Internet Policies - A framework to protect your organisation

Why do I need an Internet Policy?

Recent court cases have highlighted the issues around the use of the Internet. Cases have included massive damages for libel, damage to business and copyright misuse. Furthermore, your internal systems can be at risk from viruses, security loopholes and general computer mis-use.

Finally, you want to ensure that your organisations use of the Internet is as professional as every other activity. There is a tendency, because the Internet is informal, to be informal in your dealings with the Internet. Yet you would not contemplate this with any other media, written or otherwise...

The sample presented below is intended to be a framework. It is certainly not validated in law and may contain more or less than you need to define for your own company. However, you are free to use it in any way you see fit and at your own risk or otherwise.

Credits

We are indebted to Peter Thomson and his colleagues at Wolverhampton Council (www.wolverhampton.gov.uk) for letting us use their own policy as a framework.

Introduction

This document details the policies established by the organisation for the use of the Internet. If you use a connection to the Internet in connection with your work for the organisation, you must understand and obey these policies. Most are a matter of common sense, and you will not find it difficult to follow them.

The basic aim of these policies is to ensure that, in using the Internet, neither you as an individual nor the organisation breaks the law, does anything unethical or anti-social, or damages the interests of the organisation. The policies may be amended from time to time to meet changing needs, while still reflecting this aim. You will be informed of any such changes.

The policies are written in relation to Internet access accounts provided by the organisation. You may, if you wish, use a privately provided Internet connection for purposes related to your work. However, if you do, the relevant parts of these policies will still apply.

All requests for Internet access must be in writing, and must indicate the purposes for which it is required. Requests which are agreed by your departmental management will be forwarded to and recorded by the Information Technology Department. The costs of access will be charged to your Department.

You will be told which Internet services the organisation has agreed to provide for you, and provided with appropriate software to access them. You must not attempt to access services which you have not been authorised to use. You must not install additional Internet related software, or change the configuration of existing software, without authorisation.

An Internet dial-up account is for use on one computer only. You must not load or use the access software on another computer.

The computer on which the access software is installed must also have an approved security package installed, and be configured so that only authorised users of the Internet can run the access package. Passwords should be chosen so as not to be easily guessed, should be changed regularly, and should never be disclosed to others. You are responsible for everything that is done using your logon ID and password.

The organisation reserves the right to:

• withdraw your access to any computer systems and communication services, including Internet services;
• prohibit access to certain specific newsgroups, web pages and other Internet resources;
• remove or substitute the hardware or software used to access the Internet

at any time and for any reason.

Internet access provided by the organisation must be used only for the organisations business. If it is found that an account is being used for non related business, you may be required to pay an appropriate part of the charges incurred, in addition to any other disciplinary action taken.

What Internet use is appropriate for your job is largely for you and your line manager to determine. You should, however, be aware that it is easy to spend long periods browsing without finding anything of real value to you. It is important to have a clear purpose in mind when using the Internet. Your manager is entitled to question whether your use of the Internet is appropriate.

When participating in discussions in newsgroups and mailing lists, you may offer information and advice to others if that is appropriate to your job, or if it represents a reasonable return (in terms of the effort involved) for the value you receive from the discussion. You should not offer help in areas which are the responsibility of someone else within the organisation, but you may redirect or pass on enquiries to the appropriate person if you know who that is. You must not take part in discussions on matters which are politically controversial, whether nationally or locally, and you must not give advice or information which you know is contrary to the organisation's policies or interests.

You must not use, or try to use, an Internet account for any of the following purposes, even if you consider them relevant to your job, without specific written authorisation:

• breaking through security controls, whether on the organisation's equipment or on any other computer system;
• accessing Internet traffic (such as e-mail) not intended for you, even if not protected by security controls, or doing anything which would adversely affect the ability of others to access Internet resources which they are entitled to access;
• intentionally accessing or transmitting computer viruses and similar software;
• intentionally accessing or transmitting information about, or software designed for, breaching security controls or creating computer viruses;
• intentionally accessing or transmitting material which is obscene, sexually explicit, defamatory, incites or depicts violence, or describes techniques for criminal or terrorist acts;
• knowingly doing anything which is illegal under English law or the law of any other relevant country.

If you inadvertently access material which you suspect contains a computer virus, you should immediately break the connection, stop using your computer and contact the Information Technology Department for help. If you inadvertently access any of the other types of unacceptable material above, you should immediately break the connection and delete any record of this material from your computer.

