Internet and Email Policy

Internet and email policies are not only meant for IT people but also required to be conveyed to all employees on the importance of its usage, handling and managing it. A comprehensively defined and charted internet policy helps employees enjoy the vast benefits of the internet, while being wary of its potential risks. It ensures that employees use the internet effectively, states what is allowed and what is not with procedures to minimize risks.

This policy template is available for download in Word format.

With this Internet and Email Policy template, you can:

• Create awareness about employees' responsibilities towards technology usage
• Ensure protection against virus from devices or unknown websites
• Understand the need for physical security of mobile devices
• Understand risks to company networks and data

In just a few minutes, you will be able to create the Internet and Email Policy. This template covers vital information like:

• Do’s and Don’ts by employees regarding internet usage
• Rights of IT Security team to track user activities
• Rights of regulatory authorities to track user activities
• Understand copyrights policy when downloading material for use

Internet and Email Policy

Objective

The intent of this policy is to establish guidelines for the employees using < Company Name Here >’s network facilities, including computer hardware, printers, software, e-mail and internet access tools, collectively called “Information Technology Assets”. This policy is in place to protect < Company Name Here > and it’s employees from any inappropriate use of these assets which may lead to risks including virus attacks, compromise of network systems and services, confidential data, Company’s intellectual properties and related legal issues.

Scope and Applicability

This policy applies to employees, contractors, consultants and temporary staff at < Company Name Here > including all personnel affiliated with third party vendors. This policy is owned by < Name of the Person > and reachable @ < Contact Number > and < email address >

Policy / Process

Security & Confidentiality

• All information about the company, its clients, prospects, suppliers or employees is confidential and proprietary and shall not be divulged to anyone other than persons who have a right to know or are authorized to receive such information. Disclosure of information to such persons will only be done after getting the NDA signed with him/her.
• The company should get the NDA signed by all the Employees, Contractors, Temporary staff, Interns or any such person or organisation in need of information / data, before any such access is provided to them.
• This basic policy of caution and discretion in handling of confidential information extends to both external and internal disclosure.
• Confidential information obtained as a result of employment with the organization is not to be used by employees for the purpose of furthering any private interest or as a means for making personal gains.

ID Badge Policy

• Id cards are to be displayed prominently at all times in and around the Company premises

Clear Desk Clear Screen Policy

• Employees shall keep their systems locked if they are leaving their desks.
• Screensavers shall be activated if the systems are not being used for more than 2 minutes.
• Sensitive documents are stored securely and handled with care.
• Sensitive or critical business information shall be kept in a secured central location.
• Sensitive or classified information, when printed, shall be cleared from the printers immediately.
• Unwanted printed material containing confidential information needs to be shredded immediately.

Personal Assets

• Employees shall not carry any personal computing device like laptops, pen-drives, CDs, etc., within the premises unless authorized by the ITM.

Protection of Company Assets

• Employees shall take adequate care to protect company assets.
• Company assets to be used strictly for the company’s business purposes only.
• All assets should be reviewed/monitored monthly and all critical assets like servers, firewall, switches, DG, UPS, physical access control, visitor registers, material movement registers, should be reviewed/monitored at least twice a week or as per the Management’s requirement.

Assessment Movements

• Employees shall not move company assets without authorization by their respective Managers. The Manager will consult with the Facilities / IT department to approve / reject such movement or plan and execute the movement.

Communication

• Employees shall take appropriate care not to compromise on information security while using various modes of communication like email, verbal discussions and phone.

Copyrights Policy

• Possessing or obtaining unauthorized copies of copyrighted materials including software, hardware designs, company related documents and products are strictly prohibited

Protection Against Virus from Mobile Devices (Laptops)

• Anti-virus software must be installed on laptops and configured to scan files as they are installed or copied to the laptop
• Do not disable virus scan feature
• Update Antivirus software regularly
• Loading or installing non-business related items onto the laptop is discouraged.
• Any virus infection on the mobile device should immediately be informed to the IT Manager and the device should be disconnected from the network. If possible,the mobile device must be switched off.
• All critical data shall always be backed up before proceeding on an extended travel.
• In situations where the removable media or mobile device is used outside the office premises or during travel, all items (CDs, paper, pen drives, mobile devices) containing the organization's information property shall be guarded. If they are to be discarded, then they should be disposed off according to the “IT Asset Disposal section” in the IT policy of the organization.
• Mobile devices provided by the organization shall be used only for the company's business purposes, by the employees.

Physical Security of Mobile Devices

• Users must take all preventive measures towards physically securing their allotted mobile devices.
• All laptops acquired for or on behalf of the organization shall always remain the organization’s property. Each employee provided with a laptop is responsible for the security of that laptop, regardless of whether the laptop is used in the office, at his/her residence or in any other location such as a hotel, conference room, car or airport, etc.
• Laptop computers must not be:
  • Left to be viewed in an unattended area, even for a short period of time,
  • Left in a vehicle overnight,
  • Kept in extreme temperatures
• A laptop displaying sensitive information and being used in a public place, e.g. on a train, aircraft or bus, must be positioned such that the screen cannot be viewed by others.
• When leaving a laptop unattended for any extended period, e.g. long breaks during office hours or overnight, users must physically secure it with a cable lock or lock it away in a robust cabinet or alternatively lock the door of an individually occupied office.
• In vulnerable situations, e.g. public areas such as airport lounges, hotels and conference centers, etc., the laptop must never be left unattended.
• Laptops should be carried as hand luggage whenever permitted while traveling.
• Where any of the above rules are either inappropriate or impractical, the owner is responsible for taking all reasonable steps to minimize the risk of loss or damage to the laptop.
• Mobile users connecting to the web from external locations like their home or a hotel room are vulnerable to virus attack. It is recommended to have a personal firewall installed as an effective layer of security.
• In case of any accident, theft, damage or harm to the laptop or any of its components /accessories, the user must report the incident to the Manager & IT Department immediately.

