A. Information Classification
Our information, whether in electronic or physical form, can be categorized into three classifications. Due care must be taken to protect our information assets in accordance with the three classifications, as described within this Policy.
1. Confidential – Sensitive personally identifiable information (PII) used for business purposes within ID123 which, if disclosed through unauthorized means, could adversely affect our customers or personnel, and could have legal, statutory, or regulatory repercussions.
2. Internal – Information related to our business that if disclosed, accessed, modified or destroyed by unauthorized means, could have limited or significant financial or operational impact on us. Examples include: strategic plans, vendors‘ proprietary information, and responses to Requests for Proposals (RFPs), information protected by intergovernmental non-disclosure agreements or other non-disclosure agreements, and design documents.
3. Public – Information intended for unrestricted public disclosure in the course of our business. Examples include: press releases, public marketing materials, and employment advertisements.
B. Responsibility for Assets
1. Ownership of Assets – All information collected, stored and processed over our information technology systems is either the property of ID123 or our Clients. Our employees using our information technology systems have no expectation of privacy associated with the information they store in or send through these systems, within the limits of the federal, state and local laws of the United States and, where applicable, foreign laws.
2. Acceptable and Unacceptable Use of Assets –
a. To effectively conduct our business and operations, we makes available to authorized employees and third parties various information technology resources, including laptops, phones, tablets, e-mail services, chat applications, the Internet, and other communication and productivity tools. Use of these resources is intended for business purposes in accordance with Users‘ job functions and responsibilities.
b. Users must not allow any consultant, visitor, friend, family member, customer, vendor or other unauthorized person to use their network account, e-mail address or other company provided computer facilities. Users are responsible for the activities performed by and associated with the accounts we assign to them.
c. No User may use company provided Internet/Intranet access or our Confidential information to solicit or conduct any personal commercial activity or for personal gain or profit.
d. Users must not make statements on behalf of ID123 or disclose Confidential or Internal information unless expressly authorized in writing by senior management. This includes Internet postings, or bulletin boards, newsgroups, chat rooms, or instant messaging.
e. Users must protect Confidential or Internal information being transmitted across the Internet or public networks in a manner that ensures its confidentiality and integrity between a sender and a recipient. Confidential information such as Social Security numbers, credit card numbers, and electronic Protected Health Information (ePHI) must be transmitted using encryption software.
f. Internal information such as email lists must not be posted to any external information source, listed in telephone directories, placed on business cards, or otherwise made available to third parties without the prior express written permission of the Data Protection Officer.
g. Users must not install software on our network and computer resources without prior express written permission from Data Protection Officer. Person-to-person (P2P) applications, Voice over IP (VOIP), instant messenger (IM) applications, and remote access applications pose an especially high risk to ID123 and their unauthorized use is strictly prohibited. ID123 business must not be conducted on any device that allows P2P communication (such as file sharing music applications) without explicit approval from Data Protection Officer.
h. Users must not copy, alter, modify, disassemble, or reverse engineer any authorized software or other intellectual property in violation of licenses provided to or by ID123. Additionally, Users must not download, upload, or share files in violation of U.S. patent, trademark, or copyright laws. Intellectual property that is created for ID123 by its employees, vendors, consultants and others is property of ID123 unless otherwise agreed upon by means of third party agreements or contracts.
Users must not access the Internet, the Intranet or e-mail to use, upload, post, mail, display, or otherwise transmit in any manner any content, communication, or information that, among other inappropriate uses:
i. interferes with our official business;
ii. is hateful, harassing, threatening, libelous or defamatory, pornographic, profane, or sexually explicit;
iii. is deemed by our human resources department to offend persons based on race, ethnic heritage, national origin, sex, sexual orientation, age, physical or mental illness or disability, marital status, employment status, housing status, religion, or other characteristics that may be protected by applicable civil rights laws;
iv. impersonates a person (living or dead), organization, business, or other entity;
v. enables or constitutes gaming, wagering or gambling of any kind;
vi. promotes or participates in unauthorized fundraisers;
vii. promotes or participates in partisan political activities;
viii. promotes or participates in unauthorized advertising of our projects and any advertising of private projects;
ix. compromises or degrades the performance, security, or integrity of our information technology resources and information assets;
x. contains a virus, logic bomb, or malicious code;
xi. Constitutes participation in chain letters, unauthorized chat rooms, unauthorized instant messaging, spamming, or any unauthorized auto-response program or service.
3. Anti-Virus and Malware Protection – All computers MUST have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system. Our employees must only use email services on computers and laptops that provide scanning services for malware and phishing detection.