ISMS

Document Control

Item | Description
Document Title | XYZ ISMS Acceptable Usage Policy
Doc Ref |
Version | 0.2
Classification | Public / Internal / Confidential / Strictly Confidential
Status | Current / Draft
Type |
Release Date |
Revision Date |
Author |
Owner |

Version No. | Date | Author(s) | Remarks

Document Review and Approval History
Version No. | Date | Reviewer(s) | Remarks

20/02/2014  Internal  V0.2  Page 1 of 15

Contents
Document Control.................................................................................................. 1
Introduction........................................................................................................... 4
Overview............................................................................................................ 4
Purpose............................................................................................................... 4
Scope.................................................................................................................. 4
Compliance and enforcement............................................................................. 4
Deviations from Policy........................................................................................ 4
Roles and Responsibilities................................................................................... 5
Policy Statement.................................................................................................... 6
Principles of Implementation................................................................................. 6
General............................................................................................................... 6
System Account.................................................................................................. 6
Physical Security................................................................................................ 7
Desktop, Laptop and Portable Device Security...................................................7
Password Usage.................................................................................................. 8
Mobile Devices Usage......................................................................................... 8
Email Usage........................................................................................................ 9
Internet Usage.................................................................................................... 9
Computer Virus................................................................................................. 11
Software installation......................................................................................... 11
Clear Desk Clear Screen................................................................................... 12
Document Security........................................................................................... 12
Incident Reporting............................................................................................ 13
ISO 27001:2013 References................................................................................ 14
ISR Reference...................................................................................................... 14


Definitions and Abbreviations

Abbreviation/Term | Definition
XYZ | Xyz.co
ISMS | Information Security Management System
IT Department | Information Technology Department
CISO | Chief Information Security Officer
VPN | Virtual Private Network
LAN | Local Area Network
IP Address | Internet Protocol Address
CD-ROM | Compact Disc - Read Only Memory
PDA | Personal Digital Assistant
IDF | Intermediate Distribution Frame
USB | Universal Serial Bus / Flash drive
IAI | Information Asset Inventory
IAC | Information Asset Classification
AV | Asset Value
OS | Operating System
CIA | Confidentiality, Integrity and Availability
ISO | International Organization for Standardization

Introduction
Overview
XYZ's Acceptable Use policies are in place to protect employees and the
organization from inappropriate usage of resources that exposes XYZ to risks
including virus attacks, compromise of network systems and services, and legal
issues.
The Acceptable Use Policy covers, but is not limited to, the following:
- Assets such as desktops, laptop computers and BlackBerry devices;
- Facilities provided by XYZ such as email and file servers;
- Connectivity and access to the Internet and other networks; and
- Software and applications such as the XYZ portal.

Purpose
The purpose of this policy is to define the acceptable use of XYZ's IT resources
such as the Internet, email, networks and other IT information assets.

Scope
This policy applies to all employees, contractors, consultants, temporaries and
other workers at XYZ, including all personnel affiliated with third parties. In
addition, this policy applies to all XYZ owned IT equipment, assets and resources.

Compliance and enforcement
Violation of the terms of this policy will result in disciplinary action.
XYZ expects all users to comply with the terms of this policy and all other
policies and procedures published in its support.
Where there is evidence of a breach of this policy, it will be investigated in
accordance with XYZ's disciplinary procedures.
In all cases, the XYZ IT Team will act immediately to prevent further breaches.

Deviations from Policy
Deviations from the terms of this policy are not permitted without a written
waiver, formally authorised by the IT Director or Senior Management.

Roles and Responsibilities

The following table shows the roles and responsibilities:

Role | Responsibility
ISMS Committee | Actively supports and implements the policy within own business area
Chief Information Security Officer (CISO) | Manages publication, distribution, maintenance and review of the Acceptable Usage Policy (this document); ensures that personnel are aware of their responsibilities in terms of acceptable use of XYZ's IT and supporting function information assets; monitors use of IT resources to safeguard XYZ's information security objectives
Department Staff | Use XYZ's resources in accordance with the acceptable use and information security policies
End-users | Follow Acceptable Usage policies and procedures

Policy Statement
XYZ end-users shall use the IT Systems and associated privileges for business
purposes and shall not misuse IT Systems and privileges. The XYZ IT department
shall develop the necessary policy and awareness programs to educate users with
respect to acceptable usage practices and shall enforce the necessary technical
controls to monitor and prevent any inappropriate usage.

Principles of Implementation
The principles that need to be followed for the effective implementation of the
Acceptable Usage Policy are explained in this section.

General
IT resources and other messaging services provided by the IT Department and its
customers should be used primarily for business purposes. All IT information
assets and resources allocated by XYZ are its property and cannot be considered
private. The following rules apply to all employees using XYZ's information
resources:
1. Employees are responsible for exercising good judgement regarding the
reasonableness of personal use.
2. Employees should consult their supervisor or manager if there is any
uncertainty.
3. It is the responsibility of IT users to ensure that they use no illegal or
unauthorised software or hardware.
4. The XYZ IT Department reserves the right to audit networks and systems
to ensure compliance with this policy.
5. Users shall ensure that information or resources are shared only with
authorized personnel.
6. Employees shall not read, discuss or otherwise expose XYZ's business
sensitive information on airplanes, in restaurants, on public transportation or
at other public places.

System Account
1. XYZ information resources are provided to users for job-related
purposes, and the necessary system privileges are granted only where there is
a legitimate business need.
2. XYZ IT does not allow the use of XYZ IT and Communication resources for
personal use, including as repositories for personal data.
3. XYZ has deployed right e-fax for official purposes; employees shall use the
e-fax services with utmost care and as per the guidelines.
4. XYZ will ensure that each end user signs an Acceptable Use statement
prior to being granted access to an information system.
5. Computer and information systems shall be used in a manner that
maintains confidentiality and protects the information contained on the
XYZ IT systems.
6. XYZ staff may only access and use systems for which they are
specifically authorized.
7. Users are not permitted to disable security services, devices or antivirus
software on any XYZ resource unless explicitly authorised by the CISO.
8. Introduction of pornographic material into any XYZ information systems
environment is strictly prohibited. The storage, processing or
transmittal of pornographic material on XYZ information systems, by XYZ
staff, contractors or associates, is strictly prohibited.
9. Classified information shall not be copied or exchanged in any
manner, including but not limited to CD, USB drive, email attachment, etc.,
unless it is authorised for official purposes.
10. Any computer software which XYZ IT staff develop within the scope
of their employment remains the Intellectual Property of XYZ.
11. XYZ IT reserves the right to perform a compliance review on a
monthly basis to ensure compliance with this policy.

Physical Security
1. XYZ staff provided with XYZ identity cards shall always visibly display
their identity card within the XYZ premises.
2. It is in everyone's interest to ensure that the physical access controls to XYZ
premises operate effectively. XYZ staff shall cooperate and comply with
XYZ physical security measures.
3. Access to computer rooms and sensitive areas shall be controlled. Only
authorized staff are allowed to access such areas (e.g., data centre,
network room, computer room).
4. Unauthorised personnel are allowed neither into XYZ premises nor to use
the computer resources of XYZ IT.
5. XYZ IT information systems and resources shall not be moved out of XYZ
premises without appropriate approval from the CISO.
Reference: XYZ ISMS Physical and Environmental Policy

Desktop, Laptop and Portable Device Security
1. Users are only authorized to access their allocated desktops/laptops within
dedicated locations. Users shall be aware that they shall not access other
desktops/laptops located within XYZ premises without proper approval.
2. Users shall ensure that there is no illegal/pirated software on their
computers. Under no circumstance shall software, other than approved
and authorised software, be loaded onto XYZ computers.
3. Users shall only use equipment owned and authorized by the XYZ IT
Department. Users are prohibited from connecting their personal
computers and devices (laptops, notebooks, modems, PDAs, memory sticks,
etc.) to the XYZ network.
4. Gaming software is not permitted for use on XYZ systems and shall not be
installed, transferred or used within the XYZ network.
5. Introduction of freeware and shareware software (whether downloaded
from the Internet or obtained through any other media) to XYZ
information systems shall be subject to a formal evaluation and approval
process. Freeware and shareware applications shall be evaluated and
tested by the CISO before installation on XYZ Information Resources is
permitted.
6. Loss of laptops, notebooks or PDAs shall be reported immediately to the
Administrator Service Desk Team.
7. Laptop users shall ensure that any data stored on the local disk is copied
to the central file server for backing up.
8. Laptops shall be carried as hand luggage to prevent damage and
unauthorized access when travelling.

Password Usage
1. Use a strong password: eight or more characters, mixing upper-case
letters, lower-case letters, numbers and special characters.
2. Don't use a correctly spelled word in any language, because dictionary
attack software can crack these in minutes.
3. Change your password regularly; this way, if your password does fall into
the wrong hands, it won't be usable for long. It is best to change your
password every 90 days.
4. Don't use personal information such as your name (or the name of a
relative or pet), birthday or hobby, because these are easy to guess.
5. Don't disclose your password to unauthorized users.
Reference: XYZ ISMS Password Policy
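To make items 1 to 4 above checkable rather than advisory, the following added Python example (not part of the XYZ policy document) implements the rules as one policy check: minimum length and character classes, rejection of correctly spelled words, rejection of personal information taken from a user profile, and the 90-day rotation interval. The word list and the user profile fields are constructed stand-ins; a real deployment would load a full dictionary and the directory record for the user.

```python
import re
import string
from datetime import date, timedelta

# Constructed stand-in for a real dictionary (assumption: a production check
# would load a full word list such as /usr/share/dict/words).
DICTIONARY_WORDS = {"password", "welcome", "dragon", "sunshine", "football", "company"}

MIN_LENGTH = 8      # item 1: eight or more characters
MAX_AGE_DAYS = 90   # item 3: change at least every 90 days


def _tokens(value):
    """Split a profile value into lower-case tokens to search for in a password.

    Dates yield the numeric forms people typically reuse (1985, 1206, 0612, 120685, 12061985);
    strings yield each word plus the words joined together ("Jane Doe" -> jane, doe, janedoe).
    """
    if isinstance(value, date):
        return {value.strftime(f) for f in ("%Y", "%d%m", "%m%d", "%d%m%y", "%d%m%Y")}
    parts = [p for p in re.split(r"[^a-z0-9]+", str(value).lower()) if p]
    return set(parts) | {"".join(parts)}


def check_password_policy(password, profile=None, last_changed=None, today=None,
                          dictionary=DICTIONARY_WORDS):
    """Return the list of policy violations for a candidate password (empty = compliant).

    profile: constructed dict of personal data to exclude, e.g. {"name": "Jane Doe",
             "pet": "Rex", "birthday": date(1985, 6, 12)} (item 4).
    last_changed: date the password was last set, for the 90-day rule (item 3).
    """
    violations = []

    # Item 1: length and character classes.
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        violations.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        violations.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")

    # Item 2: not a correctly spelled word. Strip digits and punctuation first so
    # that "Dragon2014!" is still recognised as the word "dragon".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in dictionary or password.lower() in dictionary:
        violations.append("based on a dictionary word")

    # Item 4: no personal information (name, relative, pet, birthday, hobby).
    lowered = password.lower()
    for label, value in (profile or {}).items():
        if any(len(tok) >= 3 and tok in lowered for tok in _tokens(value)):
            violations.append("contains personal information (%s)" % label)

    # Item 3: rotation interval.
    if last_changed is not None:
        if (today or date.today()) - last_changed > timedelta(days=MAX_AGE_DAYS):
            violations.append("older than %d days" % MAX_AGE_DAYS)

    return violations


if __name__ == "__main__":
    # Constructed sample profile and candidates.
    sample_profile = {"name": "Jane Doe", "pet": "Rex", "birthday": date(1985, 6, 12)}
    for candidate in ("Tr0ub4dor&3", "password", "Dragon2014!", "Jane1985#x"):
        print(candidate, "->", check_password_policy(candidate, sample_profile) or "compliant")
```

The check deliberately reports every failed rule rather than stopping at the first one, so a user (or an audit report over a password-strength test) sees all the reasons a choice is unacceptable under this section.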

Mobile Devices Usage
1. Users log in using their User ID and password.
2. Ensure passwords are in compliance with the XYZ password policy.
3. Passwords shall not follow the key-pad sequence of the mobile device.
4. Never leave a mobile device unattended, to prevent theft.
5. Report lost or stolen devices and change any passwords immediately
through the IT Service Desk.
Reference: XYZ ISMS Mobile computing policy

Email Usage
1. Users shall ensure that the XYZ email facility is used for official purposes
only.
2. Users shall be responsible for the content of email originating from their
official email ID.
3. Users shall refrain from using their official email ID for personal
communications.
4. Users shall not allow others to use their official email ID for any kind of
email communication.
5. Users shall not use another user's official email ID for any kind of email
communication; they shall use their own email ID instead.
6. Users are prohibited from sending, receiving or forwarding the following
categories of emails using the official email facility:
a. Emails containing defamatory, offensive, racist or obscene remarks.
b. Emails that contain viruses or worms.
c. Chain mails, i.e. mails forwarded along a chain of people, usually
containing hoaxes, jokes, music, movies and the like.
d. Emails containing any document, software or other information
protected by copyright, privacy or disclosure regulation.
7. Users shall exercise caution in providing their official email account to
external websites such as discussion boards, mailing lists, etc.
8. Users shall be aware that they are provided with a fixed amount of mailbox
space for official email communication.
9. Users shall ensure that any email communication is within the fixed size
limit for transmission; any oversized communication shall be made through
other appropriate channels as authorized by the IT department.
10. Users shall use the official email client, i.e. Outlook, for all kinds of official
email communication.
11. Users shall be aware that they are responsible for the management of any
local copy of the mailbox that they store on their laptop or desktop.
12. Users shall password-protect the local copy of the mailbox with a strong
password.
13. Users shall ensure that email communication containing sensitive
information is protected during transmission using an appropriate mechanism
as authorized by the IT department.
14. Users shall promptly report any kind of security incident related to the
email system to the IT department through the appropriate channel.
15. Users shall be aware that XYZ reserves the right to monitor email
messages and may intercept or disclose, or assist in intercepting or
disclosing, e-mail communications to ensure that email usage is as per this
policy. XYZ may use the intercepted email as evidence to prosecute the
user if required.
16. Users shall be held responsible for any misuse of email communication
originating from their account. In the event of misuse the user's email
account shall be terminated and adequate disciplinary action may be
taken.
Reference: XYZ ISMS e-Mail Policy

Internet Usage
1. Users shall ensure that the XYZ internet facility is used strictly for official
purposes only.
2. Users shall refrain from establishing unauthorized means of accessing the
internet, such as personal modems, mobile cards, unauthorized wireless
access points, etc.
3. Users shall ensure that they follow the appropriate authentication mechanism
to access the internet through the corporate internet facility.
4. Users shall ensure that they do not access the corporate internet facility
with the credentials of another user.
5. Users shall ensure that they do not allow another user to access the
corporate internet facility with their credentials.
6. Users shall not use the corporate internet facility to access illegal or unethical
websites propagating information on gambling, obscene material,
violence, weapons, drugs, racism, hate and other similar explicit content.
7. Users shall not share official information with external websites unless
otherwise authorized by the management.
8. Users shall not use the internet to download or distribute malicious software
in the corporate network of XYZ.
9. Users shall promptly report any kind of security incident related to the
internet to the IT department through the appropriate channel.
10. Users shall be held responsible for any misuse of Internet access
originating from their account.
Reference: XYZ Internet usage policy

Computer Virus
1. Users shall report any malicious content detected, configuration change or
any unusual behaviour in their systems to the IT Help Desk team.
2. Any machine thought to be infected by a virus shall immediately be
disconnected from XYZ IT network.
Reference: XYZ ISMS Antivirus Policy

Software installation
1. Users are prohibited from installing software obtained through available
networking facilities, such as trial versions, freeware, shareware, etc.
2. Users are strictly prohibited from installing any information security testing
tools such as password cracking software, network scanning tools, port
scanning utilities, etc.
3. Users are strictly prohibited from copying, pasting and running scripts in the
operating environment.
Reference: XYZ ISMS Software installation policy

Clear Desk Clear Screen

Clear Desk
1. Users' paper and computer media shall be stored in suitable locked
cabinets and/or other forms of security furniture when not in use,
especially outside working hours.
2. All desks shall be kept clean, tidy, and clear of sensitive or valuable
company assets while left unattended. At the end of each working day, all
assets shall be secured.
3. Confidential business information shall be locked away when not required.
4. Confidential or strictly confidential information, when printed, shall be
cleared from printers and fax machines immediately.
Clear Screen
1. User workstations must be protected by key locks, passwords, screen
savers or equivalent controls when not in use.
2. Users need to manually lock their desktops and laptops even when they
leave their workplace for a short period of time.
Reference: XYZ ISMS Clear Desk Clear Screen Policy

Document Security
1. Users shall collect printouts and photocopies immediately from the
printers and photocopiers.
2. Users shall ensure that unused printouts are shredded appropriately.
3. In order to reduce the risk of unauthorized access to XYZ information,
users shall adopt the Clear Desk policy. This shall be ensured by keeping all
documents in safe custody, such as under a lock and key arrangement.
4. All documents containing sensitive information shall be labelled as per the
information classification and labelling guidelines.
5. Documents containing confidential information shall have a retention period
and a proper disposal/destruction process to avoid any
unauthorized access to that data.
6. The XYZ IT Department shall ensure that warning notices are displayed on fax
cover sheets to the effect that the message is meant for the recipient only
and that use of the message by any other party will be deemed
unauthorized or illegal.

Incident Reporting
1. Users shall promptly report all incidents through the appropriate channel
as provided by the IT department. These may include (but are not limited to):
a. Loss of service, equipment or facilities
b. Information leakage or loss
c. System malfunctions or overloads
d. Human errors
e. Breaches of physical security arrangements
f. Uncontrolled system changes
g. Access violations
h. Successful hacking attempts
i. Virus incidents involving e-mail, Internet, USB, CD, diskette and
others
j. Malfunctioning of systems, software or hardware
k. Misuse of IT resources
l. Unacceptable use of information assets
m. Power problems
n. Suspicious activities
o. Physical security breaches
p. Security weaknesses
q. Fire
r. Theft of company property
s. Password sharing or compromise
t. Non-compliance with policies and procedures
2. Users shall support the incident response team in its response to contain
the incident and take the necessary corrective and preventive actions.
3. Users shall refrain from tampering with any source of evidence or audit logs on
information systems that may be required for future audit and prosecution
purposes.
Reference: XYZ ISMS Security Incident Management Policy

ISO 27001:2013 References
A.6.2.1 - Mobile device policy
A.7.2.3 - Disciplinary process
A.8.1.3 - Acceptable use of assets
A.9.3.1 - Use of secret authentication information
A.11.2.8 - Unattended user equipment
A.11.2.9 - Clear desk and clear screen policy
A.12.2.1 - Controls against malware
A.12.6.1 - Restrictions on software installation
A.13.2.3 - Electronic messaging
A.16.1.2 - Reporting information security events

ISR Reference
2.6.1 - Develop, distribute and maintain an acceptable use policy

****End of document****
