Employee Internet Use Monitoring and Filtering Policy

DRAFT – PRIVILEGED & CONFIDENTIAL
1836 Technologies International Employee Network and
Internet Usage and Monitoring Policy
1. Policy Statement
1.1 This policy sets out rules that all 1836 Technologies personnel must follow when using the
1836 Technologies Network and/or the Internet from any 1836 Technologies computer, which
includes usage of both the World Wide Web (www) and 1836 Technologies’s internal intranet
systems (“1836 Technologies Network”).
1.2 This policy also applies to personal use of 1836 Technologies’s E-mail (Outlook) system.
However, additional confidentiality and liability conditions apply to e-mails.
1.3 This policy also explains what 1836 Technologies may do as an employer to lawfully monitor
and report use of the 1836 Technologies Network and/or 1836 Technologies computer and
investigate suspected systems breaches by personnel or third parties as well as unlawful
behavior.
1.4 This policy applies to any person who uses 1836 Technologies’s network and/or computers to
access the Internet and E-mail. Where the policy refers to “personnel” or “user” this means
anyone employed by 1836 Technologies or its parent company, any person carrying out work
activities on 1836 Technologies occupied premises who is not directly employed by 1836
Technologies (e.g. students, interns, work placements or volunteers), or any person providing a
service to 1836 Technologies under contract (independent contractor, consultant, or temporary
employee). Collectively referred to as “1836 Technologies Personnel”.
1.5 Access to the 1836 Technologies network and/or Internet access is provided primarily to 1836
Technologies personnel to use for 1836 Technologies’s business and to develop the skills and
knowledge of 1836 Technologies’s workforce to the benefit of its business objectives. A certain
amount of limited and responsible personal use is also permitted.
1.6 The wide range of information available on the 1836 Technologies Network, as well as the
Internet, and the nature and risks associated with the use of the Internet raises concerns about
security, integrity, confidentiality, monitoring and proper conduct.
1.7 Data Protection Statement.
1.7 1836 Technologies will monitor all user activity on the Internet at network level for the
purposes specified in Section 4.1. Information recorded as part of this automated monitoring
process includes user identification, domain names of websites visited, duration of visits, and files
uploaded to or downloaded from the Internet. Staff must be made aware that this monitoring may
reveal sensitive data about them, for example visits to websites which detail the activities of a
particular political party or religious group might indicate the political opinion or religious belief of
that staff member, or self-help or health advice sites might identify a physical or mental health
condition. By carrying out such activities using 1836 Technologies’s Internet access facilities,
Staff consent to 1836 Technologies processing any sensitive personal data about them that may
be revealed through monitoring.
Personnel who do not consent must take responsibility for the maintenance of their own personal
privacy by not using 1836 Technologies systems to access this type of information.
2.0 Purpose
The purpose of this policy is to define standards for systems that monitor and limit web use from
any computer or host within 1836 Technologies's network. These standards are designed to
ensure that 1836 Technologies assets, network, and Internet are used in a safe and responsible
manner, to ensure the confidentiality, integrity, and reliability of the 1836 Technologies network,
to prevent intrusions into 1836 Technologies’s network and breaches of personal and sensitive
data, and to ensure that web use by Personnel can be monitored or researched in the event
of an incident.
3.0 Scope
This policy applies to all 1836 Technologies employees, contractors, vendors, users, and agents
with a 1836 Technologies-owned, contractor-provided, government-furnished or personally-owned computer or workstation connected to the 1836 Technologies network. This policy applies
to all end user initiated communications between 1836 Technologies’s network and the Internet,
including web browsing, instant messaging, file transfer, file sharing, and other standard and
proprietary protocols. Server to Server communications, such as SMTP traffic, backups,
automated data transfers or database communications are excluded from this policy.
This policy also explains what 1836 Technologies may do as an employer to lawfully monitor and
report use of the system and investigate suspected systems breaches by Personnel or third
parties as well as unlawful behavior.
