
Is this policy enough?


Albion

This is our Internet and Computer acceptable use policy. The powers that be seem to think it is enough to cover the company under all circumstances. I on the other hand, after looking at sample policies on the internet, am starting to wonder why other companies have policies which are pages and pages long. Can you read my policy and let me know what you think? This way I can produce some evidence from people in the field to show the powers that be why we should keep or revamp the current policy. Any suggestions would be appreciated.


--
Our e-mail, computer and Internet systems are company property. These systems are in place to facilitate your ability to do your job efficiently and productively. To that end, these systems are solely for business purposes, and any personal use is prohibited. We may intercept, monitor, copy, review and download any communications or files you create or maintain on these systems. These guidelines MUST be followed.

1: When using the Internet, confidential material must be properly encrypted to prevent interception by third parties.
2: E-mail messages may not reveal trade secrets, proprietary financial information, or infringe upon copyrighted materials.
3: All user passwords must be disclosed to the company. This includes logon and encryption passwords.

Your communications and use of our e-mail, computer and Internet systems will be held to the same standard as all other business communications. This includes compliance with our anti-discrimination and anti-harassment policies. We expect you to use good judgment in your use of our company’s system. [User name here] should be notified of unsolicited, offensive materials received by any employee on any of these systems.

Failure to abide by these rules or consent to any interception, monitoring, copying, reviewing and downloading of any communications or files is grounds for discipline, up to and including termination.
--

-cm
 
I was a legal assistant for 16 years, so I know that sometimes the length of a contract is determined by who wrote it. Long is not always better, but you can be sure it covers EVERYTHING.

Your policy seems to cover what your company needs. I have a few observations.

To be really effective, each employee should read and sign a copy of this policy. While most places don't do this, I am assuming your company is really trying to be secure about the trade secrets your company has. Truthfully, disclosing secrets, etc., would be covered in employment agreements and employee manuals. But if they want to cover it here, no biggie.

As far as encryption, that might be something that should be directed at your IT staff more so than regular users, most of whom I'm sure have no idea what that is.

Hope this helps.
 
kjonnnnn your observations are right on target, but allow me to make one:

Encryption may, at the present time, be a "nerd" thing, but going forward into Windows 2000 it is just a check box to encrypt a file. There is an administrative override for encrypted files.

I think Albion's policy statements above are actually quite good. I may want to add "on request" to the statement regarding passwords. I wouldn't want to have to keep track of all the user passwords on a day-to-day basis.

IMHO :) - Bill

"You can get anything you want out of life, if you'll just help enough other people get what they want" - Zig Ziglar
 
I'd say the policy is reasonably thorough. We have separate computer and Internet policies but they're both pretty short. The key, as I understand it, is that we are required to sign statements at the end of each that we have read, understand and agree to abide by the policies. As I understand it, you really need that to avoid any pleas of ignorance.

Jeff

If everything seems to be going well: you don't have enough information.......
 
Concur with the above. Getting a signed copy is the only way you have of proving the employee actually saw the policy. It also sends a message to the employee that you are dead serious about this. When I was in charge of security, I actually had employees initial each section of the policy and then sign off on the bottom. This made it explicitly clear that not only had the employee been afforded the chance to read the policy, but that they were aware of each section.
 
"1: When using the Internet, confidential material must be properly encrypted to prevent interception by third parties.
2: E-mail messages may not reveal trade secrets, proprietary financial information, or infringe upon copyrighted materials.
3: All user passwords must be disclosed to the company. This includes logon and encryption passwords."


How do you enforce the above?
Do you really have that kind of time in MIS to monitor your employees for this?

How many terminations or suspensions have resulted from the above items?

Not being a wise guy, just very curious having grown up in a pure app dev environment.

Regards,
Ivan

If not now, when?
If not here, where?
If not us, who?

Just do it!!
 
Well, we only have 60 or so people who use computers here. Since we have instated the policy we have only had one user who broke it. He received a 5 day layoff for the infraction.

