University Security Policy Report: Internet Usage and Employee Conduct


Added on  2020/03/04

AI Summary
This report provides an analysis of information security threats and vulnerabilities, focusing on the development of appropriate control measures to mitigate risks. The report centers on the crucial role of a security policy in maintaining data confidentiality and addressing employee conduct within an organization, particularly concerning internet usage. It outlines the Internet Usage Policy, detailing allowed and prohibited activities, access protocols, software license agreements, public information review, and monitoring procedures. The report emphasizes the importance of adhering to these guidelines to ensure network security, protect corporate image, and maintain the confidentiality of sensitive information. It also addresses penalties for policy violations and the legal actions that may be taken in such instances. The discussion highlights the significance of security policies in general and internet usage policies in particular, providing insights into the responsibilities of employees and the limitations they face in the context of organizational resources.
Running head: SECURITY POLICY
Security Policy
Name of the Student
Name of the University
Author’s Note:
Executive Summary
The main objective of this report is to analyze information security threats and vulnerabilities
and to determine appropriate control measures to reduce or remove such security risks. Threats
to an information security system are probable dangers that can misuse its security, breach
confidentiality, and ultimately cause harm to it. A security policy is the policy that is maintained
by all organizations to preserve the security and confidentiality of the company’s information
and important data. Employees are bound to follow all the rules that are set out in the
security policy. It addresses the limitations and constraints on the conduct of the employees
of a particular organization. These constraints cover the behavior of the employees as well as
the usage of any organizational resources. The following report covers the Internet Usage Policy
of an organization. The policy clearly states the permitted usage and the limitations on that
usage. The report sets out a list of Internet Usage Policy guidelines for an organization. The
guidelines will help the employees and staff members of an organization to understand the
importance of the policy as well as its limitations.
Table of Contents
Introduction
Discussion
  Security Policy
  Internet Usage Policy
    Internet Access
    Allowed Usage
    Personal Usage
    Prohibited Usage
    Software License
    Review of Public Information
    Monitoring
    E-mail Confidentiality
    Maintaining Corporate Image
Conclusion
References
Introduction
Security policies are a set of instructions, or rules, of a particular organization that help
employees understand the basic constraints placed on them. The Internet Usage Policy describes
the guidelines and rules for suitable use of the organization’s network, equipment, and
Internet access (Wall, Palvia and Lowry 2013). The Internet Usage Policy is the chief document
that is signed by all staff members and employees before they start work in the organization.
Violation of these policy norms can land the employee or staff member in prison, or he can be
penalized.
The report outlines the usage and the limitations of the Internet Usage Policy of a particular
organization. It clearly defines the guidelines and rules of the Internet Usage Policy. It also
covers a brief overview, the purpose and the scope of this particular policy. The report also
specifies the penalty and the legal actions that are to be taken if there is any kind of
violation of the policy. The policy mentions the authorized and the prohibited users. The report
also emphasizes the confidentiality of information under this Internet Usage Policy. The
discussion is given in the following paragraphs.
Discussion
Security Policy
A security policy can be defined as the set of norms or guidelines that state how information
or data is secured for a system, company or organization. This policy helps the employees of
the organization to understand its rules, so that there is no violation of
rules for the policy (Cheng et al. 2013). For a particular organization, the security policy
addresses the limitations or constraints on the conduct of its employees and members as well as
limitations imposed on competitors or challengers by different mechanisms such as locks, keys,
doors, and walls (Pieters, Dimkov and Pavlovic 2013). However, the security policy for systems
is slightly different. In systems, the policy addresses restrictions on functions and the flow
among the functions, and limitations on access by external competitors, adversaries and systems,
including access to data and programs by authorized people. There are many systematic strategies
of risk assessment and various methodologies to ensure the comprehensiveness of the security
policies and to ensure that the policies are completely enforced (Wall, Palvia and Lowry 2013).
In various complex systems, such as information systems, security policies can be decomposed into
several sub-policies to facilitate the allocation of security mechanisms to enforce the sub-policies.
