Acceptable Use Policy (A.8.1.3)

Objectives

  • This Acceptable Use Policy exists to protect Breezy information assets and information systems, and in doing so to protect both the company and the individual user. The policy defines how systems and infrastructure are to be accessed and utilized in an approved manner, which aligns with the morals, ethics and professional standards of Breezy HR.
  • Rather than being a restriction on Breezy’s culture of trust and integrity, this Acceptable Use Policy is designed to ensure individuals are aware of acceptable and unacceptable behavior so as not to expose the company or themselves to risks or consequential actions or liabilities, knowingly or accidentally.

Scope

The Breezy HR Acceptable Use Policy shall apply to all employees, contractors and third-party users of Breezy HR information assets, information systems and other resources provided by Breezy for the purpose of supporting the Applicant Tracking System from Breezy HR.

General Statements

  • Breezy information assets shall receive a classification according to their sensitivity. This classification shall determine how the information asset is to be managed, processed, stored, protected and disposed of, in accordance with the Breezy ISMS and Breezy HR Information Handling & Classification Policy.
  • Information systems and other Breezy resources are provided primarily for authorized company purposes only. Reasonable personal use of company equipment and resources shall be permitted, in accordance with this Acceptable Use Policy and the Engineering Manager, provided this usage does not access (or attempt to access) any information assets being stored or processed on behalf of Breezy and/or its clients/users.
  • Under no circumstances shall users use information systems to access company information assets other than for their own legitimate business activities. Users shall not access, download, modify, copy, delete or transmit Breezy information other than in strict adherence to published policies and processes which control legitimate business activities.
  • Under no circumstances shall users engage in activities which interfere with the legitimate access or activities of other authorized users, or engage in any activity which could result in the denial of access or use of the service to others.
  • Under no circumstances shall users be permitted to engage in any activity which is illegal under international, national or local laws or regulations. Should there be any conflict between such legislation and any part of this Acceptable Use Policy, this shall be referred to Senior Management as soon as possible for investigation and resolution.
  • Acceptable use prohibits users from creating, processing, downloading, storing, sharing or communicating any material offensive in nature which, for clarity, includes words or images that contain:
      • Sexual images, language or suggestive behavior
      • Racial or ethnic commentary or opinions
      • Gender specific commentary or opinions
      • Offensive or derogatory comments about one or more persons’:
          • Age
          • Sexual orientation
          • Marital or partnership status
          • Religious beliefs
          • Political beliefs
          • National or ethnic origin
          • Disability
  • Breezy shall at all times promptly respond to requests for information arising from criminal investigations and legal proceedings, including electronically stored information, and therefore reserves the right to enter any of its information systems, and data repositories connected to them, to inspect, review, store or retrieve data within those systems.
  • Breezy shall have the right to monitor its employees’, contractors’ and third-party users’ access to and use of information assets, information systems, email and voicemail message repositories and other related resources provided by Breezy for the purpose of conducting its normal business activities.
  • This Acceptable Use Policy shall apply to all Breezy infrastructure, including but not limited to hardware assets (including servers, desktop computers, laptop computers, mobile telephones and tablets), software assets (including operating systems and application software), storage assets (including magnetic/optical media and USB devices) and use of network infrastructure.
  • If this Acceptable Use Policy does not provide sufficient information on a particular subject, it shall be referred to Senior Management for consideration and specific approval before the activity is permitted to take place.
  • Any employee found to have violated any of the requirements of this Acceptable Use Policy shall be subject to disciplinary action, which may include the termination of their employment with Breezy. Any contractor or third-party user found to have violated any of the requirements of this Acceptable Use Policy shall be dealt with as appropriate, including termination of engagement or formal escalation to the contractor’s or third-party user’s organization.