4.0 Policy
4.1 Internet and Network Monitoring
4.1.1 1836 Technologies’s Information Technology Services (ITS) Group has incorporated
intrusion detection capabilities into its Network so as to provide information relating to
unauthorized or irregular behavior on any 1836 Technologies computer, network, or
telecommunication system, and to analyze it for signs of possible incidents, which are
violations or imminent threats of violation of computer security policies, acceptable use policies,
or standard security practices. This is done to protect 1836 Technologies and customer
resources and data maintained or stored on 1836 Technologies’s network.
4.1.2 To protect the integrity of 1836 Technologies’s Network and the data maintained on its
Network, the (ITS) Group will monitor Internet usage, network traffic on the 1836 Technologies
Network, as well as all 1836 Technologies computers and devices, whether or not connected to the
1836 Technologies Network.
4.1.3 Because information recorded by the automated monitoring systems can be used to
identify an individual user and show, for example, a website or document that a user has been
viewing and the time spent browsing, personnel must not assume privacy in their use of the 1836
Technologies’s systems, even when accessing the systems in their personal time i.e. out of paid
working hours.
4.1.4. In the event that ITS finds inappropriate activity or infestation of a company asset, this
information may then be shared with the appropriate 1836 Technologies management, the
Incident Response Team, and the Legal Department. 1836 Technologies reserves the right to
carry out detailed inspection, make a copy of any 1836 Technologies asset or devices containing
1836 Technologies data, where warranted, and to re-image any 1836 Technologies asset as
needed.
4.2 Access to Web Site Monitoring Reports
Authorized ITS members, Incident Response Team members, and the Legal Department will
have access to all reports and data if necessary in order to respond to a security incident. Internet
Use reports that identify specific users, sites, teams, or devices will only be made available to
personnel outside ITS upon written or e-mail request from an authorized Human Resources
Representative.
4.3 Internet Use Filtering System
4.3.1 1836 Technologies Personnel shall not access, transmit, upload, download, print, display
or otherwise disseminate the following types of material while on the 1836 Technologies Network
or while using 1836 Technologies assets:
• Adult/sexually explicit and/or obscene images, data, or other material;
• Tasteless, Defamatory, and/or Offensive Content;
• Racially offensive;
• Fraudulent or otherwise unlawful; and/or
• Promotes violence, Intolerance and/or Hatred;
• Any data capable of being transformed into obscene or indecent images or material
This includes obscene language, pornography, hostile material relating to gender, sex, race,
sexual orientation, religious, political convictions, disability or information that would cause or
promote incitement of hatred, violence or any other intimidating material that is designed or could
be used to cause offence, annoyance, inconvenience, needless anxiety or which would
contravene any Trust policy, in particular equal opportunities or harassment, or break any law.
4.3.2 1836 Technologies Personnel cannot:
i. Intentionally circumvent security mechanisms such as cracking passwords,
exploiting system vulnerabilities, or using systems in excess of granted privileges;
ii. Intentionally write, compile, copy, propagate, execute, or attempt to introduce any
malicious computer code designed to self-replicate, damage, or otherwise hinder the
performance of any computer system. Such software may be referred to as malware, virus,
bacteria, worm, or a Trojan Horse; and
iii. Transmit, upload, post or discuss Personally Identifiable Information (PII),
Protected Health Information (PHI), or sensitive Government or 1836 Technologies company data
with any third party without prior written authorization; or
4.3.3 In addition to the above, the Internet may not be accessed and used for any of the following:
• Any activity that infringes copyright
• Transmission of unsolicited commercial or advertising material
• Deliberate unauthorized access to facilities or services accessible via the Internet
• Corrupting or destroying another user’s data
• Any activity that would violate the privacy of others
• Any activity that would risk bringing the organization into disrepute or place the Trust in a
position of liability
• Cause damage or disruption to organizational systems
• Any activity that would violate the laws and regulations of the European Union
• Not to be used for any secondary paid employment or voluntary services
• Not to be used to run a personal business
4.3.4 The IT Department reserves the right to block access to Internet websites and protocols that
are deemed inappropriate for 1836 Technologies’s corporate environment. The following
protocols and categories of websites are examples of the type of websites that may be blocked:
• Adult/Sexually Explicit Material
• Advertisements & Pop-Ups
• Gambling
• Hacking
• Illegal Drugs
• Intimate Apparel and Swimwear
• Peer to Peer File Sharing
• SPAM, Phishing and Fraud
• Spyware
• Tasteless, Defamatory, and/or Offensive Content
• Racially offensive, promoting violence, Intolerance and/or Hatred
4.4 Internet Use Filtering Exceptions
If a site is blocked, then 1836 Technologies Personnel may only access that blocked site with
prior written permission if appropriate and necessary for business purposes. If any Personnel
need access to a site that is blocked and appropriately categorized, they must submit a request to
their appraisal manager. They will then present all approved exception requests to ITS in writing
or by email, and ITS will evaluate the request and consider unblocking that site or category.
5.0 Enforcement
5.1 1836 Technologies personnel are expected to report suspected violations of this policy to
the Legal Department.
5.2 Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.
6.0 Special Approval for European Union (EU) Users
Due to privacy concerns within the EU, special approvals and consents from the 1836
Technologies Personnel must be undertaken before a deep packet inspection is started. 1836
Technologies ITS will first ask the affected 1836 Technologies Personnel for permission to conduct a
further analysis of their packet payloads to determine the cause of the alert. The user will then
be informed of their options, and if they agree to the inspection, they will be required to complete
the attached EU Consent Form. If the user consents to ITS inspecting the packet payload, ITS
will then examine the packets captured. If the user denies ITS’ request, the user may be
disconnected from the 1836 Technologies Network if it is determined that his/her computer will
continue to pose a risk to the 1836 Technologies Network.
7.0 Definitions
Hacking Sites - Sites that provide content about breaking or subverting computer security
controls.
Incident - A reported security event or group of events that has proven to be a verified information
technology security breach. An incident may also be an identified violation or imminent threat of
violation of information technology security policies, or a threat to the security of system assets.
Some examples of possible information technology security incidents are, but are not limited to:
• Loss of confidentiality of information
• Compromise of integrity of information
• Loss of system availability
• Denial of service
• Misuse of service systems or information
Internet - an unclassified electronic communications network that connects computer networks
and organizational computer facilities around the world.
Internet Filtering – Using technology that monitors each instance of communication between
devices on the corporate network and the Internet and blocks traffic that matches specific rules.
Intrusion detection - The process of monitoring the events occurring in a computer system or
network and analyzing them for signs of possible incidents, which are violations or imminent
threats of violation of computer security policies, acceptable use policies, or standard security
practices.
IP Address – Unique network address assigned to each device to allow it to communicate with
other devices on the network or Internet.
Peer to Peer File Sharing – Services or protocols such as BitTorrent and Kazaa that allow
Internet connected hosts to make files available to or download files from other hosts.
Social Networking Services – Internet sites such as Myspace and Facebook that allow users to post
content, chat, and interact in online communities.
Phishing – attempting to fraudulently acquire sensitive information by masquerading as a trusted
entity in an electronic communication.
SMTP – Simple Mail Transfer Protocol. The Internet Protocol that facilitates the exchange of mail
messages between Internet mail servers.
SPAM – Unsolicited Internet Email.
User ID – User Name or other identifier used when an associate logs into the corporate network.
8.0 Revision History
__/2010 – Draft Completed, ________________
DRAFT EU Consent Form
I, _____________________, having been informed of my right not to have a search made of the
computer systems hereinafter mentioned without a search warrant and of my right to refuse
consent to such a search, hereby authorize 1836 Technologies International, Inc., Information
Technology Services, to conduct a complete search of the computer system: ______(insert host
name of the computer here)______ and its communications used to conduct 1836 Technologies
business. This search includes the deep packet inspection of all communications between the
aforementioned computer and the internet in an effort to safeguard the 1836 Technologies
network from malicious activities.
You are hereby authorized by me to take from this location any property which you need to
complete your analysis, assessment, and/or resolution of a possible privacy or internet security
incident. This written permission is being given by me voluntarily and without threats or promises
of any kind. I have not been threatened, placed under duress or promised anything in exchange
for my consent. I have read and understand this form. I understand the English language and
have been able to communicate with the 1836 Technologies ITS representatives regarding the
possible privacy and/or IT security incident.
I understand that this consent only applies to this incident and that my further consent will be
required for any future incidents that may occur.
Dated, signed and witnessed
Signed:____________________________
Date: ____________________________
Witnessed: _________________________