APPENDIX A: Acceptable Use Security Policy
The following document is a sample Acceptable Use Security Policy using the outline identified in the Security Policy Template. The purpose of this sample document is to aid with the development of your own agency Acceptable Use Security Policy by giving specific examples of what can be performed, stored, accessed and used through the use of your department's computing resources.
Section 1 - Introduction
Information Resources are strategic assets of the and must be treated and managed as valuable resources. provides various computer resources to its employees for the purpose of assisting them in the performance of their job-related duties. State law permits incidental access to state resources for personal use. This policy clearly documents expectations for appropriate use of assets. This Acceptable Use Policy in conjunction with the corresponding standards is established to achieve the following:
1. To establish appropriate and acceptable practices regarding the use of information resources.
2. To ensure compliance with applicable State law and other rules and regulations regarding the management of information resources.
3. To educate individuals who may use information resources with respect to their responsibilities associated with computer resource use.
This Acceptable Use Policy contains four policy directives: Part I – Acceptable Use Management, Part II – Ownership, Part III – Acceptable Use, and Part IV – Incidental Use. Together, these directives form the foundation of the Acceptable Use Program.
Section 2 – Roles & Responsibilities
1. management will establish a periodic reporting requirement to measure the compliance and effectiveness of this policy.
2. management is responsible for implementing the requirements of this policy, or documenting non-compliance via the method described under exception handling.
3. Managers, in cooperation with Security Management Division, are required to train employees on policy and document issues with Policy compliance.
4. All employees are required to read and acknowledge the reading of this policy.
Section 3 – Policy Directives
Part I Acceptable Use Management Requirements
1. will establish formal Standards and Processes to support the ongoing development and maintenance of the Acceptable Use Policy.
2. The Director and Management will commit to the ongoing training and education of staff responsible for the administration and/or maintenance and/or use of Information Resources. At a minimum, skills to be included or advanced include User Training and Awareness.
3. The Director and Management will use metrics to establish the need for additional education or awareness programs in order to facilitate the reduction in the threat and vulnerability profiles of Assets and Information Resources.
4. The Director and Managers will establish a formal review cycle for all Acceptable Use initiatives.
5. Any security issues discovered will be reported to the CISO or his designee for follow-up investigation. Additional Reporting requirements can be located within the Policy Enforcement, Auditing and Reporting section of this policy.
Part II - Ownership
Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of are the property of and employee use of such files is neither personal nor private. Authorized Information Security employees may access all such files at any time without knowledge of the Information Resources user or owner. management reserves the right to monitor and/or log all employee use of Information Resources with or without prior notice.
Part III – Acceptable Use Requirements
1. Users must report any weaknesses in computer security to the appropriate security staff. Weaknesses in computer security include unexpected...