Acceptable Use of Computers and Information Systems

  • All information systems and related resources shall be protected by passwords (which comply with the requirements of the Password Management Policy) and other security controls as documented within the risk assessment for the information system concerned. Information systems shall be protected by automatic time-out locking after a defined period of inactivity, or by users locking the system manually when not being used.
  • Users shall only attempt to access information systems and related resources they have specific authority to access. Disciplinary action shall be taken against any user found attempting to bypass security controls, accessing data not authorized for the user or using another user’s account. It shall not be permitted for a user to attempt to “hack” into information systems, data sources or other websites either internally or externally, and users shall at all times comply with the Breezy Access Control Policy.
  • All information systems and related resources shall be protected by anti-virus software and other software tools installed to protect their normal operations from unauthorized amendment or interference by rogue code. Operating systems and software applications shall be promptly updated with patches supplied by the vendor, but only once they have been properly evaluated, to ensure vulnerabilities are permanently addressed. Anti-virus software and other protective tools shall be reviewed frequently to ensure they are providing protection in accordance with the latest threat lists. All users within the scope of this policy shall at all times comply with the Breezy Malware Policy.
  • Users shall promptly cooperate and comply with instructions issued by Breezy in relation to the upgrading of hardware device firmware, where such upgrades have been assessed as being necessary to ensure the ongoing and secure operation of the hardware device.
  • Breezy information systems and related resources shall not be used to download, process, store or transmit any material Breezy considers (at its sole discretion) to be obscene, threatening, abusive, offensive to others, defamatory, indecent, racist, sexist, libelous, hateful or connected to criminal or illegal actions or intentions. In addition, acts relating to breaching copyrighted material, trade secrets or violating intellectual property shall also be forbidden.
  • Breezy’s network infrastructure shall only be used for the purposes for which it has been designed and implemented. Users shall not modify or disrupt any network connectivity, or purposefully undertake any activity which increases the volume or nature of network traffic so as to cause disruption to its normal operation. Breezy network resources shall not be used for transferring non-commercial data other than for “reasonable” use as found in this Policy. Breezy constantly monitors and records all network activity.
  • All software assets intended to be installed on Breezy information systems shall be submitted to formal change management approval, and shall only be authorized if:
      • they have been fully and properly evaluated for information security vulnerabilities
      • they have received specific authorization from change management for the installation
      • the company holds a valid software license for the intended installation
      • they are to be installed strictly in accordance with the vendor’s software license
      • the company has the ability to support the software with updates and security patches
  • Breezy reserves the right to monitor and audit instances of installed software on Breezy assets and systems. Any attempts by users to prevent or interfere with such monitoring or audits will be subject to disciplinary action as noted in this Policy.
  • Breezy shall not permit the connection of any personal external storage device, including external hard drives, USB memory sticks and memory cards to any Breezy system without prior permission from Senior Management issued against a valid business requirement. Dependent upon each individual request and the permission granted, sensitive or protectively marked information shall be protected by appropriate encryption. Any such data shall be securely and permanently removed and the device cleansed to acceptable levels at the first available opportunity: simple file deletion shall not be acceptable for this purpose.
  • The Computer Misuse Act 1990 covers the offenses of illegally accessing and using computer systems without authority, and also the unauthorized introduction of software into a computer system with the intention of either (a) affecting the normal operation of the computer system, or (b) interfering with any data or program stored or installed on the computer system. Users shall maintain awareness of the offenses covered by this law.

