Information Technology Security and Equipment Use Policy
I. PURPOSE
The purpose of this document is to set forth security and equipment use practices and policies required by CES. Its intent is to:
- raise awareness of computer security
- define the responsibilities of the user
- assist users in recognizing potential problems
- provide guidance to the user if a compromise in security is suspected
Information technology (IT) provides CES with the unprecedented ability to access, share, and process data in a private on-line environment. Along with the benefits of information technology comes increased risk. These risks include, but are not limited to, damage to equipment, loss of vital data, and the unauthorized access of confidential information. Given the nature of our work and the importance of safeguarding the integrity of our company and stakeholders, managing the aforementioned risk is everyone’s concern and responsibility. Risk management contains two critical components:
Education
IT users often do not recognize possible risks, and they may not be aware of measures that would minimize those risks. Every employee will receive security training annually to keep up with changes/updates in policy.
Policies
Policies are necessary to minimize the risk to the CES networks and equipment issued by CES.
Every employee will be required to sign the User Agreement, attached to this policy, signifying their understanding and obligation to adhere to this policy.
II. SCOPE
Users (defined as any CES employee operating any CES equipment, including use of the server or any other CES hardware/software) are responsible for the appropriate use of office-supplied personal computers (PCs), laptops, and phones, and for actions taken with regard to the work created on them.
The CES network, and other CES computer resources, are designed to be used for official CES business. Care must be taken to guard against unauthorized computer access to CES (and stakeholder) information and to make proper use of the CES's computer resources.
Access to the Internet is provided for CES business. Each user needs to exercise individual responsibility and judgment to ensure acceptable and appropriate use of Internet services, as described in the Internet/Intranet policy section of this document. CES utilizes cybersecurity software to limit access to the Internet to help prevent users from inadvertently accessing inappropriate sites. Filtering is based on a group of categories, i.e., adult material, gambling, and audio streaming.
Users are expected to conduct themselves professionally and refrain from transmitting documents or electronic mail that contain indecent or obscene materials, profanity, or any form of discrimination or sexism.
All necessary business tools have been installed on office-issued devices. Users must receive authorization for additional software or hardware needs through the IT Manager or IT personnel.
In order to provide clear guidance, the following policy areas have been incorporated into this document:
- Hardware and Software Installation
Attached to the end of this document is a user agreement which lists the major components of the aforementioned policies. All staff must sign the user agreement acknowledging their responsibility as it relates to protecting and ensuring integrity in accordance with these policies.
III. SECURITY
A. PHYSICAL SECURITY
IT equipment needs protection from physical hazards to avoid damage to computers, laptops, printers, keyboards, etc. and/or the loss of data. As such, the following measures should be taken:
- Do not place liquids on or around the PC or keyboard and avoid dropping crumbs or any foreign materials onto or into the keyboard.
- Do not place magnets on or near your computer equipment.
- Avoid excessive heat and areas susceptible to water.
- Protect the device and keyboard from dirt and dust, particularly when construction or other dust-producing activities occur.
- Avoid plugging heaters and other appliances into outlets that share the same circuit as the IT device. Appliances may overload the circuit, causing damage or loss of data.
Mobile Technology Security
Mobile devices are particularly susceptible to theft because of their compact size. The devices should always be kept within sight or stored in a secure location. When traveling by car, mobile devices should be placed in a secure location, such as the trunk of your car, before departure. Mobile devices should never be left unattended or in the open during field work/operations. The device should not be exposed to extreme temperatures, hot or cold. X-rays from various security checkpoints such as those in the airport will not damage these devices. All CES issued mobile devices are required to have a complex password. Passwords like the default four (4) digit passwords used on mobile phones and similar devices are prohibited.
CES Documents
All CES correspondence is considered sensitive and confidential information. The handling and access of said correspondence must be treated as "Need-to-Know". Family members, friends or other personnel must not gain access to CES correspondence or other information intentionally or by accident. When taking correspondence outside the premises via storage media, Virtual Private Network (VPN), or on a mobile device, office personnel must ensure that data is encrypted and password protected.
