Internet access for all employees 8

[thegirlofsteel]

I am having problems with SPAM - I mean tons of spam. Our GFI mail essentials report says out of all the emails daily 75% are spam!! Anyway, I know the culprit has to be because we give all our staff free access to the internet. I have been on a campaign for over 10 years to go to a standardized desktop to no avail (we're a union shop).

Well, now with the SPAM and virus problems, I am just going to do it. Is there someone out there that has gone through the same type of change. I know I am going to get a back lash from the union but are there any laws that I can use in my favor to do this. Also, is there a way to only grant certain people internet access to certain sites??

Thank You!

 

[thegirlofsteel]

Is there anyone who can share a portion of their compuer policies with me. I'm reading over ours and it seems kinda weak! Here is a few excerpts.

On Software:

No employee may make any copy or install any software product in a manner that violates the software license. Specifically, backup copies of licensed software may be made only for the purpose of recovering from accidental loss of an original copy of a software product.

No PC user may install or run any software product on a company PC without the approval from the Executive Director or his/her designee. Any software found to reside on a PC in violation of this provision may be immediately removed or ordered removed. If you wish to install software on your computer, you must complete the “Software Authorization” form.

On Internet access:

Internet Access Agreement

Use of the Internet is to assist XXXXXXXXXX staff in the performance of their jobs and may be revoked at any time. Employees, as representatives of XXXXXXXXXX, are to limit use to work-related activities and continue to have the responsibility to present a professional image in their interactions on the Internet.

Internet services are worldwide in scope and include:

Electronic Mail exchange with universities, governments, non-governmental organizations, and private citizens

Access to university, government, and other databases and document repositories.

Access to professional information exchanges and bulletin boards

Access to wire service news items

Distribution of electronic copies of publications to the public

Use of the Internet must be based on respect for other users, good will, and cooperation. Department Internet facilities, like all XXXXXXXXX resources, may not be used for personal gain or advantage or for the gain or advantage of clients, contractors, providers or other persons unless authorized by law. After the initial three months, there will be a re-evaluation of need for continued access to the Internet.

Employees may not use XXXXXXXXXXXX facilities to:

Download software unless the employee has expressed written permission from the Information Systems Department

Market products or services
Engage in any prohibited political activity
Disrupt authorized use of Internet by others
Compromise the privacy of xxxx employees, people who use or come in contact with xxx programs or services, or other Internet users

Dishonesty, immorality, discourteous treatment of the public or other employees, and other behaviors that would discredit either the Department or the State of California are causes for disciplinary action.

 

[fredericofonseca]

all you say would be enough for you (IT Dept) to install and configure all and any software required to prevent the instalation of program within each individual computer, as well as to prevent access to certain site (maybe week this last one), provided that your users have taken knowledge in due time and within the legal requirements for them to have taken such notice. this varies from country to country, and eventually from state to state on countries that have this division e.g. your case.

As for lockdown of PC's it is pretty clear that they can not install any software without prior authorization and even then only if a license is available. One way of controling this is using software like ZenWorks (which is very good) at it).

Regards

Frederico Fonseca
SysSoft Integrated Ltd

http://www.syssoft-int.com

 

[phuzzy42]

Bottom line is the computers don't belong to the users, they belong to the business, and that's all they should be used for - no personal use allowed whatsoever, none. If the users don't like it, they can "work" for somebody else.

If your PC's are WinNT or later, you can lock machines down a lot tighter - remove Administrator access level from all network and local user accounts except for IT people. Since only Administrators can install software, that stops most of the illegal installation nightmare (including spyware and adware) since most software installs with the security level of the logged on user - if the user doesn't have enough security to install software, the bad software can't install itself either.

Once you've plugged that security hole you can clean the crap off the machines. Firewalls, intrusion protection, antivirus - use them.

There are many places you can get info on how to tighten security -

http://www.sans.org

as a good place to start.

Steve Harmon
Greenfield, Indiana

 

[zarkon4]

Here is a copy of our policy.