Our MIS department consists of one person, me. Do I keep track of everyone's password? No. Do I know most of their passwords? Yes. I would say that 75% of my users do not have internet or email access so I don't need to worry much about their passwords because the only one they have is to get into the network.

And it's really not that difficult to monitor these people. It's simply a matter of going into Event Viewer once a day. And any administrator who doesn't check event viewer on his servers and Administrator's mail is stupid. I have all my log files from 6 servers going onto one server, it makes things a whole hell of a lot easier. Any software which can alert administrator by email uses that feature. So to answer your question, I have tons of time to look over this stuff.

-cm

P.S. I do appreciate everyone's response. It wasn't what I expected but at least now I have a better idea of what is really needed in a policy. It just seemed weird that many companies that I looked at have policies which define different infractions. One I looked at explained why pornography was bad, why chain letters were bad, and why sending pictures as signatures was bad. I just wondered if that information was necessary.
 
Tell us what were you expecting.....

I can see explaining why certain things were bad.

At my previous company, somebody sent that doggone "dancing baby" to everyone ... 600 people .... at 2 meg a baby. Do the math.

I'm like you, the only one here. If you've the time to monitor folks, God bless ya.
 
It's not that I have the time, it's just that they expect me to make sure we have no security violations. So I am trying to make everything perfect.

-cm
 
I just wrote our Internet/E-Mail acceptable use policy and it came to about 1 1/2 pages and looked very similar to yours.

One suggestion our attorney made is when people sign the policy, the signature block does not state they agree with the policy. Rather, the signature block states the user has received a copy of the policy.

And, she also suggested having a witness sign when the user receives their copy as well.

Jay

 
Not wanting to make this sound like a product endorsement....

However, we have installed products by the names of MailMarshal and WebMarshal which will monitor your users for you...

WebMarshal allows full reporting on websites visited, bandwidth utilisation, etc. It allows sites to be blocked (by keyword.. xxx? :)).

MailMarshal screens email (great for blocking vbs scripts.. we use it to cut out mpgs, avi's etc. to stop dancing baby issues) and will also scan the text of the message for particular keywords you may like examined (i.e. 'top secret').
If you were serious on protecting trade secrets you could embed a key word into the (for example) word document that MM would scan for.

On finding any suspect activity the administrator is notified based on a configuration of their choosing.

In a company of 350 email users and an IT Dept of 4 these tools are invaluable...

Cheers all..
(I guess it was a product endorsement)

F
 
Interesting discussion. Just a question or two:

The agency I work for has said that we may use the Internet for personal, non-work-related reasons during lunch and after-work hours. Would that be a reasonable policy to implement, rather than saying that employees can NEVER use the Internet for personal use?

I also worked until recently for another company which had similar policies in that they allowed a limited amount of time for personal Internet use as long as work got done.

Also neither my current employer nor my last employer limits in a significant way our personal email. Though they both have a firewall to keep out spam and graphic files which are too big. And anything pornographic isn't allowed. Above all, if someone is getting huge amounts of personal email, or else they subscribe to all sorts of email lists, they won't get their work done.

Both my current and former employer have written statements which are given out and the employee signs. Both prohibit the use of the Internet at any time to look at porn or run your own business or for gambling, etc. One guy got fired from my former company for looking at porn.

And of course, both employers have reserved the right to revoke all Internet access if it is mis-used.

Nina Too
 
If any employee uses the company internet for anything illegal the company is liable. That's the way I understand it to be. So by limiting internet use the company is protecting itself from litigation.

-cm
 
Are you sure that your company is liable for any illegal use by an employee? Because when my old employer fired the guy for looking at porn, they didn't feel the need to ban all personal Internet use.

Besides, even if they ban all personal Internet use, someone could still do something illegal -- and the company would still be liable. So banning all personal use, even if off-hours or during lunch, really isn't protecting your company from litigation.

And I'm afraid that it might cause some morale problems, especially if it gets known that other companies do allow personal Internet use off-hours.