Mobile Device Records
All employees with CES issued mobile devices must sign a property pass. The property pass consists of the user name, item tag number, item description, and serial number. The property pass also includes the signatures of said user and management staff. Assigned equipment is subject to regular updates and physical inventory spot checks at the request of the IT Manager or other senior level personnel.
Storage Media Handling
All media (e.g., thumb drives, CDs, DVDs, external portable drives, etc.) containing CES information should be treated as sensitive and confidential. Said media should be protected from dust, food, and extreme temperatures. Leaving media in direct sunlight will likely damage them. Storing media next to objects that produce magnetic fields, like telephones, electrical appliances, motors, and speakers, may damage or erase the files or data.
Storage Media Disposal
Used media (e.g., thumb drives, CDs, DVDs, etc.) should not be thrown in the trash, as someone could conceivably recover sensitive CES information, even if the files are deleted. All used or non-serviceable storage media should be given to the IT Manager for proper disposal.
B. SOFTWARE SECURITY
Users of CES-provided IT technology are prohibited, unless specifically authorized, from installing any type of software through compact discs (CDs), downloading from the Internet, or through any other medium. In addition, CES’s software must be used according to the manufacturer's licensing agreement and United States Copyright laws. Personnel are not allowed to make copies of any CES provided or copyrighted software except as authorized by the IT Manager.
Downloading unauthorized software may cause other programs to stop working, display unwanted ads, and slow down the networking system overall. Some programs from the Internet may contain malicious code or spyware that can cause harm, including stealing confidential information.
C. DATA BACKUPS
Network Backups
Network servers are backed up each evening. If a user inadvertently deletes a file from a network drive, IT staff may be able to recover the document. In those instances, systems staff should be contacted for assistance in determining if the document is salvageable.
Networked Workstations
Users whose PCs are part of a network should not save important information on the local hard drive or personal devices. Said drives may "crash" or be swapped out and replaced periodically in order to provide users with updated applications. Additionally, local drives are not backed up. IT staff are not responsible for data files that are stored on a local drive. The CES server is the proper location for storage of all files. Other directories may be used as well, as directed by the IT Manager or senior level personnel.
D. NETWORK ACCESS
Users should not attempt to gain access to network or local data for which they are not specifically authorized, nor attempt to break into ("hack") any other network or computer. Any contact with individuals who attempt illegal or unauthorized access to sensitive information should be reported to the IT Manager and/or other senior level personnel. The IT Manager should also be immediately notified when a user becomes concerned that a person may be the target of actual or attempted policy violations or criminal activity involving CES (including but not limited to its IT equipment, network, devices, etc.).
Any communication through CES IT systems, to include computers, laptops, mobile devices, and telephones, may be monitored at any time. Monitoring is primarily used to ensure proper network functionality, protect against improper or unauthorized use or access, track Internet usage, verify the presence and functionality of applicable security features and procedures, and perform content analysis. Monitoring may result in the acquisition, recording, and analysis of any and all data communicated, transmitted, processed, or stored on CES computer and telephone systems by any user. If monitoring reveals possible evidence of criminal activity, said evidence may be forwarded to law enforcement personnel. IT staff and senior level personnel may be involved in the monitoring of IT systems.
Users are responsible for maintaining a reasonably secure workstation, whether working in the field, the office, or at home. It is very important that users log out of all applications before leaving for the day. When leaving the work area temporarily, the screen saver password option or log out should be used. The screen saver will come on after no more than 15 minutes of inactivity.
Password Protection
Passwords are used to prevent unauthorized access to a computer, mobile device, etc. Passwords are confidential and must be protected. "Hackers" can gain access by simply guessing a user’s password or by using programs designed to systematically run through the characters, both alpha and numeric, until a match is found. Passwords should contain at least eight non-blank characters, including uppercase and lowercase letters, numbers, and special characters (e.g., ^, @, *). They should not be the same as your user ID, nor should they include names of family members, pets, social security numbers, birth dates, phone numbers or any information that could be readily learned or guessed.
