[Company Name] Information Security Policy Introduction Violations Administration Contents Statement of responsibility Manager responsibilities IT department responsibilities The Internet and e-mail Policy Acceptable use Unacceptable use Downloads Employee responsibilities Copyrights Monitoring Computer viruses Background IT responsibilities Employee responsibilities Spyware IT responsibilities Employee responsibilities Access codes and passwords IT responsibilities Employee responsibilities Supervisor’s responsibility Human resources responsibility Physical security Employee responsibilities Copyrights and license agreements Legal reference Scope IT responsibilities Employee responsibilities Civil penalties Criminal penalties Acknowledgment of Information Security Policy Procedure Signature Additional resources Version history Tell us what you thinkPage 1 Copyright ©2005 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.htmlInformation Security Policy Version 2.0 April 7, 2005 This set of guidelines on corporate information security, which originally published in 2001, came to us from TechRepublic member Henry Dumas. We’ve updated it so that it can serve as a framework for your own information security policy or to compare to the one your organization has on the books. You can use it as a stand-alone document or incorporate it into your current set of company policies. Dumas said that to ensure that employees understand the policy, the company provides a copy for each worker. Employees also attend a meeting to help them understand why the policy is so important to the company. After reading the policy, workers sign a form acknowledging that they have read the policy and understand it. We’ve included that form in this download. To make sure that the business is following its own guidelines, you may want to conduct routine compliance audits. .Information Security Policy [Company Name] Information Security Policy Introduction Computer information systems and networks are an integral part of business at [Company Name]. The company has made a substantial investment in human and financial resources to create these systems. The enclosed policies and directives have been established in order to: • Protect this investment. • Safeguard the information contained within these systems. • Reduce business and legal risk. • Protect the good name of the company. Violations Violations may result in disciplinary action in accordance with company policy. Failure to observe these guidelines may result in disciplinary action by the company depending upon the type and severity of the violation, whether it causes any liability or loss to the company, and/or the presence of any repeated violation(s). Administration The information technology department (IT department) is responsible for the administration of this policy. Contents The topics covered in this document include: • Statement of responsibility • The Internet and e-mail • Computer viruses • Spyware • Access codes and passwords • Physical security • Copyrights and license agreements Statement of responsibility General responsibilities pertaining to this policy are set forth in this section. The following sections list additional specific responsibilities. Manager responsibilities Managers and supervisors must: 1. Ensure that all appropriate personnel are aware of and comply with this policy. 2. Create appropriate performance standards, control practices, and procedures designed to provide reasonable assurance that all employees observe this policy. IT department responsibilities The IT department must: 1. Develop and maintain written standards and procedures necessary to ensure implementation of and compliance with these policy directives. 2. Provide appropriate support and guidance to assist employees to fulfill their responsibilities under this directive. Page 2 Copyright ©2005 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html.Information Security Policy The Internet and e-mail The Internet is a very large, publicly accessible network that has millions of connected users and organizations worldwide. One popular feature of the Internet is e-mail. Policy Access to the Internet is provided to employees for the benefit of [Company Name] and its customers. Employees are able to connect to a variety of business information resources around the world. Conversely, the Internet is also replete with risks and inappropriate material. To ensure that all employees are responsible and productive Internet users and to protect the company’s interests, the following guidelines have been established for using the Internet and e-mail. Acceptable use Employees using the Internet are representing the company. Employees are responsible for ensuring that the Internet is used in an effective, ethical, and lawful manner. Examples of acceptable use are: • Using Web browsers to obtain business information from commercial Web sites. • Accessing databases for information as needed. • Using e-mail for business contacts. Unacceptable use Employees must not use the Internet for purposes that are illegal, unethical, harmful to the company, or nonproductive. Examples of unacceptable use are: • Sending or forwarding chain e-mail, i.e., messages containing instructions to forward the message to others. • Broadcasting e-mail, i.e., sending the same message to more than 10 recipients or more than one distribution list. • Conducting a personal business using company resources. • Transmitting any content that is offensive, harassing, or fraudulent. Downloads File downloads from the Internet are not permitted unless specifically authorized in writing by the IT manager. Employee responsibilities An employee who uses the Internet or Internet e-mail shall: 1. Ensure that all communications are for professional reasons and that they do not interfere with his/her productivity. 2. Be responsible for the content of all text, audio, or images that (s)he places or sends over the Internet. All communications should have the employee’s name attached. 3. Not transmit copyrighted materials without permission. 4. Know and abide by all applicable company policies dealing with security and confidentiality