Computer people are funny. Little things affect them. And they don't usually organize a union and picket, they just simply leave and find greener pastures elsewhere.

My old company's president established a "casual business" dress code a few years ago. Some of the older, more business-oriented folks squawked about it, saying that it was not "professional" for people to dress in business-casual; they wanted the old shirts-and-ties/stockings code.

But our company president answered that he felt he had to implement the casual dress code in order to keep top computer personnel there. Some of the top computer people who had left apparently had indicated on their exit interviews that one of the reasons was the dress code -- that other companies had casual dress codes.

I was there also when the company first put in Internet access. And they decided that it would be beneficial for morale to allow everyone to have it, and to allow limited personal use. Apparently they felt that they had measures and tools to monitor illegal use.

My current employer is a federal agency which also allows a casual dress code. And their Internet policy is explicit in that you can have personal use of the Internet during lunch and off-work time. You can surf the Internet during work hours if it's a slow period (i.e. awaiting specs), but only for job-related sites (such as Tek-Tips) where people can hone their work skills. I program in COBOL and CICS and there are some nice sites which discuss COBOL and how to use it.

Nina Too
 
"Besides, even if they ban all personal Internet use someone could still do something illegal -- and the company would still be liable. So banning all personal use, even if off-hours or during lunch, really isn't protecting your company from litigation."

Whether you give people permission to use the Internet for their own needs or not, they will use it. Although I have a policy I have people here listening to Internet radio. The bosses say there is nothing wrong with it. Well is there? I think so, 10 people listening to internet radio and 5 people running real time stock tickers takes a lot of bandwidth which is needed for important company business.

People seem to only think of the legal ramifications but there are other reasons. I don't want someone complaining to me or threatening me because he bought something sold through an employee e-mail address. I don't want to start receiving porn spam because some idiot decided he wanted to read some page that popped porn banners up. I once got a complaint from a university because one of my users had posted profanity and defamation on their public Usenet group.

Comparing Internet access to dress code is like comparing apples and oranges. No one is going to hold the company liable because someone was wearing jeans. But the company can be held liable because a user had a warez site running. And I live by the rule that if you allow someone to have an inch they will attempt to take a mile. It's too bad that the few have to spoil it for the many but them’s the breaks.

I personally don't consider something like Tek-Tips a personal thing. There is great information here to help people complete their job. Basically, if the site isn't related to something in your job function it's off limits.

If you want to use the Internet, use it at home. If you don't have a computer, don't be a tight wad, and buy one. "But I'd rather spend my money on a bike/workout machine/car/hooker", well everyone has their priorities, and I refuse to accommodate to you just because you won't shell out a grand or two.

-cm
 
------------
" Whether you give people permission to use the Internet for their own needs or not, they will use it. Although I have a policy I have people here listening to Internet radio. The bosses say there is nothing wrong with it. Well is there? I think so, 10 people listening to internet radio and 5 people running real time stock tickers takes a lot of bandwidth which is needed for important company business. "
------------
And it looks like you lack the tools to enforce your rule. Which is worse than not having the rule, because if you have a rule which people feel that they can break with impunity, then you can get into touchy situations.

My old company, and also my current employer have installed software which blocks listening to the radio over the Internet -- both employers had decided that there was too much bandwidth involved and it cut down on work efficiency for work tasks which need Internet access.

We are allowed to bring personal radios or CD/tape players with earphones which we can listen to while working. And also both my old company and my current employer lets us listen to CD's on our company computer's CD-Rom drive, using "CD Player" software which Microsoft provides, as long as we use earphones so that we don't disturb the person next door.

However, the program files which would allow for Internet radio are disabled. And we are not allowed to download programs from the Internet due to concerns about viruses. So therefore, no Internet radio listening.
----------------
" People seem to only think of the legal ramifications but there are other reasons. I don't want someone complaining to me or threatening me because he bought something sold through an employee e-mail address. I don't want to start receiving porn spam because some idiot decided he wanted to read some page that popped porn banners up. I once got a complaint from a university because one of my users had posted profanity and defamation on their public Usenet group. "
-----------------
But if people use the Internet despite rules which prohibit it, then how would the complaints be stopped?

