Securities
Acceptable Use Policy (A.8.1.3)
Objectives
- This Acceptable Use Policy exists to protect Breezy information assets and information systems and, in doing so, to protect both the company and the individual user. The policy defines how systems and infrastructure are to be accessed and utilized in an approved manner, which aligns with the morals, ethics and professional standards of Breezy HR.
- Rather than being a restriction on Breezy culture of trust and integrity, this Acceptable Use Policy is designed to ensure individuals are aware of acceptable and unacceptable behavior so as not to expose the company or themselves to risks or consequential actions or liabilities, knowingly or accidentally.
Scope
The Breezy HR Acceptable Use Policy shall apply to all employees, contractors, and third-party users of Breezy HR information assets, information systems, and other resources provided by Breezy for the purpose of supporting the Applicant Tracking System from Breezy HR.
General Statements
- Breezy information assets shall receive a classification according to their sensitivity. This classification shall determine how the information asset is to be managed, processed, stored, protected, and disposed of, in accordance with the Breezy ISMS and Breezy HR Information Handling & Classification Policy.
- Information systems and other Breezy resources are provided primarily for authorized company purposes only. Reasonable personal use of company equipment and resources shall be permitted, in accordance with this Acceptable Use Policy and Technology Manager guidance, and providing this usage does not access (or attempt to access) any information assets being stored or processed on behalf of Breezy and/or its clients/users.
- Under no circumstances shall users use information systems to access company information assets other than for their own legitimate business activities. Users shall not access, download, modify, copy, delete or transmit Breezy information other than in strict adherence to published policies and processes which control legitimate business activities.
- Under no circumstances shall users engage in activities that interfere with the legitimate access or activities of other authorized users, or engage in any activity which could result in the denial of access or use of the service to others.
- Under no circumstances shall users be permitted to engage in any activity which is illegal under international, national, or local laws or regulations. Should there be any conflict between such legislation and any part of this Acceptable Use Policy, this shall be referred to Senior Management as soon as possible for investigation and resolution.
- Acceptable use prohibits users from creating, processing, downloading, storing, sharing, or communicating any material offensive in nature which, for clarity, includes words or images that contain:
  - Sexual images, language, or suggestive behavior
  - Racial or ethnic commentary or opinions
  - Gender-specific commentary or opinions
  - Offensive or derogatory comments about one or more persons’:
    - Age
    - Sexual orientation
    - Marital or partnership status
    - Religious beliefs
    - Political beliefs
    - National or ethnic origin
    - Disability
- Breezy shall at all times promptly respond to requests for information arising from criminal investigations and legal proceedings, including electronically stored information, and therefore reserves the right to enter any of its information systems, and data repositories connected to them, to inspect, review, store or retrieve data within those systems at any time.
- Breezy shall have the right to monitor its employee, contractor, and third-party user access to and use of information assets, information systems, email and voicemail message repositories, and other related resources provided by Breezy for the purpose of conducting its normal business activities.
- This Acceptable Use Policy shall apply to all Breezy infrastructure, including but not limited to hardware assets (including servers, desktop computers, laptop computers, mobile telephones, and tablets), software assets (including operating systems and application software), storage assets (including magnetic/optical media and USB devices) and use of network infrastructure.
- If this Acceptable Use Policy does not provide sufficient information on a particular subject, it shall be referred to Senior Management for consideration and specific approval before the activity is permitted to take place.
- Any employee found to have violated any of the requirements of this Acceptable Use Policy shall be subject to disciplinary action, which may include the termination of their employment with Breezy. Any contractor or third-party user found to have violated any of the requirements of this Acceptable Use Policy shall be dealt with as appropriate, including termination of engagement or formal escalation to the contractor’s or third-party user’s organization.
Acceptable Use of Computers and Information Systems
- All information systems and related resources shall be protected by passwords that comply with the requirements of the Password Management Policy and other security controls as documented within the risk assessment for the information system concerned. Information Systems shall be protected by automatic time-out locking after a defined period of inactivity, or by users locking the system manually when not being used.