Internet Usage Policy
The Internet Usage Policy defines the access to and the restrictions on the Internet in an
organization. All employees of that organization follow this policy (Orr, Ptacek and Song 2012).
The Internet Usage Policy is applicable to all Internet users, meaning individuals working for
the organization, including permanent part-time and full-time employees, business partners,
vendors, temporary agency workers and contract workers, who use the Internet through the
networking or computing resources (Sommestad et al. 2014). The organization’s Internet users
are expected to be familiar with and to comply with this Internet usage policy, and are
required to exercise good judgment and use their common sense while using the Internet services.
The Internet is to be accessed only for business purposes. The following Internet services are
to be accessed:
a) E-mail: Receiving or sending emails from the Internet, with or without attachments.
b) File Transfer Protocol (FTP): Sending files or information and receiving incoming
data and files, as required for organizational purposes.
c) Navigation: Employees will get complete access to the Internet and restricted access
from the Internet (Sommestad et al. 2014).
Management retains the authority to add or remove services as organizational needs change.
Internet Access
The employee is required to read the Internet Usage Policy. He or she will then sign the
statement agreeing to comply with the policy. The user does not have any other option except
to sign this policy (Choyi and Vinokurov 2012). The employee is thereby given policy
acknowledgement and awareness. After requesting Internet access by submitting an IT Access
Request form along with an attached copy of a signed Internet Usage Coverage Acknowledgement
Form, the employee will get access from the IT department.
Internet access will be stopped upon completion of contract, resignation of an employee,
termination of service of a non-employee, or legal action arising from violating this policy
(Safa, Von Solms and Furnell 2016). All users are given an ID for their Internet access, and
when they stop working, their IDs are taken back.
Use of the company’s Internet will be supported and granted only if practicable business
requirements are identified (Berger 2014). Internet access will be allowed on the basis of the
current job responsibilities of a staff member. When an employee moves to another business
unit or changes job functions, a new request for Internet access must be submitted to the IT
department within 5 days (Vance and Siponen 2012). The requirements will be reviewed on a
monthly basis by the organization.
Allowed Usage
Internet usage is granted for the purpose of doing business activities and carrying out job
functions (Cheng et al. 2013). All employees must follow the principles of the organization
regarding usage of the Internet. Internet access can include:
i) Communication between the employees for business purposes;
ii) Downloading software patches and upgrades;
iii) Viewing possible websites for product information;
iv) Obtaining technical information.
Personal Usage
The employees do not have the right to use the company’s Internet for personal
reasons. However, if the reason is genuine, the employee can obtain permission from the
authority and access the Internet (Orr, Ptacek and Song 2012). Users who opt to transmit or
store their personal information such as credit card numbers, private keys, or any confidential
access, do so at their own risk. The organization is not responsible for any kind of breach or
loss of information.
Prohibited Usage
The employees are not allowed to access any illegal web sites or to access data from those
web sites (Bayuk et al. 2012). Storage, acquisition and usage of information that is not legal, or
that negatively portrays sex, race or creed, is strictly prohibited. The organization also prohibits the
behavior of a political activity that engages in fraudulent activities, and any form of
intelligence collection from the provisions.
Other activities are also strictly prohibited. These activities include:
i) Access to company information that is not within the scope of an individual’s
work (Berger 2014). This includes unauthorized access to personnel file information, reading of
customer account information, and accessing information that is not needed for the proper
completion of job functions.
ii) Disclosing or misusing customer information without proper permission, or changing
it. This includes making unauthorized alterations to a file or sharing personnel data
with unauthorized users (Choyi and Vinokurov 2012).
iii) Any behavior that would encourage a criminal offense, or violate any regulation or
any local, state, national or international law.
iv) Transmission, use, duplication or voluntary receipt of material that infringes on the
trademarks, copyrights or patent rights of any organization or person.
v) Transmission or use of any confidential or sensitive information without proper
controls.
vi) Transmission, creation, posting or voluntary receipt of any threatening, offensive,
unlawful or harassing material, including comments that are based on national origin, race, sex,
age, religion, political beliefs or disability (Orr, Ptacek and Song 2012).
vii) Any type of gambling.
viii) Downloading any unauthorized programs for use without permission from
the IT Department (Pieters, Dimkov and Pavlovic 2013).
ix) Ordering or shopping for goods on the Internet.
x) Accessing any games.
