[organization name]

ACCEPTABLE USE POLICY

Code:
Date of version:
Created by:
Approved by:
Confidentiality level:

©20… This template may be used by clients of … in accordance with the License Agreement.

Change history
Date | Version | Created by | Description of change
01/10/2013 | 0.1 | Dejan Kosutic | Basic document outline

Table of contents
1. Purpose, scope and users
2. Reference documents
3. Acceptable use of information assets
3.1. Definitions
3.2. Acceptable use
3.3. Responsibility for assets
3.4. Prohibited activities
3.5. Taking assets off-site
3.6. Return of assets upon termination of contract
3.7. Backup procedure
3.8. Antivirus protection
3.9. Authorizations for information system use
3.10. User account responsibilities
3.11. Password responsibilities
3.12. Clear desk and clear screen policy
3.12.1. Clear desk policy
3.12.2. Clear screen policy
3.12.3. Protection of shared facilities and equipment
3.13. Internet use
3.14. E-mail and other message exchange methods
3.15. Copyright
3.16. Mobile computing
3.16.1. Introduction
3.16.2. Basic rules
3.17. Teleworking
3.18. Monitoring the use of information and communication systems
3.19. Incidents
4. Managing records kept on the basis of this document
5. Validity and document management

1. Purpose, scope and users

The purpose of this document is to define clear rules for the use of the information system and other information assets in [organization name].

This document is applied to the entire scope of the Information Security Management System (ISMS), i.e. to all information systems and other information assets used within the ISMS scope.
Users of this document are all employees of [organization name].

2. Reference documents

ISO/IEC 27001 standard, clauses A.6.2.1, A.6.2.2, A.8.1.2, A.8.1.3, A.8.1.4, A.9.3.1, A.11.2.5, A.11.2.6, A.11.2.8, A.11.2.9, A.12.2.1, A.12.3.1, A.12.5.1, A.12.6.2, A.13.2.3, A.18.1.2
- Information Security Policy
- [Information Classification Policy]
- [Incident Management Procedure]
- [Inventory of Assets]
- [Operating Procedures for Information and Communication Technology]
- [Information Transfer Policy]

3. Acceptable use of information assets

3.1. Definitions

Information system – includes all servers and clients, network infrastructure, system and application …; it also includes the use of all internal or external services, such as Internet access, e-mail, etc.

Information assets – in the context of this Policy the term information assets is applied to … portable computers, data storage media, etc.

3.2. Acceptable use

Information assets may be used only for … related tasks.

3.3. Responsibility for assets

Each information asset has an owner designated in the Inventory of Assets. The asset owner …

3.4. Prohibited activities

It is prohibited to use information assets in a manner that unnecessarily takes up capacity, weakens … It is also prohibited:
- to download image or video files …, … letters, play games, etc.
- to install software on …
- to use Java applications, … authorized by [job title]
- to use cryptographic tools (encryption) on a local computer, except …
- to download program code from external media …
- to install or use peripheral devices such as modems, memory cards or other devices for …
- … Classification Policy is allowed

3.5. Taking assets off-site

Equipment, … must not be taken off-site without prior written permission by [job title]. … As long as said assets are off-site, … the … who was granted permission for their removal.

3.6. Return of assets upon termination of contract

Upon termination of an employment contract or other contract on the basis of which various … information assets to [job title].

3.7. Backup procedure

The user must [specify backup procedure method] …

3.8. Antivirus protection

[name of antivirus software] must be … updates.

3.9. Authorizations for information system use

Users of the … for which they have been explicitly authorized by the asset owner. Users may use … for which they have been granted access rights. Users … information system security controls.

3.10. User account responsibilities

The user must not, directly or indirectly, allow another person to use his/her access rights, i.e.
… names is forbidden. The owner of the user … performed through this user account.

3.11. Password responsibilities

Users must apply good security practices when selecting and using passwords:
- passwords must not … and system administrators
- passwords must … by [job title]
- user-generated … (… or electronic distribution, etc.)
- passwords must be … may … oral, written …
- strong passwords must be selected, in the following way: using at least twelve characters …, using at least one special character; a password must not be a dictionary word, dialectal or jargon word from any …
- passwords must not be based on personal data (e.g. date of birth, address, name of family member, etc.)
- passwords must be …
- passwords must be …
- passwords must not be stored in an …
- passwords used for private purposes must …

3.12. Clear desk and clear screen policy

All information classified as … according to the Information Classification Policy is regarded as sensitive in this section.

3.12.1. Clear desk policy

If the authorized person is not at his/her workplace, all paper documents, as well as data storage … (… photocopiers, etc.) to prevent unauthorized access. Such documents and … the Information Classification Policy.

3.12.2. Clear screen policy

… the screen, and access must be denied to all systems for which the person has authorization.
In the case of short absence (up to 30 minutes), the clear screen policy is implemented by logging out …; … turning off the workstation.

