1.2 Acceptable Use Policy

Purpose and Scope

This Acceptable Use Policy defines standards for appropriate and secure use of Sord’s hardware and electronic systems including storage media, communication tools and internet access. From time to time, Sord may update this policy and implement different levels of security controls for different information assets, based on risk and other considerations. This policy is guided by security requirements specific to Sord including applicable laws and regulations.

This policy applies to all Sord personnel acting on behalf of Sord or accessing its applications, infrastructure, systems or data. All personnel are required to read, accept and follow all Sord policies and plans.

General

Ownership

Sord is the owner of all company-issued hardware and electronic systems and of the data stored in them or transmitted from them.

User Responsibilities

Personnel should not make any discriminatory, disparaging, defamatory or harassing comments when discussing Sord, using social media, blogging or otherwise engaging in any conduct to the detriment of Sord.

Personal Use Systems

Incidental use of Sord electronic systems for personal use is permitted provided such use does not interfere with productivity, confidentiality or the business and is not in conflict with team member responsibilities outlined in any Sord policy.

Compliance

  • For security and network maintenance purposes, Sord may monitor and track system access and content of Sord hardware, system(s) and information to reasonably ensure compliance with applicable laws, regulations and Sord policies.

  • Sord reserves the right to access and audit any devices, networks and systems to ensure compliance with any Sord policy.

Communication Tools

Use of Email and Messaging Tools

Email and other messaging tools are intended to be used as a business tools to facilitate communications and the exchange of information needed by team members to perform their assigned duties.

Encryption

All messages and/or attachments that contain confidential information are required to be encrypted to protect the privacy and integrity of the information.

Responsibilities

  • Communication tool passwords should not be shared with another individual. They are intended for the authorized team member only.

  • Team members who transmit confidential information outside the organization should comply with applicable regulatory and customer requirements and Sord policies regarding the disclosure of confidential information to third parties.

  • Communications may be monitored and tracked without advanced notice to or consent by the team member.

  • Retention and disposal of electronic communications should be in accordance with all other Sord data protection and privacy policies.

Prohibited Uses of Communication Tools

  • Dissemination of confidential information (i.e., trade secrets, team member personal information or financial data), except for approved business purposes.

  • Attempting to gain access to another team member’s account, without permission.

  • Misrepresenting, obscuring, suppressing, or replacing a team member’s identity.

  • Sending confidential information over an open network (the Internet) without proper encryption.

  • Transmitting, retrieving, or storing of any communications of a defamatory, discriminatory, or harassing nature or materials that are obscene.

  • Transmission of messages with derogatory or inflammatory remarks about an individual's race, age, disability, religion, national origin, physical attributes or sexual preference.

Devices

Use of Company Devices

The use of Sord phones (static and mobile), laptops and other hardware is primarily for business use.

Use of Personal Devices (BYOD)

The use of a personal device for Sord purposes should be limited to email and the Sord messaging tool. Personnel must not save Sord data to any personal device. You are responsible for updating your device to the latest software version within 30 days of a new release.

Personal phones are not in scope for this policy.

Mobile Device Management (MDM)

Mobile device management (MDM) is implemented to manage and enforce mobile device configuration and security policies. Mobile devices should be approved prior to granting access to resources.

The MDM solution ensures and/or manages the following:

  • Encryption: Storage is encrypted at rest

  • Malware Protection: Malware protection is enabled

  • Software Updates: OS updates are monitored

  • Screensaver / Lockscreen: Screensavers / lockscreens are configured to activate after a maximum of 15 minutes. Logs Are Enabled: Security and IT monitors and investigates events of interest e.g. unrecognized devices.

Employees and applicable contractors must report loss, theft, or other security incidents related to their company-provided mobile device in a timely manner.

Use of Removable Media

Sord personnel may use approved removable media only in their work computers. Sensitive information should be stored on removable media only when required in the performance of assigned duties. When sensitive information is stored on removable media, it must be encrypted in accordance with the Sord Encryption and Key Management Policy. Exceptions to this requirement may be granted by senior management.

Responsibilities

  • Personal use of Sord devices are allowed only as set forth in the General section of this policy.

  • Personnel assigned a Sord device are responsible for protecting the device from theft or damage.

  • If the issued device is lost or stolen, personnel responsible for the device must report the loss or theft to [email protected].

  • Devices that have not been approved by management should not be used to send or store any confidential information.

Social Media

Limited and occasional use of Sord devices to access social media is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate Sord policies, is not detrimental to the best interests of Sord, and does not interfere with a team members regular work duties.

