Audit My PC - Free Internet Security Audit

Firewall Test and web tools to check your security and privacy

Internet Usage Policy

Every organization has an internet usage policy and every one is different than the other; however, all internet usage policies have the same frequently asked questions. Below you’ll find common questions users ask when they review your internet usage policy and a sample policy that you are free to use for your organization’s internal use. Including similar questions will help your organization avoid unnecessary questions about your internet policy.

Internet Usage Policy – Termination Question

E-mail policy violated: Was termination legal?

Based on Pidd v. Berquist Company, 8/5/02.

How dare you?" said Ron Harrison, his face red with anger. "You read my personal e-mail?"

Supervisor Will Bane refused to allow Harry to deflect the blame. "That’s not the point," said Jill! "You had no business sending pornographic cartoons to co-workers on work time. And legally, your e-mail at work isn’t really personal.

This time, Harry’s face was red from sheer embarrassment. "All right, I’ll admit forwarding it was a bad decision. But it’s not all my fault – a friend outside the company downloaded it and e-mailed it to me. It’s not like I went searching for it myself." "Doesn’t matter," said Justin. "I know you know that behavior isn’t allowed. We still have the form you signed saying you fully understand our Internet and e-mail policy. It specifically says we don’t approve of employees doing non-related activities like playing computer games, downloading pornography or sending harassing e-mails."

Internet Usage Policy, Technicalities

"But wait just a minute, you said it yourself – we’re not allowed to download pornographic emails. I didn’t. As for sexual harassment – well none of the co-workers I sent the cartoon to have complained as far as I know. Legally, someone has to be offended for there to be sexual harassment, right?"

"Let’s not play word games," said Justin angrily. "You knew that what you were doing was wrong and you knew it would lead to your termination."

Harry sued the company for wrongful termination, saying technically he hadn’t broken company rules. Did the company win?

Yes. The company won.

Harry tried to get around the language in the company’s Internet and e-mail policy by having a friend download pornographic cartoons for him then e-mail them to him at work.

Harry thought he had skirted the firm’s internet usage policy because he didn’t download the cartoons himself, and because his co-workers didn’t complain when he forwarded copies to them.

But a judge said that while the company’s Internet and e-mail policy specifically referred to downloading pornography as misconduct, the policy also implied that misusing company equipment for similar purposes wouldn’t be tolerated either. In the end, the "spirit" of the company’s policy, was more important than Harry’s word-games.

Based on Pidd v. Berquist Company, 8/5/02.

Usage Policy – Email Forwarding Question

I’m concerned about the section that covers email forwarding. Can I send a non-work related email to my
private home account?

Answer: The section you refer to prohibits automated email forwarding without prior approval. Non-work related messages, such as medical appointments, can be sent to your home account.

Internet Policy – Other Account Questions

The policy states that using another account or representing another user is prohibited. That you may be held responsible for any abuse if you knowingly let someone use your account. Does that include a supervisor requesting you log on to a computer in your name so that the supervisor can use the computer under your name and password to conduct county business?

Answer: A supervisor can make this request. You may log the date, time and reason for this request. In most cases, the supervisor will have a floating account for times when the employee is not available.

Computer Access Policy – question

Who is a designated representative that has the right to enter my computer system to access and review information based on the internet usage policy?

Answer: Your immediate supervisor or above may enter your computer to access information. The computer system and all information contained within is the property of the County of JUIM.

Web Policy – Junk Mail Question

What is Junk Mail

Answer: Junk mail can have some or all of the following characteristics.

  • It is unsolicited.
  • It is from a someone you do not know.
  • It contains any form of advertising.
  • It contains offensive material.

Ponzi – Policy – Question

What is a "Ponzi"? I understand chain letters and pyramids which are similar, but not the same thing.

Answer: A type of pyramid scheme named after Carlo “Charles” Ponzi. Ponzi was born in Parma, Italy 1882 and then immigrated to the United States in November of 1903.

Network Monitoring – Policy – Question

What is network monitoring?

