Acceptable Use Standard

Uploaded by James Hepburn

INFORMATION SECURITY ACCEPTABLE USE STANDARD

SPS SportSoft

Document Type: L2 SPS SPORTSOFT STANDARD
Document Name: ACCEPTABLE USE STANDARD
Document Owner: INFORMATION SECURITY OFFICER
Last Updated By: JAMES HEPBURN
Approved By: MAX LINTOTT
Approval Date: 20/06/2019
Issue Date: 21/06/2019
Next Review Date: 01/06/2020
Classification: INTERNAL
SPS Sportsoft Ltd

Confidential
Uncontrolled when printed

2|Page
Information Security SPS Sportsoft Ltd

Table of Contents
1. INTRODUCTION ... 4
1.1 PURPOSE ... 4
1.2 INTENDED AUDIENCE ... 4
1.3 IMPACTED DEPARTMENTS ... 4
1.4 EXCEPTION TO STANDARD ... 4
1.5 NON-COMPLIANCE ... 4
1.6 REPORTING AND ESCALATING PROBLEMS ... 4
1.6.1 IF YOU SUSPECT SOMETHING ... 4
2. ABBREVIATIONS AND DEFINITIONS ... 5
3. STANDARD STATEMENT ... 6
3.1 ACCEPTABLE USE STANDARD ... 6
3.1.1 USE OF SPSSL HARDWARE ... 6
3.1.2 USE OF EMAILS ... 6
3.1.3 BUSINESS AS USUAL MAILBOX ACCESS ... 8
3.1.4 USE OF THE INTERNET ... 8
3.1.5 MONITORING ... 9
3.1.6 HOMEWORKERS ... 10


1. INTRODUCTION
1.1 PURPOSE
1.1.1.1 This Standard is intended to provide detail to supplement the SPS SportSoft Ltd (SPSSL)
Information Security Policy, which is owned by Information Security and supports the ISO 27001
Information Security Management System (ISMS).
1.1.1.2 The purpose of this standard is to outline the acceptable use of SPSSL information and IT assets
in order to protect both workers and SPSSL. Inappropriate use of assets could expose SPSSL to
risks including virus attacks, compromise of network systems and services, and wider legal or
regulatory issues.
1.1.1.3 The solutions/services defined in this standard are mandatory across all SPSSL business
operations.
1.1.1.4 Local Business departments may have more stringent practices in place, e.g. to meet regulatory or
contractual requirements. The Business department is responsible for documenting those
standards and publishing them as an appendix to this document.

1.2 INTENDED AUDIENCE


1.2.1.1 This document is intended to be read by all workers: permanent, temporary and contract.
1.2.1.2 This document must not be provided to 3rd Parties without approval from Information Security and
all 3rd parties must be assured to have suitable Information Security controls in line with the
classification of data.

1.3 IMPACTED DEPARTMENTS


1.3.1.1 The following departments are directly impacted because they are responsible for the execution and
maintenance of the controls listed within this standard, and have therefore reviewed this document
prior to signing off.
1.3.1.2 All

1.4 EXCEPTION TO STANDARD


1.4.1.1 This Standard provides details on how to comply with the SPSSL Information Security ISMS.
Solutions which do not comply with this Standard therefore do not comply with the
mandated policies and require an exception.
1.4.1.2 Contact the Information Security team if an exception is required.

1.5 NON-COMPLIANCE
1.5.1.1 Non-compliance with this Standard may result in disciplinary and/or criminal proceedings against
the worker, which may include their managers.

1.6 REPORTING AND ESCALATING PROBLEMS


1.6.1 IF YOU SUSPECT SOMETHING
1.6.1.1 If you think there is a problem with how SPSSL or a 3rd party is protecting data, or you think
somebody is not complying with part of this policy, you must tell a manager straight away, even if
there has not been an actual incident.
1.6.1.2 Managers need to pass this on to the Information Security team immediately by emailing
Information Security or talking directly to one of the Information Security colleagues.
1.6.1.3 When the problem could expose us to operational risk, you must also tell the Risk Owner or
Information Security through their risk event reporting process, as detailed in the Information Risk
Policy.


2. ABBREVIATIONS AND DEFINITIONS


2.1.1.1 All Abbreviations and Definitions are either explained within the document or can be found in the
Glossary of Key Information Security Terms.

