The roles and responsibilities policy describes a standard of “due care” for the ownership, use and transmittal of information resources. The audience for this policy includes all employees, and especially those who have access to corporate computer systems.
Read on for excerpts from the actual policy:
This policy applies to all information processed or stored on company computers and transmitted over _COMPANY networks. This includes, but is not limited to, mainframes, personal computers, local and wide area networks, client/server and departmental computers, cellular telephones, and other personal communications and data storage devices.
This policy applies to _COMPANY employees, customers and independent third parties engaged by _COMPANY, including consultants, contractors and vendors.
The following rules define _COMPANY’s policy:
- There must be an owner for all information. The owner is responsible for classifying the information and for determining the appropriate level of security. The owner should be guided by local business definitions, legal or regulatory requirements and the specifications published by the IT Department.
- In general, access to information and resources is limited to that which is necessary for the performance of an individual’s assigned job responsibilities.
- Not all information requires the same level of protection. Because various businesses and applications often share our systems, security controls must be implemented at the appropriate level to satisfy the most stringent requirements of any party on the system.
- _COMPANY employees must ensure that any logon ID, password, key lock device or any other device issued to them for accessing company resources remains confidential and under their control.
- _COMPANY employees must access only the information they need to do their jobs.
- _COMPANY employees must use only authorized connections to company networks and computers. Refrain from using connection devices, such as modems, without prior approval from network security personnel.
- _COMPANY employees must take precautions that any comments they make publicly or send electronically cannot be construed as representing _COMPANY, unless they are authorized to speak for the company.