Acceptable Use Policy
The IT Department will partner with the Security and Compliance Committee to provide appropriate technology for staff while maintaining the level of security our customers expect. This document sets forth Catalyst’s policy regarding various resources.
This policy applies to all users allowed to access Catalyst resources.
Policies, Communications, and Training
- To use Catalyst resources, users must agree to abide by Catalyst’s compliance and security policies. Policies are made available to users through their manager, HR, or on company assets.
- Communications will be sent to all users, personnel, and contracting agencies when a new policy is published and when existing policies are updated.
- It is the responsibility of the user to stay current with changes in compliance for all policies.
- Users will be required to participate in all company security activities and trainings should they be active when the training period closes.
General Use and the Use of Good Judgement
- Resources offered by Catalyst are provided to users for the specific purpose of conducting company business.
- Limited personal use of Catalyst issued user-devices is permissible; however, users are responsible for exercising good judgement regarding personal use.
- Catalyst maintains a policy of least privilege, and it is expected that users do not access any company resource unless they have an approved business purpose.
- Users may not view, load, house, or transmit illegal content using company systems or resources.
Devices and Data
It is expected that all devices accessing company data are password protected. Further information is available in the Catalyst Device Policy.
Any user-saved passwords should be in an encrypted password store and not stored on or displayed in open or otherwise easily accessible formats.
- Users must report all lost or stolen devices used in conjunction with Catalyst work activities to Catalyst’s Internal IT Department via the email@example.com email immediately or by directly opening a ticket using the company ticketing system.
- Installing any software designed to capture, mirror, analyze, or disrupt any form of company electronic communications is not allowed without prior approval of the SCC.
- Users should only use portable media provided by the company, and that media should be handled according to the Media Handling Policy.
- Users may not expose resources to computing devices that do not have up-to-date anti-malware systems.
- Users who introduce personal devices into the company environment agree that the devices will be subject to company policies.
- Catalyst's data and Catalyst Customer's data should only be stored or transmitted via approved channels.
Monitoring and Privacy
- Users shall have no expectations of privacy with respect to any Catalyst resources, devices, and electronic communications.
- All electronic communications using Catalyst systems are the property of Catalyst and are intended to assist in the carrying out of company business.
- Catalyst reserves the right to monitor, access, review, copy, store, or delete any communications, including personal messages, for any purpose and to disclose them to others, as deemed appropriate.
- System passwords should be complex and conform to the company’s Password Policy: never shared, never written, and rotated regularly.
Intellectual Property and Licensing
- Installation of company software on Catalyst issued user devices can be completed by the Internal IT Department. If users install software, they will be responsible to ensure that it is properly licensed.
- Users should not share license keys with others.
- Personal software may not be installed on company resources.
- Downloaded software may not be installed on company resources unless it has been scanned and passes a content check (usually an antivirus system with additional options possible).
- Accounts using any of the domain names owned by the company should only be used for acceptable business purposes.
- Only company officers and Catalyst’s Marketing Department may represent the company and post official statements on any Social Media sites.
- Any white papers or company information posted to an individual’s social media site must be approved by the Marketing Department.
- Concerns regarding social media posts or content should be referred to the Marketing Department for an official response.
- Non-public information should not be shared via Social Media.
- Users need to be cognizant that their comments and actions on social media can reflect positively or negatively on the company.
- Users shall not use Catalyst resources to engage in any communications or actions that are threatening, discriminatory, defamatory, slanderous, obscene, sexually explicit, pornographic, or harassing.
- Users shall not use company resources to engage in any illegal activities.
- The manipulation of electronic communications, data, or records is forbidden outside of approved channels.
- Circumvention of any company applied security measures is not permitted.
Under the policy, users must exercise good judgment or consult management in questionable situations. Users should understand this policy and endeavor to conduct business with the highest ethical standards. Information Security is the responsibility of all users, and it is expected that Catalyst users conduct themselves accordingly.
It is the responsibility of users to notify the Internal IT Department via the firstname.lastname@example.org email address immediately if they believe any of the above requirements have been violated.
Violations of the policy will be met with corrective action and carry the possibility of disciplinary action up to, and including, termination.
If there is a reason for a situational exemption from this policy, a risk assessment should be conducted by the company’s IT department. Exceptions must be documented and approved by the SCC.
Owner: Security and Compliance Committee
$Date: 2018-12-13 12:44:26 -0700 (Thu, 13 Dec 2018) $
$Revision: 472630 $