Network Acceptable Use Policy (AC-POL-002)
1. Objective
The objective of this policy is to establish the rules governing the acceptable use of [Company Name]’s network, internet access, and communication systems. This policy is designed to protect the integrity and availability of our information resources, safeguard sensitive data such as electronic Protected Health Information (ePHI), and ensure a secure and productive work environment.
2. Scope
This policy applies to all [Company Name] workforce members (including employees, contractors, and temporary staff) and any other individuals granted access to the company’s network and information systems. It covers the use of all network resources, including but not limited to internet access, email, instant messaging, cloud services, and any device connected to the corporate network.
3. Policy
All use of [Company Name]’s network resources must be conducted in a legal, ethical, and secure manner that is consistent with the company’s professional standards.
3.1 General Use and Ownership
- Company Property: All network infrastructure, systems, and the data created or transmitted over them are the property of [Company Name].
- No Expectation of Privacy: Workforce members should have no expectation of privacy in their use of company network resources. To ensure compliance and protect information assets, network traffic is actively monitored for security threats and potential policy violations, in accordance with applicable laws.
- Business Purpose: Network resources are provided primarily for business-related activities. Limited and incidental personal use is permitted, provided it does not interfere with job performance, consume significant resources, or violate any other provision of this policy.
3.2 Security and Data Protection
Workforce members are responsible for maintaining the security of the network and protecting company data.
- Credentials: Workforce members shall not share their account credentials or allow others to use their accounts to access the network.
- Malicious Software: Intentionally introducing malicious software (e.g., viruses, worms, spyware) into the network is strictly prohibited. Workforce members shall exercise caution when opening email attachments or clicking on links from unknown sources. To support this, workforce members shall complete annual security awareness training, which provides specific guidance on identifying and avoiding threats like phishing and malware.
- Security Incidents: Any suspected security incident, unauthorized access, or vulnerability shall be reported immediately to the IT Department and the Security Officer.
- Data Handling: The transmission of ePHI or other data classified as Confidential over the network shall be done using company-approved, encrypted methods.
3.3 Prohibited Activities
The following activities are strictly prohibited when using [Company Name]’s network resources:
- Illegal or Unethical Activities: Engaging in any activity that is illegal under local, state, or federal law, including but not limited to harassment, copyright infringement, or fraudulent activities.
- Circumventing Security: Attempting to bypass or disable any security controls, such as firewalls, content filters, or monitoring software.
- Unauthorized Access: Attempting to access systems, data, or accounts for which the user does not have explicit authorization.
- Disruptive Behavior: Engaging in any activity that could disrupt network services or degrade performance for other users, such as initiating a denial-of-service attack or sending spam.
- Unauthorized Data Transfer: Using unapproved peer-to-peer file-sharing services or transferring company data to unauthorized personal cloud storage accounts.
- Inappropriate Content: Accessing, downloading, or distributing content that is obscene, defamatory, harassing, or otherwise violates [Company Name]’s professional conduct policies.

Compliance with these prohibitions is enforced through a combination of administrative oversight and technical controls, including, but not limited to, web content filtering, intrusion detection systems, and data loss prevention (DLP) tools.
4. Standards Compliance
This policy is designed to comply with and support the following industry standards and regulations.
| Policy Section | Standard/Framework | Control Reference |
|---|---|---|
| All | HIPAA Security Rule | 45 CFR § 164.308(a)(1)(i) - Security Management Process |
| 3.2, 3.3 | HIPAA Security Rule | 45 CFR § 164.308(a)(5)(ii)(B) - Protection from Malicious Software |
| 3.2 | HIPAA Security Rule | 45 CFR § 164.308(a)(6)(ii) - Response and Reporting |
| 3.3 | SOC 2 Trust Services Criteria | CC6.7 - The entity restricts the transmission, movement, and removal of information… |
| 3.3 | SOC 2 Trust Services Criteria | CC6.8 - The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software. |
5. Definitions
- Network Resources: All company-owned or managed hardware and software that provide network connectivity and services, including routers, switches, firewalls, servers, wireless access points, internet connections, and communication platforms.
- Incidental Personal Use: Infrequent and brief personal use of network resources that does not incur additional cost to the company, interfere with work duties, or violate this policy. Examples of use that is not considered incidental include streaming high-bandwidth media for personal entertainment, engaging in online gaming, or activities related to operating a personal business.
6. Responsibilities
| Role | Responsibility |
|---|---|
| Security Officer / Team | Own, review, and update this policy annually. Oversee the monitoring of network activity for security and compliance purposes. |
| IT Department | Implement and maintain the technical controls necessary to enforce this policy, such as firewalls and content filters. Investigate and respond to reported security incidents. |
| Managers | Ensure their direct reports understand and adhere to this policy. Address minor infractions in consultation with the IT and HR departments. |
| All Workforce Members | Read, understand, and comply with this policy. Use company network resources responsibly and report any violations or security concerns. |