INFORMATION SYSTEMS ACCESS AND USE POLICY
To safeguard the confidential and proprietary information developed by {Company Name} as well
as the information entrusted to {Company Name} by its employees, customers, and suppliers, the company
has adopted the following policy:
The use of any information technology equipment owned, leased or rented by {Company Name} for non-business purposes is strictly prohibited. All information transmitted by, received
from, or stored in {Company Name} systems is considered to be the confidential property of {Company Name} and is to be used solely for Lewis business purposes. Any person using {Company Name}’s systems is not permitted to access, copy, transmit or otherwise retrieve any stored
information or communication unless necessary for {Company Name} business purposes.
{Company Name}'s systems allow for the transmission and receipt of both internal and
external electronic mail messages. Electronic mail is to be used for Lewis business purposes only.
{Company Name}. will not tolerate the sending of inappropriate, obscene, harassing or
abusive language or materials. Expressly prohibited is the transmission of any sort of racist,
sexist or other discriminatory comments. The sending of offensive materials, chain letters and
the conduct of illegal activities through electronic mail is not permitted and will not be tolerated.
The illegal transmittal or printing of copyrighted materials is also prohibited.
Company systems may also be connected to on-line computer information services and the
Internet for a variety of business-related purposes. The costs associated with establishing and
maintaining such services are significant in terms of line charges, monthly access fees, etc.
Further, there is a significant labor cost associated with access to these services. For these
reasons, any person accessing the Internet or other on-line services should have legitimate {Company Name} related business purposes for doing so and should limit any time spent on such services.
To ensure that the use of {Company Name}’s systems is consistent with legitimate
business interests, authorized representatives of the company may monitor and/or audit the use
of such equipment and communications. All messages and documents on {Company Name} systems may be
saved for some period of time and deleted messages and documents may be recoverable. As a
condition of employment and continued employment, all Lewis employees are required to sign an
Information Systems Access and Use Acknowledgement Form. Applicants for employment are
required to sign this form on acceptance of an employment offer by the company.
Violations of this policy may result in discipline up to and including discharge.

INFORMATION SYSTEMS ACCESS AND USE ACKNOWLEDGMENT FORM
As a prerequisite for and as a condition of being allowed continued access to any information technology
equipment owned, leased, or rented by {Company Name}, I state the following:
By my signature below, I acknowledge that I have received, read and agree to abide by the
{Company Name} Information Systems Access and Use Policy and that I am further
bound by the representations made in this Acknowledgment Form.
I understand that all information transmitted by, received from, or stored in {Company Name} systems is the
property of {Company Name}. I agree not to access, copy, transmit or otherwise retrieve
any program, file or other information stored in company systems except for {Company Name} business purposes.
I understand that {Company Name} systems are to be used solely for {Company Name} business purposes and not for personal reasons. As such, I understand and agree that I have no
expectation of personal privacy in connection with the use of {Company Name} systems or with the
transmission, receipt, or storage of any information in company systems.
I consent to {Company Name} and/or its authorized representative monitoring and/or
auditing my use of Lewis’ systems or any information stored on those systems at any time in
{Company Name} sole and absolute discretion. Such monitoring an/or auditing may include, but is not
limited to, accessing, printing and reading all electronic mail or other information or files
entering, leaving, or stored in {Company Name} systems, regardless of any personal
passwords I may utilize.
I further understand and agree that my failure to follow any aspect of {Company Name} Information Systems Access and Use Policy may lead to disciplinary action up to and
including termination of my employment. I also understand that Lewis may hold me civilly or
criminally liable for any intentional or reckless damage I cause to {Company Name}
systems or information stored therein.
Name (please print)
Signature
Date

 

[Dollie]

We found the basis for our computer usage policy on the internet and then put in details specific to our company.

It's very similar to what Zarkon posted. Signing a policy like this eliminates any "I didn't know that" excuses for just about any scenario including yours.