The above-mentioned activities are strictly prohibited under the Internet Usage Policy of
an organization. The employees should make sensible efforts to use the Internet in ways that do
not affect other employees (Banuri et al. 2012). Specific departments should set regulations on
resource allocation and bandwidth use, and should ban downloading of particular file types.
Software License
The organization strongly supports strict adherence to software vendors’ license agreements.
When at work, or when company computing or networking resources are employed, copying of
software in a manner that is not consistent with the vendor’s license is strictly prohibited (Ifinedo
2012). Similarly, reproduction of materials that are available over the Internet must be done only
with the written permission of the owner or author of the document. Permission is necessary if
the user wants to make copies of content that already exists. Copied materials can be
anything, including journals, magazines, books, newsletters or other online documents (Neisse,
Steri and Baldini 2014). Using the organization’s computer resources to access the Internet for
personal purposes, without approval from the IT department and the user’s manager, will be
considered cause for legal action up to and including termination. The employees who choose to
transmit or store their personal information, for example passwords, credit or debit card
numbers, private keys, or encrypted certificates, do so at their own risk (Knapp and Ferrante
2012). This can be quite risky, as there is always a chance of hacking on the Internet, which is
accessed by many people. The employees should be careful about their privacy and confidentiality.
Review of Public Information
All directories that are publicly writable on Internet-connected computers will be
cleared and reviewed at each month end. This process is required to stop the anonymous exchange
of data that is inconsistent with company business (Gouglidis, Mavridis and Hu 2014).
Examples of public information that is unauthorized include use of credit and debit cards,
pirated information, and passwords. The privacy of the user’s personal information and data is
expected to be secured. It is secured through various functions such as monitoring,
confidentiality of emails and maintaining a corporate image (Vance and Siponen 2012).
Monitoring
The IT department should periodically monitor Internet activities so that users
are aware of their access and try to limit their illegal usage and activities (Vance and
Siponen 2012). Management should have the right to check and evaluate the personal file
directories, emails, web access and all other information stored on the company
computers, at any time and without any kind of notice (Ifinedo 2012). This examination and
evaluation ensures compliance with the Internet usage policy and deters employees from doing any
illegal work on office premises. This monitoring will also help the other employees to feel safe
and secure.
E-mail Confidentiality
Confidentiality of personal mail or email is another major function for securing the
privacy of personal and official information. The employees should be aware that a clear-text
email is not a secure mode of communication (Banuri et al. 2012). There is a chance of hacking
in such cases. The organization will not guarantee that electronic communications will be
private. The users should be aware that electronic communications could be intercepted,
printed, forwarded, and stored by others. The users should also be aware that once an email is
transmitted it might be changed (Orr, Ptacek and Song 2012). Removing an email from an
employee workstation will not delete it from the different systems across which the email has
been transmitted.
Maintaining Corporate Image
While using company resources to access the Internet, the users should
realize that they represent their company (Bayuk et al. 2012). Whenever the employees state an
affiliation to the organization, they must also clearly indicate that the opinions expressed are
their own and not necessarily those of their company. The users should not keep company
material, for example documentation, press releases, internal memos, and product or usage
information, on any public news group, mailing list or such service (Gouglidis, Mavridis and Hu
2014). Any posting of materials must be approved by the employee’s manager and the
information technology department and will be kept by an authorized person.