Answer: Watching the packets of information that cross the County of JUIM network wires. This type of activity is intentional and designed to reveal the underlying structure of the network and expose any potential weaknesses.

Port Scanning – Policy – Question

What is port scanning or security scanning?

Answer: Port scanning or security scanning in the context of this policy is the intentional act of looking for network vulnerabilities. Again, this is not something that you would do by accident.

Sniffing – Policy – Question

How would we know if we are network sniffing, pinged floods, packet spoofing, etc?

Answer: These are activities designed to monitor data or disrupt network traffic. It’s not something that is unintentional and would require effort and knowledge on the part of the user. If you’re doing it, you would be fully aware of it.

Internet Usage Policy Questions

If you have more internet usage policy FAQ’s, please let us know and we’ll be happy to post them.

Sample Internet Usage Policy

A computer usage policy can save your organization from a lawsuit. Below is a free computer policy you can use for your organization.

The objective of this policy is to define standards of conduct when employing the use of information technologies available through the County of MIUJ. These technologies include, but are not limited to, computers, computer files, software, as well as electronic mail, voice mail, Internet and Intranet.

Computer Usage Policy Details

The County of MIUJ expects all employees to use these information technologies solely for business purposes. Employees should not assume that any computer equipment or technologies, such as electronic mail and data are confidential or private. The County (or its designated representatives) maintains the right and ability to enter these computer systems to access and review any information.

This policy applies to all County of MIUJ employees, contractors, vendors and agents with County owned or personally-owned computer or workstation used to connect to the County of MIUJ network.

Disciplinary action will occur whenever a breach of security or hacking is detected and determined intentional or negligent. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

If you are unsure as to an items appropriateness, consult the Information Technology department and/or the Manager’s office.

Security:

To protect the information contained on the County of Secura’s enterprise network there have been a number or security measures implemented. Each user is issued an account and password. This password will grant the user access to information based on their job requirements and security level.

For security purposes, your network account will expire and will require a new password at least every six months. You may change your password at any time. If you believe your password is known by another user, you should change it immediately. If you require assistance please contact your supervisor or the Information Technology Department.

Your password may not be given to anyone. If a person has requested the use of your network account, you may direct them to your supervisor or the Information Technology Department. In addition, using another’s account or representing another user is prohibited. You may be held responsible for any abuse if you knowingly let someone use your account.

Ways in which you can help protect the network are:

  • All PCs, laptops and workstations must be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for Win2K/XP users) when the host will be unattended.
  • Never give your password to anyone.
  • Choose passwords that are not obvious and do not write them down. A good password includes a combination of letters, numbers and symbols that are 7 character or more.

Fraudulent Use or Behavior

Users must respect the integrity of computing and network systems; for example, users shall not intentionally develop or use programs that harass other users or infiltrate a computer, computing system, or network and/or damage or alter the software components of a computer, computing system or network.

Under no circumstances is an employee of the County of Secura authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing the County of MIUJ owned resources. An employee that suspects or is aware of such activity is required to notify their department head and the manager’s office immediately.

Network security is a very serious issue. Tampering with data or attempting to circumvent the flow of data is strictly prohibited.

If a user creates any liability on behalf of the County due to inappropriate use of the network, the employee agrees to indemnify and hold the County harmless, should it be necessary for the County to defend itself against such actions engaged in by the user.

The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use. An employee aware of any activity or activity by another employee that violates this policy is required to notify their department head and the Information Technology department immediately.

The following activities are strictly prohibited, with no exceptions:

System and Network Activities

  • Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by the County of MIUJ.
  • Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the County of MIUJ or the end user does not have an active license is strictly prohibited.
  • Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
  • Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
  • Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
  • Using a County of MIUJ computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
  • Making fraudulent offers of products, items, or services originating from any the County of MIUJ account.
  • Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
  • Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information.
  • Port scanning or security scanning is expressly prohibited unless authorized by the Information Technology Department.
  • Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
  • Circumventing user authentication or security of any host, network or account.
  • Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
  • Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.
  • Using a system other than those provided by the County of Secura to store files.