Failure to protect passwords may allow individuals unauthorized access to the CES network and/or sensitive data. A password is the key to information stored on network drives. Passwords must be protected and must not be given to anyone other than supervisors or systems staff as required for business and support reasons. Passwords should never be provided to an outside party nor should they be transmitted over the phone, by e-mail, or by any other means. Persons attempting to gain unauthorized access may impersonate systems personnel, maintenance personnel, or other CES personnel. Passwords should not be written down unless absolutely necessary. Users who elect to write passwords down are responsible for keeping them in a secure location.
Password Changes and Selection
Passwords (such as those used to access the network, mobile devices, etc.) should be changed every 90 days and any time after a password has been provided to another user or to systems staff. If a user believes that his/her password has been compromised in any way, the password should be changed immediately. If assistance is required, systems staff should be contacted.
When selecting passwords, the following guidelines should be used:
- Passwords should contain at least eight characters.
- Passwords should not be reused.
- Passwords should contain a combination of letters, numbers and special characters as they are more difficult to guess or decrypt. Example: Pr2tty@l!
- Passwords should never be related to someone's identity, history or environment.
Viruses
A virus is an executable file that replicates itself and attaches to other executable programs or macros in an unsolicited manner. A virus may be invisible to a user and do no apparent damage beyond spreading to other media or files across the network. However, a virus can also destroy data, damage data integrity, deny access to a service, and spread problems to other computers across the network.
CES has licensed software for use on all of CES's PCs, including laptops, as well as PCs used and/or owned by employees at home. All PCs should have this software installed and kept up-to-date both at work and at home. The software will scan files automatically, so once installed, there is no user action required to perform the virus scanning.
Users must ensure that all downloaded files are scanned for viruses. In addition, all media storage devices that leave the work area (e.g., for work or at home) or are obtained from an outside source should be scanned before being used in the workplace. Although some computer viruses may be undetectable, there are signs users can look for in order to assist systems staff in maintaining a secured network and operating environment. Possible signs of a virus include the following:
- New file name appears or files are corrupted
- New dates appear
- File size grows without explanation
- System will not boot up
- Disk is unusable
- Strange or unexpected messages appear on the screen
- Hard disk crashes
- Memory capacity decreases
- Performance declines
- Computer "freezes" or locks
Although none of the above symptoms is conclusive of a virus, they reflect some of the ways that a virus will exhibit itself.
If a user suspects a virus, he/she must contact the IT Manager immediately. In addition, the user should proceed as follows:
- Stay calm
- Disconnect from all networks (unplug network cable or turn off Wi-Fi)
- Write down the error message or description of a problem and what you were doing when you realized something was amiss
- Stop using the potentially-infected workstation and turn it off
- Stay alert for possible reinfection once the virus is removed
- Scan all storage media for possible infections
WARNINGS:
- Be wary of files obtained from an outside source
- Ensure that all files obtained from sources such as the Internet, a bulletin board, or an e-mail attachment are scanned for viruses before they are copied to your local or network hard drive or to a computer at home
- Be suspicious of email attachments from strangers
- Be wary of messages with attachments from friends or associates that seem out of character
For example: any messages from associates with "I love you" in the subject line, or multiple messages with the same subject line
E. REMOTE ACCESS
Virtual Private Network (VPN)
VPN access to the network is provided by the IT Manager. This access is achieved through the Internet, usually via cable modem or DSL connectivity. Users wishing to use this on personal devices must have the local firewall enabled on their home computer.
IV. INTERNET ACCESS
A. ACCESS
Internet access is provided to those persons who have a valid business need. Its use is authorized for official CES business; however, minimal/limited use (that which does not interfere with official business and involves no additional expense to CES) is permissible.
