Beruflich Dokumente
Kultur Dokumente
include the elements that are required for most network security
policies: privacy policy, acceptable use policy, authentication policy, Internet use policy, access
policy, auditing policy, and data protection policy. The security policy should also protect an
organization legally, and it should be a continual work in progress.
In compliance with the Convergys and DirecTv rules, the Convergys Corporation, and generally accepted industry
best practices, Convergys provides for the security and privacy of the data stored on, redirected through, or
processed by its technology resources. Convergys encourages the use of these technology resources, however they
remain the property of Convergys and are offered on a privilege basis only.
Throughout this policy, the term “staff” identifies full- and part-time employees, contractors, consultants,
temporaries, student assistants, volunteers, retired annuitants, vendors and other users including those affiliated with
third parties who access Convergys technology resources due to their job responsibilities. Management expects
staff to comply with this and other applicable Convergys policies, procedures, and local, state, federal, and
international laws. Failure to abide by these conditions may result in forfeiture of the privilege to use technology
resources, disciplinary action, and/or legal action.
The IT Policy Review Team regularly modifies this and other IT security related policies to reflect changes in
industry standards, legislation, technology and/or products, services, and processes at Convergys.
Privacy
Convergys reserves the right to monitor, duplicate, record and/or log all staff use of Convergys technology
resources with or without notice. This includes but is not limited to e-mail, Internet access, keystrokes, file access,
logins, and/or changes to access levels. Staff shall have no expectation of privacy in the use of these technology
resources.
Liability
Convergys makes no warranties of any kind, whether expressed or implied for the services in this policy. In
addition, Convergys is not responsible for any damages which staff may suffer or cause arising from or related
to their use of any Convergys technology resources. Staff must recognize that Convergys technology resource
usage is a privilege and that the policies implementing said usage are requirements that mandate adherence.
Staff Responsibilities and Accountability
Effective information security requires staff involvement as it relates to their jobs. Staff is accountable for their
actions and therefore they own any events occurring under their user identification code(s). It is staff’s responsibility
to abide by policies and procedures of all networks and systems with which they communicate. Access of personal
or private Internet Service Providers while using Convergys provided information technology resources or using
non- Convergys provided information technology resources to conduct Convergys business does not indemnify
any entity from the responsibilities, accountability and/or compliance with this or other Convergys policies. Staff
responsibilities include but are not limited to:
Access and release only the data for which you have authorized privileges and a need to know (including
misdirected e-mail)
Abide by and be aware of all policies and laws (local, state, federal, and international) applicable to computer
system use
Report information security violations to the Information Security Officer or designee and cooperate fully with
all investigations regarding the abuse or misuse of state owned information technology resources
Protect assigned user IDs, passwords, and other access keys from disclosure
Secure and maintain confidential printed information, magnetic media or electronic storage mechanisms in
approved storage containers when not in use and dispose of these items in accordance with Convergys policy
Log off of systems (or initiate a password protected screensaver) before leaving a workstation unattended
Use only Convergys acquired and licensed software
Attend periodic information security training provided by Convergys IT Security Branch
Follow all applicable procedures and policies
1.0 Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private
Network (VPN) connections to the <Company Name> corporate network.
2.0 Scope
This policy applies to all <Company Name> employees, contractors, consultants, temporaries, and other
workers including all personnel affiliated with third parties utilizing VPNs to access the <Company Name>
network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
3.0 Policy
Approved <Company Name> employees and authorized third parties (customers, vendors, etc.) may utilize
the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for
selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and
paying associated fees. Further details may be found in the Remote Access Policy.
Additionally,
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not
allowed access to <Company Name> internal networks.
2. VPN use is to be controlled using either a one-time password authentication such as a token
device or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC
over the VPN tunnel: all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by <Company Name> network operational groups.
6. All computers connected to <Company Name> internal networks via VPN or any other
technology must use the most up-to-date anti-virus software that is the corporate standard (provide
URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from <Company Name>'s network after thirty
minutes of inactivity. The user must then logon again to reconnect to the network. Pings or other
artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not <Company Name>-owned equipment must configure the
equipment to comply with <Company Name>'s VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are
a de facto extension of <Company Name>'s network, and as such are subject to the same rules and
regulations that apply to <Company Name>-owned equipment, i.e., their machines must be
configured to comply with InfoSec's Security Policies.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including
termination of employment.