
<Company Name>

HR Policy

Internet and Email


Policy for Employees
Policy Effective Date: <DD/MM/YY>

No part of this documentation may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying or recording, for any purpose without express written permission of
the CEO of <Company Name Here>.
© 2021, <Company Name Here>. All Rights Reserved

Revision History
Ver No. | Change Description | Prepared By | Reviewed By | Approved By | Date

Table Of Contents

1. Objective
2. Scope and Applicability
3. Definition/Glossary
4. Policy / Process
4.1. Security & Confidentiality
4.2. ID Badge Policy
4.3. Clear Desk Clear Screen Policy
4.4. Personal Assets
4.5. Protection of Company Assets
4.6. Assessment Movements
4.7. Communication
4.8. Copyrights Policy
4.9. Protection Against Virus from Mobile Devices (Laptops)
4.10. Physical Security of Mobile Devices
4.11. Protection of Sensitive Data on Mobile Devices
4.12. Right to Trace User Activity
4.13. Employee Responsibility towards Business Continuity
4.14. Email
4.15. Spam Filtering
4.16. Social Networking Sites
4.17. Blogging
4.18. General Internet Access
4.19. Remote Access
5. Special Circumstance and Exception
6. Non-compliance and Consequence

1. Objective
The intent of this policy is to establish guidelines for employees using <Company
Name Here>’s network facilities, including computer hardware, printers, software,
e-mail and internet access tools, collectively called “Information Technology Assets”.
This policy is in place to protect <Company Name Here> and its employees from
any inappropriate use of these assets, which may lead to risks including virus
attacks, compromise of network systems and services, confidential data and the
Company’s intellectual property, and related legal issues.

2. Scope and Applicability

This policy applies to employees, contractors, consultants and temporary staff at
<Company Name Here>, including all personnel affiliated with third party vendors.
This policy is owned by <Name of the Person>, who is reachable at <Contact Number>
and <email address>.

3. Definition/Glossary

Term / Abbreviation | Definition / Expansion
NDA | Non-Disclosure Agreements
ITM | Information Technology Manager
BCP | Business Continuity Process

4. Policy / Process

4.1. Security & Confidentiality


√ All information about the company, its clients, prospects, suppliers or
employees is confidential and proprietary and shall not be divulged to
anyone other than persons who have a right to know or are authorized to
receive such information. Information will be disclosed to such persons
only after they have signed the NDA.
√ The company should get the NDA signed by all Employees,
Contractors, Temporary staff, Interns or any such person or organisation
in need of information / data, before any such access is provided to them.
√ This basic policy of caution and discretion in handling of confidential
information extends to both external and internal disclosure.
√ Confidential information obtained as a result of employment with the
organization is not to be used by employees for the purpose of furthering
any private interest or as a means for making personal gains.

4.2. ID Badge Policy


√ ID cards are to be displayed prominently at all times in and around the
Company premises.

4.3. Clear Desk Clear Screen Policy


√ Employees shall keep their systems locked if they are leaving their desks.
√ Screensavers shall be activated if the systems are not being used for
more than 2 minutes.
√ Sensitive documents are stored securely and handled with care.
√ Sensitive or critical business information shall be kept in a secured central
location.
√ Sensitive or classified information, when printed, shall be cleared from the
printers immediately.
√ Unwanted printed material containing confidential information needs to be
shredded immediately.

4.4. Personal Assets


√ Employees shall not carry any personal computing device like laptops,
pen-drives, CDs etc. within the premises unless authorized by the ITM.

4.5. Protection of Company Assets


√ Employees shall take adequate care to protect company assets.
√ Company assets are to be used strictly for the company’s business purposes
only.
√ All assets should be reviewed/monitored monthly, and all critical assets like
servers, firewall, switches, DG, UPS, physical access control, visitor
registers and material movement registers should be reviewed/monitored at
least twice a week or as per the Management’s requirement.

4.6. Assessment Movements


√ Employees shall not move company assets without authorization by their
respective Managers. The Manager will consult with the Facilities / IT
department to approve / reject such movement or plan and execute the
movement.

4.7. Communication
√ Employees shall take appropriate care not to compromise on information
security while using various modes of communication like email, verbal
discussions and phone.