Acceptable Use of Mobile Devices

  • Users of Breezy issued mobile devices, including laptops, mobile telephones and Personal Electronic Devices (PEDs) shall at all times comply with the issued documented requirements detailing how they are to be accessed, used, stored and protected. Such devices shall be protected by passwords which comply with the requirements of the Breezy Password Management Policy. Any actual or suspected loss, theft or misuse shall be promptly reported as an Information Security Incident.
  • Information on mobile devices, including laptops, mobile telephones and Personal Electronic Devices (PEDs), shall be kept to an absolute minimum to ensure that, in the event of loss, theft, misuse or damage, the risk exposure and liability have been kept to an absolute minimum. Any data which is to be stored on mobile devices shall be encrypted in accordance with Breezy requirements: if encryption is technically not possible, the data storage shall not be permitted. Users of mobile devices shall periodically review the device to purge all unnecessary or historic data.
  • Personally owned mobile devices (e.g. laptops, smart phones etc.) shall only be used on Breezy business or connected to Breezy resources strictly in accordance with the requirements contained within the LTG Bring Your Own Device Policy.
  • The use of mobile telephones shall be in accordance with the Acceptable Use of Telephony Systems section of this Policy.

Acceptable Use of Email Systems

  • Breezy shall permit reasonable use of Breezy email facilities for personal use, subject to Engineering Manager approval. All such personal use shall be processed, stored and screened as if it were a business communication and shall be made available for inspection as required. The company reserves the right to restrict personal use of email systems at any time.
  • Recipients of email messages shall be aware of the consequences and risks of opening emails (and attachments to emails) which may be infected with viruses or other malware. Users shall, at all times, comply with the Breezy Malware Policy. When opening a Word or Excel document which requests “macros to be enabled”, this shall always be answered “no” unless the macro is from a trusted source and the content is expected by the recipient.
  • Breezy email systems shall not be used for:
      • Commercial ventures not related to the Company, including sending spam or bulk email messages.
      • The transmission or receipt of messages which contain “offensive material”, as defined in this Policy.
      • Sending communications which, by virtue of their content or frequency, may be considered to be a form of harassment by the message recipient.
  • Users of Breezy email systems for work-related purposes or for posting information to work-related forums or discussion groups shall ensure:
      • Proper care is taken to address the communication correctly, so as to minimize the opportunity of the message being non-delivered or accidentally misrouted.
      • Unless the intended recipient is committed to a contractual non-disclosure agreement, only information authorized to be in the public domain can be sent.
      • Unless the intended recipient is committed to a contractual non-disclosure agreement covering the intended purpose of the email, information shall not be sent which discloses Breezy HR locations, operations or employee or client information.
      • All email communications shall include the standard Breezy HR email footer message, which includes information regarding opinions expressed in the email message and actions to be taken in the event of message mis-delivery.
      • Unless specifically authorized by the Chief Executive Officer, any posting or opinions expressed in work-related forums or discussion groups shall specifically state the posting or opinion does not reflect Breezy’s position or opinion.
      • They conduct themselves in a professional manner with courtesy, integrity and professionalism, which aligns with Breezy’s corporate standing. Users shall ensure any/all messages or posts do not violate copyright or intellectual property rights.

Acceptable Use of Internet & Web Based Groups

  • Access to the internet (or World Wide Web “www”) is provided primarily for authorized business purposes and for the conducting of normal Breezy business. Reasonable personal use of this facility shall be permitted. Users shall not access, attempt to access or perform search activities for websites which contain “offensive material”, as defined in this Acceptable Use Policy.
  • Software (including tools and utilities) shall not be downloaded from the internet to Breezy information systems without the prior agreement of Change Management following the stages outlined in Acceptable Use of Computers and Information Systems.

Acceptable Use of Telephony Systems

  • Breezy telephone systems (including fax facilities) are provided primarily for authorized business purposes and for the conducting of normal Breezy business. A reasonable number of personal calls shall be permitted with Manager approval. Users shall keep their personal calls short, making calls to landline destinations where possible instead of mobiles, and shall not make international calls unless for business reasons.

Responsibilities

All individuals specified within the scope of this Acceptable Use Policy shall have individual responsibility for complying with each and every aspect of this policy. The requirement to comply with Breezy policies is included within the Terms and Conditions of Employment, and is noted within each individual’s job specification.

The Engineering Manager and Personnel Manager shall be responsible for progressing any breaches of this Acceptable Use Policy to disciplinary action.