ABBREVIATION: DEFINITION
BAU: Business as usual
Endpoint Devices: All information processing hardware, excluding servers
GDPR: General Data Protection Regulation
ISMS: Information Security Management System

3. STANDARD STATEMENT
3.1 ACCEPTABLE USE STANDARD
3.1.1 USE OF SPSSL HARDWARE
3.1.1.1 All SPSSL information system users of desktops, PCs, laptops, smartphones and tablet devices
(collectively referred to from here as endpoint devices) must lock access to their endpoint by
using a password-protected screensaver or log off when it is not being used.
3.1.1.2 All users of the SPSSL information systems must save their work regularly in accordance with the
requirements of the Backup Management Standard, to prevent corruption or loss through system
or power malfunction.
3.1.1.3 Colleagues are not permitted to load non-approved screensavers, or software which is not
required by the business, onto the organisation's endpoint devices.
3.1.1.4 The use by SPSSL colleagues of non-SPSSL owned or managed equipment to access SPSSL
systems or networks is not permitted other than where the device complies with the Information
Security Policy and supporting standards.
3.1.1.5 All contractors or Third Parties working on SPSSL client data must use SPSSL equipment or
SPSSL approved equipment. No Third Party may use unapproved equipment e.g. personal or
Third Party company laptop to work on or transport SPSSL owned or managed data.
3.1.1.6 Where laptops, removable media, smartphones and tablet devices are left in an office overnight,
they must be shut down fully (rather than set to hibernate) and securely locked away.
3.1.1.7 Colleagues must not sign up for any business services using personal accounts.
3.1.1.8 Colleagues must not attempt to access, or purposely access, any websites that are not suitable for work.
3.1.1.9 Family and friends are not permitted to use SPSSL equipment.
3.1.1.10 Colleagues must not try to circumvent or remove any Information Security controls, including by using
non-approved USB/removable media drives, without explicit permission from Information Security.

3.1.2 USE OF EMAILS


3.1.2.1 Colleagues are not permitted to access mailboxes other than their own without specific approval
from the owner of the mailbox. In some cases, it is necessary for a line manager, local security
manager or another responsible manager to request access to, or information from, a user's email files,
known as their mailbox.
3.1.2.2 There are two scenarios where this may happen, which are:
a) as part of Business As Usual (BAU). This is described in 3.1.3.2 below
b) where an investigation is ongoing. This includes access to the user’s archived mail (where
appropriate), as well as their unarchived and/or journaled mail
3.1.2.3 All other types of access to a user's mailbox not covered by this standard must be referred to
the Information Security team for approval before the access is provided.
3.1.2.4 When a worker leaves SPSSL, their Line Manager must ensure that an appropriate Out of Office
message is set on the leaver's email mailbox. The Out of Office message must give an alternative
name and email address, and must be tested by the Line Manager or H.R.
3.1.2.5 When a worker leaves SPSSL, their mailbox is automatically archived, and the mailbox is hidden
from the Global Address List for a period of 90 days, at which point it is deactivated. Access to
this hidden mailbox may be granted for either of the reasons described in 3.1.2.2, after following
the relevant process.
3.1.2.6 Personal email use is not exempt from monitoring, disclosure or any of the SPSSL Baseline
Information Security policies.
3.1.2.7 Users must:
a) change their password if it is disclosed to another party, or if it is suspected someone else
knows it
b) report the receipt of emails containing racial, sexual, religious or otherwise offensive remarks
or media immediately to their line manager and H.R., who will treat this as an incident

c) forward any suspected malicious or spam emails to Information Security
d) use only items from the limited range of approved mobile devices to send and/or receive email.
The list of approved mobile devices can be requested from IT.
e) remember that emails which refer to any client must be written in terms which would be
acceptable for the client to see
f) delete any email which contains personal data which may be subject to the Data Protection Act
as soon as it is no longer required for the purpose for which it was obtained unless the said
email is defined as a record.
g) take care to only send email to people who need to see it
h) confirm in writing to their line manager or local HR representative who, if anyone, can access
their email accounts in their absence
i) ensure the correct signature is applied that includes the classification of the email
3.1.2.8 Users must not:
a) send unencrypted Highly Confidential and/or Confidential email, which includes, but is not
limited to, payment card data, financial information and personal or sensitive information as
defined by the General Data Protection Regulation (GDPR)
b) send work-related email to personal email addresses, unless this is part of a business
requirement
c) auto-forward email to external addresses
d) share their password with anyone. Passwords must be changed as soon as the user suspects
someone else knows it
e) open email or attachments if the source is unknown
f) send emails containing racial, sexual, religious, political or otherwise offensive remarks or
media
g) send mass mailings and/or large messages/attachments to avoid potential network utilisation
problems
h) forward chain letters or spam, unless to Information Security
i) use their SPSSL email account to post messages on non-business related discussion forums
or subscribe to non-business related mailing lists
j) send emails which contain material which is incriminating, including in relation to admissions of
fault or liability, unless expressly authorised by a line manager for the purposes of formal
communication to a concerned party
k) reply to SPAM email or click on web links contained in unsolicited email
l) use the email client to access email accounts other than the ones provided for you by SPSSL
for business purposes
m) use the email account to run or engage in any form of personal or private business for hire or
reward
n) use email excessively for personal use. Reasonable but limited personal use of email may be
possible with the prior agreement of your line manager
o) access non-SPSSL email accounts (e.g. Hotmail, Gmail, etc.) unless approved by their line
manager and a governance non-compliance is approved to meet specific business needs
p) access social media unless approved by their line manager to meet specific business needs
q) use their SPSSL email for non-business related services or use their personal email for
business-related services
r) use instant messaging / chat applications, other than those provided by SPSSL