B. BACKGROUND INFORMATION
The Internet was designed for the open transmission of data. It is an unsecured network. As such, information on the Internet can be read and broadcast or published without the knowledge or consent of the author. Users should not expect messages they send or receive via the Internet to be private. Delivery and delivery times are not guaranteed due to unpredictable intermediary system and network outages, slowdowns, etc.
CES accesses the Internet on the network through the gateways managed by CES IT personnel. Network activity at any given time can greatly affect the speed of your connection. Each network site in the CES network has a limited amount of bandwidth (available capacity to transfer data between the local site and the circuit hub). Therefore, we are cautioned to limit use of the Internet to official business.
C. MONITORING
CES has implemented cyber security software to track and monitor all Internet access and block access to any inappropriate sites. Users must avoid accessing sites that would be an embarrassment to CES should that information be made public.
D. RESPONSIBLE INTERNET POLICIES
When accessing the Internet, employees must adhere to the same code of ethics that governs all other aspects of CES employee activity. Examples of permitted activities on the Internet include research in connection with work assignments, reading professional literature, and e-mail relating directly to official duties. Employees must limit use of the Internet other than for authorized activities.
Employees are specifically prohibited from using the Internet for the following:
- making unauthorized statements regarding company policies or practices
- transmitting confidential information to unauthorized parties (such as that relating to contracts, procurement, or stakeholders)
- making unauthorized commitments or promises that might be perceived as binding to the company
- using subscription accounts or commercial services that are not expressly authorized
- browsing web sites, performing research for personal interest, playing games or personal amusement except as otherwise identified in this document
- sending or displaying messages or pictures that are offensive, harassing or discriminatory, or that are of an obscene or sexually explicit nature
- using the network in a manner that could reflect poorly upon, or cause embarrassment to CES
Improper use or distribution of information is strongly prohibited. This includes copyright violations such as software piracy. CES may incur legal liability for unauthorized copying of files or software even if the copy is used for official business.
Software may not be downloaded from bulletin boards, on-line forums, or the Internet as they may infringe on proprietary rights of others, or they may contain viruses.
Files downloaded from external sources are screened with CES authorized virus detection software installed on CES computers; however, no anti-virus software provides total protection, and caution must always be used. Should a virus be detected, the systems staff must be contacted immediately.
CES assumes no responsibility or liability for any membership or phone charges including, but not limited to, long distance charges, per minute surcharges and/or equipment or line costs incurred.
All personnel with authorized access to CES’s Internet connection are provided a copy of this Internet Access Policy. Continued access constitutes agreement that personnel have read and agree to the terms of the policy, monitoring, and reporting expressed therein.
V. ELECTRONIC MAIL (E-MAIL)
Electronic mail originated in any automated system application of CES is for official business purposes only.
E-mail users are expected to conduct themselves in a professional manner and should refrain from using profanity and/or obscenities in any electronic communication. Keep in mind at all times that an e-mail can be easily copied or forwarded to anyone without the sender's knowledge.
Electronic mail is not a forum to solicit goods and services that are not directly related to official business. E-mail is not a forum for charitable or religious activities unless expressly approved by CES.
Access to personal Internet e-mail accounts (such as AOL, Gmail, Hotmail, and Yahoo!) from within CES's private network is discouraged. Use of these accounts poses threats to the network technology infrastructure because they bypass existing network anti-virus protections at the gateways. Internet traffic may be blocked without notice to the user if e-mail content is considered a threat to the network.
For those who find it absolutely necessary to access a personal Internet e-mail account from within the network, the following guidelines are suggested as ways to reduce the risk of introducing a virus, worm, or other malicious software into the network:
- Do not open any e-mail attachments unless you are absolutely sure they are safe. People naturally assume that the persons they are communicating with would not send them malicious e-mails, but senders are typically not aware that they are sending viruses. Worse, spoofing programs frequently indicate that an e-mail message is from a known user, when actually it is initiated by a virus.