3.12.3. Protection of shared facilities and equipment

Documents containing … copy machines. Facilities for dispatch and reception of mail [specify facilities and their location] are protected by … Shared fax machines … protection when the authorized person is absent – e.g. locking the facility, etc. Unauthorized use of printers, photocopiers, … For copying … (… PIN numbers, access cards, etc.).

3.13. Internet use

Internet may be accessed only through the organization's local network with appropriate …; … wireless network or other devices for direct Internet access is forbidden.

[job title] may block access to some Internet pages for individual users, groups of users or all … such restriction autonomously.

The user must regard information … as unreliable. Such information may be … have been verified. The user is responsible for … use of Internet services or content.

3.14. E-mail and other message exchange methods

Message exchange methods other than electronic mail include … download of files from the …, … machines, sending SMS text messages, portable media, and forums and social networks.
In accordance with [Operating Procedures for Information and Communication Technology / …] … who is allowed to use communication channels, i.e. defines which activities are forbidden.

Users may only send messages containing true information. It is forbidden to send materials with … been established or to persons who did not require such information.

Should a user receive a … [job title]. If sending a message with a … The user must save each message … method specified by [job title]. Each e-mail message must contain a … communication … organization's viewpoint.

3.15. Copyright

Users must not make …, except in cases permitted by law, by the owner or [job title]. Users must not … for all consequences that could arise under the intellectual property law.

3.16. Mobile computing

3.16.1. Introduction

Mobile computing equipment … smart phones, memory cards and other mobile … data.

3.16.2. Basic rules

Special care should be taken when mobile … or other forms of … unprotected areas outside the organization's premises.

The person taking mobile computing equipment off-premises must follow these rules:
- mobile computing equipment carrying important, sensitive or critical information must not …
- … be used to secure the equipment
- when using … cannot be read by unauthorized persons
- updates of patches and other system settings are performed [specify how this is technically implemented, …]
- backups of data [specify how this is technically implemented, or make reference to a document defining the process]
- connecting to an … data and is performed [specify how this is …, or make reference to a document defining the process]
- information … [specify whether … is mandatory for the entire hard disk or only for sensitive files, etc.]
- protection of … the [Information Classification Policy]
- … equipment must be applied in line with the Clear Desk and Clear Screen Policy

[job title] is responsible for … computing equipment outside the organization's premises.

3.17. Teleworking

Teleworking means that information … to perform the work outside the organization … Teleworking does … outside the organization's premises.

Teleworking must be authorized by [job title] by [specify the authorization method].
[job title] is responsible for … the following:
- protection of mobile …
- prevention of …
- … teleworking activity is performed
- appropriate configuration …
- protection of the … materials that may be protected by intellectual property rights
- process for return of …
- minimum level of …
- permitted and forbidden types of activities

3.18. Monitoring the use of information and communication systems

All data which is created, stored, sent or received through the information system or other …, whether it is personal or not, is considered the ownership of [organization name].

Users agree that authorized … such … a violation of the users' privacy. … and blocking forbidden methods of communication and filtering forbidden content.

3.19. Incidents

Each employee, supplier or third person who is in contact with data and/or systems of [organization name] … specified in the Incident Management Procedure.
4. Managing records kept on the basis of this document

Record name | Storage location | Person responsible for storage | Controls for record protection | Retention time
[Authorizations for software installation, use of Java applications and ActiveX controls, use of cryptographic tools, download of program code from external media, installing peripheral devices] – electronic form | [intranet folder] | [job title] | Records cannot be edited; only [job title] has the right to store such records | Records are stored for a period of 3 years
[Authorization for taking assets off-site] – electronic form | [intranet folder] | [job title] | Records cannot be edited; only [job title] has the right to store such records | Records are stored for a period of 3 years
[Authorization for access to selected Internet pages] – electronic form | [intranet folder] | [job title] | Records cannot be edited; only [job title] has the right to store such records | Records are stored for a period of 3 years
[Decision on how each data type may be exchanged] – electronic form | [intranet folder] | [job title] | Records cannot be edited; only [job title] has the right to store such records | Records are stored for a period of 3 years
[Decision on how messages containing business relevant data should be stored] – electronic form | [intranet folder] | [job title] | Records cannot be edited; only [job title] has the right to store such records | Records are stored for a period of 3 years
[Authorization for teleworking] – electronic form | [intranet folder] | [job title] | Records cannot be edited; only [job title] has the right to store such records | Records are stored for a period of 3 years

Only [job title] can grant other employees access to any of the abovementioned documents.

5.
Validity and document management

This document is valid as of [date].

The owner of this document is [job title], who must … at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
- number of … of information assets
- number of … awareness programs regarding acceptable use of information assets

[job title]
[name]
[signature]