4.8. Copyrights Policy


√ Possessing or obtaining unauthorized copies of copyrighted materials,
including software, hardware designs, company related documents and
products, is strictly prohibited.

4.9. Protection Against Virus from Mobile Devices (Laptops)


√ Anti-virus software must be installed on laptops and configured to scan
files as they are installed or copied to the laptop.
√ Do not disable the virus scan feature.
√ Update anti-virus software regularly.
√ Loading or installing non-business related items onto the laptop is
discouraged.
√ Any virus infection on the mobile device should immediately be reported
to the IT Manager and the device should be disconnected from the
network. If possible the mobile device must be switched off.
√ All critical data shall always be backed up before proceeding on an
extended travel.
√ In situations where the removable media or mobile device is used outside
the office premises or during travel, all items (CDs, paper, pen drives,
mobile devices) containing the organization's information property shall be
guarded. If they are to be discarded, then they should be disposed of
according to the “IT Asset Disposal section” in the IT policy of the
organization.
√ Mobile devices provided by the organization shall be used by the employees
only for the company's business purposes.

4.10. Physical Security of Mobile Devices


√ Users must take all preventive measures towards physically securing their
allotted mobile devices.
√ All laptops acquired for or on behalf of the organization shall always
remain the organization’s property. Each employee provided with a laptop
is responsible for the security of that laptop, regardless of whether the
laptop is used in the office, at his/her residence or in any other location
such as a hotel, conference room, car or airport, etc.
√ Laptop computers must not be:
o Left to be viewed in an unattended area, even for a short period of
time,
o Left in a vehicle overnight,
o Kept in extreme temperatures
√ A laptop displaying sensitive information and being used in a public place,
e.g. on a train, aircraft or bus, must be positioned such that the screen
cannot be viewed by others.
√ When leaving a laptop unattended for any extended period, e.g. long
breaks during office hours or overnight, users must physically secure it
with a cable lock or lock it away in a robust cabinet or alternatively lock the
door of an individually occupied office.
√ In vulnerable situations, e.g. public areas such as airport lounges, hotels
and conference centers, etc., the laptop must never be left unattended.
√ Laptops should be carried as hand luggage whenever permitted while
traveling.
√ Where any of the above rules are either inappropriate or impractical, the
owner is responsible for taking all reasonable steps to minimize the risk of
loss or damage to the laptop.
√ Mobile users connecting to the web from external locations like their home
or a hotel room are vulnerable to virus attack. It is recommended to have a
personal firewall installed as an effective layer of security.
√ In case of any accident, theft, damage or harm to the laptop or any of its
components/accessories, the user must report the incident to the
Manager & IT Department immediately.

4.11. Protection of Sensitive Data on Mobile Devices

√ All sensitive information must be updated / stored on the main network
servers by the user.
√ It is the responsibility of each employee to ensure that confidential and
sensitive data is protected from unauthorized users.
√ It is the responsibility of the laptop owner to ensure safety of business &
important data. Local IT team should be requested for backup & archiving
on a regular basis as per the backup policy. IT team shall not be
responsible for any loss of the data due to failure of the hardware.
√ Keep the laptop in a locked and secured environment when not being
used for a long period.

4.12. Right to Trace User Activity
√ The Company reserves the right to monitor or audit computer facilities, user
workstations, email access, internet access, network traffic, file transfer
activity, etc., as a regular maintenance exercise or for any suspected
abuse, unauthorized or illegal activities.

4.13. Employee Responsibility towards Business Continuity


√ Understand the safety aspects in the work environment.
√ Participate in fire drills.
√ Prevent actions/activities that could cause a disaster, such as bringing
inflammable material into the premises.
√ Follow fire safety procedures at all times.
√ Keep personal and emergency contact information updated.
√ Report any observed safety or security lapse immediately to BCP and IT
Teams.