Networks and Internet Access

Responsibilities

  • Use of internet access is primarily for business use. Personal use is allowed only as set forth in this policy.

  • Access to the Sord production network must be secure.

  • No confidential information should be sent from or to an individual or entity outside of Sord using personal email accounts.

  • You may use the production network and internet only for lawful purposes.

Encryption

Sord users who are in travel status and use laptops to access the production network or company data must ensure such transmissions are encrypted and only access the network through authorized means. During travel, access to the internet should only be made via secure wireless networks.

Explicit Content

Users using Sord devices who discover they have connected with a web site that contains sexually explicit, racist, violent, or other potentially offensive material must immediately leave the site and report such use to [email protected].

Prohibited Uses

You agree not to use personal email accounts for, but not limited to:

  • Dissemination of confidential information.

  • Attempting to gain access to another Internet account, without permission.

  • Sending confidential information over the Internet without proper encryption.

You agree not to use network and internet access to:

  • Violate any applicable federal, state, local, or international law or regulation (including, without limitation, any laws regarding the export of data or software to and from the US or other countries).

  • Access data, a server or an account for any purpose other than conducting Sord business, even if you have authorized access, is prohibited.

  • Make statements about warranty, expressly or implied, unless it is a part of normal job duties.

  • Make fraudulent offers of products, items, or services originating from any Sord account.

  • For the purpose of exploiting, harming, or attempting to exploit or harm, minors in any way by exposing them to inappropriate content, asking for personally identifiable information, or otherwise.

  • Send, knowingly receive, upload, download, use, or re-use any material which violates the rights of any individual or entity established in any jurisdiction.

  • Transmit, or procure the sending of, any advertising or promotional material, including any "junk mail," "chain letter," "spam," or any other similar solicitation.

  • Impersonate or attempt to impersonate Sord, an employee, contractor, another user, or any other person or entity (including, without limitation, by using e-mail addresses or screen names associated with any of the foregoing).

  • Engage in any other conduct that restricts or inhibits anyone's use or enjoyment of the network, or which, as determined by us, may harm Sord or users of the network or expose them to liability.

  • Disable, overburden, damage, or impair the network or interfere with any other party's use of the network, including their ability to engage in real time activities through the network.

  • Use any robot, spider, or other automatic device, process, or means to access the network for any purpose, including monitoring or copying any network traffic or resources available on the network.

  • Use any manual process to monitor or copy any network traffic or resources available on the network or for any other unauthorized purpose without our prior written consent.

  • Use any device, software, or routine that interferes with the proper working of the network.

  • Introduce any viruses, honeypots, trojan horses, worms, logic bombs, or other software or material which is malicious or technologically harmful.

  • Attempt to gain unauthorized access to, interfere with, damage, or disrupt any parts of the network or any server, computer, database, or other resource or element connected to the network.

  • Violate, attempt to violate, or knowingly facilitate the violation of the security or integrity of the network.

Content Standards

You agree not to send, knowingly receive, upload, download, use, or re-use any material which:

  • Contains any material that is defamatory, obscene, indecent, abusive, offensive, harassing, violent, hateful, inflammatory, or otherwise objectionable.

  • Promotes sexually explicit or pornographic material, violence, or discrimination based on race, sex, religion, nationality, disability, sexual orientation, or age.

  • Infringes any patent, trademark, trade secret, copyright, or other intellectual property or other rights of any other person.

  • Violates the legal rights (including the rights of publicity and privacy) of others or contains any material that could give rise to any civil or criminal liability under applicable laws or regulations.

  • Is likely to deceive any person.

  • Promotes any illegal activity, or advocates, promotes, or assists any unlawful act.

  • Causes annoyance, inconvenience, or needless anxiety or is likely to upset, embarrass, alarm, or annoy any other person.

  • Impersonates any person, or misrepresents your identity or affiliation with any person or organization.

  • Gives the impression that they emanate from or are endorsed by us or any other person or entity, if this is not the case.

Exceptions

Sord business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Sord policy. If an exception is needed, Sord management will determine an acceptable alternative approach.

Enforcement

Any violation of this policy or any other Sord policy or procedure may result in disciplinary action, up to and including termination of employment. Sord reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Sord does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.

Any personnel who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of Sord as soon as possible.

The disciplinary process should also be used as a deterrent to prevent employees and contractors in violating organizational security policies and procedures, and any other security breaches.

Responsibility, Review, and Audit

Sord reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.

This document is maintained by Jonathan Gautsch.

This document was last updated on 03/27/2024.

Previous1.1 Information Security PolicyNext1.3 Code of Conduct

Last updated