- Do not open or follow any links in an e-mail unless you are absolutely sure they are safe. A common tactic of identity thieves and propagators of malicious software is to direct the recipient of an e-mail to a website which appears to belong to a real company or institution but which in reality is a phony site constructed for the purpose of identity theft or the spread of malicious software.
- Use an Internet e-mail provider which provides virus scanning of e-mail and attachments, such as AOL Mail, Google Gmail, MSN Hotmail, or Yahoo! Mail.
- Avoid advertising your e-mail over the Internet. In particular, limit the recipients of your e-mail messages to people and organizations you know. Do not arbitrarily hit "Reply All" to messages with mail lists or people you do not know. This helps reduce the possibility that your personal or CES e-mail name will be captured by spammers, phishers, or other malicious Internet users.
- Avoid the use of automatic e-mail forwarding to personal Internet e-mail accounts. Automatic forwarding may result in sensitive company or personal information being forwarded over network connections that are subject to interception by malicious outside Internet users. Automatic forwarding can also result in the disruption of an entire company's e-mail service if a user's forwarded e-mail overflows the user's personal web e-mail account: the outside e-mail server will reply with a non-delivery response, and the inside server will attempt to resend the undeliverable message, resulting in a never-ending cycle which will effectively consume the company's e-mail services. A safer alternative to automatic e-mail forwarding is to keep up with e-mail while away from the office by using CES-issued remote access via a VPN connection back to CES, or by using a CES-provided mobile device, which provides secure e-mail access to authorized off-CES network users.
The Internet is an unsecured network. As such, information and e-mail on the Internet can be read and broadcast or published without the knowledge or consent of the author. Most sites maintain records of all users or entities accessing their resources. These records may be open to inspection and publication without the user's knowledge or consent. If the activity of the user is other than official business, the publication of that activity could prove to be an embarrassment for the user's company and could result in disciplinary action.
Internet e-mail traffic is subject to inspection by a variety of persons and mechanisms, authorized and otherwise. Authorized personnel between the origin and destination of a message may have to inspect message contents in order to dispatch stalled deliveries or resolve other failures. Users should not expect the messages they send or receive via the Internet to be private.
Internet e-mail limitations:
- Frequently an Internet user's e-mail software (i.e., Yahoo!, Hotmail, Gmail) will not be able to handle attachments.
- Delivery and delivery times are not guaranteed due to unpredictable intermediary system and network outages, slowdowns, and polling intervals, etc.
- Some messages may not be delivered even though the message was correctly addressed.
Receipt or non-receipt can only be confirmed through other positive means, not by inference or assumption. Note: The "Receipt Requested" feature may not be honored by some systems on the Internet. Users should not rely on this feature for Internet e-mail.
Delivery and response times on the Internet, as well as the CES Network, are determined by traffic and congestion on the network. Users should not rely on Internet e-mail for time-sensitive communications or guaranteed delivery. For example, sending large files such as digital images to a large number of recipients will delay other traffic and may overload the system causing failure. Users are encouraged to use discretion when forwarding large e-mail messages to group addresses or distribution lists.
Congestion on the network can be caused by the propagation of "chain letters" and "broadcasting" of lengthy messages to lists or individuals. These uses also place a burden on the shared data storage device of the e-mail post office and are not authorized.
Internet e-mail access grants users the ability to subscribe to a variety of e-mail news groups, list servers, and other sources of information. These services are a potentially valuable information tool for some e-mail users; but again, the potential for network congestion is high. Users should be cautioned on the widespread use of mailing lists and list servers. In general, low-volume business related lists should not be a problem.
Large file attachments should be used with discretion.
It is the user's responsibility to delete and archive old e-mail messages and empty their trash and sent folders on a regular basis. A full trash folder may cause computer problems due to inadequate space available for the programs you want to run. The number of e-mail messages located in the in-box, trash, and sent items folder should not be excessive. If you are not familiar with deleting and/or archiving old e-mails, instructions can be obtained by contacting systems staff.
