INFORMATION SERVICES SYSTEM POLICY

CHRISTUS Health System

Information Services
Acceptable Use Policy
Document ID Number: INFOSEC_001
Policy Definition
This policy is written to illustrate the CHRISTUS Health mission and vision. To ensure the practice of
attestation, a policy within CHRISTUS Health might provide actions for employee behavior, guidance to
handle various situations, protect the organization legally, keep the organization compliant with
governmental policies and laws, establish consistent work standards, rules, and regulations, and provide
consistent and fair treatment for employees.

Disclaimer
The information contained in this document is the proprietary and exclusive property of CHRISTUS
Health, except as otherwise indicated. No part of this document, in whole or in part, may be
reproduced, stored, transmitted, or used for design purposes without the prior written permission of
the CHRISTUS Health Information Services Department. The information contained in this document is
subject to change without notice. The information in this policy is provided for informational purposes
only. CHRISTUS Health or any other location makes no representation or warranty, across the United
States or International, as to the accuracy or completeness of the information.

Privacy Information
This document may contain information of a sensitive nature, whether in paper, electronic, audio, or
video etc. This information should not be given to persons other than those who are involved in the
Policy development or who will become involved during the Policy information lifecycle. Although, this
policy is intended to meet the “Standards of Excellence” set forth, by the Board of Directors at CHRISTUS
Health. Any additional information about this policy disclaimer is located on the CHRISTUS Health
website.

APPROVALS:
Level 1: Director Information Security

Level 2: Chief Information Security Officer (CISO)

Level 3: Chief Information Officer (CIO)

Mission “To Extend the Healing Ministry of Jesus Christ”

www.christushealth.org
919 Hidden Ridge• Irving, TX 75038•Telephone 1-469-282-2000
 INFORMATION SERVICES SYSTEM POLICY
TITLE: Acceptable Use Policy
DEPT: Information Services Document ID Number: INFOSEC_001
Effective Date: 03/01/2017 REVISION: 2.0 Revision Date: 10/06/2021 Page 2 of 8

(This Page Intentionally Left Blank)

The master copy of this document is stored on the CHRISTUS Health InfoSec secure share. Any other copy, either electronic or paper, is an
uncontrolled copy, may not contain the latest updates, and must be destroyed after it has served its purpose.
FOR INTERNAL USE ONLY – CONFIDENTIAL AND PROPRIETARY

Mission “To Extend the Healing Ministry of Jesus Christ”

 INFORMATION SERVICES SYSTEM POLICY
TITLE: Acceptable Use Policy
DEPT: Information Services Document ID Number: INFOSEC_001
Effective Date: 03/01/2017 REVISION: 2.0 Revision Date: 10/06/2021 Page 3 of 8

Contents
Policy Definition 1

Disclaimer 1

Privacy Information 1

Purpose 3

Groups or Departments Impacted 4

Responsibilities (Accountability) 4

Policy 4
Authoritative Source 4
General 4
Internet Use 5
Use of Email 5
Prohibited Uses 6
Policy Enforcement 8
Policy Exceptions 8

Definitions 8

Related Documents 8

Purpose
This CHRISTUS Health Acceptable Use Policy serves as a supplement to the CHRISTUS Health
Information Security Policy. CHRISTUS Health information resources consist of the computer

The master copy of this document is stored on the CHRISTUS Health InfoSec secure share. Any other copy, either electronic or paper, is an
uncontrolled copy, may not contain the latest updates, and must be destroyed after it has served its purpose.
FOR INTERNAL USE ONLY – CONFIDENTIAL AND PROPRIETARY

Mission “To Extend the Healing Ministry of Jesus Christ”

 INFORMATION SERVICES SYSTEM POLICY
TITLE: Acceptable Use Policy
DEPT: Information Services Document ID Number: INFOSEC_001
Effective Date: 03/01/2017 REVISION: 2.0 Revision Date: 10/06/2021 Page 4 of 8

devices, data, applications, and the supporting network infrastructure, whether owned or leased
by CHRISTUS Health, the employee, or a third party.
These technologies are critical to the organization. Information Services offers increased
opportunities for communication and collaboration.
Information systems connect to the network in numerous ways, including medical devices,
laptops, desktops and personal devices. The responsibility of acceptable use for all these
devices is the responsibility of every user. What one does on one device will affect another
device on the network.