4.14. Email
√ Email is to be used for the company’s business purposes only.
√ The company’s confidential information must not be shared outside of the
company, without authorization, at any time.
√ Employees should not conduct personal business using the company
computer or email.
√ The <Company Name Here> email group lists must be shared with
<Company Name Here> users only and must not be shared with any
external or public domain.
√ Sensitive content like source code, customer contacts, project documents,
organizational strategy information and any other proprietary information
of the company must not be sent to personal email addresses.
√ Personal email must not be used as a contact address for official purposes.
√ Official email must not be used for publishing, distributing or disseminating
any inappropriate, profane, defamatory, infringing, obscene, indecent or
unlawful material.
√ Official email must not be used for surveys, contests, chain emails, junk
e-mail, spamming, unsolicited messages or messages that contain racial or
sexual slurs, or political or religious solicitations.
√ Official email must not be auto forwarded to any personal email or public
email domains.

4.15. Spam Filtering


√ Employees must not open emails from dubious sources.
√ Employees must not reply to spam or click on links, including ‘unsubscribe’
facilities, in spam.
√ Employees must not accept spam-advertised offers.
√ Employees must block incoming mail from known spammers.
√ Employees must not post official email addresses on publicly available
sites or directories. If one must do so, look for options, such as tick boxes,
that allow one to opt out of receiving further offers or information.
√ Employees must not disclose personal information to any online
organization unless they agree (in their terms and conditions or privacy
policy) not to pass information on to other parties.

4.16. Social Networking Sites


√ Social networking sites allow photographs, videos and comments to be
shared with thousands of other users. However, it shall not be appropriate
to share work-related information in this way. <Company Name Here>
employees should be mindful of the information they disclose on social
networking sites. They shall not act in a manner that would bring disrepute
to <Company Name Here>.
√ Employees shall not:
o Store, send or distribute confidential information, copyright material
or other content which is subject to third party intellectual property
rights, unless they have a lawful right to do so.
o Do anything, including store, send or distribute material which
defames, harasses, threatens, abuses, menaces, offends, violates
the privacy of or incites violence or hatred against any person or
class of persons or which could give rise to civil or criminal
proceedings.

4.17. Blogging
√ Personal blogs, micro blogs and websites should not reveal confidential
information about <Company Name Here>. This might include aspects of
<Company Name Here> policies or details of internal <Company Name
Here> discussions. If in doubt about what might be confidential, staff
members should consult their reporting manager.
√ Personal blogs, micro blogs and websites should not be used to attack or
abuse colleagues. Staff members should respect the privacy and the
feelings of others.
√ If a staff member thinks something on their blog, micro blog or website
gives rise to concerns about a conflict of interest, and in particular
concerns about impartiality or confidentiality, this must be discussed with
their reporting manager.
√ If a staff member is offered payment to produce a blog or microblog for a
third party, this could constitute a conflict of interest and must be
discussed with their reporting manager.

4.18. General Internet Access


√ Internet use brings the possibility of breaches to the security of
confidential company information. Internet use also creates the possibility
of contamination to our system via viruses or spyware. Spyware allows
unauthorized people, outside the company, potential access to company
passwords and other confidential information.

Users:
√ Shall comply with country/region specific moral codes at all times.
√ Shall not use company computers or other electronic equipment to
obtain, view, or reach any pornographic or otherwise immoral,
unethical or non-business-related internet sites.
√ Shall not use the internet for downloading, publishing, distributing or
disseminating any inappropriate, profane, defamatory, infringing,
obscene, indecent or unlawful material.
√ Shall not download files such as music files, video files or other large
files unless they are specifically warranted for the user’s official duties.

4.19. Remote Access


√ Care should be exercised when working in public places such as internet
cafés, airport lounges or hotel lobbies.
√ It is advisable to clear out browser cache and temp files after logging out
of non-<Company Name Here> systems or applications.
√ While working from home or other remote locations, adhere to the
company’s IT policy.

5. Special Circumstance and Exception

Any deviation from this policy has to be approved by the ITM. Any changes to the
policy have to be approved by HR, Legal and Compliance.

6. Non-compliance and Consequence

Non-compliance with this policy, such as misuse of office equipment for personal
work, negligent damage, attending to personal work during office hours without the
explicit permission of the Manager or HR, or any other act construed to be a
violation of this policy, will be viewed seriously by HR, and appropriate action will
be initiated, including termination of the employment contract.
This template is brought to you by

www.greythr.com