Some organisations accept orders for goods and services (particularly software) via the Internet. The fact that you have been granted Internet access does not give you the authority to place orders, or conduct other formal transactions, in the name of the organisation. Any orders to be placed in this way must first be authorised through your normal departmental procedures.

The term "postings" is used here to refer to material you transmit to the Internet as e-mail or newsgroup articles.

You should be aware that communications on the Internet are not guaranteed to be private, nor to arrive at their destination within a particular time or at all.

You must not transmit confidential, personal or other sensitive information to the Internet, unless appropriate encryption is applied to protect it (see the later heading "Encryption").

You must not "spam" multiple newsgroups or mailing lists, or make other excessive use of unsolicited postings.

You must not abuse or "flame" others, even in response to abuse directed at you.

You must not use Internet postings to harass or threaten anyone.

You must not participate in chain or pyramid letters or similar schemes.

The use of CAPITALS in postings is generally interpreted as SHOUTING and should be avoided.

You should not forward material posted to you personally to others, particularly to newsgroups or mailing lists, without the permission of the originator.

You must not use anonymous mailing services to conceal your identity when posting to the Internet, falsify postings to make them appear to originate from someone else, or provide false information to any Internet service which requests your name, e-mail address or other details.

The following must be included in your "signature file", which will be automatically appended to any and all newsgroup postings and/or e-mail created from an organisations Internet account:

Your signature file will be set up for you to contain these statements; you must not change or remove them.

Separate guidelines are being developed for the publication of the organisations information through the World Wide Web and other Internet channels. Unless specifically authorised, you should not make any of the organisations information available via WWW, FTP, gopher or other similar systems, based on your own or any other computer.

E-mail and other Internet services are not formal media, and their legal status remains unclear. They should not be used for formal communications - those where a permanent record needs to be kept.

If you keep copies of e-mail or other communications for any length of time, you should be aware that they are almost certain to be "personal data" within the terms of the Data Protection Act. You should ensure that you are suitably registered under the Act. If you are unclear about this, contact the Information Technology Department.

The quality of information available on the Internet is very variable, and should not be relied upon uncritically. It is your responsibility to make a judgement about any information obtained from this source, as to whether it is good enough for the purpose for which you will use it, and to verify it independently if necessary.

Equally, the quality of software available is variable. If you receive any software, you must check it for virus infection before running it. You must also ensure that it is of acceptable quality for the purposes for which you use it.

If you download any software or information contained on or available for retrieval through the Internet, you are responsible for ensuring that the copyright, patent or other rights of the owners are respected.

In particular, software described as "public domain", "shareware" etc. may not be free. In many instances these products are copyright and a fee is imposed by their creator for corporate use, even if they are free for individual home users. In some cases, a limited "evaluation" period of free use is permitted, after which a fee is payable. You are responsible for understanding and obeying the conditions specified in each individual case. Where a fee is payable for the lawful use of a product, you are responsible for arranging for approval and payment through the normal purchasing procedures. If approval is denied, the product must be deleted from any and all computers where it has been installed.

Equally, you must not transmit copyright software from your computer to the Internet or permit anyone else to access it on your computer via the Internet.

You should not copy information originated by others and re-post it without acknowledging the original source, even if you modify the content to some extent.

Copyright and other rights in all messages posted to the Internet from your account, like other material you produce at work, belongs to the organisation and not to you personally.

You must not install or use any encryption or authentication (digital signature) software, other than that contained within other standard software such as a Web browser, without authorisation from the Information Technology Department. If you do use such software, you will be required to provide the the Information Technology Department with a copy of all relevant keys. The use of digital signatures to authenticate postings as coming from the organisation will be subject to appropriate departmental controls, as for signatures on outgoing paper correspondence.

You should not assume that information posted on the Internet really originates from the person or organisation who appears to have produced it, without some form of authentication. If you intend to rely on a digital signature for authentication, you must not assume that it really belongs to the person or organisation it appears to without checking this by a means outside the Internet (e.g. telephone, post or meeting).

The organisation reserves the right to monitor your Internet usage. This will normally mean capturing usage statistics, and providing such statistics to appropriate managers. However, more detailed monitoring may be applied where violation of these policies is suspected, and the information obtained may be used as a basis for action against such violations.

The organisation may, depending on the nature of the violation, respond by any combination of:

• informal warning;
• denial of Internet access for a period;
• denial of access permanently;
• disciplinary action through the normal disciplinary process;
• provision of information to the police for possible criminal proceedings.

If you need further help in understanding or following these policies, or if you think they need to be changed, contact the Information Technology Department.