Internal IT Security Policy and Procedures
Sample Policy Document
1.2 Access to "Company Name" Information

- All information held on the networks, including email, file systems and databases, is the property of "Company Name" and staff should have no expectation of privacy for this data.
- Although it is not the general practice of "Company Name" to monitor stored files, email messages and Internet access for their general content, "Company Name" reserves the right to do so for the protection of staff, for system performance, maintenance, auditing, security or investigative functions (including evidence of unlawful activity or breaches of "Company Name" policy) and to protect itself from potential corporate liability.
- Requests to access the computer account of a member of staff who is absent from the office must be directed to the IT Help Desk/relevant IT resource in writing by the "Relevant Manager". The access is given effect by changing the user's password and allowing the "Relevant Manager" or a colleague to access the account directly. Where this access is granted it must be used for enquiry purposes only.
- Staff must not issue any information to third parties unless they have authorisation to do so.
- Users are only permitted to access electronic information and data that they require to perform their duties.
- If confidential information is lost, either through loss of a notebook computer, backup media or other security breach, the IT Help Desk/relevant IT resource must be notified immediately.
- All computers must be switched off at the end of the day. This action erases residual information contained in the computer's memory and assists with overnight anti-virus software updates.

1.3 Data Protection Act

- The Data Protection Act (1988) imposes responsibilities on users regarding the processing of personal data. Personal data refers to data relating to a living individual who can be identified either from the data, or from the data in conjunction with other information held by an organisation. It is the responsibility of all "Company Name" staff to ensure that the principles of the Act are complied with.

A summary of other relevant Irish legislation is included in Appendix 1.

1.4 Personal use of computer systems

- While "Company Name's" PCs and notebook computers are provided for business use, it is acceptable to use them for a limited amount of personal use. This limited personal use of PCs is permitted provided such use does not a) interfere with the user's job commitments; or b) have a detrimental effect on the computer or network's performance.
- Staff must not use "Company Name's" systems or the Internet for commercial activities that are not related to the business of "Company Name".