3.1.3 BUSINESS AS USUAL MAILBOX ACCESS
3.1.3.1 The circumstances in which a request might be made for one of the above processes are as follows:
a) where a manager wants to give access to their mailbox e.g. to a personal assistant for diary
management etc
b) during long-term absence e.g. sick or maternity leave when a line manager might require limited
access to a subordinate’s mailbox
3.1.3.2 All requests for BAU access must be:
a) approved by the appropriate responsible manager;
b) approved by H.R.; and
c) received in writing at the data.protection@sportpesa.com or Information.Security@sportpesa.eu
mailbox account.
3.1.3.3 Only requests received from data protection or another responsible manager shall be processed
by Information Security.
3.1.3.4 For access to a mailbox as part of an investigation, please refer to the Incident Response Standard for
details.

3.1.4 USE OF THE INTERNET


3.1.4.1 Access to the Internet must only be through SPSSL approved network connections, which must
have a suitable host-based firewall configuration installed.
3.1.4.2 Users must not set up any private networks such as mobile "hotspots".
3.1.4.3 Use of the Internet includes access for personal use and must comply with this standard.
3.1.4.4 Users must:
a) only use the Internet for business purposes, though occasional personal use is acceptable
provided it is reasonable. Any personal use must not interfere with normal business activities,
must not involve solicitation, must not be associated with any ‘for-profit’ outside business activity
and must not potentially embarrass the company or bring it into disrepute.
b) disconnect immediately from any accidentally accessed site that contains sexually explicit or offensive
material, regardless of whether or not the site had previously been deemed acceptable, and notify
your line manager if you inadvertently visit an unacceptable site
c) notify your manager immediately if you receive any inappropriate material
d) schedule communications-intensive operations, such as large file transfers, for outside working
hours with approval of IT
e) comply with copyright law and all applicable licences that may apply to software, files, graphics,
documents, messages and other material you wish to download or copy
f) use Internet systems with the same integrity as in face-to-face, video-conference or audio-conference
business operations
g) ensure any portal or website that requires data storage has an application owner and business
impact assessment done
h) ensure any portal or website that requires data storage has an application owner and privacy
impact assessment done
i) notify Information Security of any alerts when accessing any websites
j) notify Information Security of any websites that look visually similar to SPSSL websites
k) notify Information Security of any websites that ask for additional permission for use or attempt to
download additional software for its use
l) notify Information Security for any transfer of data across the internet
m) notify Information Security of the use of any Virtual Private Networks (VPNs) with a business
justification for their use

n) classify any information downloaded from the Internet
3.1.4.5 Users must not:
a) access, display, store or send material which is discriminatory, harassing, obscene, pornographic,
libellous, defamatory, breach any obligations of confidentiality or is otherwise deemed by the
company to be inappropriate in the workplace
b) illegally copy material protected under copyright law or make material available to others for
copying
c) use SPSSL computing resources to overload any computer system or network or to circumvent
any system intended to protect the privacy or security of another user
d) use Internet services to obtain unauthorised information or information which is personal or
private to another individual or organisation. If such material is accidentally received or
obtained its content must not be discussed or disseminated to any other person or
organisation, other than the sender
e) make excessive use of the Internet (as deemed by the company) for personal or non-business
purposes
f) download music or games or play games against opponents over the Internet
g) download any software, including freeware, shareware or public domain software, without prior
authorisation from the local IT or Information Security Officer. Software with direct business use
must be properly licensed and registered in advance
h) agree to a licence or download any material for which a registration fee is charged without first
obtaining express written permission from their line manager. A company subscription for
commercial Internet services or fee-for-use services must be in place prior to using any SPSSL
owned or operated equipment to access such commercial services
i) download images or videos unless there is an express business-related use for the material
j) attempt to circumvent the firewall, or other inherent controls, (for example by using modems or by
amending the browser configuration), without explicit authorisation from the local IT and
Information Security
k) reveal confidential company information, customer data, trade secrets and other material covered
by existing company security policies on public forums such as chat rooms and newsgroups
l) speak or write in the name of the company on any newsgroup or chat room unless explicitly
authorised to do so
m) deliberately post false information to any newsgroup or chat room
n) commit SPSSL to any form of contract through the Internet without prior authorisation
o) provide links to an inappropriate non-business related website or other resource which accesses,
displays, stores or sends material that is discriminatory, harassing, obscene, pornographic, libellous,
defamatory, breaches any obligations of confidentiality or is otherwise deemed by the company to
be inappropriate in the workplace

