From rperry@iac.net Sat Mar 16 12:54:07 1996
Date: Tue, 5 Mar 1996 09:03:47 -0900
From: Richard Perry
To: Multiple recipients of list
Subject: Summary: Internet Policies and Procedures

Thanks to all for your suggestions and contributions in my search for information related to the development of Policy and Procedures for Internet usage within an organization. I have combined your responses with some research of my own to create the summary attached below. With this summary, I hope to highlight the issues that need to be addressed in such documents, provide pointers to some documents you may find useful, and show examples of a couple of existing/draft policies and procedures.

Through this process, I have developed a great sense of optimism for the corporate uses of the Internet as well as a keen understanding as to why this resource should be carefully implemented and controlled.

Richard Perry
rperry@iac.net
http://www.iac.net/~rperry

_________________________________________________________________

Internet Use Policy and Procedures

In reviewing numerous resources related to the development of Policies and Procedures for the use of corporate Internet resources, it is immediately evident that no document can accurately anticipate all situations for which a policy and procedure would be needed. Many documents instead attempt to set a "corporate philosophy" to guide the company users as to acceptable and non-acceptable uses of online resources. However, to be enforceable and to be able to hold employees accountable for their performance, there must additionally be an attempt to clearly spell out expectations and give clear indications of the ramifications of improper usage.

In line with this, certain basic themes and concerns began to emerge as needing to be formally addressed. The development of policies and procedures should address in some form the following factors:

1. Encourage appropriate use of online resources and discourage the practice of "random surfing".
Acceptable use criteria often include: to facilitate communication with other agencies or business partners, to facilitate discussions aimed at professional development, to gather information on industry trends, for use in grant related activities, to gain timely access to government publications and statistics, and generally to advance the information needs of the organization.

Inappropriate online behavior in the workplace, which generally requires disciplinary action, would include the transmission of pornographic materials, sending racially or sexually offensive messages, making slanderous remarks or defamation of character, trying to enter or "hack" another computer system without authorization, unauthorized posting or transmission of company "trade secrets" or other confidential materials, using the network for recreational games, use of corporate resources for personal gain, blatant violation of copyright laws, and the use of "mail bombing".

For an excellent discussion on the implications of Internet policy and many suggestions for explicit policies to implement, please review the following document.

"Implementing Sound Corporate Internet Policies, Legal and Management Issues"
Gordon & Glickson, PC (June 1995)

This is a very thorough review of legal and management issues for Internet access. Available at no cost in portable document format (PDF). Obtain this, as well as other related documents, at:
http://www.ggtech.com/publist.html

2. The use of proper "netiquette" and recognition of the users' professional responsibility, especially when making online postings from the company's domain name.

All communications must be thought of as "on the record" and reflective of the company. A simple tag line stating that "these views are personal and do not represent the views of my employer" is not sufficient. Strong personal statements should be made only from personal accounts.
A great netiquette guide written by Sally Hambridge at Intel, which should be required reading for all new users, is available at:
ftp://ds.internic.net/rfc/rfc1855.txt

3. Security and procedural issues.

These involve policies related to downloading executable files, the use of file attachments, not downloading directly to network drives, frequent changing of user passwords, and use of network manager approved virus detection software.

4. Another important theme is that policies should be developed with interaction from the users if they are to be relevant and enforceable.

Further, it is very important to educate users up front as to how to best use this resource, and the company expectations implicit in its use. An excellent discussion is contained in:

"Horses and Barn Doors: Evolution of Corporate Guidelines for Internet Usage"
by Sally Hambridge and Jeffrey Sedayao from Intel Corporation.
It may be obtained at:
http://www.intel.com/intel/papers/horses.html

OTHER RESOURCES:

1. Internic maintains an archive of Policies and Procedures. While mainly aimed at academic settings, there are some good resources here. Visit these archives at:
ftp://ds.internic.net/policies-procedures

2. Another interesting site that contains some good examples of policies is the "Court TV Small Business Law Center Seminar - Employee Handbooks, A Workshop". Look for the "Electronic Media and Services: Scope of Use" document from DHL Systems, and the "Hitachi America - Corporate Electronic Mail Policy Statement and Instruction" paper. These may be found at:
http://www.courttv.com/seminars/handbook/index.html

EXAMPLES OF POLICIES AND PROCEDURES

Two persons were kind enough to forward their policies and procedures and graciously allow them to be reposted in my summary.
** However, the caveats as a condition for their posting include that if you consider using all or parts of these policies, you MUST remove all references to the originating organization and further understand that there are no warranties, either expressed or implied. They are included as examples only. **

Fair Enough?