Groups or Departments Impacted

This policy applies to all CHRISTUS Health Associates, contractors, consultants, and temporary
workers (referred to hereafter as “users”) who use CHRISTUS Health computing resources.

Responsibilities (Accountability)
Chief Information Security Officer (CISO) – Is responsible for implementing and enforcing the
terms of this Acceptable Use Policy.

Policy
Authoritative Source
The authoritative source for this policy and responsibility for its implementation rests with the
CISO and his delegates.
General
Annual Acknowledgement – All CHRISTUS Health computing resource users must read and
acknowledge this Acceptable Use Policy upon hire, and at least annually thereafter. Failure to do
so could result in disciplinary action, up to and including termination of employment.
Applicable Laws – CHRISTUS Health Network or information resource users are subject to the
same applicable federal, state and international laws as CHRISTUS Health. Violations may result
in termination of access, and potential prosecution and liability.
Computer Use Agreement – CHRISTUS Health users must also comply with the terms of the
Computer Use Agreement they sign as part of the on-boarding process for employment with
CHRISTUS Health.
Cooperation – CHRISTUS Health users have an obligation to assist, as directed by Information
Security personnel, with any incident investigations.

The master copy of this document is stored on the CHRISTUS Health InfoSec secure share. Any other copy, either electronic or paper, is an
uncontrolled copy, may not contain the latest updates, and must be destroyed after it has served its purpose.
FOR INTERNAL USE ONLY – CONFIDENTIAL AND PROPRIETARY

Mission “To Extend the Healing Ministry of Jesus Christ”

 INFORMATION SERVICES SYSTEM POLICY
TITLE: Acceptable Use Policy
DEPT: Information Services Document ID Number: INFOSEC_001
Effective Date: 03/01/2017 REVISION: 2.0 Revision Date: 10/06/2021 Page 5 of 8

Monitoring and Audits - For security and network maintenance purposes, authorized CHRISTUS
Health Associates may monitor equipment, systems and network traffic at any time. CHRISTUS
Health reserves the right to audit Associate and system activities to ensure compliance with this
policy.
Privacy Expectations – Users should have no expectation of privacy when using CHRISTUS’
systems. The Company may monitor, access, delete or disclose all use of its systems, including
email, web sites visited, materials downloaded or uploaded, and the amount of time spent
online, at any time without notification or user consent.
UserID and Passwords – System level and user level passwords must comply with the CHRISTUS
Health password standard. Users may not share their device, network or application passwords
with any other person(s).
Non-compliance - CHRISTUS Associates who violate the terms of this policy may be subject to
disciplinary action, up to and including termination of employment.
Internet Use
CHRISTUS Health Affiliation - Whenever users state an affiliation with CHRISTUS Health on the
Internet, they must clearly indicate that the opinions they expressed are their own and not
necessarily those of the company.
Internet Content Filtering - CHRISTUS Health employs Internet filtering software to block access
to potentially malicious websites, or sites that are otherwise forbidden due to their content. You
should know, however, that just because you can access certain websites does not mean that
you should. You should exercise your own good judgment to avoid potential issues
Internet Use - Use of the Internet is permitted and encouraged when such use supports
CHRISTUS’ business goals and objectives. Access to the Internet is a privilege and all users with
such access must adhere to these policies
Streaming Services - Unless it is for training or other business purposes, you should not stream
audio (such as Pandora, Jango, Spotify), video (Amazon, UStream, LiveStream) or other services
over the Internet that will consume available bandwidth and computing resources
Use of Email
Email Forwarding – Users are prohibited from automatically forwarding CHRISTUS email to a
third-party email system (such as Hotmail, Yahoo, Gmail, etc.) for any purpose.
Email Retention - Email should be retained only if it qualifies as a CHRISTUS Health business
record. Email is a business record if there exists a legitimate and ongoing business reason to
preserve the information contained in the email.
Monitoring - CHRISTUS Health reserves the right to monitor messages without prior notice.
No Expectation of Privacy - CHRISTUS Associates, vendors and contractors should have no
expectation of privacy in anything they store, send, or receive on the company’s email system.