- Users shall only attempt to access information systems and related resources they have specific authority to access. Disciplinary action shall be taken against any user found attempting to bypass security controls, accessing data not authorized for the user, or using another user’s account. It shall not be permitted for a user to attempt to “hack” into information systems, data sources, or other websites either internally or externally, and users shall at all times comply with the Breezy Access Control Policy.
- All information systems and related resources shall be protected by anti-virus software and other software tools installed to protect their normal operations from unauthorized amendment or interference by rogue code. Operating systems and software applications shall be promptly updated with patches supplied by the vendor, but only once they have been properly evaluated, to ensure vulnerabilities are permanently addressed. Anti-virus software and other protective tools shall be reviewed frequently to ensure they are providing protection in accordance with the latest threat lists. All users within the scope of this policy shall at all times comply with the Breezy Malware Policy.
- Users shall promptly cooperate and comply with instructions issued by Breezy in relation to the upgrading of hardware device firmware, where such upgrades have been assessed as being necessary to ensure the ongoing and secure operation of the hardware device.
- Breezy information systems and related resources shall not be used to download, process, store, or transmit any material Breezy considers (at its sole discretion) to be obscene, threatening, abusive, offensive to others, defamatory, indecent, racist, sexist, libelous, hateful, or connected to criminal or illegal actions or intentions. In addition, acts relating to breaching copyrighted material, trade secrets, or violating intellectual property shall also be forbidden.
- Breezy’s network infrastructure shall only be used for the purposes for which it has been designed and implemented. Users shall not modify or disrupt any network connectivity, or purposefully undertake any activity which increases the volume or nature of network traffic so as to cause disruption to its normal operation. Breezy network resources shall not be used for transferring non-commercial data other than for “reasonable” use as found in this Policy. Breezy constantly monitors and records all network activity.
- All software assets intended to be installed on Breezy information systems shall be submitted to formal change management approval, and shall only be authorized if:
  - they have been fully and properly evaluated for information security vulnerabilities
  - they have received specific authorization from change management for the installation
  - the company holds a valid software license for the intended installation
  - they are to be installed strictly in accordance with the vendor’s software license
  - the company has the ability to support the software with updates and security patches
- Breezy reserves the right to monitor and audit instances of installed software on Breezy assets and systems. Any attempts by users to prevent or interfere with such monitoring or audits will be subject to disciplinary action, as noted in this Policy.
- Breezy shall not permit the connection of any personal external storage device, including external hard drives, USB memory sticks, and memory cards to any Breezy system without prior permission from Senior Management issued against a valid business requirement. Dependent upon each individual request and the permission granted, sensitive or protectively marked information shall be protected by appropriate encryption as defined in the Information Classification and Handling Policy. Any such data shall be securely and permanently removed and the device cleansed to acceptable levels at the first available opportunity: simple file deletion shall not be acceptable for this purpose.
- The Computer Misuse Act 1990 covers the offenses of illegally accessing and using computer systems without authority, and also the unauthorized introduction of software into a computer system with the intention of either (a) affecting the normal operation of the computer system, or (b) interfering with any data or program stored or installed on the computer system. Users shall maintain awareness of the offenses covered by this law.
Acceptable Use of Mobile Devices
- Users of Breezy-issued mobile devices, including laptops, mobile telephones, and Personal Electronic Devices (PEDs), shall at all times comply with the issued documented requirements detailing how they are to be accessed, used, stored, and protected. Such devices shall be protected by passwords that comply with the requirements of the Breezy Password Management Policy. Any actual or suspected loss, theft, or misuse shall be promptly reported as an Information Security Incident.