All business units and individuals wishing to develop a WWW home page or site
should first develop implementation, business, and maintenance plans (Neisse, Steri and Baldini
2014). Official permission should be acquired through the IT Department. This will maintain the
publishing and content standards needed to ensure appropriateness and consistency. Moreover,
the contents of material that is made available to the public through the Internet should be
formally reviewed and supported before being published (Knapp and Ferrante 2012). All
material should be submitted to the Corporate Manager for initial approval to continue.
Conclusion
Therefore, from the above discussion, it can be concluded that security policies are
extremely important for all organizations. Such policies preserve the confidentiality and the
authenticity of the company. The report focuses on the Internet Usage Policy. This policy defines
the use of and the limitations on access to the Internet in an organization. This policy is
maintained by all employees. The Internet usage policy has instructions or rules for the
employees so that they do not cross their limits while using office Internet. The above report
sets out a set of guidelines regarding the Internet that are to be followed by the employees of
all organizations. This policy is extremely beneficial and helpful in mitigating or reducing
cyber crime and unnecessary usage of the company’s Internet.
References
Banuri, H., Alam, M., Khan, S., Manzoor, J., Ali, B., Khan, Y., Yaseen, M., Tahir, M.N., Ali, T.,
Alam, Q. and Zhang, X., 2012. An Android runtime security policy enforcement
framework. Personal and Ubiquitous Computing, 16(6), pp.631-641.
Bayuk, J.L., Healey, J., Rohmeyer, P., Sachs, M.H., Schmidt, J. and Weiss, J., 2012. Cyber
security policy guidebook. John Wiley & Sons.
Berger, T.U., 2014. Norms, Identity, and National Security. Security Studies: A Reader.
Cheng, L., Li, Y., Li, W., Holm, E. and Zhai, Q., 2013. Understanding the violation of IS
security policy in organizations: An integrated model based on social control and deterrence
theory. Computers & Security, 39, pp.447-459.
Choyi, V.K. and Vinokurov, D., Alcatel Lucent, 2012. System and method of network access
security policy management for multimodal device. U.S. Patent 8,191,106.
Gouglidis, A., Mavridis, I. and Hu, V.C., 2014. Security policy verification for multi-domains in
cloud systems. International Journal of Information Security, 13(2), pp.97-111.
Ifinedo, P., 2012. Understanding information systems security policy compliance: An integration
of the theory of planned behavior and the protection motivation theory. Computers &
Security, 31(1), pp.83-95.
Knapp, K.J. and Ferrante, C.J., 2012. Policy awareness, enforcement and maintenance: Critical
to information security effectiveness in organizations. Journal of Management Policy and
Practice, 13(5), p.66.
Neisse, R., Steri, G. and Baldini, G., 2014, October. Enforcement of security policy rules for the
internet of things. In Wireless and Mobile Computing, Networking and Communications
(WiMob), 2014 IEEE 10th International Conference on (pp. 165-172). IEEE.
Orr, D.B., Ptacek, T.H. and Song, D.J., Arbor Networks, Inc., 2012. Method and system for
authentication event security policy generation. U.S. Patent 8,146,160.
Ouedraogo, W.F., Biennier, F. and Ghodous, P., 2012, April. Adaptive Security Policy Model to
Deploy Business Process in Cloud Infrastructure. In CLOSER (pp. 287-290).
Pieters, W., Dimkov, T. and Pavlovic, D., 2013. Security policy alignment: A formal
approach. IEEE Systems Journal, 7(2), pp.275-287.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model
in organizations. Computers & Security, 56, pp.70-82.
Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J., 2014. Variables influencing
information security policy compliance: a systematic review of quantitative studies. Information
Management & Computer Security, 22(1), pp.42-75.
Vance, A. and Siponen, M.T., 2012. IS security policy violations: a rational choice
perspective. Journal of Organizational and End User Computing (JOEUC), 24(1), pp.21-41.
Wall, J.D., Palvia, P. and Lowry, P.B., 2013. Control-related motivations and information
security policy compliance: The role of autonomy and efficacy. Journal of Information Privacy
and Security, 9(4), pp.52-79.