We encourage you to use IT to do business, but there are risks associated with it that you need to help us guard against.
This is the official policy on how you, as our employee or contractor, may use IT and the data on it in our organisation in a way that is acceptable to both you and us. IT is the combination of information, communications, and technology. We have invested in the best IT equipment and infrastructure and encourage you to use it for your own benefit and ours, but there are risks associated with it that you need to be aware of and guard against. The purpose of this policy is to explain those risks and set out how you need to help us manage them.
If you are our employee or contractor, then this policy applies to you and you must accept and adhere to it.
1. Application. This policy applies to you as our employee or contractor whenever you use IT in any way, anywhere, at any time. Its application is very broad because your use of IT could always pose a risk, no matter the circumstances. You are our:
- employee – if you have an employment contract with us, as an ordinary employee, manager, or executive officer; or
- contractor – if you have an agreement with us to provide goods or services.
2. Acceptance. You must accept this policy as a condition for us to enter into:
- an employment contract – with you as an employee; or
- a goods or services contract – for the provision of goods or services as a contractor.
3. Adherence. You must adhere to this policy once you have accepted it. We may take disciplinary action against you if you violate it. Please ask your manager to explain it to you if any parts are unclear.
4. Acceptable Standards
You may use IT to do business any way you can, provided that it meets our acceptable standards of use, content, and conduct.
1. Use. We encourage you to use IT for the acceptable purpose of doing business, but you may not use IT for any unacceptable purpose, including:
- excessive personal use – like browsing the Internet to the detriment of your work during office hours, using social media a lot at work, printing a significant number of personal documents, or any other activities that are detrimental to productivity;
- secondary business use – like running another business remotely, working for somebody else, or otherwise conducting any business not related to ours from our IT infrastructure or equipment;
- inappropriate communication – like sending messages to someone without their permission, sending chain emails to your fellow employees or contractors, or excessive social chatting over instant messaging;
- personal software – like installing your own software on our IT infrastructure or equipment without our permission; and
- inappropriate email use – like using your work email address for excessive personal correspondence or to sign up for newsletters or web services not related to your work.
2. Content. You may use IT to publish any content – unless it is prohibited content, which includes:
- illegal content that is prohibited by law – like child pornography, pirated content, or content that otherwise infringes someone else’s rights;
- harmful content that could cause harm to someone – like defamatory comments, fraudulent claims, or untrue statements;
- offensive content that could reasonably offend someone – like pornography, obscenities, or prejudicial or discriminatory statements; or
- impermissible content – contrary to any codes or standards that we subscribe to.
Do not publish anything offensive, obscene, defamatory, threatening, harassing, bullying, discriminatory, hateful, racist, sexist, infringing of anyone's copyright, or that is likely to cause members of the public to view us negatively or bring us into disrepute, including political or religious statements, swearing or foul language, or attitudes towards the sex lives and ethnicity of others.
3. Approval. Anything you publish which is contentious, potentially inflammatory, or a reasonable person would be concerned about publishing must be approved by management. Please ask your manager to look at what you intend to publish if you are unsure.
4. Discretion. You must exercise your discretion to ensure that anything you publish is not embarrassing or prejudicial to our organisation, yourself, or your family.
5. Conduct. We will not unnecessarily regulate how you conduct yourself through IT – but you must conduct yourself acceptably, which means that you must:
- be careful and cautious – use your common sense;
- be professional – check your spelling, grammar, and punctuation;
- be courteous and respectful – don’t be callous or rude;
- be honest – don’t lie or commit fraud;
- be kind – don’t harass, be hostile, or disparaging towards others;
- be productive – make sure that what you do is not detrimental to your or your colleagues’ productivity;
- respect privacy – don’t unlawfully disclose personal information;
- respect intellectual property rights – don’t commit copyright infringement;
- respect the workplace – no inappropriate activities like computer games; and
- respect the environment – don’t print documents or email unnecessarily.
6. Personal use. This policy does not unreasonably limit your ability to use IT in your personal life. But, what you do in your personal capacity can reflect on us as your employer or person entering into a contract with you if someone can identify you as working for us. So, this policy applies to your personal use of IT whenever you do anything that can be linked back to us.
7. Responsibility. You are responsible for anything that you do with IT in your personal capacity.
You will handle customer, business, confidential, and restricted information – each of which is subject to certain restrictions.
1. Types. You will handle various types of information during your employment or contractor relationship with us, including:
- customer information – related to anyone that we provide with goods or services, including account numbers (which are most important);
- business information – relating to how we provide those goods or services;
- confidential information – that is only known to you through your employment or contractor relationship with us;
- restricted information – that should only be known to authorised employees or contractors and may not include you; and
2. Collection and generation. We collect and generate customer, business, confidential, and restricted information, but we do not collect or generate illegal information.