The master copy of this document is stored on the CHRISTUS Health InfoSec secure share. Any other copy, either electronic or paper, is an
uncontrolled copy, may not contain the latest updates, and must be destroyed after it has served its purpose.
FOR INTERNAL USE ONLY – CONFIDENTIAL AND PROPRIETARY

Mission “To Extend the Healing Ministry of Jesus Christ”

 INFORMATION SERVICES SYSTEM POLICY
TITLE: Acceptable Use Policy
DEPT: Information Services Document ID Number: INFOSEC_001
Effective Date: 03/01/2017 REVISION: 2.0 Revision Date: 10/06/2021 Page 6 of 8

Messages generated on the CHRISTUS email system are CHRISTUS property, and are subject to
review by authorized parties. CHRISTUS email users should be aware of this possibility and
structure their communications accordingly.
No Use of Private Accounts - All CHRISTUS Health business emails must be transmitted using the
CHRISTUS email system. Private email accounts must not be used to conduct CHRISTUS business
or to transmit CHRISTUS information.
Reasonable Use - Using a reasonable amount of CHRISTUS resources for personal emails is
acceptable, but non-work-related email must be saved in a separate folder from work related
email. CHRISTUS email must not be used to send chain letters or joke emails, or for personal
enterprises.
Use of Encryption - Protected Health Information (PHI) or Personally Identifiable Information
(PII) transmitted through the CHRISTUS Health email system must be protected by using
acceptable encryption protocols, in accordance with the Acceptable Encryption Policy.

Prohibited Uses
The following activities are, in general, prohibited. Users may be exempted from these
restrictions as part of their legitimate job responsibilities (e.g., systems administration staff may
have a need to disable the network access of a host if that host is disrupting production
services). The list below is by no means exhaustive, but, instead, attempts to provide a
framework for activities that fall into the category of prohibited uses.
 Antisocial Behaviors - Creating or distributing any disruptive or offensive messages,
including offensive comments about race, gender, hair color, disabilities, age, sexual
orientation, pornography, religious or political beliefs, or national origin; employees
who receive any emails from other CHRISTUS employees that contain this content
should report the matter to their supervisor immediately.
 Circumvention of Security - Circumventing user authentication or security of any host,
network device or account.
 Copyrighted Materials - Downloading, copying, otherwise duplicating, and/or
distributing copyrighted materials without the specific written permission of the
copyright owner is prohibited, except where duplication and/or distribution of materials
for educational purposes is permitted when such duplication and/or distribution would
fall within the Fair Use Doctrine of the United States Copyright Law (Title 17, USC).
(Users must be aware that they can be held personally liable for the misuse of
copyrighted materials or intellectual property.)
 Defamation - Sending or posting information online or on social media that is
defamatory to CHRISTUS Health, its products/services, colleagues and/or customers.

The master copy of this document is stored on the CHRISTUS Health InfoSec secure share. Any other copy, either electronic or paper, is an
uncontrolled copy, may not contain the latest updates, and must be destroyed after it has served its purpose.
FOR INTERNAL USE ONLY – CONFIDENTIAL AND PROPRIETARY

Mission “To Extend the Healing Ministry of Jesus Christ”

 INFORMATION SERVICES SYSTEM POLICY
TITLE: Acceptable Use Policy
DEPT: Information Services Document ID Number: INFOSEC_001
Effective Date: 03/01/2017 REVISION: 2.0 Revision Date: 10/06/2021 Page 7 of 8

