
Acceptable Use Policy

Update 10-15-2016

1. Overview
This policy is used to enforce the rules and restrictions implemented
by Carolinas Medical Centers. This document is in use to protect Carolinas
Medical Centers employees, affiliates and the company from illegal and/or
damaging actions by individuals, either knowingly or unknowingly.

Networks, including Internet/Intranet/Extranet-related systems, including but
not limited to computer hardware, software, OS, external storage,
internal storage, employee and affiliate email accounts, HTTP browsing and
FTP, are the legal property of Cleveland Medical Centers. These systems are
to be used for proprietary purposes and business use only, serving the
interest of the company only. Please review the company's human resources
policies for more information.

Effective information security is a team effort in accordance with our clients
and our employees. It is the responsibility of every employee and/or
client/vendor employee to know and follow these guidelines.

2. Purpose
The purpose of this policy is to outline the acceptable use policy of electronic
equipment including BYOD and PCs on the premises. These policies are in
place to protect the employee and Carolinas Regional Medical Centers.
Inappropriate use of the network and equipment can lead to virus attacks,
breach of confidentiality, and legal issues.

3. Scope
This policy applies to the use of confidential information and PHI, electronic
and computing devices (including BYOD) and network resources to conduct
Carolinas Medical Centers business or interact with internal networks and
business systems, whether owned or leased by Carolinas Medical Centers,
the employee, or a vendor. All employees, contractors, business consultants,
vendors, and other workers at CMC and its subsidiaries are responsible for
exercising good judgment regarding appropriate use of confidential
information, electronic devices, and internal and external network resources
in accordance with CMC policies and standards, local laws, federal laws
and regulation. Exceptions to this policy are documented ___________.
This policy applies to employees, contractors, consultants, temporaries, and
other workers at CMC including all personnel affiliated outside parties. This
policy applies to all equipment that is owned or leased by CMC.

4. General Use and Ownership


4.1 CMC proprietary information stored on electronic and computing
devices whether owned or leased by CMC, the employee or a third party,
shall remain the property of CMC. You must ensure through legal or
whatever means possible that proprietary information is protected in
accordance with the Information Security guidelines and Data Protection
policy.
4.2 You have the responsibility of reporting the loss of use, theft, or
exposure of any confidential information.
4.3 You may access, use or share CMC information only with authorized
personnel to fulfill your job duties as an employee of CMC.
4.4 Employees, vendors and contract employees are responsible for
exercising good judgment regarding the use and distribution of personal
use. Individual departments within the company are responsible for
creating guidelines concerning personal use of Internet/Intranet/Extranet
systems. In the absence of such policies, employees should be guided by
departmental policies on personal use, and if there is any uncertainty, or
reason to believe information might be exposed employees should
consult their supervisor or manager.
4.5 For the security and protection of the company and maintenance
purposes, authorized personnel will be able to monitor and track events
on the network at any time.
4.6 CMC reserves the right to audit networks and systems on a random
basis to ensure compliance with this policy.
4.2.0 Security and BYOD policies
4.2.1 All mobile devices connected to the network and/or using proprietary
information shall be monitored and shall follow the regulations for
company owned devices specified in the outline of this policy.
4.2.2 Password policies shall follow the Password Policy guidelines. User
level and system level passwords are used to authenticate your use and shall
not be used to authenticate other users for any reason. Any violation of the
Password Guidelines policy is strictly prohibited and will result in possible
legal action and termination of employment. Password guidelines and rules
are outlined in the Password policy document.
4.2.3 Password rules and further regulations are specified in more detail in
the Password Policy Guidelines document. Passwords should follow the
standard of 10 characters with numbers, letters and symbols.
4.2.3 Electronic equipment including BYOD equipment should be encrypted
with a password at all times and should be locked when not in use.
4.2.4 BYOD equipment can be used by authorized personnel on the network
but shall be subject to wiping if downloading PHI or other confidential
information. Read, write and edit privileges on BYOD devices shall be
different than on company owned equipment.
4.2.5 You are responsible as the user for BYOD and the information that is
used on non CMC approved devices and is subject to the outline of this
policy.
4.3.0 Unacceptable use
4.3.1 The following activities and/or actions are prohibited. Employees may
be exempted from these restrictions during the course of their legitimate job
responsibilities (e.g., systems administration staff/information security staff
may have a need to disable the network access of a host and/or persons if
that host or persons is disrupting productive services and responsibilities).
Under no circumstances is an employee of CMC authorized to engage in any
activity that is illegal under local, state, federal or international law while
utilizing Carolinas Medical Centers owned resources.