On a side note, are you a member of the union, or do you just have to deal with members of the union? What section of the union rules state that employers must give completely free range of internet and network resources? (If it's access to one then it's access to all.) Who owns the computers, your company or the union? Who owns the proprietary information that is held on those computers, your company or the union? Who's job is it to protect that information including the assets the information is distributed to, your company's, or the union's?

It seems to me that the union shouldn't have any say about what union workers can and cannot do on computers during COMPANY TIME. (Other than worrying about ergonomics.) This completely negates any type of computer or usage policy a company may have, and jeopardizes more than the union realizes. Or, on the other hand, they do know what they're doing, and are grinning about it whilst network administrators are pulling their hair out in grief.

Unions were formed to protect the workers, not to give them unrestricted freedoms to do whatever the hell they want to while on the clock. I would be questioning the true intentions of the union (while covering my rear at the same time).

(Sorry, got worked up a bit. Maybe I should take a walk...)

 

[svanels]

The corporate software policy should end with something like:

1) Management has the right to revoke all IT privileges in case of serious violations of above mentioned policy

2) Management has the obligation to provide the right alternative tools to comply with company objectives


My interpretation of point 2:
1) Give the offender a typewriter
2) Give the offender a pencil
3) Give the offender a broom (Our mission is to work in a environmentally sound environment...)
4) Give ....



Steven

 

[thegirlofsteel]

Thank You All. I have the electronic version of our policy. I of course have to have it approved by our directors and then have it reveiwed by the union (aarg). I have even offered myself to the lions den at our all staff meeting to explain (beg) for them to comply!!

You are all so great!!! Your posts have helped me tremendously!!! Thanks for the support!

 

[Dollie]

The best of luck to you! Introducing and implementing policies isn't a fun thing to do, but once the policy is in place, you'll find your life is a lot easier!

Again, good luck. Please let us know how you make out.

 

[rosieb]

thegirlofsteel
This is probably telling you what you already know... but, in your meeting, stress how this policy is designed to protect, rather than restrict:

It protects the organisation's systems, their data, their legal responsibility to protect sensitive data.

It protects your clients/customers data, as required by law.

It also protects employees from unknowingly breaking a variety of laws. I'm not sure about US law; but is it possible that if if data was "stolen" an individual could possibly be found to be personally negligent.

It is necessary to conform to legislation /accepted standards.

Rosie
"Don't try to improve one thing by 100%, try to improve 100 things by 1%

 

[GwydionM]

Where I work, no one can download anything except a technical section. No one has a CD or floppy drive on their PC, and if something must be loaded then it is filtered first. Internet access is free, except during high-risk times, though we are not supposed to use it for personal stuff except outside work hours.

We don't get spam. Nothing except rubbish from our own Marketing department, the only people to use high-priority flags for complete trivia.

Regarding access, it's also worth advising people to click their history and see how much is shown. If they've been visiting Wild Women Of Wongo, there is the undeniable evidence. History can be erased, but I suspect the network managers have their own copy.

------------------------------
An old man who lives in the UK

 

[Gareth1978]

As has already been said, set up a proxy server - this will allow you to grant/deny internet access on a per user basis. Consider purchasing an activity logging package - we use Surfcontrol and it's quite good. You can use it to specify what people can and can't view. Down to being able to produce a fixed list of sites and specifying that that's all users can see.

If your really interested in what our policies are then here is mine (we are based in the UK so any mention of laws is reflected):

3. Policies

Internet usage

Access to the internet will be restricted and will only be made available to staff with the written authority of the relevant Director grade. Internet access is provided solely for use in relation to work related business.

Internet usage will be monitored periodically and those found to no longer have a business case for access will have it removed. All internet activity is logged centrally and access to certain websites will not be available. The downloading of software of any description from the internet is strictly prohibited. The owner of the user login to whom internet access is assigned will be responsible for all content viewed using their login – the excuse that someone else was using it will not be acceptable. If users have any doubts as to the security of their login credentials then they should contact the IT helpdesk for assistance.

Authorisations will be need to be renewed on an annual basis.