1. Intel Corporation's Internet Guidelines
(Thanks to Sally Hambridge for all her work in this area)

| intel | cover sheet No. 193016 | Rev.1 Page 1 of 6
-----------------------------------------------------------------
TITLE: INTERNET GUIDELINES
-----------------------------------------------------------------

1.0 PURPOSE/SCOPE

These guidelines set the standards for appropriate behavior of an Intel employee when accessing the Internet. These guidelines apply to all Intel employees. Intel specifically reserves the right to modify, change or discontinue any portion of the Internet guidelines from time to time at its sole discretion.

2.0 DEFINITIONS

o Cracking - attempting to break into another system on which you have no account; this is treated as malicious intent.
o Netiquette - a word made from combining "Network Etiquette." The practice of good manners in a network environment.
o MIME - Multipurpose Internet Mail Extension. The format for Internet mail which includes objects other than just text.

3.0 GENERAL

4.0 GUIDELINES

4.1 Behavior resulting in disciplinary action.

The following behaviors are examples of actions or activities which can result in disciplinary action. Because all possible actions cannot be contemplated, the list is necessarily incomplete. Thus, disciplinary action may occur after other actions when the circumstances warrant it. Disciplinary actions range from verbal warnings to termination; the severity of the misbehavior governs the severity of the disciplinary action.

o Unauthorized attempts to break into any computer whether of Intel or another organization. (Cracking).
o Using Intel time and resources for personal gain.
o Sending threatening messages.
o Sending racially and/or sexually harassing messages.
o Theft, or copying electronic files without permission.
o Sending or posting Intel confidential materials outside of Intel, or posting Intel confidential materials inside Intel to non-authorized personnel.
o Refusing to cooperate with a reasonable security investigation.
o Sending chain letters through electronic mail.

4.2 Behavior considered prudent, good manners, etiquette.

The following behaviors are recommended for sending Internet mail, participating in Internet mailing lists and Usenet groups, ftp, and telnet. Lack of conformance may result in loss of Internet access. These guidelines have been gleaned from a variety of Internet Guides. A bibliography follows these guidelines, and we recommend you acquire one (or more) of these guides.

4.2.1 Electronic Mail (Email)

The following guidelines cover the sending of electronic mail outside of Intel.

o MAIL ON THE INTERNET IS NOT SECURE. Never include in an Email message anything which you want to keep private and confidential. Email is sent unencrypted, and is easily readable.
o Be cognizant of any system etiquette. The computer on which you reside may have quotas on disk space usage. Mail takes up space. It's best not to save every message you receive.
o Do not attempt to send anything but plain ascii text as mail. Recipients may not have the ability to translate Word or WP documents. MIME format messages are encouraged. (MIME=Multipurpose Internet Mail Extension).
o Be careful when sending replies - make sure you're sending to a group when you want to send to a group, and to an individual when you want to send to an individual. It's best to address directly rather than use the reply command.
o Include a signature which contains methods by which others can contact you. (Usually your Email address.)
o Let senders know you've received their mail, even if you can't respond in depth immediately. They'll need to know their mail hasn't gotten lost.
o Watch punctuation and spelling.
o Remember that the recipient is a human being. Since they can't see you, they can't tell when you're joking. Be sure to include visual clues. Convention indicates the use of the smiley face. :-) (Look sideways).
o DO NOT SEND MESSAGES ALL IN CAPITALS. It looks as if you're shouting. Use capitals for emphasis or use some other symbol for emphasis.
    That IS what I meant.
    That *is* what I meant.

4.2.2 Internet mailing lists and Usenet News Groups.

All the guidelines covering Email should apply here as well.

o Actively disclaim speaking for Intel. Note that if you use an Intel system to post an article, Intel's name is carried along with what you post in (at least) the headers. The "standard" disclaimers attached to many articles are meaningless if the reader finds the article offensive.
o Remember that some people have to pay for each byte of data they receive. Keep messages to the point without being so terse as to be rude.
o Obey copyright laws.
o Be sure to change your mailing address if your account changes. Do not simply forward your mail from your old account to your new one. This creates a burden on Intel machines.
o Be careful using auto-reply features in mail when you belong to mailing lists. These replies are often sent to the entire list, and most don't care that you're on vacation.
o As a new member of a group, monitor the messages for a while to understand the history and personality of the group. Jumping right into the discussion may make you look foolish if you have no context.
o Do not advertise Intel products. This violates the Internet Acceptable Use Policy.
o Do not re-post any messages without permission.
o Avoid cross-posting whenever possible. When not, apologize, especially if the groups seem to have a lot of overlap. Of course, apologize for any mistakes in posting.
o Do not post personal messages to a group.
o If you survey the group, post a summary.
o Indicate quoted material.
o Do not post any messages anonymously. This is viewed as bad form by the Usenet community and system managers are asked to track down offenders. This wastes Intel's time and resources.
o Do not re-post any requests for a dying child in England to get postcards to get into the Guinness Book of World Records. The child got well, and the category has been removed from Guinness.
o Make sure the subject of your message is clear in the Subject: line.
o Join lists or monitor newsgroups giving thought to how much time these activities absorb. Also for Usenet, look at the news.announce.newusers group. It contains good information on getting started. There are also local Intel groups which are good for new people.
o Be sure to read the FAQs (Frequently Asked Questions) for your group(s).
o If provoked, do not send angry messages (flames) without waiting overnight. If you still think a flame is warranted, label your message with "flame on". If you receive a flame, don't go overboard in reaction. Remember that not everyone is as polite as you are.