4.4.0 System and network Activities


4.4.1 Violations of the rights of any person or outside party and vendor
protected by copyright, patent or other intellectual property, or similar laws
or regulations, including, but not limited to, the installation or distribution of
"illegal copyrighted" or other software products that are not appropriately
licensed for use by CMC.
4.4.2 Unauthorized copying of copyrighted material including, digitization
and distribution of photographs from magazines, books,
internet/intranet/extranet or other copyrighted sources, copyrighted music,
and the installation of any copyrighted software for which CMC or the end
user does not have an active license or authorization to use is strictly
prohibited.
4.4.3. Accessing data, confidential information, a server or an account for
any purpose other than conducting CMC business, research and work even if
you have authorized access, is prohibited.
4.4.4 Exporting software that you have no legal bounds or patent, encryption
software or technology, is illegal. The appropriate management should be
consulted prior to export of any material that is in question.
4.4.5 The introduction of malicious programs into the network or server
(e.g., viruses, worms, Trojan horses, e-mail bombs, key loggers etc.).
4.4.6 Revealing your account password or log in information to others or
allowing use of your account by others. This includes family and other
household members and anyone other than yourself when work is being
done at home.
4.4.7 Using a CMC computing asset to engage in procuring or transmitting
material that is in violation of sexual harassment, discrimination, or hostile
workplace laws in the user's local jurisdiction.
4.4.8 Making fraudulent offers of products, or services originating from any
CMC account.
4.4.9 Making statements about warranty, or other non-accepted policies and
promises expressly or implied, unless it is a part of normal job duties.
4.4.10 Port scanning, security scanning and/or network sniffing is
expressly prohibited unless prior notification to Infosec is made.
4.4.11 Introducing honeypots, honeynets, or similar technology on the CMC
network is prohibited.
4.4.12 The use of DOS is strictly prohibited on the network.
4.4.13 Providing confidential information to outside sources and
unauthorized parties is prohibited.
4.5 Email and Communication Unauthorized use
When using company resources to access and use the Internet, users must
understand they are the face of and represent the company. Whenever
employees state an affiliation to the company, they must also clearly indicate
that "the opinions expressed are my own and not necessarily those of the
company". Questions may be directed to the IT Department.
1. Sending unsolicited email messages, including the sending of "spam" or
other advertising material to individuals who did not specifically request
such material is prohibited and can result in disconnection from
communication services.
2. Any form of harassment via email, telephone or instant messaging,
whether through language, frequency, or size of packets and/or messages.
3. Unauthorized use, or forging, of email header information or POP3
headers.
4. Spoofing of email for any other email address, other than that of the user's
account, with the intent to harass or to collect replies.
5. Use of unsolicited email originating from within CMC's networks of other
Internet/Intranet/Extranet service providers on behalf of, or to advertise, any
service hosted by CMC or connected to CMC's network shall result in dis
6.0 Blogging and Social Media
6.1.1 The use of social media by unauthorized personnel and departments
during company business hours and on company owned devices is strictly
prohibited.
6.1.2 The use of social media and blogging by employees on company
owned equipment and the use of confidential proprietary information on
social media or in blogs is strictly prohibited.
6.1.3 Access to social media on company owned property and on personal
devices on the network by employees, vendors and contract employees is
strictly prohibited due to the nature of the information.
7.0 Policy Compliance
7.1 Compliance Measurement The IT security team will verify mandated
compliance to this policy through various methods, including but not limited
to, business tool reports, network monitoring, internal and external audits
through the use of security guidelines and tools.
7.2 Exceptions Any exception to the policy must be approved by the IT team
and/or HR and Management in advance.
7.3 Non-Compliance An employee, contractor, vendor or outside party found
to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
8.0 Related standards Policies and Processes
Data Classification Policy
Data Protection Standard
Minimum Access Policy
Password Policy

Revision Date Personnel


10/30/16 Matthew Meadows