Email and Communications Activities

  • Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
  • Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
  • Unauthorized use, or forging, of email header information.
  • Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
  • Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
  • Use of unsolicited email originating from within the County of MIUJ’s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by the County of Secura or connected via the County of MIUJ’s network.
  • Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

To prevent potentially inadvertent transmission of sensitive information by all employees, vendors, and agents operating on behalf of the County of MIUJ, automatic email forwarding to an address outside the organization is unauthorized unless approved by the Information Technology Department.

General uses and actions that are also prohibited.

  • Any commercial use or any use for personal gain
  • Adding, removing, or modifying identifying network header information (aka "spoofing").
  • Attempting to impersonate any person by using forged headers or other identifying information.
  • Using a proxy server of any kind (other than the County of MIUJ’s internal proxy server).
  • Using any type of Anonymizer or any other means to mask, hide or modify your identity or activities electronically.
  • Using any type of program/script/command or other computer related device to send messages of any kind in place of the County of Secura Microsoft Exchange Server. To help prevent the transmission of viruses and other hostile programs, and where appropriate, all electronic messages must use and go through the County of MIUJ Exchange Server.
  • Facilitating use or access by non-authorized users, including sharing your password or other login information with anyone.
  • Obtain and/or use another user’s passwords without their knowledge and consent.
  • Attempt to gain access to files and resources to which you have not been granted permission.
  • Try to "crash", or unnecessarily retard, the network or computing systems.
  • Make copies of another user’s files without their knowledge and consent.
  • Print or plot posters and banners under another users account.
  • Steal, vandalize or obstruct the use of computing equipment, facilities, or documentation.

Software and Hardware

Software Piracy

The illegal use of software is prohibited. Most Pirating is a result of installing software on a computer without the legal right to do so. In order to use a computer program the organization must purchase the program from a reputable source and possess the license and software to use the program. The posting or uploading of copyrighted material without the permission of the owner of such material is also prohibited.

It is illegal to copy software or use software without meeting the above mentioned criteria and legal action may be taken against those not abiding by the law. If you would like more information or a copy of the law contact the Information Technology Department.

Games

All segments of the computer systems remain the County’s property and are furnished to employees for business use only. Entertainment through the use of computer games is not permitted.

Installing and/or downloading Software

You may not install software onto the computer or onto the network without the permission of the Information Technology Department. You may not download any software without the permission of the Information Technology department. Permission must be obtained prior to beginning the process of downloading software. If you require software not owned by the County of MIUJ, you may arrange to purchase it provided the software is required to perform work related tasks and approved by the Information Technology Department. Software includes but is not limited to scripts and commands.

Installing computer related hardware

You may not install hardware without permission of the Information Technology Department. Devices such as wireless access points, storage devices and network hardware may present a security risk or impede operations.

Viruses

The threat of a virus infection can arise from downloading files from the Internet, loading data into your computer from a diskette, or running an e-mail attachment. If you question the authenticity of data, you may have the Information Technology Department scan it for viruses. Please note that your computer is not immune from a computer virus so we encourage you to take caution when downloading information.

Intranet/Internet

The County of MIUJ’s Information Technology Department will provide approved staff with the ability to use the Internet as a source of global communication and research. The Internet is a powerful research and communication tool, as such; we must assume responsibility for using it in an appropriate manner.

We must remember to focus only on information contained within the scope of our job functions. The Information Technology department will periodically review the information or sites a user has visited. Any user action that violates the appropriate usage policy may result in revoking network privileges and may lead to legal action.

Pornographic Material and Vulgarity – the posting, uploading, or downloading of pornographic or vulgar messages, photos, images, sound files, text files, video files, newsletters, or related materials is strictly prohibited.

Email

Ownership

The e-mail system is the property of the County of MIUJ. All data and other electronic messages within this system are the property of the County of MIUJ. E-mail messages either composed or received on this system may be considered County records, depending on their content, and therefore may be subject to Freedom of Information Act requests and other legal disclosure.