Also, my agency has detailed rules about liability and illegal use, and the consequences thereof. They are very specific and we have to sign the rules when we receive a copy. Some forms of illegal use can lead to immediate termination, it has been made crystal-clear.

If some guy accesses porn and as a result, you get a bunch of spam, you should be able to immediately terminate him. Which is what actually happened at my old company; the guy got caught accessing porn, and he was outta there very quickly.
-------------
"Comparing Internet access to dress code is like comparing apples and oranges. No one is going to hold the company liable because someone was wearing jeans. But the company can be held liable because a user had a warez site running. And I live by the rule that if you allow someone to have an inch they will attempt to take a mile. It's too bad that the few have to spoil it for the many but them’s the breaks. "
-------------
But you might wind up losing people and having a turnover problem. So in that way, allowing/disallowing Internet access might be similar to allowing/disallowing casual dress.

Have you lost anyone due to your no-personal-use-at-anytime policy? Just curious.

Nina Too
 

"And it looks like you lack the tools to enforce your rule. Which is worse than not having the rule, because if you have a rule which people feel that they can break with impunity, then you can get into touchy situations."


No, not lack of tools, lack of upper management authority. UM likes to play favorites. But that's not the problem. Every day there's something new coming out; Direct Connect, BearShare, AudioGalaxy, Streaming Film. There's about 30 different ways to stream audio, half of which I probably don't know about. Are you going to dedicate $50k/year to an employee whose main job is finding new ways to abuse the policy and then blocking them?


"But if people use the Internet despite rules that prohibit it, then how would the complaints be stopped?"


You can't stop everything. No matter what software or "tools" you put in place someone's always going to find a hole and abuse it. But you can stop most of the recreational abusers and that's what policies are for. You will always have that one guy who likes to find the holes. If I had a guy who continued to find ways into and through the system I'd probably promote him to a security position. Make it his job to stop people like himself. :)


"But you might wind up losing people and having a turnover problem. So in that way, allowing/disallowing Internet access might be similar to allowing/disallowing casual dress."


I've never lost a single person because they couldn't use the Internet. I have lost a person because they did. Work is for working not playing; otherwise you wouldn't be getting paid. Most people work for 8 hours, if you can't deal with personal Internet use at some point in the other 16 hours of the day then maybe you need to re-adjust your priorities. Hey, no one said you had to go to the gym for 3 hours after work every day. You could use those 3 hours for your personal Internet experience, I simply don't care what you do on your time. I'm your employer, not your babysitter, mother, best friend, or priest, and I pay you to get a job done, not to look at force feedback steering wheels on eBay.

If you want to create Romper Room and destroy the already crumbling work ethic then be my guest. But don't complain to me when our work ethic gets to the point where you have to weed through 1000 applicants just to get someone who's actually willing to do some work.

-cm
 
"I simply don't care what you do on your time. I'm your employer, not your babysitter, mother, best friend, or priest, and I pay you to get a job done, [...]" --> So then why do you care if people use the internet or not? You're acting as if you were their father!!!!
As long as people get their job done, why would you be over their shoulder checking *how* they're doing it???
As you're saying, it's not a problem of "lack of tools, [it's a] lack of upper management authority" - meaning, if the job is interesting enough and the management guys do their job all right, then you won't even think of surfing away ... if the managers NEED to monitor you, they don't trust you and worse, they've not been doing their job and have to try to get things OK ... too late!
Please check FAQ183-874 :)
 
Exactly. No one here is saying that people should be allowed to go on the Internet for personal use during work hours. Iza and I are talking about after or before work hours.

It seems that there is a morale problem where you work (please correct me if I'm wrong). Because you say that you lack Upper Management authority, and that your Upper Management is playing favorites and isn't consistently enforcing the policy which is in place. I can see how this can lead to discouragement and difficulties.

