Information Systems Security Policy
The Institutes provides each employee with the tools needed to perform his/her duties. Included in these tools is a Personal Computer (PC) to access e-mail, SIMMS, Microsoft Office products such as Word, Excel, and PowerPoint, the Internet, and other utilities. This document is a guideline to the secure use and care of your PC. If you have any questions regarding this document or the use of your PC, please contact Information Services at extension 7250.
1) Appropriate Use -
PCs should be used for business purposes only. Any other use of your PC is strictly prohibited with the following exceptions:
a) E-mail - this should be limited to brief messages to family and friends. Personal e-mail should never include executable files, that is, files with a .exe or .vbs extension. Pictures sent and received by e-mail should be kept to a minimum and should never be pornographic or offensive in nature. E-mail attachments should be no larger than 5MB.
b) Internet - see the Internet policy below
2) User Accounts -
Requests for new user accounts, additional permissions, or to remove accounts for employees whose employment has terminated should be done through the Request Tracking System (RTS). Each request should have the appropriate supervisor’s approval before being submitted to the IS group.
3) Confidentiality -
The Institutes' database has built-in security that restricts access to only the information needed by employees to perform their duties. The Institutes has Release of Information policies that govern information sharing with our exam vendor, employers, public class providers, and the CPCU Society. Employees should follow departmental operating policies that support these Release of Information policies.
At no time should any customer information be shared with anyone other than an Institute employee or the above parties as prescribed. Any exception to these rules must receive prior approval by an Executive Council member.
4) Passwords -
Each user is given a password to protect the information stored on their PC and in SIMMS. For security reasons, all passwords are set to expire on a regularly scheduled basis. Individuals should never share their password with anyone except an authorized member of the IS group.
5) Backups -
Information Services backs up each PC on a regularly scheduled basis. Only the information stored in the DATA directory is backed up. Employees should verify all critical files are stored in the DATA directory on their PC.
6) Physical Security -
a) Employees should take care in protecting their PC from physical damage. Food and drinks should be kept away from your PC to avoid accidental damage.
b) Employees should also take care in preventing unauthorized use of their PC. PCs should never be left logged on at the end of the day. Also, PCs should be locked if you will be away from your workstation for an extended period of time.
7) Virus Protection -
The Institutes provides virus protection software to protect your PC. However, the virus protection software may not catch some new viruses. Therefore, any files received from an outside source, including your home PC, should be scanned for viruses before being loaded onto your PC. Any executable file, those with a .exe or .vbs extension, should be checked by IS before loading onto your PC. At no time should you download a file from the Internet without first receiving authorization from the IS group.
8) Software Licenses -
All software installed on Institutes' PCs must be licensed to AICPCU. At no time should software be loaded onto a PC for which a valid license has not been purchased by AICPCU. Using unlicensed software is illegal and strictly forbidden.
9) Internet Policy -
The Institutes maintain a connection to the Internet to provide employees with access to the resources it provides. Access is provided via the World Wide Web, Electronic Mail, and Instant Messaging. This policy provides guidelines for employee use of the Institutes’ Internet connection. Because the Institutes are professional education organizations and Internet communications place the Institutes’ name and electronic address on the Internet, Internet activity should be conducted in a professional manner.
Guidelines
a. Monitoring
1. The Institutes’ Internet connection is routinely monitored to detect attempts at intrusion into our computer network from external sources.
2. Employees should be aware that all outgoing and incoming Internet connections are subject to monitoring and review during this process.
b. Use
1. Access to the World Wide Web is granted for business-related activities. Because the Institutes pay a flat rate for the service, an employee may, with department head approval, use Internet access to research areas of personal interest. Such research might be for term papers, general business information, or other information available on the Internet.
2. At no time should an employee use the Institutes’ Internet connection to access sites that contain sexually explicit, hate group, or other unprofessional material.
c. File Transfer
1. To avoid infecting the Institutes’ computer network with viruses and to preclude software copyright violations, employees must not download software from the Internet. This includes any demonstration, freeware, or shareware software. In addition, pictures, images, video, audio, or other types of computer files must not be downloaded. If an employee requires a software program or computer file from an Internet source, the employee should submit a written request to Information Systems or a designated person in the employee’s area to download the software.
2. Information Systems or the designated person will download the requested file to a secure location on the network, inoculate the software, and check the software’s copyright status. Information Systems or the designated person will then transfer the file to the requesting employee’s personal computer.
d. Electronic Mail
1. At no time should any e-mail sent from the Institutes contain individually identifiable information as well as other individuals’ private information or data, such as social security numbers or credit card numbers, unless the e-mail has been properly encrypted.
2. Electronic Mail service is provided for business-related activities. However, because there is no additional cost to the Institutes, an employee may, with department head approval, use Electronic Mail for personal correspondence.
3. Electronic Mail should be used in a professional manner.
4. All electronic mail is subject to review by the Institutes’ management.
e. Instant Messaging
1. Instant messaging should be limited to business activities. Brief messages may be sent to family members and should be limited to before work, during your lunch period, or after work.
f. Remote Access
1. With department head approval, some employees are provided with access to the Institutes’ server and computer network from their homes or while traveling. The above guidelines regarding Monitoring, the World Wide Web, File Transfer, and Electronic Mail also apply to remote access.
10) Visitors
Only the Institutes’ computers can be connected to the Institutes’ network. Computers belonging to salesmen, vendors, auditors, or other visitors cannot be connected to the network without prior permission, and even then only the IS group can make the connection.
AICPCU/IIA/IRC (Institutes) Confidentiality of Records Agreement
I understand that by virtue of my employment with the Institutes, I may have access to records which contain individually identifiable information as well as other individuals’ private information or data, the disclosure of which is prohibited by the Institutes. Security and confidentiality are a matter of concern for all employees within the Institutes and any other persons who have access to data systems or physical facilities. Each person working at the Institutes holds a position of trust relative to this information. Therefore, as an employee of the Institutes, I agree to respect and adhere to the following statements:
- I will not make or permit unauthorized use of any information.
- I will not seek personal benefit or permit others to benefit personally by any confidential information which has come to me by virtue of my work assignment.
- I will not exhibit or divulge the contents of any record, data, or report to any person except in the conduct of my work assignment.
- I will not knowingly include or cause to be included in any record or report a false, inaccurate, or misleading entry, or alter or destroy information, or commit any similar act. I will not view, remove, or modify any data except as directed by my supervisor in the performance of my duties.
- I will not aid, abet, or act in conspiracy with another to violate any part of this confidentiality agreement.
- I will immediately report any violation of this code to my supervisor.
- Anyone refusing to be bound by this policy will be precluded from working in positions where they may have access to records which contain individually identifiable information as well as other individuals’ private information or data.
I acknowledge that I fully understand that the intentional disclosure by me of this information to any unauthorized person could constitute just cause for disciplinary action including termination of my employment, regardless of whether criminal or civil penalties are imposed.