Monitoring and Privacy

The County of MIUJ reserves the right to monitor all e-mail messages either composed or received in the e-mail system. It is possible that e-mail sent from the County’s system can be intercepted on the local system and on the Internet; therefore the user should not expect any degree of privacy regarding e-mail messages of any type. E-mail messages deleted by the user may be retrievable from the hard drive, backup tapes or the receiving or sending e-mail system.

The County of MIUJ Exchange Server may have the ability to automatically forward messages; unless otherwise approved by the Information Technology department, automatically forwarding any type of electronic mail is prohibited. One example would be setting up a rule to have all your work related email sent to your private account, such as yahoo or msn.

Major Points

  • Electronic mail is an important resource for communications and is an essential element in the County’s daily activities. Aside from increased speed and accessibility, electronic mail allows a certain amount of flexibility not experienced through memos or other traditional methods of communication. Because of this, we need to acknowledge the following key points:
  • Messages can be forwarded and copied very easily. It only takes a few keystrokes for a personal, and perhaps embarrassing, message to be sent to the wrong people. Good advice is not to send messages that could be damaging if made public or that cover sensitive material.
  • Know your recipient. Different people have different ideas of what is acceptable. Find out and respect each person’s wishes. Be respectful and exercise good taste. An e-mail account is not a license to abuse or insult people.
  • Be considerate of the recipient’s time. E-mail messages work best if they’re short and to the point.
  • Don’t send copies of e-mail to people unless they need to be copied. In addition to cluttering up their mailboxes, it can place them in an awkward position, making them feel as if they have to do something with the information. It also can be intimidating to the main recipient.
  • Unsolicited advertising is not acceptable. The selling of personal services or products toward personal financial gain is prohibited.
  • Be aware that e-mail can be archived and, under certain circumstances, may not be secure. Many on-line services and public e-mail providers protect the confidentiality of their subscribers’ e-mail, but some companies consider e-mail subject to scrutiny.
  • Don’t "cry wolf." Avoid "Urgent" or "Priority" unless it really is. Employ capital letters sparingly. Using them for an entire message is perceived by many as SHOUTING, and is harder to read.
  • In face-to-face conversation, we convey emotion and meaning through facial expressions and vocal inflections. That element of speech is absent in e-mail, so take care when expressing yourself, especially with the use of irony or humor.
  • Avoid sarcasm, unless you’re sure it will work, and think very carefully before using e-mail to express anger. With e-mail, once it’s sent, it’s gone. If you’re posting a message in a public forum, remember it can be read by a wide variety of people.

Harassment

E-mail at work is a privilege, not a right. The County of Secura is entrusted with a valuable communication tool that holds endless possibilities. If you receive an e-mail message that is harassing or inappropriate, you are expected to report it in writing to your supervisor, or any department head, and also send a copy to the Information Technology Department.

Remote Access

The purpose of the remote access portion of this policy is to define standards for connecting to the County of MIUJ’s network remotely. These standards are designed to minimize the potential exposure to the County of Secura from damages which may result from unauthorized use of County resources. Damages include the loss of sensitive or confidential data, intellectual property, damage to public image, or damage to critical County of MIUJ internal systems, etc.

It is the responsibility of County of MIUJ employees, contractors, vendors and agents with remote access privileges to County of Secura’s network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to the County of MIUJ network.

General access to the Internet for County related use through the County of MIUJ network on computers is permitted for employees. The County of Secura employee bears responsibility for the consequences should the access be misused themselves, or by anyone with access to the computer.

Requirements

Remote access to the County of MIUJ network system of any kind, must first be authorized by the Information Technology department. Secure remote access must be strictly controlled. Control will be enforced via password authentication or public/private keys with strong passwords. For information on creating a strong password see the Password section of this policy.

County of MIUJ employees and contractors with remote access privileges must ensure that their County of MIUJ-owned or personal computer or workstation, which is remotely connected to County of MIUJ’s network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.

When you are finished accessing County resources remotely for a particular task, you should promptly disconnect from the County network.

County of MIUJ employees and contractors with remote access privileges to the County of MIUJ network must not use non-County of Secura email accounts (i.e., Hotmail,

Yahoo, AOL), or other external resources to conduct County of Secura business.