3.1.5 MONITORING
3.1.5.1 SPSSL personnel are responsible for any activity performed under their user credentials (i.e. login
name and password). Inappropriate use of endpoint devices, systems, applications, email, the
Internet and other services provided by SPSSL may lead to disciplinary action.
3.1.5.2 SPSSL has software and systems in place to monitor and record all email and Internet usage.
These security systems are capable of recording (for each and every user) each Internet site visit,
each chat, newsgroup or email message, and each file transfer in and out of our internal
networks.
3.1.5.3 SPSSL uses independently supplied software and data to identify inappropriate or sexually
explicit Internet sites based on category and will block access to such sites as necessary.
3.1.5.4 Computer resources are not unlimited. Network bandwidth and storage capacity have finite limits
and all users connected to the network have a responsibility to use these resources wisely.

3.1.5.5 All email and Internet activity will be reviewed and usage patterns may be analysed.
3.1.5.6 SPSSL will block access to other sites as necessary, where these sites constitute a threat to the
normal running of SportPesa business, or where there is no valid business reason for access.
These include, but are not limited to:
a) criminal activity
b) hacking
c) illegal drugs
d) phishing
e) fraud
f) spyware
3.1.5.7 SPSSL reserves the right to inspect any and all files stored on any server or workstation which it
owns or manages, or which sits on the corporate infrastructure and including remote users in
order to ensure compliance with the policy. This right may be exercised for the purposes of, for
example:
a) record keeping
b) determining whether communications are relevant to the business
c) preventing or detecting crime
d) ensuring the effective operation of the system
3.1.5.8 In addition, SPSSL reserves the right to monitor communications to determine the existence of
facts, detecting unauthorised use of its systems and to ascertain the standards which ought to be
achieved by workers using its systems.
3.1.5.9 Use of any SPSSL owned or managed connection to the Internet is inappropriate when that use:
a) compromises the privacy of users and their personal data
b) damages the integrity of a computer system or the data or programs stored on a computer system
c) disrupts the intended use of a system or network resource
d) wastes resources which are needed for business use (including the resources required to resolve
issues)
3.1.5.10 Internet messages must be treated as non-confidential by all SPSSL colleagues. Anything sent
through the Internet passes through numerous computer systems, all with different levels of
security. Unless they are encrypted, messages may be compromised at any point. Refer to the
Encryption Standard for more information.
3.1.5.11 Information obtained via the Internet must be treated with caution, as it may be factually incorrect.
3.1.5.12 All SPSSL colleagues must be aware that downloading items from the Internet could result in
unwanted items 'piggy-backing' onto the request, potentially causing corruption of data or the
installation of "back-door" routes into the SPSSL network. Colleagues must report any
suspicious activity immediately to their local IT support team.

3.1.6 HOMEWORKERS
3.1.6.1 All acceptable use requirements detailed in this Standard apply to homeworkers.
3.1.6.2 Data must be backed up on a regular basis in accordance with the requirements of the Backup
Management Standard, daily or weekly if possible, depending on the risk of not having the data.
3.1.6.3 The Homeworker must dispose of confidential or otherwise sensitive documentation as described
in the Confidential Information Disposal Standard and the IT Equipment Disposal Standard.
3.1.6.4 The Homeworker must keep all SPSSL owned equipment and data secure when it is not in use.
3.1.6.5 Homeworkers must not process, transmit or store payment cardholder data unless they are on a
suitable SPSSL network.

3.1.6.6 Where Wi-Fi is in use, the Homeworker must comply with the Wireless Standard and Encryption
Standard.
