Corda Network Foundation
Acceptable Use Policy
Information and Communication Technology (ICT) resources, both in-house and externally operated, are essential to the operation of the Corda Network Foundation. Innovative use of ICT by Foundation team members is encouraged where such use supports Foundation objectives. The intention in publishing this policy is not to impose restrictions that are contrary to the Foundation’s established culture of innovation, openness and trust. Such a culture does, however, depend on a common understanding of what constitutes “acceptable use” at the Foundation. This policy requires that all team members’ and associates’ use of ICT resources in the workplace is conducted in a manner that is lawful, responsible and cognisant of the needs of the Foundation and network participants. Effective security is a team effort, requiring the active support of all. We all have a responsibility to understand the requirements of this policy and to conduct ourselves accordingly.
2 Risks Addressed
This policy addresses the following risks:
- Damage to the Foundation’s reputation or exposure of the Foundation to legal action as a result of deliberate or inadvertent misuse of Foundation ICT resources.
- Compromise of the security of Foundation information or systems by their deliberate or inadvertent misuse.
- Financial loss incurred in responding to and recovering from security incidents that may result from such an eventuality.
3 Who Does This Policy Apply To?
This policy applies to workers at the Foundation (employees and contractors, consultants, temporaries, and others) including all personnel affiliated with third parties. This group is referred to throughout this policy as “team members”.
This policy takes into account the increasing pace of change in the corporate ICT environment, the widespread deployment of smartphone devices, cloud services and the trend towards consumerisation of corporate IT. The scope of the policy therefore includes any ICT system used to conduct Foundation business, regardless of its location, operator or owner and the means by which it is accessed. Users of third party or personally owned devices that the Foundation may permit to access its ICT systems must comply with this policy in the same way as users of Foundation supplied equipment.
5 Mandatory Controls
5.1 Note on the wording of this policy
This policy is intended to provide day-to-day guidance for Foundation team members. Policy clauses are therefore presented throughout in the second person (you). This presentation has been chosen deliberately to make plain that responsibility lies with all team members to observe the controls listed herein.
5.2 Personal use of Foundation systems
You are responsible for exercising good judgment regarding the reasonableness of personal use of Foundation systems. Team members must be guided by the employee handbook and any departmental policies on personal use.
5.3 Ownership of data and resources
ICT resources provided to staff by the Foundation remain the property of the Foundation, and are intended to serve the interests of the Foundation and its customers.
You should have no expectation of privacy of information stored on any device, or traversing any network, belonging to, or operated on behalf of, the Foundation. This extends explicitly to email, instant messaging and other collaborative tools used at the Foundation. Although not obliged to monitor traffic on such systems, the Foundation may choose to do so without prior notice and at any time.
5.4 Access control
You are granted access to ICT resources appropriate to your role. Access to resources over and above those explicitly granted must be requested via your line manager. Any attempt to bypass or otherwise subvert security controls in order to obtain additional or elevated access to ICT resources is prohibited.
Access to other team members’ ICT resources without specific authorisation by that employee’s manager is prohibited.
5.5 Introduction of new technologies and services
The Foundation recognises that it thrives through the use of new technologies and services, and is keen not to stifle innovation or unnecessarily limit productivity. With this in mind, you are responsible for exercising good judgement with regard to the introduction of technology into the workplace. As an example, it may not be necessary for a developer to formally request management approval for their choice of text editor. On the other hand, a new cloud collaboration tool (for example) cannot be adopted without management-level assessment of the risks associated with its use.
With the above in mind, only open-source or free single user resources may be used without approval. All shared (multi-user) ICT or paid-for resources must be approved by the IT team before use.
Where the Foundation already provides services to support a particular task (file sharing, being a good example), you are required to use these services, rather than seek out new ones. Where existing services are not fit for your purpose, you must raise this as an issue with your line manager, who will be able to provide guidance as to how to proceed.
5.6 Use of personal identities and accounts
A personal identity or account is one which you have created for use in your private life outside of the work environment. The Foundation does not, in general, permit the use of such identities or accounts for transacting Foundation business. Whilst there are generally accepted exceptions to this rule (such as the use of high value “personal” brands by key thought leaders at the Foundation or the use of LinkedIn or Twitter to promote Corda), you should maintain a clear separation between Foundation and personal identities.
In particular, personal identities must not be used to manage the configuration or content of Foundation ICT resources or Foundation issued devices.