All hosts that are connected to County of MIUJ internal networks via remote access technologies must use the most up-to-date anti-virus software, this includes personal computers; the anti-virus software must be running at all times on the device and must be approved by the Information Technology Department.

Personal equipment that is used to connect to County of Secura’s networks must meet the requirements of County of MIUJ-owned equipment for remote access.

Organizations or individuals who wish to implement non-standard Remote Access solutions to the County of MIUJ network must obtain prior approval from the Information Technology Department.

You are accountable for the activities performed under your logon id and are urged, therefore, to safeguard your passwords, charge numbers and data.

Terms and Definitions:

Anonymizer: A privacy service that allows a user to visit Web sites without allowing a visited Web site to gather information about them, such as their IP address.

Cable Modem: Cable companies such as AT&T Broadband provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps. Cable is currently available only in certain communities.

DMZ: De-militarized Zone. A network segment external to the production network.

DLCI: Data Link Connection Identifier (DLCI) is a unique number assigned to a Permanent Virtual Circuit (PVC) end point in a frame relay network. DLCI identifies a particular PVC endpoint within a user’s access channel in a frame relay network, and has local significance only to that channel.

Dial-in Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates the digital data of computers into analog signals to send over the telephone lines, then demodulates back into digital signals to be read by the computer on the other end; thus the name "modem" for modulator/demodulator.

Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include: Being logged into the network via a local Ethernet connection, and dialing into AOL or other Internet service provider (ISP). Being on a County of MIUJ-provided Remote Access home network, and connecting to another network, such as a spouse’s remote access. Configuring an ISDN router to dial into County of MIUJ and an ISP, depending on packet destination.

DSL: Digital Subscriber Line (DSL) is a form of high-speed Internet access competing with cable modems. DSL works over standard phone lines and supports data speeds of over 2 Mbps downstream (to the user) and slower speeds upstream (to the Internet).

Email: The electronic transmission of information through a mail protocol such as SMTP. Programs such as Microsoft Outlook use SMTP.

Forwarded email: Email resent from internal networking to an outside point.

Frame Relay: A method of communication that incrementally can go from the speed of an ISDN to the speed of a T1 line. Frame Relay has a flat-rate billing charge instead of a per time usage. Frame Relay connects via the telephone company’s network.

Hacking: Widely used to describe people who gain illegal entrance into a computer system

ISDN: There are two flavors of Integrated Services Digital Network or ISDN, BRI and PRI. BRI is used for home office/remote access. BRI has two "Bearer" channels at 64kbit (aggregate 128kb) and 1 D channel for signaling info.

Intranet: The in-house Web site that serves the employees of the County of MIUJ.

Internet: Global network of computers used to communicate and provide information.

Network: The collaboration of computers and shared electronic information.

Packet sniffer or sniffing: A program running in a network attached device that passively receives all data-link-layer (and other) frames passing by the device’s network interface.

Piracy: The illegal copying of software for personal or commercial use.

Sensitive information: Information is considered sensitive if it can be damaging to the County of MIUJ or its customers’ dollar value, reputation, or standing.

Remote Access: Any access to the County of MIUJ’s network through a non-County of MIUJ controlled network, device, or medium.

Split-tunneling: Simultaneous direct access to a non-County of Secura network (such as the Internet, or a home network) from a remote device (PC, PDA, WAP phone, etc.) while connected into the County of MIUJ’s network via a VPN tunnel. VPN

Spamming: Sending copies of the same message to large numbers of newsgroups.

Spam: Unauthorized and/or unsolicited electronic mass mailings.

Unauthorized Disclosure: The intentional or unintentional revealing of restricted information to people who do not have a need to know that information.

User: Staff, vendor, or citizen employing the use of the information contained within the computer resources owned by the County of Secura.

Virtual Private Network (VPN) is a method for accessing a remote network via "tunneling" through the Internet.

Virus: Executable computer program that can attach itself to an item, such as a computer startup area (boot record), executable file or email. A virus may have a number of objectives – most are usually destructive.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *