Information and Technology Use Policy

Last Update Status: 18/03/2022

1. Overview

Internet and technology related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail and internet browsing, are to be used for business purposes in serving the interests of the company and of our clients and customers in the course of normal operations. POS Works’ intention in publishing this Information and Technology Use Policy is to impose the restrictions needed to protect POS Works’ established culture of openness, trust and integrity.

Effective IT security is a team effort involving the participation and support of every POS Works employee and associate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

It is expected that all reasonable steps are taken to comply with the Australian Cyber Security Centre’s published “Essential Eight” cyber security controls.

1. UTILIZE APPLICATION/PROGRAM CONTROLS

Use application and program controls to prevent the execution of unapproved or malicious programs and installers.

2. PATCH APPLICATIONS

Patch or mitigate computers with ‘high risk’ vulnerabilities. Use the latest version of applications, including web browsers, Microsoft Office, Java and PDF viewers. Flash is end-of-life and no longer receives security patches; it should be removed rather than kept up to date.

3. CONFIGURE MICROSOFT OFFICE MACRO SETTINGS

Block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.

4. USER APPLICATION HARDENING

Configure web browsers to block Flash (ideally uninstall it), ads, and Java on the internet. Disable unnecessary features in Microsoft Office, web browsers, and PDF viewers.

5. RESTRICT ADMINISTRATIVE PRIVILEGES

Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges.

6. PATCH OPERATING SYSTEMS

Patch or mitigate computers (including network devices). Use the latest operating system version. Don’t use unsupported versions.

7. USE MULTI-FACTOR AUTHENTICATION

Use MFA wherever possible, particularly for programs that perform a privileged action or access an important (sensitive or high-availability) data repository.

8. REGULAR BACKUPS

Take regular backups of important new or changed data, software, and configuration settings; store them disconnected from the network, retain them for at least three months, and periodically test that they can be restored.

2. Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at POS Works. These rules are in place to protect the employee and POS Works. Inappropriate use exposes POS Works to risks including virus attacks, compromise of network systems and services, and legal issues.

3. Scope

This policy applies to the use of information, electronic and computing devices, and network resources to conduct POS Works business or interact with internal networks and business systems, whether owned or leased by POS Works, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at POS Works and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with POS Works policies and standards, and local laws and regulation.

This Policy specifically deals with the following areas: 

  • Software Installation
  • Password Policy
  • Password Construction
  • Email Policy
  • Clean Desk Policy
  • Acceptable Use Policy
  • Internet Policy

4. Policy Compliance

Management will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, business tool reports, internal and external audits, and feedback to the policy owner.

Non-Compliance

Violations of this policy may be subject to disciplinary action. 

SOFTWARE INSTALLATION POLICY

Overview

Allowing employees to install software on company computing devices opens the organization up to unnecessary exposure. Examples of the problems that can be introduced when employees install software on company equipment include conflicting file versions that prevent programs from running, malware introduced by infected installers, unlicensed software that could be discovered during an audit, and programs that can be used to attack the organization’s network.

Policy

  • Employees may not install software on POS Works computing devices operated within the POS Works network.  
  • Software requests must first be approved by the requester’s manager in writing or via email.  
  • Software must be selected from an approved software list, maintained by the Information Technology department, unless no selection on the list meets the requester’s need.  
  • The Information Technology Department will obtain and track the licenses, test new software for conflict and compatibility, and perform the installation.

PASSWORD POLICY

Overview

Passwords are an important aspect of computer security.  A poorly chosen password may result in unauthorized access and/or exploitation of our resources.  All staff, including contractors and vendors with access to POS Works systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. 

Policy

Password Creation

  • All user-level and system-level passwords must conform to the Password Construction Guidelines.
  • Users must use a separate, unique password for each of their work related accounts.  
  • Users may not use any work-related passwords for their own, personal accounts.
  • It is highly recommended that some form of multi-factor authentication is used for any privileged accounts.

Password Protection

  • Passwords must not be shared with anyone, including supervisors and coworkers. All passwords are to be treated as sensitive and confidential. 
  • Passwords must not be inserted into email messages or other forms of electronic communication, nor revealed over the phone to anyone. 
  • Passwords may be stored only in “password managers” authorized by the organization.
  • Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

PASSWORD CONSTRUCTION GUIDELINE

Overview

Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or network. This guideline provides best practices for creating secure passwords.

Statement of Guidelines

Strong passwords are long: the more characters a password has, the stronger it is.

We recommend a minimum of 13 characters in your password.  In addition, we highly encourage the use of passphrases, passwords made up of multiple words.  Examples include “It’s time for vacation” or “block-curious-sunny-leaves”.  Passphrases are both easy to remember and type, yet meet the strength requirements.  

Poor, or weak, passwords have the following characteristics:

  • Contain eight characters or fewer.
  • Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
  • Contain repeated, sequential or keyboard patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
  • Are some version of “Welcome123”, “Password123” or “Changeme123”.

In addition, every work account should have a different, unique password. To enable users to maintain multiple passwords, we highly encourage the use of ‘password manager’ software that is authorized and provided by the organization.  Whenever possible, also enable the use of multi-factor authentication.
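As an added example (not part of the POS Works policy itself), the following Python checker applies the weak-password characteristics listed above to a candidate password: length, personal information supplied by the caller, repeated and sequential character runs, keyboard-row sequences, mirrored digit patterns, and variations of the three default passwords the guideline names. The function names, the keyboard-row list and the character-substitution table are assumptions chosen for illustration; the policy’s own example passphrases are used as inputs.

```python
import re

MIN_LENGTH = 13    # recommended minimum length from the guideline
WEAK_LENGTH = 8    # "eight characters or fewer" is classed as weak

# Default-style base words the guideline calls out. "Welcome123", "Welc0me2022!"
# and "P@ssw0rd" all reduce to one of these after normalisation.
BLOCKED_BASE_WORDS = ("welcome", "password", "changeme")

# Keyboard rows (assumed US layout), used to spot runs such as "qwerty" in either direction.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Common character substitutions undone before the base-word comparison (illustrative set).
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def _has_repeated_run(pw, n=3):
    """True if any character repeats n or more times in a row (aaa, 111)."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def _has_sequential_run(pw, n=4):
    """True if n or more adjacent characters step by +1 or -1 (abcd, zyxw, 1234)."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        window = low[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_keyboard_run(pw, n=4):
    """True if n or more adjacent characters follow a keyboard row (qwer, poiu)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            fragment = row[i:i + n]
            if fragment in low or fragment[::-1] in low:
                return True
    return False


def _has_mirrored_digits(pw, n=6):
    """True if the password contains an n-digit palindrome such as 123321."""
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n]
        if window.isdigit() and window == window[::-1]:
            return True
    return False


def _is_default_variant(pw):
    """True if dropping leading/trailing digits and symbols and undoing substitutions leaves a blocked word."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    core = core.translate(_LEET)
    return any(word in core for word in BLOCKED_BASE_WORDS)


def check_password(pw, personal_tokens=()):
    """Return the list of guideline rules the password breaks; an empty list means it passes.

    personal_tokens is the caller's list of strings that count as personal information
    for this user (first name, pet's name, birth year, ...), since that cannot be
    inferred from the password alone.
    """
    reasons = []
    if len(pw) <= WEAK_LENGTH:
        reasons.append("eight characters or fewer")
    elif len(pw) < MIN_LENGTH:
        reasons.append("shorter than the recommended %d characters" % MIN_LENGTH)
    low = pw.lower()
    for token in personal_tokens:
        if len(token) >= 3 and token.lower() in low:
            reasons.append("contains personal information: %r" % token)
    if _has_repeated_run(pw):
        reasons.append("repeated character run (e.g. aaa)")
    if _has_sequential_run(pw):
        reasons.append("sequential run (e.g. abcd, zyxw, 1234)")
    if _has_keyboard_run(pw):
        reasons.append("keyboard-row sequence (e.g. qwerty)")
    if _has_mirrored_digits(pw):
        reasons.append("mirrored digit pattern (e.g. 123321)")
    if _is_default_variant(pw):
        reasons.append("variation of a common default password (Welcome123, Password123, Changeme123)")
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates: the guideline's own passphrases plus weak ones.
    for candidate in ("It's time for vacation", "block-curious-sunny-leaves",
                      "Welcome123", "P@ssw0rd!2024", "qwerty123321", "zyxwvuts-go-home"):
        print("%-28s %s" % (candidate, check_password(candidate) or "OK"))
```

Run directly, the guideline’s two passphrases pass and each weak candidate is reported with the rule it breaks. A check like this is a floor, not a ceiling: it cannot tell that a passphrase was reused from another account or has already appeared in a breach, which is why the policy also requires unique passwords per account, an authorized password manager, and multi-factor authentication.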

EMAIL POLICY

Overview

Email is often the primary communication and awareness method within an organization. At the same time, misuse of email can pose many legal, privacy and security risks, so it is important for users to understand the appropriate use of electronic communications.

Policy

  • All use of email must be consistent with POS Works policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices. 
  • POS Works email accounts should be used primarily for POS Works business-related purposes; personal communication is permitted on a limited basis, but non-POS Works related commercial uses are prohibited.
  • Email should be retained only if it qualifies as a POS Works business record. Email is a POS Works business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
  • The POS Works email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any POS Works employee should report the matter to their supervisor immediately.
  • Using a reasonable amount of POS Works resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email.  Sending chain letters or joke emails from a POS Works email account is prohibited. 

CLEAN DESK POLICY

Overview

A clean desk policy can be an important tool to ensure that all sensitive/confidential materials are removed from an end user workspace and locked away when the items are not in use or an employee leaves his/her workstation. It is one of the top strategies to utilize when trying to reduce the risk of security breaches in the workplace. Such a policy can also increase employees’ awareness about protecting sensitive information.

Policy

  • Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period. 
  • Computer workstations must be locked when workspace is unoccupied.
  • Computer workstations must be shut down completely at the end of the work day.
  • Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day. 
  • File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended. 
  • Keys used for access to Restricted or Sensitive information must not be left at an unattended desk. 
  • Laptops must be either locked with a locking cable or locked away in a drawer. 
  • Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location. 
  • Printouts containing Restricted or Sensitive information should be immediately removed from the printer. 
  • Upon disposal, Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the locked confidential disposal bins.
  • Whiteboards containing Restricted and/or Sensitive information should be erased.
  • Lock away portable computing devices such as laptops and tablets.
  • Treat mass storage devices such as CD-ROMs, DVDs or USB drives as sensitive and secure them in a locked drawer.

All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.

ACCEPTABLE USE POLICY

Policy

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is an employee of POS Works authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing POS Works-owned resources.

The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use. 

The following activities are strictly prohibited, with no exceptions:

  1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by POS Works. 
  2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which POS Works or the end user does not have an active license is strictly prohibited. 
  3. Accessing data, a server or an account for any purpose other than conducting POS Works business, even if you have authorized access, is prohibited.
  4. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question. 
  5. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.). 
  6. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home. 
  7. Using a POS Works computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction. 
  8. Making fraudulent offers of products, items, or services originating from any POS Works account. 
  9. Making statements about warranty, expressly or implied, unless it is a part of normal job duties. 
  10. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  11. Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty. 
  12. Circumventing user authentication or security of any host, network or account. 
  13. Introducing honeypots, honeynets, or similar technology on the POS Works network. 
  14. Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack). 
  15. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet. 
  16. Providing information about, or lists of, POS Works employees to parties outside POS Works.

Internet Policy

Overview

Internet connectivity presents the company with new risks that must be addressed to safeguard the facility’s vital information assets. 

Access to the Internet by personnel that is inconsistent with business needs results in the misuse of resources. These activities may adversely affect productivity due to time spent using or “surfing” the Internet. Additionally, the company may face loss of reputation and possible legal action through other types of misuse.

Access to the Internet will be provided to users to support business activities and only on an as-needed basis to perform their jobs and professional roles.

This Internet Policy applies to all Internet users (individuals working for the company, including permanent full-time and part-time employees, contract workers, temporary agency workers, business partners, and vendors) who access the Internet through the company’s computing or networking resources. The company’s Internet users are expected to be familiar with and to comply with this policy, and are also required to use their common sense and exercise good judgment while using Internet services.

Policy

Allowed Usage

Internet usage is granted for the sole purpose of supporting business activities necessary to carry out job functions. All users must follow the corporate principles regarding resource usage and exercise good judgment in using the Internet. Questions can be addressed to the IT Department.

Acceptable use of the Internet for performing job functions might include:

  • Communication between employees and non-employees for business purposes;
  • IT technical support downloading software upgrades and patches;
  • Review of possible vendor web sites for product information;
  • Reference to regulatory or technical information;
  • Research.

Personal Usage

All users of the Internet should be aware that the company network creates an audit log of requests for service, including both inbound and outbound addresses, and that this log is periodically reviewed.

Users who choose to store or transmit personal information such as private keys, credit card numbers or certificates, or who make use of Internet “wallets”, do so at their own risk. The company is not responsible for any loss of information, such as information stored in the wallet, or any consequential loss of personal property.

Prohibited Usage

Activities that are strictly prohibited include, but are not limited to:

  • Acquisition, storage, and dissemination of data which is illegal, pornographic, or which negatively depicts race, sex or creed is specifically prohibited. 
  • The company prohibits the conduct of a business enterprise, political activity, engaging in any form of intelligence collection from our facilities, engaging in fraudulent activities, or knowingly disseminating false or otherwise libelous materials. 
  • Accessing company information that is not within the scope of one’s work. This includes unauthorized reading of customer account information, unauthorized access of personnel file information, and accessing information that is not needed for the proper execution of job functions. 
  • Misusing, disclosing without proper authorization, or altering customer or personnel information. This includes making unauthorized changes to a personnel file or sharing electronic customer or personnel data with unauthorized personnel. 
  • Deliberate pointing or hyper-linking of company Web sites to other Internet/WWW sites whose content may be inconsistent with or in violation of the aims or policies of the company. 
  • Any conduct that would constitute or encourage a criminal offense, lead to civil liability, or otherwise violate any regulations, local, state, national or international law including without limitations export control laws and regulations. 
  • Use, transmission, duplication, or voluntary receipt of material that infringes on the copyrights, trademarks, trade secrets, or patent rights of any person or organization. Assume that all materials on the Internet are copyright and/or patented unless specific notices state otherwise. 
  • Transmission of any proprietary, confidential, or otherwise sensitive information without the proper controls. 
  • Creation, posting, transmission, or voluntary receipt of any unlawful, offensive, libelous, threatening, harassing material, including but not limited to comments based on race, national origin, sex, sexual orientation, age, disability, religion, or political beliefs. 
  • Any form of gambling.
  • Downloading of any shareware programs or files for use without authorization in advance from the IT Department and the user’s manager.

Bandwidth both within the company and in connecting to the Internet is a shared, finite resource. Users must make reasonable efforts to use this resource in ways that do not negatively affect other employees. Specific departments may set guidelines on bandwidth use and resource allocation, and may ban the downloading of particular file types.

Software License

The company strongly supports strict adherence to software vendors’ license agreements. When at work, or when company computing or networking resources are employed, copying of software in a manner not consistent with the vendor’s license is strictly forbidden. Questions regarding lawful versus unlawful copying should be referred to the IT Department for review or to request a ruling from the Legal Department before any copying is done. 

Similarly, reproduction of materials available over the Internet must be done only with the written permission of the author or owner of the document. Unless permission from the copyright owner(s) is first obtained, making copies of material from magazines, journals, newsletters, other publications and online documents is forbidden unless this is both reasonable and customary. This notion of “fair use” is in keeping with international copyright laws.  

Expectation of Privacy

Users should consider their Internet activities as periodically monitored and limit their activities accordingly.

Management reserves the right to examine E-mail, personal file directories, web access, and other information stored on company computers, at any time and without notice. This examination ensures compliance with internal policies and assists with the management of company information systems. 

E-mail Confidentiality

Users should be aware that clear text E-mail is not a confidential means of communication. The company cannot guarantee that electronic communications will be private. Employees should be aware that electronic communications can, depending on the technology, be forwarded, intercepted, printed, and stored by others. Users should also be aware that once an E-mail is transmitted it may be altered; unless a message is end-to-end encrypted and digitally signed, email gives no assurance of either confidentiality or integrity in transit. Deleting an E-mail from an individual workstation will not eliminate it from the various systems across which it has been transmitted.

Maintaining Corporate Image

When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that “the opinions expressed are my own and not necessarily those of the company”.

Company Materials

Users must not place company material (examples: internal memos, press releases, product or usage information, documentation, etc.) on any mailing list, public news group, or such service. Any posting of materials must be approved by the employee’s manager and the public relations department and will be placed by an authorized individual.