Protection of Sensitive Data on Mobile Devices

• All sensitive information must be updated / stored on the main network servers by the user.
• It is the responsibility of each employee to ensure that confidential and sensitive data is protected from unauthorized users.
• It is the responsibility of the laptop owner to ensure safety of business & important data. Local IT team should be requested for backup & archiving on a regular basis as per the backup policy. IT team shall not be responsible for any loss of the data due to failure of the hardware.
• Keep the laptop in a locked and secured environment when not being used for a long period.

Right to Trace User Activity

• Company reserves the right to monitor or audit computer facilities, user workstation, email access, internet access, network traffic, file transfer activity, etc., as a regular maintenance exercise or for any suspected abuse, unauthorized or illegal activities.

Employee Responsibility Towards Business Continuity

• Understand the safety aspects in the work environment
• Participate in fire drills
• Prevent actions/activities that could cause a disaster such as bringing in inflammable material into the premises
• Follow fire safety procedures at all times
• Keep personal and emergency contact information updated
• Report any observed safety or security lapse immediately to BCP and IT Teams

Email

• Email is to be used for the company’s business purpose only
• The company’s confidential information must not be shared outside of the company, without authorization, at any time
• Employees should not conduct personal business using the company computer or email
• The < Company Name Here > email group lists must be shared with < Company Name Here > users only and must not be shared with any external or public domain
• Sensitive content like source code, customer contacts, project documents, organizational strategy information and any other proprietary information of the company must not be sent to personal email addresses
• Personal email must not be used as contact address for official purposes
• Official email must not be used for publishing, distributing or disseminating any inappropriate, profane, defamatory, infringing, obscene, indecent or unlawful material
• Official email must not be used for surveys, contests, chain emails, junk e-mail, spamming, unsolicited messages or messages that have racial or sexual slur, political or religious solicitations
• Official email must not be auto forwarded to any personal email or public email domains

Spam Filtering

• Employees must not open emails from dubious sources
• Employees must not reply to spam or click on links, including ‘unsubscribe' facilities, in spam
• Employees must not accept spam-advertised offers
• Employees must block incoming mail from known spammers
• Employees must not post official email addresses on publicly available sites or directories. If one must do so, look for options, such as tick boxes, that allow one to opt out of receiving further offers or information
• Employees must not disclose personal information to any online organization unless they agree (in their terms and conditions or privacy policy) not to pass information on to other parties

Social Networking Sites

• Social networking sites allow photographs, videos and comments to be shared with thousands of other users. However, it shall not be appropriate to share work-related information in this way. < Company Name Here > employees should be mindful of the information they disclose on social networking sites. They shall not act in a manner that would bring disrepute to < Company Name Here >.
• Employees shall not:
  • Store, send or distribute confidential information, copyright material or other content which is subject to third party intellectual property rights, unless you have a lawful right to do so.
  • Do anything, including store, send or distribute material which defames, harasses, threatens, abuses, menaces, offends, violates the privacy of or incites violence or hatred against any person or class of persons or which could give rise to civil or criminal proceedings.

Blogging

• Personal blogs, micro blogs and websites should not reveal confidential information about < Company Name Here >. This might include aspects of < Company Name Here> policies or details of internal < Company Name Here > discussions. If in doubt about what might be confidential, staff members should consult their reporting manager.
• Personal blogs, micro blogs and websites should not be used to attack or abuse colleagues. Staff members should respect the privacy and the feelings of others.
• If a staff member thinks something on their blog, micro blog or website gives rise to concerns about a conflict of interest, and in particular concerns about impartiality or confidentiality, this must be discussed with their reporting manager.
• If a staff member is offered payment to produce a blog or microblog for a third party, this could constitute a conflict of interest and must be discussed with their reporting manager.

General Internet Access

• Internet use brings the possibility of breaches to the security of confidential company information. Internet use also creates the possibility of contamination to our system via viruses or spyware. Spyware allows unauthorized people, outside the company, potential access to company passwords and other confidential information.
• Users :
  • Shall comply with country/region specific moral codes at all times
  • Shall not use company computers or other electronic equipment to obtain, view, or reach any pornographic or otherwise immoral, unethical or non-business-related internet sites
  • Internet must not be used for downloading, publishing, distributing or disseminating any inappropriate, profane, defamatory, infringing, obscene, indecent or unlawful material
  • Shall not download files such as music files, video files or other large files unless they are specifically warranted for the user’s official duties

Remote Access

• Care should be exercised when working in public places such as internet cafés, airport lounges or hotel lobbies.
• It is advisable to clear out browser cache and temp files after logging out of non -< Company Name Here > systems or applications.
• While working from home or other remote locations, adhere to the company’s IT policy.

Special Circumstance and Exception

Any Deviation to this policy has to be approved by ITM. Any changes to the policy has to be approved by HR, Legal and Compliance.

Non-compliance and Consequence

Non compliance of this policy, like misuse of office equipment for personal work or negligent damage or attending to personal work during office hours without the explicit permission of Manager or HR and any such acts that construe to be a violation of this policy, will be viewed seriously by HR and appropriate action will be initiated, including termination of employment contract.