Network Acceptable Use Policy (AC-POL-002)
1. Objective
The objective of this policy is to establish the rules governing the acceptable use of [Company Name]’s network, internet access, and communication systems. This policy is designed to protect the integrity and availability of our information resources, safeguard sensitive data such as electronic Protected Health Information (ePHI), and ensure a secure and productive work environment.
2. Scope
This policy applies to all [Company Name] workforce members (including employees, contractors, and temporary staff) and any other individuals granted access to the company’s network and information systems. It covers the use of all network resources, including but not limited to internet access, email, instant messaging, cloud services, and any device connected to the corporate network.
3. Policy
All use of [Company Name]’s network resources must be conducted in a legal, ethical, and secure manner that is consistent with the company’s professional standards.
3.1 General Use and Ownership
3.1.1 Company Property Rights
All network infrastructure, systems, and the data created or transmitted over them shall be considered the property of [Company Name]. Workforce members shall acknowledge that their use of these resources is subject to company policies and applicable laws.
3.1.2 Privacy Expectations
Workforce members shall have no expectation of privacy in their use of company network resources. To ensure compliance and protect information assets, network traffic shall be actively monitored for security threats and potential policy violations, in accordance with applicable laws.
3.1.3 Business Purpose Requirements
Network resources shall be provided primarily for business-related activities. Limited and incidental personal use shall be permitted, provided it does not interfere with job performance, consume significant resources, or violate any other provision of this policy.
3.2 Security and Data Protection
Workforce members are responsible for maintaining the security of the network and protecting company data.
3.2.1 Credential Security
Workforce members shall not share their account credentials or allow others to use their accounts to access the network. Account credentials shall be protected as confidential information and used only by the authorized individual.
3.2.2 Malicious Software Prevention
Intentionally introducing malicious software (e.g., viruses, worms, spyware) into the network shall be strictly prohibited. Workforce members shall exercise caution when opening email attachments or clicking on links from unknown sources. To support this requirement, workforce members shall complete annual security awareness training, which provides specific guidance on identifying and avoiding threats like phishing and malware.
3.2.3 Security Incident Reporting
Any suspected security incident, unauthorized access, or vulnerability shall be reported immediately to the IT Department and the Security Officer. Workforce members shall not attempt to investigate or remediate security incidents independently.
3.2.4 Data Protection Requirements
The transmission of ePHI or other data classified as Confidential over the network shall be conducted using company-approved, encrypted methods. Unencrypted transmission of sensitive data shall be prohibited.
3.3 Prohibited Activities
The following activities are strictly prohibited when using [Company Name]’s network resources:
3.3.1 Prohibited Illegal Activities
Engaging in any activity that is illegal under local, state, or federal law shall be strictly prohibited, including but not limited to harassment, copyright infringement, or fraudulent activities.
3.3.2 Security Control Circumvention
Attempting to bypass or disable any security controls, such as firewalls, content filters, or monitoring software, shall be strictly prohibited.
3.3.3 Unauthorized System Access
Attempting to access systems, data, or accounts for which the user does not have explicit authorization shall be strictly prohibited.
3.3.4 Network Disruption Activities
Engaging in any activity that could disrupt network services or degrade performance for other users shall be strictly prohibited, such as initiating a denial-of-service attack or sending spam.
3.3.5 Unauthorized Data Transfer
Using unapproved peer-to-peer file-sharing services or transferring company data to unauthorized personal cloud storage accounts shall be strictly prohibited.
3.3.6 Inappropriate Content Access
Accessing, downloading, or distributing content that is obscene, defamatory, harassing, or otherwise violates [Company Name]’s professional conduct policies shall be strictly prohibited.
Compliance with these prohibitions is enforced through a combination of administrative oversight and technical controls, including, but not limited to, web content filtering, intrusion detection systems, and data loss prevention (DLP) tools.
4. Standards Compliance
This policy is designed to comply with and support the following industry standards and regulations.
| Policy Section | Standard/Framework | Control Reference |
|---|---|---|
| All | HIPAA Security Rule | 45 CFR § 164.308(a)(1)(i) - Security Management Process |
| 3.2, 3.3 | HIPAA Security Rule | 45 CFR § 164.308(a)(5)(ii)(B) - Protection from Malicious Software |
| 3.2 | HIPAA Security Rule | 45 CFR § 164.308(a)(6)(ii) - Response and Reporting |
| 3.3 | SOC 2 Trust Services Criteria | CC6.7 - The entity restricts the transmission, movement, and removal of information… |
| 3.3 | SOC 2 Trust Services Criteria | CC6.8 - The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software. |
5. Definitions
- Network Resources: All company-owned or managed hardware and software that provide network connectivity and services, including routers, switches, firewalls, servers, wireless access points, internet connections, and communication platforms.
- Incidental Personal Use: Infrequent and brief personal use of network resources that does not incur additional cost to the company, interfere with work duties, or violate this policy. Examples of use that is not considered incidental include streaming high-bandwidth media for personal entertainment, engaging in online gaming, or activities related to operating a personal business.
6. Responsibilities
| Role | Responsibility |
|---|---|
| Security Officer / Team | Own, review, and update this policy annually. Oversee the monitoring of network activity for security and compliance purposes. |
| IT Department | Implement and maintain the technical controls necessary to enforce this policy, such as firewalls and content filters. Investigate and respond to reported security incidents. |
| Managers | Ensure their direct reports understand and adhere to this policy. Address minor infractions in consultation with the IT and HR departments. |
| All Workforce Members | Read, understand, and comply with this policy. Use company network resources responsibly and report any violations or security concerns. |