Acceptable Use Policy

1.0          Introduction

1.1               This Acceptable Use Policy (AUP) for IT Systems is designed to protect CISI, our employees, customers and other partners from harm caused by the misuse of our IT systems and our data. Misuse includes both deliberate and inadvertent actions.

The repercussions of misuse of our systems can be severe. Potential damage includes, but is not limited to, malware infection (eg, computer viruses), legal and financial penalties for data leakage, and lost productivity resulting from network downtime.

Everyone who works at CISI is responsible for the security of our IT systems and the data on them. As such, all employees must ensure they adhere to the guidelines in this policy at all times. Any employee who is unclear on the policy or how it affects their role should speak to their manager or the Head of IT.
This policy has been reviewed and updated in 2018 ahead of the EU General Data Protection Regulation (GDPR) coming into force.

1.2          Definitions Used

Users - Everyone who has access to any of CISI’s IT systems. This includes permanent employees and also temporary employees, contractors, agencies, consultants, suppliers, customers and business partners.

Systems - All IT equipment that connects to the corporate network or accesses corporate applications. This includes, but is not limited to, desktop computers, laptops, smartphones, tablets, printers, data and voice networks, networked devices, software, electronically-stored data, portable data storage devices, third party networking services, telephone handsets, video conferencing systems, and all other similar items commonly understood to be covered by this term.

CISI computers - All CISI-built desktop PCs and laptops. This does not include CISI-owned Apple devices, such as iPhones or iPads.

Work time - Employee working hours as per contract of employment or any formal change agreed with CISI.

1.3          Scope

This is a universal policy that applies to all Users and all Systems. Where a more specific policy exists for particular Users or Systems, that policy takes precedence on any points where the two conflict; on all other points both policies apply.

This policy covers only internal use of CISI’s systems, and does not cover use of our products or services by customers or other third parties.

Some aspects of this policy affect areas governed by local legislation in certain countries (eg, employee privacy laws): in such cases, the need for local legal compliance has clear precedence over this policy within the bounds of that jurisdiction. In such cases local teams should develop and issue users with a clarification of how the policy applies locally.

Staff members at CISI who monitor and enforce compliance with this policy are responsible for ensuring that they remain compliant with relevant local legislation at all times.

2.0          Computer Access Control – Individual’s Responsibility

2.1          Access to the CISI IT systems is controlled by the use of User IDs, passwords and/or tokens. All User IDs and passwords are uniquely assigned to named individuals when they join; consequently, individuals are accountable for all actions taken under their credentials on CISI IT systems.

Individuals must not:

  • Allow anyone else to use their username and password on any CISI IT system.
  • Leave their user accounts logged in at an unattended and unlocked computer.
  • Use someone else’s username and password to access CISI’s IT systems.
  • Leave their password unprotected (for example writing it down).
  • Perform any unauthorised changes to CISI’s IT systems or information.
  • Attempt to access data that they are not authorised to use or access.
  • Exceed the limits of their authorisation or specific business need to interrogate the system or data.
  • Physically connect any non-CISI authorised device to the CISI network or IT systems.
  • Store CISI data on any equipment that has not been authorised by CISI.
  • Give or transfer CISI data or software to any person or organisation outside CISI without the authority of CISI.

2.2          Line managers must ensure that individuals are given clear direction on the extent and limits of their authority with regard to IT systems and data. Please see Appendix A for further details.

3.0          Password Strength Policy

3.1          All CISI domain user accounts will require the use of ‘strong’ passwords to ensure the security and integrity of the CISI network.

3.2          The password policy is set as a rule within Active Directory and requires all passwords to comply with the following requirements:

  • Must be at least 8 characters long
  • Contain at least 1 uppercase character
  • Contain at least 1 numeric character (digit)
  • Contain at least 1 symbol, e.g. £ or $

3.3          Users whose current password does not yet meet these requirements will be prompted to choose a compliant password when their existing password expires.
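The following PowerShell snippet is an added example and is not part of the original policy. It reads the default domain password policy with the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy cmdlet and checks it against the requirements in 3.2 and the expiry behaviour in 3.3, then lists any fine-grained password policies (PSOs), which override the default for the groups they apply to. It assumes a domain-joined session with the RSAT ActiveDirectory module installed; the expected values are taken from 3.2. One caveat for whoever maintains the policy: the built-in Active Directory "Password must meet complexity requirements" setting enforces a three-of-five character-category rule (uppercase, lowercase, digit, symbol, other Unicode letters) rather than the specific uppercase/number/symbol combination listed in 3.2, so a password such as abcdefg1! passes the domain check without an uppercase character. Enforcing 3.2 exactly would need an additional password filter; the script below can only confirm that the built-in controls are switched on.

```powershell
# Added example: audit the default domain password policy against sections 3.2 and 3.3.
# Assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Expected values are taken from section 3.2 (length, complexity) and 3.3 (expiry).
$checks = @(
    @{ Name = 'Minimum length is at least 8 (3.2)';  Pass = ($policy.MinPasswordLength -ge 8) }
    @{ Name = 'Complexity requirement enabled (3.2)'; Pass = ($policy.ComplexityEnabled -eq $true) }
    @{ Name = 'Password expiry configured (3.3)';    Pass = ($policy.MaxPasswordAge -gt [TimeSpan]::Zero) }
    @{ Name = 'Reversible encryption disabled';      Pass = ($policy.ReversibleEncryptionEnabled -eq $false) }
)

foreach ($check in $checks) {
    $status = if ($check.Pass) { 'OK  ' } else { 'FAIL' }
    Write-Output ('{0} {1}' -f $status, $check.Name)
}

if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning 'Default domain password policy does not match the Acceptable Use Policy.'
}

# Fine-grained password policies take precedence over the default for their target
# groups, so any exception to 3.2 would be defined here. List them so they are visible.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge, AppliesTo
```

Run the script from an account that can read the domain's password settings; it makes no changes. A FAIL line, or a PSO with a lower MinPasswordLength or ComplexityEnabled set to False, means the technical control and the written policy have drifted apart and one of them needs updating.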

4.0          Internet and email Conditions of Use

4.1          Use of CISI’s internet and email is intended for business use. Personal use of the internet is permitted where such use does not affect the individual’s business performance, is not detrimental to CISI in any way, is not in breach of any term and condition of employment and does not place the individual or CISI in breach of statutory or other legal obligations. No personal web mail sites may be accessed via a standard CISI networked device. However, personal email may still be accessed on a personal device via the CISI WiFi outside of work time. All individuals are accountable for their actions on the internet and email systems.

Individuals must not:

  • Use the internet or email for the purposes of harassment or abuse.
  • Use profanity, obscenities, or derogatory remarks in communications.
  • Access, download, send or receive any data (including images), which CISI considers offensive in any way, including sexually explicit, discriminatory, defamatory or libellous material.
  • Use the internet or email to make personal gains or conduct a personal business.
  • Use the internet or email to access betting sites.
  • Use the email system in a way that could affect its reliability or effectiveness, for example distributing chain letters or spam.
  • Place any information on the Internet that relates to CISI, alter any information about it, or express any opinion about CISI, unless they are specifically authorised to do this.
  • Send unprotected commercially sensitive or confidential information to an external email address. Even where the data has been password protected, the recipient email address must still be verified as legitimate before sending.
  • Make unauthorised official commitments through the internet or email on behalf of CISI.
  • Download copyrighted material such as music media (MP3) files, film and video files (not an exhaustive list) without appropriate approval.
  • In any way infringe any copyright, database rights, trademarks or other intellectual property.
  • Download any software from the internet without prior approval of the IT Department.
  • Connect CISI devices to the internet using non-standard connections.

Please see Appendix A for further details.

5.0          Social Media Sites

5.1          The CISI has a number of cyber security measures in place to help protect our systems from malicious external attacks, including antivirus software and firewall protection. Our antivirus software also provides an additional layer of security on all web browser activity without compromising the legitimate use of the internet.

5.2              Social media sites should not be accessed during work time, unless your manager has authorised you to use them for business use.

5.3              Under no circumstances should commercially sensitive information regarding the CISI be disclosed on personal and social media sites.

5.4              Please remember you are personally responsible for the content you publish on social media sites and you need to be mindful that messages will be public for many years. What you find funny, may look different to others and seem inappropriate in the future. If you feel even slightly uneasy about something you are about to write, then chances are you should not do it. If inappropriate content is found to have come from CISI machines, further action will be taken.

5.5          Our web filtering tool defines the categories of site a user is able to access and the categories that are blocked. Blocked categories include personal webmail services such as Hotmail, Gmail and Yahoo on CISI PCs.

6.0          Clear Desk and Clear Screen Policy

6.1          In order to reduce the risk of unauthorised access or loss of information, CISI enforces a clear desk and screen policy as follows:

  • Computers must be logged off/locked or protected with a screen locking mechanism controlled by a password when unattended.
  • Care must be taken to not leave confidential material on printers or photocopiers and employees should ensure papers are not left in meeting rooms after meetings.
  • All business-related printed matter must be disposed of using confidential waste bins or shredders.
  • All outstanding work, and especially any sensitive/irreplaceable documents, should be locked away at the end of each working day.

7.0          Working Offsite

7.1          It is accepted that laptops and mobile devices will be taken offsite. The following controls must be applied:

  • Equipment and media taken offsite must not be left unattended in public places or left in sight in a car.
  • Laptops must be carried as hand luggage when travelling.
  • Information should be protected against loss or compromise when working remotely (for example at home or in public places). Laptop encryption must be used.
  • Particular care should be taken with the use of mobile devices such as laptops, mobile phones, smartphones and tablets. They must be protected at least by a password or a PIN and, where available, encryption.

7.2          The Institute encourages and supports staff in maintaining an optimal work-life balance.

Many staff have laptops and/or company-provided software for their home computers which allow them to continue to work out of the office or at home. However, staff are not expected to work any more, or any fewer, than their contracted and core hours. Staff are also not expected to work whilst on holiday, and any non-business-related data or call fees incurred on company devices whilst on holiday may be charged back to the member of staff.

8.0          Mobile Storage Devices

8.1          Mobile storage devices such as memory sticks, CDs, DVDs and removable hard drives must be used only in situations where network connectivity is unavailable or there is no other secure method of transferring data. Only those CISI staff who have registered with IT have access to the USB ports on their desktop PCs. All other users’ USB ports have been locked down and cannot be used for transferring data to mobile storage devices such as memory sticks and CDs.

8.2          Data transported on mobile storage devices should be encrypted and the encryption protected by a password.

9.0          Software

9.1          Employees must use only authorised software on CISI computers. Authorised software must be used in accordance with the software supplier's licensing agreements. All software on CISI computers must be approved and installed by the CISI IT department.

Individuals must not:

  • Store personal files such as music, video, photographs or games on CISI computers.
  • Download unauthorised 3rd party software.

10.0        Viruses

10.1       The IT department has implemented centralised, automated virus detection and virus software updates within the CISI network. All CISI PCs and laptops have antivirus software installed to detect and remove any virus automatically.

Individuals must not:

  • Remove or disable anti-virus software.
  • Attempt to remove virus-infected files or clean up an infection, other than by the use of approved CISI anti-virus software and procedures.

11.0        Telephony (Voice) Equipment Conditions of Use

11.1        Use of CISI voice equipment is intended for business use. Individuals should keep to a minimum the use of CISI’s voice facilities for sending or receiving private communications on personal matters. All non-urgent personal communications should be made at an individual’s own expense using alternative means of communications.

Individuals must not:

  • Use CISI’s voice facilities for conducting private business.
  • Make hoax or threatening calls to internal or external destinations.
  • Accept reverse charge calls from domestic or international operators, unless it is for business use.

12.0        Smart and Mobile phone usage

12.1        Individuals supplied with company mobile phones must abide by the following:

  • These devices remain the property of the Institute and this IT policy governing the use of applications and the internet still applies. These devices must be password protected at all times.
  • The individual should take care of the Smart or Mobile phone, and return it to the Institute in the condition in which it was issued (save normal wear and tear). If it is lost or broken due to gross negligence, the member of staff may be asked to make a contribution towards its replacement.
  • An individual with a Smart or Mobile phone is neither expected, nor under any obligation, to initiate, read or respond to any message or email received on their device outside the hours of 08:00 to 18:00 Monday to Friday (UK time, or the equivalent if on business overseas).
  • An individual is free to choose to operate their device outside these hours, but that is their choice and not a requirement.
  • The Institute will only pay for the data bolt-on when a member of staff is travelling abroad on business, and the member of staff must inform the Operations Director when the trip is being planned.

12.2        Company mobile phones may be used for personal use on condition:

  • The majority of the calls are made for business use.
  • They are not used as a mechanism for payment from the contract, e.g. texting donations, entering competitions, etc.
  • Usage thresholds are not breached. These are regularly monitored.

13.0        Actions upon Termination of Contract

13.1       All CISI equipment and data, for example laptops and mobile devices including telephones, smartphones, USB memory devices and CDs/DVDs, must be returned to CISI at termination of contract. This also applies to documents, papers and any other CISI property.

13.2       All CISI data or intellectual property developed or gained during the period of employment remains the property of CISI and must not be retained beyond termination or reused for any other purpose.

14.0        Monitoring and Filtering

14.1       All data that is created and stored on CISI computers and CISI-owned digital devices is the property of CISI. Wherever possible, CISI will avoid opening emails which appear to be of a personal nature, and will seek authorisation from HR or the Chief Executive Officer before doing so.

14.2       IT system monitoring will take place where appropriate, and investigations will be commenced where reasonable suspicion exists of a breach of this or any other policy. CISI has the right (under certain conditions) to monitor activity on its systems, including internet and email use, in order to ensure systems security and effective operation, and to protect against misuse.

14.3       Any monitoring will be carried out in accordance with audited, controlled internal processes, the GDPR, the UK Data Protection Act 1998 (as amended for the GDPR), the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

14.4        This policy must be read in conjunction with:

  • Computer Misuse Act 1990
  • Data Protection Act 1998
  • EU General Data Protection Regulation

15.0       Responsibilities

15.1       It is your responsibility to report suspected breaches of security policy without delay to your line management, the IT department or via the IT Help Desk.

15.2       All breaches of information security policies will be investigated. Where investigations reveal misconduct, disciplinary action may follow in line with CISI disciplinary procedures.

16.0       Enforcement

16.1       CISI will not tolerate any misuse of its systems and will discipline anyone found to have contravened the policy, including by not exercising reasonable judgment regarding acceptable use.

16.2       While each situation will be judged on a case-by-case basis, employees should be aware that consequences may include the termination of their employment.

16.3       Use of any of CISI’s resources for any illegal activity will usually be grounds for summary dismissal, and CISI will not hesitate to cooperate with any criminal investigation and prosecution that may result from such activity.

Document Owner and Approval

The Data Protection Officer (DPO) is the owner of this document and is responsible for ensuring that the policy is reviewed in line with the requirements stated above, and at least annually.

Change History Record

Issue   Description of change   Approval       Date of issue
1       Initial draft           Brian Cave     17 Jan 2018
2       Second draft            John Preston   1 Mar 2018
3       Final                   John Preston   1 May 2018

Appendix A – Device Usage Summary

Below is a summary of what is acceptable in terms of use, by device type:

Personal digital devices, i.e. smart phones, laptops, tablets
  • Use for company email: Only Outlook Web App (webmail)*
  • Use for personal email: Yes
  • Internet access: Yes
  • Password protected: Recommended
  • Emailing personal data externally: No

CISI desktop PCs
  • Use for company email: Yes
  • Use for personal email: No
  • Internet access: Yes
  • Password protected: Yes – policy governed
  • Emailing personal data externally: No – unless the data is password protected and/or encrypted and the external email address has been verified

CISI laptops
  • Use for company email: Yes
  • Use for personal email: No
  • Internet access: Yes
  • Password protected: Yes – policy governed
  • Emailing personal data externally: No – unless the data is password protected and/or encrypted and the external email address has been verified

CISI Apple devices, i.e. iPhones, iPads, etc
  • Use for company email: Yes
  • Use for personal email: Yes
  • Internet access: Yes
  • Password protected: Yes – minimum 4-digit passcode
  • Emailing personal data externally: No – unless the data is password protected and/or encrypted and the external email address has been verified

CISI smart phones
  • Use for company email: Yes
  • Use for personal email: Yes
  • Internet access: Yes
  • Password protected: Yes – minimum 4-digit passcode
  • Emailing personal data externally: No – unless the data is password protected and/or encrypted and the external email address has been verified

*The CISI email account may be set up on those personal smart phones where the owner has sought authorisation from their line manager/IT and they have agreed to password protect their device. If the device is subsequently lost or stolen CISI has the right to remotely wipe the data from the device.