3. Access. We give you access to all types of information that we collect or generate subject to certain restrictions, but it is your responsibility to protect it by:
- only using it for the purpose that we gave you access to it for;
- storing it appropriately and creating any necessary backups;
- only retaining it for as long as is necessary for that purpose;
- not disclosing it to anyone that you shouldn’t be disclosing it to;
- ensuring that it is secure and not accessible to anyone who shouldn’t have access to it.
4. Restrictions. Each type of personal information is subject to the following restrictions:
- customer information – you must help us process this lawfully in terms of the relevant data protection laws;
- business information – you must not disclose this to anyone outside of our organisation;
- confidential information – you may not disclose this to any person that we have not authorised to receive it;
- restricted information – you may not obtain or use this unless you have the right to obtain or use it; and
- illegal information – you may not process this at all.
5. Breach. We take information security very seriously and ask you to do the same, but security breaches can still happen. In the event of a security breach or if you suspect there has been one, you must notify us by email as soon as possible. The notification must contain sufficient information for us to limit the consequences of the security breach, including a description of the possible consequences, a description of the measures you have taken to handle the breach, recommendations for how we can limit the consequences of the breach, and the identity of the unauthorised person if it is known to you.
1. Channels. We provide you with access to communication channels so that you can do business by communicating with our customers, our prospects, and your fellow employees or contractors. But, these channels have risks associated with them that we need you to help us guard against. The channels we provide you with access to include:
- the Internet – a worldwide network of devices that is the backbone for all our other communications channels;
- email – a system for sending messages electronically including desktop mail clients linked to mail servers or webmail; and
- social media – various mass communications platforms including social and professional networking websites, video and photo sharing websites, blogs and micro-blogging websites, forums and discussion boards, and wiki websites.
2. Representation. You will be representing us whenever you transmit something over a channel that could be associated with us. You may not represent us contrary to the acceptable standards clause of this policy.
3. Internet. We encourage you to use the Internet to do business, but please be aware of the following risks and guard against them:
- online privacy – be careful with your personal information online and don’t give it to anyone you don’t trust;
- downloads – be careful when downloading anything from the Internet and make sure that you only download from reputable websites; and
- bandwidth – be conservative with our bandwidth, because South Africa is a country with expensive Internet infrastructure by international standards.
4. Email. We provide you with an email address and want you to use it to do business, but please be careful of the following risks:
- identification – make sure that your email identifies you to its recipient with your full name and not just your email address;
- disclaimers – ensure that your email contains all links to our relevant email disclaimers;
- signatures – be aware that an email from you to someone could constitute your electronic signature or consent if the contents of the message indicates a willingness to be bound, so be careful what you say in your emails;
- unsolicited messages – make sure that your messages aren’t unsolicited or the recipient may consider them to be spam;
- bulk sending – Bcc (Blind carbon copy) is the only option when you want to send a message to lots of other people while protecting the identity of the other recipients, so make sure that you understand when you should and shouldn’t use CC (Carbon copy);
- printing – paper is inefficient, it kills trees, and costs our organisation money, so please don’t print unless you really need to;
- contents – please don’t alter the contents of the original email when you forward it or reply unless absolutely necessary, in which case you should mark the changes clearly;
- file size – please don’t send emails or attachments that are too large, because we may need to limit the size of incoming and outgoing emails and attachments and delete any that are too big to conserve bandwidth and for security reasons; and
- deletions – please don’t delete any emails or attachments if there is any chance that the organisation may require them later.
5. Social media. We encourage you to use social media to do business, but subject to the following conditions:
- identification – you must identify yourself with your name and role within our organisation whenever you publish anything that could be connected to us;
- no agency – you may not publish anything purporting to be our opinion or published on our behalf without our written permission;
- representation – the mere fact that you work for us does not imply that we have authorised you to speak as our representative;
- confidentiality – you must only publish content on social media that consists of publicly available information and does not disclose any confidential information that you only know because you work for us;
- veracity – you must only publish content on social media if it consists of true and accurate information;
- compliance – anything that you publish on social media must comply with the relevant social media service's legal terms and any relevant copyright and other laws;
- removal – you must remove anything that you have published on social media that can be linked back to us if we inform you in writing that it is contrary to this policy;
- our intellectual property – anything that you publish on social media may not contain your work email address with us, our logos, trademarks, or anything else that could make it look like we have endorsed what you have published, unless we have given you written permission to do so;
- references – you may not refer to our customers or suppliers in anything that you post on social media without their permission; and
- attribution – you must also link back to the source of your statements whenever possible.