Each user is responsible for the security of his/her e-mail account, which means that CES logins and messages must not be made available to unauthorized users at any time.
When leaving the work area during the workday, users should ensure that they have a password-protected screen saver activated. This will ensure that others cannot access a user’s e-mail while they are away. Employees are not to read other employees' e-mails without prior permission. Unauthorized access to information which is related to an employee's assigned duties may result in disciplinary action.
An employee's supervisor or manager retains the right to examine an employee's emails for management and security purposes.
Systems staff and other computer maintenance personnel may, on rare occasions, inadvertently see user messages as a consequence of doing normal maintenance and troubleshooting. Authorized personnel on any node between the origin and destination of a message may have to inspect message contents in order to dispatch stalled deliveries or resolve other failures. Passwords are protected by changing them frequently. Do not share or repeatedly use the same passwords. A person who gains access to your e-mail account will be able to read all of your e-mail, and may send messages to others in your name.
VI. MOBILE DEVICES
Mobile devices are intended to assist staff with carrying out their assigned duties while in the field or traveling on CES business. Mobile devices are provided to employees of CES to support CES’s official business and/or due to the nature of the work/position. This privilege carries additional responsibilities and can be revoked, as outlined below, if used inappropriately. All staff issued mobile devices must sign a “Property Pass.”
- Certain mobile devices are issued to all employees and certain administrative employees.
- A list of all assigned mobile telephone numbers is published and distributed to staff for official use only. Said numbers are confidential and should only be given out in accordance with this policy.
- Employees are encouraged to use their company issued mobile telephones as much as possible, especially when doing field work. Mobile telephones are to be used for official company business; however, minimal/limited use (that which does not interfere with official business and involves no additional expense to the company) is permissible. Unauthorized or improper personal use of company mobile devices may result in loss of the privilege, limitation of the privilege, disciplinary or adverse action, criminal penalties, or financial responsibility for the costs of improper use.
- Each mobile device is password protected due to the availability of emails, the Internet, as well as confidential information, such as addresses or telephone numbers of company/stakeholders, etc. Mobile devices are set up to retrieve company email and provide access to the company’s internal private network. In light of the email capability on mobile devices, staff should use caution when discussing and/or transmitting any information that is confidential, sensitive, or personal while using these features. Under no circumstances should staff send/receive email messages while operating a motor vehicle.
- Mobile devices should be kept in the possession of the assigned employee at all times, especially when in the field. Mobile devices are not to be left unattended in vehicles or elsewhere. Said equipment shall only be used by staff of CES, except in an emergency if the employee needs assistance.
- Any damage, malfunction, loss or theft of a mobile device assigned to a staff member shall be immediately reported to his/her immediate supervisor, who shall then notify the IT Manager. Thefts will also have to be reported to local law enforcement. Employees with assigned mobile devices may incur the cost of the mobile device and its attachments if said items are lost, stolen, or damaged due to negligence on the part of the employee. Pursuant to the policy, the IT Manager along with senior level personnel will determine the employee’s culpability in each matter.
- All employees with a mobile device that will access the CES network must enroll in any mobile device manager (MDM) deemed necessary by the IT Manager, which allows the management of large-scale deployments of mobile devices. The MDM will provide the ability to quickly enroll devices within the CES Network, configure and update device settings over-the-air, enforce security policies and compliance, secure mobile access to CES's resources, and remotely lock and wipe managed devices. Any instructions for enrollment in any MDM will be given by the IT Manager or senior level personnel.
- All employees with mobile devices are required to have certain accounts linked to their office email address. These accounts will be used to download all office related applications. On an as needed basis and with the approval of the IT Manager and/or senior level personnel, applications will be purchased and sent to each individual user account. Notification of purchase will be sent via email. Upon receipt of said email, staff members will need to log in to their account and install the new application. For those who have been issued multiple mobile devices, downloaded applications will be synced between devices.
