
A Network Security Policy 

The policy should include the elements that are required for most network security
policies: privacy policy, acceptable use policy, authentication policy, Internet use policy, access
policy, auditing policy, and data protection policy. The security policy should also protect an
organization legally, and it should be a continual work in progress.

In compliance with the Convergys and DirecTv rules, the Convergys Corporation, and generally accepted industry
best practices, Convergys provides for the security and privacy of the data stored on, redirected through, or
processed by its technology resources. Convergys encourages the use of these technology resources; however, they
remain the property of Convergys and are offered on a privilege basis only.
Throughout this policy, the term “staff” identifies full- and part-time employees, contractors, consultants,
temporaries, student assistants, volunteers, retired annuitants, vendors and other users including those affiliated with
third parties who access Convergys technology resources due to their job responsibilities. Management expects
staff to comply with this and other applicable Convergys policies, procedures, and local, state, federal, and
international laws. Failure to abide by these conditions may result in forfeiture of the privilege to use technology
resources, disciplinary action, and/or legal action.
The IT Policy Review Team regularly modifies this and other IT security related policies to reflect changes in
industry standards, legislation, technology and/or products, services, and processes at Convergys.
Privacy
Convergys reserves the right to monitor, duplicate, record and/or log all staff use of Convergys technology
resources with or without notice. This includes but is not limited to e-mail, Internet access, keystrokes, file access,
logins, and/or changes to access levels. Staff shall have no expectation of privacy in the use of these technology
resources.
Liability
Convergys makes no warranties of any kind, whether expressed or implied, for the services in this policy. In
addition, Convergys is not responsible for any damages which staff may suffer or cause arising from or related
to their use of any Convergys technology resources. Staff must recognize that Convergys technology resource
usage is a privilege and that the policies implementing said usage are requirements that mandate adherence.
Staff Responsibilities and Accountability
Effective information security requires staff involvement as it relates to their jobs. Staff are accountable for their
actions and therefore they own any events occurring under their user identification code(s). It is staff’s responsibility
to abide by policies and procedures of all networks and systems with which they communicate. Access of personal
or private Internet Service Providers while using Convergys provided information technology resources or using
non-Convergys provided information technology resources to conduct Convergys business does not indemnify
any entity from the responsibilities, accountability and/or compliance with this or other Convergys policies. Staff
responsibilities include but are not limited to:
- Access and release only the data for which you have authorized privileges and a need to know (including misdirected e-mail)
- Abide by and be aware of all policies and laws (local, state, federal, and international) applicable to computer system use
- Report information security violations to the Information Security Officer or designee and cooperate fully with all investigations regarding the abuse or misuse of state owned information technology resources
- Protect assigned user IDs, passwords, and other access keys from disclosure
- Secure and maintain confidential printed information, magnetic media or electronic storage mechanisms in approved storage containers when not in use and dispose of these items in accordance with Convergys policy
- Log off of systems (or initiate a password protected screensaver) before leaving a workstation unattended
- Use only Convergys acquired and licensed software
- Attend periodic information security training provided by Convergys IT Security Branch
- Follow all applicable procedures and policies

© SANS Institute 2001, Author retains full rights
Electronic Mail (E-Mail) Policy
Convergys electronic mail services (e-mail) policy provides staff with guidelines for permitted use of the
Convergys e-mail technology resource. The policy covers e-mail coming from or going to all Convergys owned
personal computers, servers, laptops, paging systems, cellular phones, and any other resource capable of sending or
receiving e-mail.
Ownership
Convergys owns all e-mail systems, messages generated on or processed by e-mail systems (including backup
copies), and the information they contain. Although staff members receive an individual password to access the
e-mail systems, e-mail and e-mail resources remain the property of Convergys.
Monitoring
Convergys monitors, with or without notice, the content of e-mail for problem resolution, providing security,
or investigative activities. Consistent with generally accepted business practices, Convergys collects statistical
data about its technology resources. Convergys technical staff monitors the use of e-mail to ensure the ongoing
availability and reliability of the systems.
Accountability
Staff may be subject to loss of e-mail privileges and/or disciplinary action if found using e-mail contrary to this
policy. Staff must maintain the confidentiality of passwords and, regardless of the circumstances, never share or
reveal them to anyone. The Information Security Officer (ISO) must provide express written permission before
sensitive information is forwarded to any party outside of Convergys. Staff should contact the ISO with
questions regarding the appropriateness of information sent through e-mail.
Ethical Behavior and Responsible Use
Convergys provides e-mail systems to staff to facilitate business communications and assist in performing
daily work activities.
Ethical and Acceptable
- Communications and information exchanges directly relating to the mission, charter, and work tasks of Convergys
- Announcements of laws, procedures, hearings, policies, services, or activities
- Notifying staff of Convergys sanctioned employee events, such as the holiday party, bake sales, arts and craft fairs, retirement luncheons, and similar approved activities
- Respecting the legal protection provided by all applicable copyrights and licenses
- Practicing good housekeeping by deleting obsolete messages
Unethical and Unacceptable
- Violating any laws or Convergys policies or regulations (e.g. those prohibiting sexual harassment, incompatible activities, or discrimination)
- Submitting, publishing, displaying, or transmitting any information or data that contains defamatory, false, inaccurate, abusive, obscene, pornographic, profane, sexually oriented, threatening, racially offensive, discriminatory, or illegal material
- Compromising the privacy of staff, customers, or data and/or using personal information maintained by Convergys for private interest or advantage
- Engaging in any activities for personal gain, performing personal business transactions, or other personal matters (e.g. sending sports pool or other gambling messages, jokes, poems, limericks, or chain letters)
- Intentionally propagating, developing, or executing malicious software in any form (e.g. viruses, worms, trojans, etc.)
- Viewing, intercepting, disclosing, or assisting in viewing, intercepting, or disclosing e-mail not addressed to you
- Distributing unsolicited advertising
- Accessing non-Convergys e-mail systems (e.g. Hotmail, Yahoo!) using Convergys owned resources

1.0 Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private
Network (VPN) connections to the <Company Name> corporate network.
2.0 Scope
This policy applies to all <Company Name> employees, contractors, consultants, temporaries, and other
workers including all personnel affiliated with third parties utilizing VPNs to access the <Company Name>
network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.
3.0 Policy
Approved <Company Name> employees and authorized third parties (customers, vendors, etc.) may utilize
the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for
selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and
paying associated fees. Further details may be found in the Remote Access Policy.
Additionally,
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not
allowed access to <Company Name> internal networks.
2. VPN use is to be controlled using either one-time password authentication such as a token
device or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC
over the VPN tunnel: all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by <Company Name> network operational groups.
6. All computers connected to <Company Name> internal networks via VPN or any other
technology must use the most up-to-date anti-virus software that is the corporate standard (provide
URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from <Company Name>'s network after thirty
minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other
artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not <Company Name>-owned equipment must configure the
equipment to comply with <Company Name>'s VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are
a de facto extension of <Company Name>'s network, and as such are subject to the same rules and
regulations that apply to <Company Name>-owned equipment, i.e., their machines must be
configured to comply with InfoSec's Security Policies.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including
termination of employment.