6. Account security. We provide you with various credentials in the form of usernames and passwords to access various communication channel accounts. These credentials pose security risks to us if you don’t look after them. There is no such thing as absolute security, but there are various steps you can take to improve security. For this reason, please take the following account security steps:
- access controls – please respect credentials and other access controls, because they are there to ensure that only authorised employees and contractors have access to our communications channels necessary to do their jobs;
- password responsibility – you are responsible for all transactions made under your credentials, even if someone obtained them without your permission;
- password confidentiality – your password is only for your use and you are not allowed to share it with anyone else;
- password strength – you must use a sufficiently strong password that it is difficult to guess;
- password changes – you must change your password immediately if you suspect that someone else knows it or otherwise from time to time to reduce the chances of someone else knowing it;
- password management – you must not store your password so that others can find it, for example on paper or in a file on your device;
IT equipment includes both company devices that we provide to you and personal devices that you provide yourself. You may use IT equipment to access our IT infrastructure, provided that you comply with certain requirements.
1. Company devices. We provide you with IT equipment in the form of company devices that you use to access our IT infrastructure. A company device is any electronic device that we own or rent and give you the use of for the purpose of doing business and includes:
- both fixed devices, like desktop computers or servers, and portable devices, like laptops, tablets, and mobile phones;
- both the hardware and software on those devices; and
- both the onsite and offsite use of the devices.
2. Personal devices. You may provide your own IT equipment in the form of personal devices used to access our IT infrastructure. A personal device is any electronic device that we do not own or rent and that you use for the purpose of doing business. Personal devices include any kind of:
- computer – like a desktop, laptop, tablet, or smartphone;
- removable storage device – like a memory stick, external hard drive, or SD card;
- communications device – like a cell phone, modem, or mobile data card; or
- storage media – like an optical or magnetic disk.
3. IT infrastructure. IT infrastructure is anything that provides you with access to information or communication channels and includes:
- information resources – like servers and network attached storage devices, and server-based applications;
- communication devices – like routers, switches, and modems;
- the connections between those devices – like network cables or wireless networks; and
- peripherals – like printers, scanners, and copiers.
4. Device protection. You should take the following precautionary steps to protect your company and personal devices:
- password security – do not save any passwords or other credentials anywhere on the device, including taping notes to the device itself or keeping notes inside the carry case of the device;
- data security – make sure that the data and software stored on it are protected and secure;
- environmental protection – do not leave the device in direct sunlight or where it is exposed to any other environmental hazards;
- cleaning – use a dust cloth and approved cleaning products instead of household chemicals or water to clean the device;
- physical protection – do not drop or knock the device and check the condition of its carrying case regularly;
- theft reporting – immediately report the theft of the device to us so that we can suspend all access to it and wipe it remotely if necessary.
5. General device requirements. The following requirements apply to both company and personal devices:
- device identification – you must identify your device and carry case correctly by physically writing your contact details on it;
- backups – you should generally only back up information to our servers, but you may backup information to your company or personal device if absolutely necessary provided that it is only a temporary measure and that you backup to our servers as soon as possible afterwards;
- remote lock – we may need to be able to lock your device remotely to prevent or thwart unauthorised access and we are allowed to install special software on it to do this;
- data wipe – we may need to be able to wipe your device remotely for security reasons or to prevent information from falling into the wrong hands and we are also allowed to install special software on it to do this.
6. Personal device requirements. You may use your personal devices to access our IT infrastructure, provided that you meet the following requirements:
- connection permission – you have permission from us to connect your personal device to our IT infrastructure;
- password protection – you enable passwords to access the operating system or login from the screensaver, or lock screen;
- encryption – you enable device encryption of all information in the operating system or other application whenever possible;
- unauthorised use – you do not let any unauthorised users use the device under any circumstances, including lending the device to an unauthorised user;
- secure communications – you use the necessary security software to establish a secure communication connection to our system when connecting to our IT infrastructure from off our premises;
- company software – you let us load software onto your personal device before you access our IT infrastructure so that we can manage all devices centrally and force certain security measures on them, like remote locking and data wiping;
- standards – your personal device meets certain standards in terms of operating system before we allow it to access our IT infrastructure, which we will provide to you on request;
- protection – your device has sufficient anti-virus and anti-malware software installed before we allow it to access our IT infrastructure;
- configuration – your device is configured in a standard way, which may mean that we may not allow certain non-standard configurations or software like unlocked or jailbroken devices;
7. Travelling risks. Please be aware of the following risks when travelling locally or internationally with your company or personal device:
- travelling abroad – all communications can be and often are intercepted and recorded when travelling abroad;
- reading screens – do your best to prevent others from being able to see what is on your screen when travelling on aircraft, public transport, or sitting in public areas;
- hand luggage – reduce the chance of a device being damaged or stolen by keeping it in your hand luggage instead of checking it when travelling in aircraft;
- accommodation security – make sure that the device is locked away securely in a safe or other secure area when staying in accommodation like a hotel or guest house and not left exposed in your room, even if your room is locked;
- storage in vehicle – store your device securely out of sight in the boot when storing it in your vehicle;
8. Software. There are certain software licensing rules that you must comply with in our organisation:
- ownership – any software that you develop as our employee or contractor will be deemed to be our property;
- compliance – you must use any software in compliance with its licenses and any applicable agreements;
- copyright protection – you may not distribute copyrighted software without the legal right to do so;
- installation – you may not install software without checking with your manager that it is properly licensed;
- downloaded software – you may not install software downloaded from the Internet without permission from your manager; and
- unlicensed software – you may not install any software for which we do not have a sufficient number of licenses for the number of users that want or need to use it.