 Export Control Laws - Exporting software, technical information, encryption software or

technology, in violation of international or regional export control laws.
 Hacking – Attempting to access another computer or computing system without
authorization.
 Illegal Activities - Engaging in any activity that is illegal under local, state, federal or
international laws while using CHRISTUS Health-owned resources.
 Inappropriate Materials - Accessing or processing pornographic materials,
inappropriate text files (as determined by the system administrator), or files dangerous
to the integrity of the local area network.
 Non-personal Information - Seeking information on, obtaining copies of, or modifying
files, data, or passwords belonging to other CHRISTUS Health users, or misrepresenting
other users on the network.
 Passwords – Using CHRISTUS credentials on public websites including, but not limited
to, Facebook, Twitter, LinkedIn, personal email accounts, Dropbox or other such
services, etc.
 Peer-to-Peer File Sharing – Peer-to-peer file sharing (such as sharing music or other
digital content).
 Personal Information - Giving out personal information to third parties about other
CHRISTUS Associates, contractors, consultants, or temporary workers, including home
address and phone number.
 Personal Profit - Using the CHRISTUS Health network for personal commercial or for-
profit purposes.
 Political Activities - Engaging in political activities while using CHRISTUS Health
computing resources.
 Restricted Information - Sharing CHRISTUS Health’s restricted information outside of
the organization.
 Scanning - Unapproved port or security scanning, or any form of network monitoring to
intercept data not intended for the Associate's host, unless this activity is a part of the
Associate's normal job/duty.
 Unapproved Software - Downloading and installing any unapproved software, including
shareware and freeware, on CHRISTUS Health computers; or downloading
entertainment software or other files not related to the mission and objectives of
CHRISTUS Health for later transfer to a user's home computer, personal computer, or
other media.

The master copy of this document is stored on the CHRISTUS Health InfoSec secure share. Any other copy, either electronic or paper, is an
uncontrolled copy, may not contain the latest updates, and must be destroyed after it has served its purpose.
FOR INTERNAL USE ONLY – CONFIDENTIAL AND PROPRIETARY

Mission “To Extend the Healing Ministry of Jesus Christ”

 INFORMATION SERVICES SYSTEM POLICY
TITLE: Acceptable Use Policy
DEPT: Information Services Document ID Number: INFOSEC_001
Effective Date: 03/01/2017 REVISION: 2.0 Revision Date: 10/06/2021 Page 8 of 8

 Unauthorized Equipment – Connecting unauthorized equipment to the CHRISTUS

network.
 Warranties - Making statements about warranty, either express or implied, unless it is a
part of normal job duties.
Policy Enforcement
 Compliance- The Information Services Security Team will verify compliance to this policy
through various methods, including but not limited to, business tool reports, internal
and external audits, and feedback to the policy owner.
 Non-Compliance- Any Associates found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
Policy Exceptions
All information technology resources associated with the CHRISTUS Health network are
expected to comply with Information Services (IS) security policies and standards that are
designed to establish the controls necessary to properly protect CHRISTUS information assets.
A control deficiency in one business process or IM resource can jeopardize other processes or
resources because erroneous data may be inherited, privacy can be compromised, or a conduit
for an intrusion into the CHRISTUS systems may be created. However, there may be a case
where compliance cannot be achieved for a variety of reasons.
In such cases, an exception must be documented and approved.

Definitions
None.

Related Documents
 Health Insurance Portability and Accountability Act (HIPAA)
 National Institute of Standards and Technology (NIST 800-53)
 Payment Card Industry Data Security Standard (PCI-DSS)
 CHRISTUS Health Security Control Framework

The master copy of this document is stored on the CHRISTUS Health InfoSec secure share. Any other copy, either electronic or paper, is an
uncontrolled copy, may not contain the latest updates, and must be destroyed after it has served its purpose.
FOR INTERNAL USE ONLY – CONFIDENTIAL AND PROPRIETARY

Mission “To Extend the Healing Ministry of Jesus Christ”