- Applications downloaded for personal use must be in adherence with this policy and will be removed once the equipment is returned. CES is not responsible for reimbursement of any paid application. Only applications found on the aforementioned accounts are permitted on CES issued devices.
- CES is the owner of the telephone number. Any communications sent on employer-distributed devices are company-owned property. The employee should have no expectation of privacy with respect to said communication, and they are subject to review by CES.
- Staff assigned a mobile device should strive to use the equipment with discretion and frugality so as not to exhaust the assigned data per device.
- Employees may give out their assigned telephone number for work-related purposes, if deemed appropriate and necessary by the employee.
- In the event of an emergency, mobile devices may be the only means of communication between personnel. Therefore, staff must keep their mobile devices with them, fully charged, with voicemail set up and operational at all times so that other staff or supervisors may contact them when urgent situations occur. It is understandable that, at times, it may not be possible to respond immediately. If out of the office or on leave, efforts should be made to periodically check the mobile devices for any missed calls, voice messages, or emails that may require immediate action.
Special Note: Staff members have the option of transferring their office line to their mobile devices, when out of the office, during the workweek/workday. Staff who elect not to do so shall make sure that the email notification system is established so as to receive voicemail messages via mobile device and email (if available).
- Staff of CES must return all CES property immediately upon request or separation from employment.
B: USAGE GUIDELINES
- Outgoing calls as well as incoming calls affect usage.
- Billing reports for all users are reviewed monthly by the Systems Administrator. If a pattern of abuse is found, the user will be asked to meet with senior level personnel and his/her supervisor.
- If excessive usage causes an overage in data, the user may be required to reimburse the company for additional costs.
VII. HARDWARE AND SOFTWARE INSTALLATION
In the interest of protecting the CES network, no user may connect a privately owned laptop, or other type of device to the Network, unless authorized and instructed to do so by the IT Manager or senior level personnel. Without proper instruction, the connection of foreign (privately owned) devices may introduce computer threats into the Network.
No personal hardware (e.g., an external CD-ROM drive, USB hard drive, etc.) may be installed, with the exception of speakers/headphones. Users may bring in and hook up amplified speakers or headphones to use with their PCs.
Systems staff will maintain an inventory of software installed on all CES computers. All computers are subject to inspection and scanning at any time to ensure that only authorized software is installed.
Installing or downloading employee-owned software, including screen savers, on CES PCs is prohibited. (However, a static background image, or "wallpaper", is not a software program and is permissible.) Only CES-procured licensed copies of software should be installed, maintained, and utilized on CES-owned computer equipment. Some of the reasons for this position are:
- The installation of personal software not procured and installed by CES exposes our computer resources to the threat of computer viruses. While all CES PCs are installed with anti-virus software, new "strains" of computer viruses appear regularly, and the best prevention for virus infection is by minimizing exposure to them.
- Installing employee-owned software on CES PCs may be in violation of software copyright and licensing agreements. The use of software in violation of licensing agreements exposes our company to possible compensatory damages as well as punitive action.
- Since systems staff has no experience supporting these programs, the effect that employee-owned software may have upon systems components such as network hardware, operating systems, and PCs is unknown. This makes the task of troubleshooting and supporting authorized systems software and components more difficult and hampers system staff's ability to provide timely, quality support.
Copyrighted software must not be reproduced, except as permitted by the terms and conditions of the contract under which it was purchased. All applicable laws must be obeyed and the use of pirated software is prohibited. All copyrighted software is to be procured, installed and tested by the systems staff.
To avoid contract violations and to ensure that all software is obtained from legitimate sources, individual users are not authorized to accept demonstration software. Demonstration or trial software may only be obtained through normal procurement channels prescribed by CES and any such procurement must be approved and facilitated by the IT Manager.
CES-developed software may be occasionally distributed directly to employees by CES. All CES-developed software must be scanned for viruses prior to installation. Systems staff must be contacted prior to installing software and/or to assist in the software installation.