- Information on mobile devices, including laptops, mobile telephones, and Personal Electronic Devices (PEDs), shall be kept to an absolute minimum to ensure in the event of loss, theft, misuse, or damage, that risk exposure and liability have been kept to an absolute minimum. Any data which is to be stored on mobile devices shall be encrypted in accordance with the Information Classification and Handling Policy and Cryptographic Control Policy: if encryption is technically not possible, the data storage shall not be permitted. Users of mobile devices shall periodically review the device to purge all unnecessary or historic data.
- Personally owned mobile devices (e.g. laptops, smartphones, etc.) shall only be used on Breezy business or connected to Breezy resources strictly in accordance with the requirements contained within the LTG Bring Your Own Device Policy.
- The use of mobile telephones shall be in accordance with the Acceptable Use of Telephony Systems section of this Policy.
Acceptable Use of Email Systems
- Breezy shall permit reasonable use of Breezy email facilities for personal use, subject to Technology Director approval. All such personal use shall be processed, stored, and screened as if it were a business communication and shall be made available for inspection as required. The company reserves the right to restrict personal use of email systems at any time.
- Users shall be aware of the consequences and risks of opening emails (and attachments to emails) which may be infected with viruses or other malware. Users shall, at all times, comply with the Breezy Malware Policy. When opening a Word or Excel document which requests “macros to be enabled”, this shall always be answered “no” unless the macro is from a trusted source and the content is expected by the recipient.
- All Breezy-authored emails shall receive classification review, by email author, prior to transmission to ensure proper security classification and handling procedures are followed in alignment with the Information Classification & Handling Policy.
- Breezy email systems shall not be used for:
  - Commercial ventures not related to the Company, including sending spam or bulk email messages.
  - The transmission or receipt of messages which contain “offensive material”, as defined in this Policy.
  - Sending communications that, by virtue of their content or frequency, may be considered to be a form of harassment by the message recipient.
- Users of Breezy email systems for work-related purposes or for posting information to work-related forums or discussion groups shall ensure:
  - Proper care is taken to address the communication correctly, so as to minimize the opportunity of the message being non-delivered or accidentally misrouted.
  - Unless the intended recipient is committed to a contractual non-disclosure agreement, only information authorized to be in the public domain can be sent.
  - Unless the intended recipient is committed to a contractual non-disclosure agreement covering the intended purpose of the email, information shall not be sent that discloses Breezy HR locations, operations, or employee or client information.
  - Unless specifically authorized by the Chief Executive Officer, any posting or opinions expressed in work-related forums or discussion groups shall specifically state the posting or opinion does not reflect Breezy’s position or opinion.
  - They conduct themselves in a professional manner with courtesy, integrity, and professionalism, which aligns with Breezy’s corporate standing.
  - Users shall ensure any/all messages or posts do not violate copyright or intellectual property rights.
Acceptable Use of Internet & Web-Based Groups
- Access to the Internet is provided primarily for authorized business purposes and for the conducting of normal Breezy business. Reasonable personal use of this facility shall be permitted. Users shall not access, attempt to access, or perform search activities for websites that contain “offensive material”, as defined in this Acceptable Use Policy.
- Software (including tools and utilities) shall not be downloaded from the internet to Breezy information systems without the prior agreement of Change Management following the stages outlined in Acceptable Use of Computers and Information Systems and completion and approval of an OTS Software Registration Form.
Acceptable Use of Telephony Systems
- Breezy telephone systems (including fax facilities) are provided primarily for authorized business purposes and for the conducting of normal Breezy business. A reasonable number of personal calls shall be permitted with Manager approval. Users shall keep their personal calls short, making calls to landline destinations where possible instead of mobiles, and shall not make international calls unless for business reasons.
Responsibilities
All individuals specified within the scope of this Acceptable Use Policy shall have individual responsibility for complying with each and every aspect of this policy. The requirement to comply with Breezy policies is included within the Terms and Conditions of Employment and is noted within each individual’s job specification.
The Technology Director and Personnel Manager shall be responsible for progressing any breaches of this Acceptable Use Policy to disciplinary action.