Applications and data that you use to conduct your personal life should, wherever possible, remain separate to applications and data used to conduct Foundation business.
With the exception of the exclusions noted in this section, you must be prepared to divulge any user credentials, passwords, PINs etc. that you may create in conjunction with your work at the Foundation to the Foundation upon request.
5.7 Specific unacceptable use examples
Under no circumstances may you use any ICT resources provided by the Foundation to engage in any activity that is illegal or otherwise unlawful.
In addition, the Foundation regards a broad group of other activities as unacceptable. Unacceptable activities include those that may disrupt the intended use of Foundation ICT services, activities that waste Foundation resources and activities that cause unnecessary risk to the Foundation or our colleagues, or that might bring the Foundation into disrepute. The list below is by no means exhaustive. Its purpose is to bring as clearly as possible to the reader’s attention those activities most commonly associated with the abuse and potentially unlawful use of network services. You should consult your supervisor or manager if you are uncertain as to whether an activity is permitted or not. The following activities are considered unacceptable and are therefore prohibited:
- Any activity that could reasonably be regarded as unlawful, or potentially so.
- Transmission, or causing the transmission, of any material which could be regarded as illegal, offensive, in bad taste or immoral.
- Bypassing any security controls, in an attempt to gain access to network resources above and beyond those granted by the Foundation.
- Permitting any unauthorised network or other external access to the Foundation network resources; this includes unauthorised VPN networking (see below) or modem connection to Foundation resources.
- Using Foundation systems to send offensive or harassing material to others, whether through content, frequency, or size of messages.
- Using Foundation systems to perpetrate any form of fraud.
- Any activity that infringes the copyright of another individual or entity, including downloading commercial software or any copyrighted materials belonging to third parties unless this download is covered or permitted under a commercial agreement or other such licence.
- The export of software, technical information, encryption software or technology, in violation of international or regional export control laws. Such practices are illegal. You should consult your manager prior to export of any material that is in question.
- Publishing defamatory and/or knowingly false material about Foundation, colleagues and/or network participants via social media, blogs or any other online publishing format.
- Revealing confidential information about Foundation in a personal online posting, upload or transmission. This could include financial information and information relating to our clients, business plans, policies, staff and/or internal discussions.
- Making statements about warranty, express or implied, unless it is a part of normal job duties.
- Undertaking deliberate or reckless activities that waste staff effort or networked resources.
- Introducing any form of malicious software onto Foundation systems.
- Continuing to use software, hardware or cloud services after being instructed not to by Foundation support or management staff.
- Using Foundation resources to carry out security testing (including port or vulnerability scanning) against the Foundation or other network devices unless specifically required to as part of the individual’s operational responsibilities.
- Using Virtual Private Networking or network traffic anonymization software to connect to resources within or outside the Foundation’s network unless either specifically directed to, or required to as part of your operational responsibilities.
- Forwarding chain letters or joke emails from a Foundation email account.
- Sending or forwarding private emails at work which the originator or forwarder would not want a third party to read.
- Agreeing to terms, entering into contractual commitments or making representations by email unless appropriate authority has been obtained.
- Sending messages from another worker’s computer or under an assumed name unless specifically authorised.
- Sending confidential messages by means which are known not to be secure.
- Using public communications channels to post private or Foundation or network participant confidential material.
- Sharing password information with other team members at the firm or individuals external to the Foundation.
- Leaving Foundation issued devices unattended in public venues.
- Any other activities that violate the conduct requirements mandated by any other Foundation guidelines or procedures.
5.8 General notes
Whilst a specific use or behaviour may not be called out in this document, its absence does not automatically mark it as acceptable. If you are uncertain as to whether a particular activity complies with the intent of this policy, you should seek guidance from your supervisor or information security manager.
5.9 Reporting potential violations of this policy
If you believe that this policy has been breached, the Foundation provides a facility for you to raise concerns anonymously, whether these concern breaches of policies such as this one, financial, behavioural or other misconduct. You may report suspicious circumstances on an anonymous basis, without fear of retaliation, 24 hours a day, 7 days a week.
Assessments may be carried out for compliance against this policy. Any violation of this policy will be investigated and, if it is found to be due to wilful disregard or negligence, it will be treated as a disciplinary offence. All disciplinary proceedings are coordinated through the Human Resources Department. The Foundation reserves the right to amend this policy at any time and will publish updated versions to all staff. All team members must attest to this policy annually.