As for blocking Internet audio, I believe that a systems administrator need only go into the Media Player program (assuming you have Windows NT) and disable and/or delete the EXE files which would allow the employees to link onto radio/video sites.

Nina Too
 

"So then why do you care if people use the internet or not? You're acting as if you were their father!!!!"


According to a September 2000 eMarketer study, 31% of office time online is non-work related. The average online time is about 50 hours a month. 31% of 50 hours is 15.5 hours a month or 186 hours a year that are spent on non-work related Internet journeys.

According to DataMasters the average US computer related salary is $74,527.59. 8% (186 hours out of a total 2210 hours a year is 8%) of that is $5962.21 plus ISP charges that is lost every year in employee productivity. That's a lot of cash to allow my users to use the Internet. How’d you like that much more money coming off your check every year? I can just see it now, right below Federal Tax is a section called Internet Use Fund.

Let's say I have an IT staff of 20 people ranging from Help desk to Senior Software Engineers. That means I'm tossing away $119,244.14 dollars every year to personal Internet use. If you owned a company, would you walk down to your bank, withdraw $120k, toss it into a bucket, and light it on fire once a year? I think not.

Then there’s the legality issue. Not only am I saving the company money by disallowing Internet use. I am also reducing the liability the company could suffer from the abuse of that Internet usage.

The key term here is reducing. Obviously I am not going to be able to eliminate the problem all together but if I can reduce the chance of a problem by 80% I've just possibly saved the company thousands if not millions of more dollars they might have had to pay out in litigation.


"No one here is saying that people should be allowed to go on the Internet for personal use during work hours. Iza and I are talking about after or before work hours."


When the speed limit was 55 mph how fast did the average driver drive? When the drinking age was 18, how young were kids buying alcohol? When using the Internet before work, how many people kept using it for 10 minutes after their start time? When given an inch people will try to take a mile: it's a proven fact. If I allow my people to use the Internet on company property after hours or at lunch there will be people who attempt to abuse that privilege. So by eliminating it all together I remove a greater number of employees from the pool of those who would have used it otherwise.

I don't care what anyone says but 20% is better than 50% is better than 90%. If I can go from 90% of my people using the Internet at $107,219.72 dollars per year with no non-use policy to 20% at $23,848.83 per year I am a much happier camper. That's just over $80k I can use for raises, better health insurance, better work environment, newer equipment, etc.

Like I said before, 16 hours of your 24-hour day are spent not at work. Why can’t people do their surfing then? Why does it have to be at their work place? The work place is for work not play.

I don’t accept the, “I don’t have a computer” excuse either. Computers aren’t that expensive anymore. If your priorities do not include a computer on your shopping list then I guess you don’t get to use the Internet. You really could consider this stealing if you wanted to look at it that way. People refuse to spend their money on a computer so they steal the company’s money instead?


"As for blocking Internet audio, I believe that a systems administrator need only go into the Media Player program (assuming you have Windows NT) and disable and/or delete the EXE files which would allow the employees to link onto radio/video sites."


People aren't entirely computer stupid anymore. Hell, a quick jaunt over to download.com's audio section shows 247 players found. Not to mention all the video players that are out there. You think they don't know how to get and install a media player?

There’s also the problem of running illegal software on work computers. How many people do you know who are running WinZip shareware after its expiration date? Hey, that’s another large sum of money to shell out if you get caught. And all because my people wanted to listen to audio files after I removed media player.


"It seems that there is a morale problem where you work (please correct me if I'm wrong)."


I think I worded that wrong. The attitude of the bosses here is, "It won't happen to us." So they allow the problem to continue. But, my opinion is not at all related to how things work in my company. It’s just my opinion.

I apologize if my opinions don’t agree with how you envision your work experience to be. But no one said work was supposed to be fun, it’s work. Fun is what you do with the money you make working not what you do while making that money.

-cm
 