In the event of any misuse of internet access being discovered the users access will be suspended immediately.

Email usage

The main purpose for the provision by the contract of IT facilities for email is for use in connection with the approved business activities of the contract.

IT facilities provided by the contract for email should not be used:

• For the transmission of unsolicited commercial or advertising material, chain letters, press releases, or other junk-mail of any kind.
• For the unauthorised transmission to a third party of confidential material concerning the activities of xx company name xx• For the transmission of material such that this infringes the copyright of another person, including intellectual property rights
• For activities that unreasonably waste staff effort or networked resources, or activities that unreasonably serve to deny service to other users
• For activities that corrupt or destroy other users' data
• For activities that disrupt the work of other users







General Standards of Use

IT facilities provided by the Contract for email should not be used:

• for the creation or transmission (other than for properly supervised and lawful research purposes) of any offensive, obscene or indecent images, data, or other material, or any data capable of being resolved into obscene or indecent images or material
• for the creation or transmission of material which is designed or likely to cause annoyance, inconvenience or needless anxiety
• for the creation or transmission of material that is abusive or threatening to others, or serves to harass or bully others
• for the creation or transmission of material that either discriminates or encourages discrimination on racial or ethnic grounds, or on grounds of gender, sexual orientation, marital status, disability, political or religious beliefs.
xx company name xx is committed to fostering a working environment free of discrimination where everyone is treated with dignity and respect
• for the creation or transmission of defamatory material
• for the creation or transmission of material that includes false claims of a deceptive nature
• for so-called 'flaming' i.e. the use of impolite terms or language, including offensive or condescending terms
• for activities that violate the privacy of other users
• for the creation or transmission of anonymous messages, i.e. without clear identification of the sender
• for the creation or transmission of material which brings the contract or its parent company into disrepute.
• The sending of an external email should be considered the equivalent to sending a letter on company headed note paper.
.
The I.T Department in conjunction with the Contract Management board will exercise its discretion in judging reasonable bounds within the above standards for acceptability of material transmitted by email.
In relation to the personal use of Contract IT facilities for email, if users are in any doubt about what constitutes acceptable and appropriate use, they should seek the advice and guidance of their Manager.

Legal Consequences of Misuse of Email Facilities

In a growing number of cases involving the civil or criminal law, email messages (deleted or otherwise) are produced as evidence in a permanent written form.
There are a number of areas of law which apply to use of email and which could involve liability of users or the Contract.

These include the following:
Intellectual property.
Anyone who uses email to send or receive any materials that infringe the intellectual property rights of a third party may be liable to that third party if such use is not authorised by them.

Obscenity.
A criminal offence is committed if a person publishes any material which is pornographic, excessively violent or which comes under the provisions of the Obscene Publications Act 1959. Similarly the Protection of Children Act 1978 makes it an offence to publish or distribute obscene material of a child.
Defamation. As a form of publication, the Internet is within the scope of legislation relating to libel where a statement or opinion is published which adversely affects the reputation of a person, group of people or an organisation. Legal responsibility for the transmission of any defamatory, obscene or rude remarks which discredit an identifiable individual or organisation will rest mainly with the sender of the email and may lead to substantial financial penalties being imposed.

Data Protection.
Processing information (including photographs) which contains personal data about individuals requires the express written consent of those individuals. Any use of personal data beyond that registered with the Data Protection Commissioner will be illegal.

Discrimination.
Any material disseminated which is discriminatory or encourages discrimination may be unlawful under the Sex Discrimination Act 1975, the Race Relations Act 1976 or the Disability Discrimination Act 1995 where it involves discrimination on the grounds of sex, race or disability.

System capacities

All email accounts have a predefined limitation in terms of the disk space available for storing of messages. It is each users responsibility to housekeep their own mail box – the system will issue warnings as you approach the limitations.
Remember when deleting messages to also ensure you empty the deleted items folder.
External email access will only be granted with the authority of the relevant assistant director.


**One day, I will find a question that no one else has answered........and will also know the answer to it ! **