IT - Security Policy
base 1.0
PURPOSE, SCOPE AND USERS
The purpose of this document is to define clear rules for the use of the information system and other information assets in PlayerLync (hereinafter referred to as PlayerLync or “The Company”).
Users of this document are all employees of PlayerLync.
REFERENCE DOCUMENTS
- ISO/IEC 27001 standard
- [Information Classification Policy] - Not Required
- [Security Procedures for the IT Department] - Portions Required
PERSONNEL SECURITY
PlayerLync employees are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Upon hire, PlayerLync will verify an individual’s education and previous employment, and perform internal and external reference checks. Where local labor law or statutory regulations permit, PlayerLync may also conduct criminal, credit, immigration, and security checks. The extent of background checks is dependent on the desired position. Upon acceptance of employment at PlayerLync, all employees are required to execute a confidentiality agreement and must acknowledge receipt of and compliance with policies in PlayerLync’s Employee Handbook. The confidentiality and privacy of customer information and data is emphasized in the handbook and during new employee orientation.
PlayerLync employees handling customer data are required to complete necessary requirements in accordance with these policies. Training concerning customer data outlines the appropriate use of data in conjunction with business processes as well as the consequences of violations.
BASIC SECURITY RULES
DEFINITIONS
Information system ‑ includes all servers and clients, network infrastructure, system and application software, data, and other computer subsystems and components which are owned or used by the organization or which are under the organization's responsibility. The use of an information system also includes the use of all internal or external services, such as Internet access, e-mail, etc.
Information assets ‑ in the context of this Policy, the term information assets is applied to information systems and other information/equipment including paper documents, mobile phones, portable computers, data storage media, etc.
EMPLOYEE BACKGROUND CHECKS
Before an individual joins our staff, PlayerLync may verify their education and previous employment, and perform internal and external reference checks. Where local labor law or statutory regulations permit, PlayerLync may also conduct criminal, credit, immigration, and security checks. The extent of these background checks is dependent on the desired position.
ACCEPTABLE USE
Information assets may be used only for business needs with the purpose of executing organization-related tasks.
RESPONSIBILITY FOR ASSETS
Each information asset has an owner designated in the Inventory of Assets. The asset owner is responsible for the confidentiality, integrity and availability of information in the asset in question.
PROHIBITED ACTIVITIES
It is prohibited to use information assets in a manner that unnecessarily takes up capacity, weakens the performance of the information system or poses a security threat. The following activities are also prohibited:
General Activities ‑ Users may not engage in any unlawful activity or transmit material in violation of applicable local, state or federal laws, PlayerLync policy, or industry regulations. Users must not purposely engage in activity that may harass, threaten or abuse others; degrade the performance of information resources; deprive an authorized user of access to a technology resource; or attempt to circumvent PlayerLync security measures. Users must not attempt to access data or programs contained on PlayerLync systems for which they do not have authorization. Users may not share account(s), passwords, security tokens, or similar information or devices used for identification and authorization purposes. Users must not take any action that violates PlayerLync’s codes of conduct, PlayerLync Company Policies, information technology security policies or other applicable laws. In the event of a conflict between policies, the more restrictive policy shall govern.
Server and Network Operations - Unless specific authorization is received from one's manager, individual users or departments must not operate DHCP, DNS, proxy, e-mail, remote access, or connection sharing servers. Users may not implement individual or department servers for anything other than company purposes. Users must not use external DNS providers to advertise services at PlayerLync network addresses. Users or departments must not install individual network components such as switches, routers, or wireless access points, or tamper with any network wiring.
Network Monitoring ‑ Users may not conduct network scans searching for other connected devices or conduct any form of network monitoring that will intercept data not intended for the user's computer. Unless this activity is a part of an authorized employee's normal job duty, users must not download, install or run programs designed to reveal or exploit weaknesses in system security such as password discovery programs, packet sniffers, or port scanners.
Commercial Use ‑ PlayerLync technology resources may not be used for solicitations, commercial purposes, or any business activities for individuals, groups, or organizations without prior permission obtained from the employee's manager.
Copyright and Illegal Software and Materials - Users must not make unauthorized copies of software owned by the organization, except in cases permitted by law, or by the CEO and CTO.
The Company does not allow the unauthorized use, installation, copying, or distribution of copyrighted, trademarked, or patented material on the Internet. As a general rule, if you did not create the material, do not own the rights to it, or have not received authorization for its use, you may not put the material on the Internet. You are also responsible for making sure that anyone who sends you material over the Internet has the appropriate distribution rights.
TAKING ASSETS OFF-SITE
Equipment, information or software, regardless of its form or storage medium, may not be taken off-site without prior written permission from the CTO.
As long as said assets are outside the organization, they have to be controlled by the person who was granted permission for their removal.
RETURN OF ASSETS UPON TERMINATION OF CONTRACT
Upon termination of an employment contract or other contract on the basis of which various equipment, software or information in electronic or paper form is used, the user must return all such information assets to [job title].
BACKUP PROCEDURES
The frequency of backups is determined by the volatility of data; the retention period for backup copies is determined by the criticality of the data.
Backups of client application data will follow that which is defined in the Data Retention Policy and Appendix Data Retention Schedule. Users will be required to familiarize themselves with the policies and act accordingly.
ANTIVIRUS PROTECTION
Windows Defender AntiVirus will be installed on each Windows-based computer with automatic updates activated.
Dr. Antivirus will be installed on each Mac OS-based computer with automatic updates activated.
MALWARE PREVENTION
An effective malware attack can lead to account compromise, data theft, and possibly additional access to a network. PlayerLync takes these threats to its networks and its customers very seriously and uses a variety of methods to prevent, detect and eradicate malware.
AUTHORIZATIONS FOR INFORMATION SYSTEM USE
Users of the information system may only access those information system assets for which they have been explicitly authorized by the asset owner.
Users may use the information system only for purposes for which they have been authorized, i.e. for which they have been granted access rights.
Users must not take part in activities which may be used to bypass information system security controls.
USER ACCOUNT RESPONSIBILITIES
The user must not, directly or indirectly, allow another person to use his/her access rights, i.e. username, and must not use another person’s username and/or password. The use of group user names is forbidden.
The owner of the user account is its user, who is responsible for its use, and all transactions performed through this user account.
PASSWORD RESPONSIBILITIES
OVERVIEW
Passwords are an integral aspect of our computer security program. Passwords are the front line of protection for user accounts. A poorly chosen password may result in the compromise of critical (organization) resources. As such, all (organization) staff and outside contractors and vendors with access to our systems are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. Users must apply good security practices when selecting and using passwords:
GUIDELINES
- Passwords must not be disclosed to other persons, including management and system administrators.
- Passwords must not be written down, unless a secure method has been approved by [job title].
- User-generated passwords must not be distributed through any channel (oral, written or electronic distribution, etc.).
- Passwords must be changed if there are indications that the passwords or the system may have been compromised ‑ in that case a security incident must be reported.
- Strong passwords must be selected, in the following way:
  - Using at least twelve characters
  - Using at least one numeric character
  - Using at least one uppercase and at least one lowercase alphabetic character
  - Using at least one special character
- A password must not be a dictionary word, dialectal or jargon word from any language, or any of these words written backwards
- Passwords must not be based on personal data (e.g. date of birth, address, name of family member, etc.)
- The last three passwords must not be re-used
- Passwords must be changed every 3 months
- Passwords must be changed at first log-on to a system
- Passwords must not be stored in an automated log-on system (e.g. macro or browser)
- Passwords used for private purposes must not be used for business purposes
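The strength, reuse and rotation rules above can be enforced mechanically. The following validator is an added example written for this document and is not PlayerLync's own tooling; the wordlist, the personal-data inputs and the use of an unsalted SHA-256 fingerprint for password history are assumptions made here to keep the example self-contained (a production system would store history with a salted, slow password hash).

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed stand-in for a real dictionary / jargon wordlist (assumption).
DICTIONARY = {"password", "playerlync", "welcome", "summer", "letmein"}

MIN_LENGTH = 12                 # "at least twelve characters"
HISTORY_DEPTH = 3               # "the last three passwords must not be re-used"
MAX_AGE = timedelta(days=90)    # "changed every 3 months" / "at least once every 90 days"


def fingerprint(password: str) -> str:
    """Hash a password so the history list never holds old passwords in clear.
    Unsalted SHA-256 is used only for illustration, not as a storage scheme."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _letters(text: str) -> str:
    """Lower-case letters only, so 'Password2024!' is still recognised as 'password'."""
    return re.sub(r"[^a-z]", "", text.lower())


def _alnum(text: str) -> str:
    """Lower-case letters and digits, used for matching personal data such as dates."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(candidate, history, personal_data=(), wordlist=DICTIONARY):
    """Return the list of policy rules the candidate violates; an empty list means accepted.

    history:       fingerprints of the user's previous passwords, newest first.
    personal_data: strings the policy forbids as a basis (date of birth, address,
                   family names, ...), supplied by the caller.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("fewer than twelve characters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no numeric character")
    if not (re.search(r"[A-Z]", candidate) and re.search(r"[a-z]", candidate)):
        problems.append("missing uppercase or lowercase letter")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")

    core = _letters(candidate)
    # Dictionary words are rejected both as written and spelled backwards.
    if any(core == word or core == word[::-1] for word in wordlist):
        problems.append("dictionary word (or reversed dictionary word)")

    blob = _alnum(candidate)
    if any(_alnum(item) and _alnum(item) in blob for item in personal_data):
        problems.append("based on personal data")

    # Only the most recent HISTORY_DEPTH entries are checked, as the policy states.
    if fingerprint(candidate) in history[:HISTORY_DEPTH]:
        problems.append("re-uses one of the last three passwords")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the 90-day rotation deadline has passed."""
    return today - last_changed > MAX_AGE
```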
PASSWORD PROTECTION STANDARDS
- Change passwords at least once every 90 days.
- Do not write down passwords
- Do not store passwords on-line without encryption.
- Do not use the same password for (organization) accounts as for other non-(organization) access (e.g., personal ISP account, on-line banking, email, benefits, etc.).
- Do not share (organization) passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential (organization) information.
- Don't reveal a password over the phone to ANYONE
- Don't reveal a password in an email message
- Don't reveal a password to the boss
- Don't talk about a password in front of others
- Don't hint at the format of a password (e.g., "my family name")
- Don't reveal a password on questionnaires or security forms
- Don't share a password with family members
- Don't reveal a password to co-workers while on vacation
- Don't use the "Remember Password" feature of applications (e.g., Groupwise, Instant Messenger, Internet Explorer, Mozilla). [we may want to offer or suggest or pre-load software for this.]
- If someone demands a password, refer them to this document or have them call the IT Service Desk.
- If an account or password is suspected to have been compromised, report the incident to IT security and change all passwords.
- Password cracking or guessing may be performed on a periodic or random basis by security personnel. If a password is guessed or cracked during one of these scans, the incident will be documented, and the user will be required to change their password.
INTERNET POLICY
PURPOSE
The purpose of this policy is to ensure the proper use of the Company's internet system and make its employees and users aware of what the Company deems as acceptable and unacceptable use of its internet system. This policy also provides for sanctions in the event of a breach or violation of the policy terms hereunder.
APPLICABILITY
This Policy applies to all users of company technology, including employees, contractors, vendors, partners, associates, and any other parties accessing or using the Company's System through on-site or remote terminals.
ACCESSING THE INTERNET
The Internet may be accessed only through the organization's local network with appropriate infrastructure and firewall protection. Direct Internet access through modems, mobile Internet, wireless networks or other devices for direct Internet access is forbidden.
DISCLAIMER OF LIABILITY FOR USE OF INTERNET
The Company is not responsible for material viewed or downloaded by users from the Internet. The Internet is a worldwide network of computers that contains millions of pages of information. Users are cautioned that many of these pages include offensive, sexually explicit, and inappropriate material. In general, it is difficult to avoid at least some contact with this material while using the Internet. Even innocuous search requests may lead to sites with highly offensive content. In addition, having an e-mail address on the Internet may lead to receipt of unsolicited e-mail containing offensive content. Users accessing the Internet do so at their own risk.
DUTY NOT TO WASTE COMPUTER RESOURCES
Employees must not deliberately perform acts that waste computer resources or unfairly monopolize resources to the exclusion of others. These acts include, but are not limited to, sending mass mailings or chain letters, spending excessive amounts of time on the Internet, playing games, engaging in online chat groups, printing multiple copies of documents, or otherwise creating unnecessary network traffic. Because audio, video and picture files require significant storage space, files of this or any other sort may not be downloaded unless they are business-related.
NO EXPECTATION OF PRIVACY
The computers and computer accounts given to employees are the exclusive property of the Company. No individual should have any expectation of privacy in any communication over this System. The System is to be used solely for company-related business and is not to be used for personal business or pleasure.
MONITORING COMPUTER USAGE
The Company reserves the right to monitor, intercept and/or review all data transmitted, received or downloaded over the System. Any individual who is given access to the System is hereby given notice that the Company will exercise this right periodically, without prior notice and without the prior consent of the employee. The Company's interests in monitoring and intercepting data include but are not limited to: protection of company proprietary and classified data; managing the use of the Company's computer System; preventing the transmission or receipt of inappropriate materials by employees; and/or assisting the employee in the management of electronic data during periods of absence. No individual should interpret the use of password protection as creating a right or expectation of privacy. In order to protect everyone involved, no one can have a right or expectation of privacy with regards to the receipt, transmission or storage of data on the Company's Internet System.
BLOCKING OF INAPPROPRIATE CONTENT
The Company may use software to identify inappropriate or sexually explicit Internet sites. Such sites may be blocked from access by Company networks. In the event you nonetheless encounter inappropriate or sexually explicit material while browsing on the Internet, immediately disconnect from the site, regardless of whether the site was subject to company blocking software.
PROHIBITED ACTIVITIES
Material that is fraudulent, harassing, embarrassing, sexually explicit, profane, obscene, intimidating, defamatory, or otherwise unlawful, inappropriate, offensive (including offensive material concerning sex, race, color, national origin, religion, age, disability, or other characteristic protected by law), or in violation of Company's equal employment opportunity policy and its policies against sexual or other harassment may not be downloaded from the Internet or displayed or stored in Company's computers. Employees encountering, witnessing or receiving this kind of material should immediately report the incident to their immediate supervisor and the person that signs your paycheck by phone. Company's equal employment opportunity policy and its policies against sexual or other harassment apply fully to the use of the Internet and any violation of those policies is grounds for discipline up to and including discharge.
E-MAIL AND OTHER MESSAGE EXCHANGE METHODS
Message exchange methods other than electronic mail also include download of files from the Internet, transfer of data via [provide names of specialized communication systems], telephones, fax machines, sending SMS text messages, portable media, forums and social networks.
EMAIL ACCOUNTS ARE THE PROPERTY OF THE COMPANY
All email accounts maintained on the Company's email systems are property of the Company. Company has the right to read and keep a record of any emails that users transmit via the Company's email system.
E-MAIL EXISTS FOR BUSINESS PURPOSES ONLY
The Company allows its e-mail access primarily for business purposes. The users may use the Company's email system for personal use only in accordance with this policy.
CONFIDENTIAL INFORMATION
Avoid sending confidential information by email. Users should follow the guidelines for handling classified information set out in the Information Classification Policy.
Confidential information includes, but is not limited to:
- client lists;
- credit card numbers;
- Social Security numbers;
- employee performance reviews;
- salary details;
- trade secrets;
- passwords; and
- any other information that could embarrass the Company and its associates if the information were disclosed to the public.
If sending a message with confidential data, the user must protect it as specified in the Information Classification Policy.
INAPPROPRIATE CONTENT
Users may only send messages containing true information. It is forbidden to send materials with disturbing, unpleasant, sexually explicit, rude, slanderous or any other unacceptable or illegal content. Users must not send spam messages to persons with whom no business relationship has been established or to persons who did not request such information.
VIOLATIONS AND SANCTIONS
If an employee is found to violate any of this email policy's rules, the Company could take disciplinary action up to and including termination of employment.
The actual penalty applied will depend on factors such as the seriousness of the breach, the employee's disciplinary record, and any other factors the Company deems necessary to consider.
SOCIAL MEDIA POLICY
The Company knows that online social platforms, including blogs, wikis, message boards, video and photo sharing websites, and social networking services, are constantly transforming the way we interact. We also recognize the importance of the Internet in shaping the public view of our Company. The Company is committed to supporting your right to interact responsibly and knowledgeably on the Internet through blogging and interaction in social media. We want our members to share and learn from others in order to build a valuable online community.
The purpose of these guidelines is two-fold: First, the Company has an aim to protect our interests, including, but not limited to, the privacy of our employees and confidentiality regarding our business purpose, plans, partners, users, and competitors. Second, these guidelines will help you make respectful and appropriate decisions about your work-related interactions with people on the Internet.
Your personal online activity is your business. However, any activity in or outside of work that affects your performance, the performance of others at the Company, or the Company's business interests is a proper focus for this Social Media Policy. You must always assume that your social media activity is visible to the Company as well as current and potential employees, clients, partners, prospects, and competitors. The Company reserves the right to direct its members to avoid certain subjects and remove inappropriate comments and posts. Our internal policies remain in effect in our workplace.
GUIDELINES FOR DISCUSSING THE COMPANY ON THE INTERNET
You are not authorized to speak on behalf of the Company without express permission from the Executive Team or Marketing. If you have permission to discuss the Company and/or our current and potential business activities, employees, partners, clients, or competitors, please follow these guidelines:
IDENTIFICATION
Identify yourself. Include your name, and when appropriate, state your role or title within the Company.
DISCLAIMER
Use a disclaimer that "the views you express on the particular website are yours alone and do not represent the views of the Company."
PROOF
Support any statements made online with factual evidence. Also, let your manager know about the content you plan to publish. Your manager may want to visit the website to understand your point of view.
GUIDELINES FOR CONFIDENTIAL AND PROPRIETARY INFORMATION
You may not share information that is confidential and proprietary about the Company. This includes, but is not limited to, company strategy, information about trademarks, upcoming product releases, sales, finances, number of products sold, number of employees, and any other information that has not been publicly released by the Company.
The list above is given as example only and does not cover the range of what the Company considers confidential and proprietary. If you have any questions about whether information has been released publicly or any other concerns, please speak with your manager before releasing information that could potentially harm the Company, or our current and potential business interests, employees, partners, and clients.
For additional information on proprietary information, please review the Employee Handbook and the contract you signed when you joined the Company.
The Company's logo and trademarks may not be used without explicit permission in writing from the Company. This is to prevent the appearance that you speak for or officially represent the Company.
It is fine to quote or retweet others, but you should not attempt to pass off someone else's words, photography, or other information as your own. All copyright, privacy, and other laws that apply offline apply online as well. Always give proper credit to your sources when posting a link or information gathered from another source.
MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT
Authorizations as a result of requests as defined in this document will be tracked alongside the Access Control and Access Groups documentation. Please refer to 8.2 Access Control Policy and associated Sharepoint document.
AMENDMENT OF POLICY
The Company reserves the right to amend this policy at its discretion. In case of amendments, users will be informed appropriately.