with any legal obligation to which Hubvia is subject.
Such investigations will be made within the limits described in the above section, and in accordance with applicable laws.
Intellectual Property and Copyright
Hubvia complies with all copyright, trade secret, patent, and other intellectual property laws. All Hubvia employees and employees of third-party companies doing business with Hubvia are expected to comply with these laws and related regulations. Examples of violation include but are not limited to digitization or distribution of photographs from magazines, books, musical albums or other copyrighted material and the installation of any copyrighted software for which Hubvia does not have an active license.
Therefore, all Hubvia employees and employees of third-party companies doing business with Hubvia:
- May not download or install materials such as graphic images, photographs, video files, audio files and other copyrighted documents unless they have a license or permission to use them.
- Must obtain permission from the copyright owner before transmitting a copyrighted item to a third party or posting it on the Internet from Hubvia’s network or computers.
- Are required to comply with vendor software agreements and licensing terms while using Hubvia’s technology.
Hubvia has the right to block access to peer-to-peer software and networks to support this Policy.
Protecting Confidential Information
Hubvia employees and employees of third-party companies doing business with Hubvia must not share confidential information belonging to Hubvia, its Employees, partners, vendors, or clients with any party that does not have a legitimate business need for it and in accordance with any applicable confidentiality agreement.
Without authorization, it is not permitted to publish Hubvia confidential information or confidential information of a client, vendor, or company Employee on any social media site or non-company web site or file sharing service, whether public or limited access, including, for example, Twitter, Facebook, LinkedIn, Google+, and YouTube.
Clear Desk Policy
To assist in enabling the protection of confidential and client data, Hubvia has initiated a clear desk policy. This requires employees to keep their desks free from confidential or private information when the desk is unattended. This is inclusive of both physical media like paper and portable storage like USB keys. Locking these items away in a locked box or out of sight is the best way to comply.
Securing Personal Devices
Portable devices housing any Hubvia data must be encrypted; laptops must have current security protection software that is regularly updated.
The connection technology will enforce settings to require passwords, lock the device after a set idle period, lock the device after a series of password failures, and enable device wipe by Hubvia. It is implied that a user accepts these conditions if they are willing to host Hubvia’s data on their personal devices.
Sanctioned Technology for Business Use
You are required to seek the Information Technology department’s approval before using online, cloud, and other technologies for business purposes, if they have not been provided by Hubvia. The InfoSec Team will review requests to use such technologies on a case-by-case basis.
You may not store any company, client or vendor data on any unsanctioned file sharing service, including Dropbox, iCloud, iPhone backup, OneDrive, et cetera.
End users of the HubOnsite app who have files stored locally on their device should ensure that these files are not marked for backup to their personal online backup locations.
Note: Hubvia employees should never have a reason to back up and store any of the above-mentioned data in any location other than sanctioned file sharing locations.
Conducting Business Using Email
Email and faxes are the only electronic means for conducting official business with Hubvia’s clients, vendors, and business partners.
The email system managed by Hubvia’s Information Technology team constitutes the official record of email for the company. Employees must use their Hubvia email accounts when conducting business on behalf of Hubvia. It is not permitted to use personal email accounts.
External email containing confidential information must be secured using encrypted transmission or encrypted archive.
Examples of confidential information are:
- sensitive personal information
- personal information / personally identifiable information
- sensitive business information, such as customer information
- tender or bid proposal documents
- instructions that may be deemed as valuable
Hubvia reserves the right to monitor all email for viruses, malicious content, or otherwise in accordance with this Policy and applicable laws. Hubvia may block incoming and outgoing email messages and access to attachments to ensure effective use of the system in accordance with applicable law. Depending on the circumstances, you may be advised when Hubvia has prevented the delivery of an email.
Employees and employees of third-party companies doing business with Hubvia should take care with the content of email messages, as incorrect or improper statements can give rise to claims for discrimination, harassment, defamation, breach of confidentiality or breach of contract. As email can be easily forwarded to multiple recipients, Employees should assume that email messages may be read by persons other than the intended recipients.
Email messages may be disclosed in legal proceedings and provided to individuals in response to a subject access request under privacy legislation, in the same way as paper documents. Deletion from a user’s inbox or archives does not mean that an email cannot be recovered for the purposes of disclosure. All email messages should be treated as potentially retrievable, either from the main server or using specialist software, in accordance with Hubvia policies and applicable law.
Employees and employees of third-party companies doing business with Hubvia should not:
- Send or forward messages which are abusive, obscene, discriminatory, racist, or harassing.
- Contribute to system congestion by sending or forwarding trivial messages (such as chain mail, junk mail, cartoons, or jokes), or unnecessarily copying or forwarding email to those who do not have a real need to receive them.
- Agree to terms, enter contractual commitments or make representations by email unless appropriate authority has been obtained.
- Send messages from another employee’s computer or under an assumed name unless specifically authorized.
Shared mailboxes must have a responsible person assigned to monitor them.
Unauthorized use, or forging, of email header information is prohibited.
Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies is prohibited.
Employees who receive a wrongly delivered email should notify the sender but should not respond to spam or phishing email.
Legal Compliance
Hubvia complies with all laws and regulations that are appropriate to its business and its operating locations. These laws may address requirements for privacy, security, intellectual property protection and copyright among others. Examples include, but are not limited to:
- Hubvia is required to abide by all laws and regulations requiring the appropriate treatment of personal information and responses to a breach. Therefore, employees are required to treat these data consistent with laws, regulations, and related policies. Further information on the process for responding to security incidents is provided in the Hubvia Security Incident Response Policy.
- Hubvia complies with all document retention requirements, as appropriate for each country or region. Employees are responsible for knowing the retention periods and complying with the timelines associated with electronic documents managed in their line of business, country, or region.
Hubvia will comply with all court orders and enforceable subpoenas that request information on its network and systems. During legal action, Hubvia will protect the requested data from being deleted. You may not destroy evidence or circumvent measures taken to protect lawful requests for information.
- You will be informed if data (including email) needs to be preserved for legal investigations.
- You may be required to provide information on any legal or regulatory matter that you are involved in.
- You may be required to provide your computer or mobile device (used in connection with work) to comply with legal investigations.
Training
Hubvia will provide training to its employees on a variety of information security policies and topics.
- When required, employees must satisfactorily complete training on security awareness (covering policy and external threats) and privacy.
- Developers must complete the web application security training course. Employees using a third-party vendor for development should ensure they undergo the web application security training.
- Hubvia may provide training in the form of simulated social engineering events, such as simulated phishing messages, and may measure each user’s success in resisting such attacks. Employees may be offered training on social engineering, phishing, and related topics. This training may be offered as mandatory to those employees who repeatedly succumb to simulated or actual phishing attacks. Completion status will be provided to the employee’s line manager or, for contractors, consultants, and vendors with access to Hubvia technology, their business sponsor. Failure to complete required information security training may result in disciplinary action up to and including dismissal.