Public domain software (freeware) refers to programs that are not copyrighted and that may be distributed at no cost. Public domain software must be approved by the IT Manager and/or senior level personnel. If it is approved for installation, the software media will be virus-scanned and the software installation will be handled by IT staff.
Shareware is copyrighted software. Accordingly, it is not acceptable for a user to install a shareware program on a CES PC or laptop.
- OFFICE HARDWARE ON PERSONAL COMPUTERS/LAPTOPS
In some cases, installation of a CES owned piece of hardware, such as a printer, scanner, or monitor may be approved for use on non CES-owned equipment for specific work-related purposes. If this need arises, users must first obtain approval from the IT Manager or other senior level personnel. When a piece of equipment is checked out, a property pass must be filled out with information about the item and signatures must be recorded by the custodial officer (IT Manager). In these situations, the user may perform the installation himself/herself, or the user may bring his or her PC/laptop to systems staff for installation, configuration and testing. Such tasks will be performed by the systems staff, as time permits.
- OFFICE SOFTWARE ON PERSONAL COMPUTER/LAPTOPS
Some software licensing agreements include a provision for use on all employees' home computers. An example of allowable software is Kaspersky Anti-Virus. The use of software in violation of licensing agreements exposes our office to possible compensatory damages as well as punitive action. The user is responsible for installing and supporting allowable CES-owned software on home PCs and laptops.
VIII. WIRELESS/WIFI
Wireless security policies are necessary to help protect CES from unnecessary vulnerabilities and attacks. Users must conduct themselves appropriately on a WiFi connection just as they would on a "hard-wire" connection. All users, by accessing the network, agree to the following terms of use:
- Only authorized users may access this network.
- Any form of file sharing or peer-to-peer (P2P) application is prohibited. This includes the use of Internet Relay Chat (IRC) or any other applications used in file sharing.
- The wireless network is for office use only and may not be shared by unauthorized personnel.
- Users are expected to keep their passwords secure and confidential. Giving out your password is explicitly forbidden.
- Users will be limited to a single login session at a time using the network username and password. If a user attempts to log in when another session is already active, he/she may get the following error: "There are already other user sessions in progress. Continue will result in termination of the other session. Please select from one of the following options: (Continue the Session) (Cancel)."
- Users should avoid extended periods of high bandwidth usage or any unnecessary network traffic.
Users are expected to adhere to all current IT and acceptable use policies issued by CES.
Anyone found in violation of this policy shall be subject to possible loss of wireless network connectivity and/or possible administrative or legal action (if necessary). If a sustained pattern of suspected activity is confirmed, the IT Manager will inform the appropriate senior level CES personnel. If required, continued monitoring will be performed, and if deemed necessary, the IT Manager will initiate content analysis. Findings of said analysis will be limited to the IT Manager, senior level CES personnel, and law enforcement personnel, if necessary. Future disposition of information and subsequent actions will be at the discretion of senior level CES personnel.
IX. WEB FILTERING SOLUTIONS
Unmanaged Internet access presents many challenges and introduces unnecessary risk. CES uses leading Web filtering solutions that will help CES manage productivity, reduce legal liability and improve bandwidth to make employee Internet use efficient and effective.
Kaspersky Internet Security is an internet security suite developed by Kaspersky Lab compatible with Microsoft Windows and Mac OS X. KIS offers protection from malware, as well as email spam, phishing and hacking attempts, and data leaks. This Web-based tool runs on most fully supported browsers. Our office will use Google Chrome. CES presently blocks access to adult content, gambling, and audio streaming for all staff. Social media sites can be accessed by CES personnel and IT staff for official work purposes and limited personal use.
Users should contact their supervisor or the IT Manager if there are any questions regarding the Information Technology Security and Equipment Use Policy. Upon review of this policy, users are required to sign the IT Security and Equipment Use Policy User Agreement.