9. Malicious software. Malicious software includes programmes like viruses, trojan horses, and spyware that are meant to disrupt and damage IT. We need you to help us protect against these threats by:
- not introducing any malicious software to our IT equipment or infrastructure for any reason;
- activating antivirus software and updating it regularly;
- updating operating systems and other critical software with security and related patches regularly; and
- not running software from unknown or disreputable sources.
10. Information security. We need you to help us protect any IT equipment or infrastructure from physical loss or damage through the following information security practices:
- take care of any IT equipment assigned to you;
- make sure that all data is stored securely, which means using electronic security measures in the case of data stored electronically and physical security measures in the case of data stored on physical security media;
- not making significant changes to IT equipment or infrastructure without permission from your manager;
- not removing any IT equipment from our premises without our permission;
- not connecting any unauthorised IT equipment to our IT infrastructure without our permission;
- not storing multiple versions of the same document unnecessarily;
- not granting unauthorised users access to our IT infrastructure; and
- reporting security incidents.
11. Prohibited insecure conduct. You may not use IT equipment or infrastructure to do anything that would threaten our security or that of another system, including:
- unauthorized access – accessing or using any system without permission, including attempting to probe, scan, or test the vulnerability of a system or to breach any security or authentication measures used by a system;
- interception – monitoring of data on a system without permission;
- falsification of origin – forging TCP/IP packet headers, e-mail headers, or any part of a message describing its route or origin;
- monitoring or crawling – monitoring or crawling of a system in a way that impairs or disrupts the system being monitored or crawled;
- denial of service – inundating a target with communications requests so the target either cannot respond to legitimate traffic or responds so slowly that it becomes ineffective;
- intentional interference – interfering with the proper functioning of any system, including any deliberate attempt to overload a system by mail bombing, news bombing, broadcast attacks, or flooding techniques;
- operation of certain network services – operating network services like open proxies, open mail relays, or open recursive domain name servers; or
- avoiding system restrictions – using manual or electronic means to avoid any use limitations placed on a system, such as access and storage restrictions.
It is important that you comply with this policy for the good of our organisation as a whole. We will monitor you and your fellow employees or contractors and enforce the policy in our discretion to ensure that you do.
1. Compliance. While we respect your right to decide how to do business within our organisation, there will always be certain organisation-wide policies that we will require everyone to comply with so that our organisation can run effectively. You must comply with all aspects of this policy, otherwise we may have to take steps to enforce it against you.
2. Monitoring. You will give us permission to monitor your conduct on any IT equipment and infrastructure when you log onto it or otherwise access it. We will respect your right to privacy to the greatest possible extent, but your right to privacy is limited in the interests of the business and we have the right to monitor you, which includes the rights to:
3. Blocking. We may block and delete any information passing through our IT infrastructure. We also reserve the right to block any type of information that is deemed not to be in the best interests of our business.
4. Enforcement and exceptions. We may enforce this policy by taking disciplinary action against you if you violate it in any way. We may decide to relax or waive any aspect of this policy, but are under no obligation to do so.
Restrictions. We may restrict your access to IT at work if we do not believe that you are complying with this policy.
Liability. We will not accept any liability for your use of IT when used for personal use, and you indemnify us against any liability. You need to clearly understand that your use of IT may cause us to be held legally liable.
Indemnity. You indemnify us against any claims arising out of a breach of this policy.
Acceptance of terms. By accepting this policy, you are deemed to have read, understood, accepted, and agreed to be bound by all its terms.
Changes. We may change the terms at any time and where this affects your rights and obligations, we will notify you of any changes by email.
Enquiries. If you have any questions or concerns arising from this policy or the way in which we handle social media, please contact us by email firstname.lastname@example.org
Last updated: 28 June, 2021