4.2.3 FTP

These guidelines cover file transfer protocol.

o Do not ftp to any machines on which you do not have an account, or which don't advertise anonymous ftp services. Random net-hunting is not approved.
o Observe working hours or posted hours for ftp sites. Most sites request you NOT ftp between their local hours of 8-5.
o Don't ftp during your site's prime hours either.
o Look locally before ftping something from a site geographically remote. Your system manager can help you find the closest site.
o Don't ftp on the off chance you'll "need it someday." Conversely, don't hunt around for "neat stuff" to ftp. If you discover that you don't need what you've ftp'ed, delete it. You can always get it again if you discover you do need it.
o Observe any posted restrictions on the ftp server.
o Use your real username and node as your password on anonymous ftp servers.
4.2.4 TELNET

These guidelines cover telnetting to remote systems.

o Do not telnet to machines on which you have no account, or on which there is no guest account. Do not attempt to telnet deliberately into anonymous ftp servers.
o Observe any posted restrictions on the machine to which you're telnetted.
o Do not try to telnet into miscellaneous ports; use only authorized ports for access.

5.0 Selected Bibliography

LaQuey, Tracy. _The Internet Companion_. Reading, MA: Addison-Wesley, 1993.
Kehoe, Brendan. _Zen and the Art of the Internet_. Englewood Cliffs, NJ: Prentice-Hall, 1992.
Krol, Ed. _The Whole Internet: User's Guide and Catalog_. Sebastopol, CA: O'Reilly & Associates, 1992.
Tennant, Ron, John Ober & Anne G. Lipow. _Crossing the Internet Threshold: An Instructional Handbook_. Berkeley, CA: Library Solutions Press, 1993.

2. Draft Policies and Procedures from Minnesota Department of Health
(Thanks to Wendy Nelson for her help)

*******DRAFT********DRAFT********DRAFT********DRAFT*******

Health Policy and Systems Compliance Internet Use Policy

The Internet has become an extremely valuable tool for Health Policy and Systems Compliance Division staff. It offers direct access to numerous agencies and organizations whose publications and information are sought by staff on a daily basis and enables staff to locate materials at their own computer. In addition, more elusive information can often be located in a highly time efficient manner by subject searching on the Internet or querying a listserve. It benefits the organization to provide direct access to the Internet to employees who can use it to better perform their jobs.

Guidelines

In keeping with this philosophy the following guidelines for Internet use in the Health Policy and Systems Compliance Division have been developed.

*Access to the Internet will be provided to HP&SC employees when deemed appropriate for their work.
*The division will provide training opportunities, aids, and assistance in locating tutorials and/or classes.
*Any costs incurred related to providing access (computer equipment and software) will be the responsibility of the employee's section and at the discretion of the section manager.
*Any costs incurred while accessing the Internet are the responsibility of the employee unless approved in advance according to the Department of Health's policies.
*Documents should be downloaded only if absolutely necessary. When downloading, an employee may only download to their "C" drive or to a floppy disk. Employees shall not transfer documents to network drives without first checking them with virus software approved by the network manager. The Health Policy and Systems Compliance Division reserves the right to examine all downloaded files.
*When accessing the Internet, employees are representing the Department of Health and all conduct shall be appropriate.
*Employees must use proper "Netiquette" when participating in Newsgroups or sending email. Employees should be aware that when sites are accessed, IP addresses are recorded. Comments, including flame wars, are not anonymous.
*Employees must observe copyright or site specific directions when using Internet materials.
*Employees shall comply with all state and federal laws, rules and regulations when accessing the Internet.
*Employees shall not use or allow the use of state time, supplies or state owned or leased property and equipment for the employee's private interests or any other use not in the interest of the state. (Minnesota Statutes 1994, Section 43A.38, subd. 4) Any employee that violates the provisions of section 43A.38 shall be subject to disciplinary action and action pursuant to Minnesota Statutes 1995, Chapter 609, the Criminal Code.
Enforcement

The Health Policy and Systems Compliance Division reserves the right to review user accounts, workstations and fileserver space in order to make determinations on whether specific uses of the information systems are appropriate.

The Health Policy and Systems Compliance Division reserves the right to revoke an employee's access to the network and network services when there has been a clear violation of acceptable use principles and guidelines. In addition, where violations occur, employees are subject to any disciplinary action or penalties proscribed in law.

*******DRAFT********DRAFT********DRAFT********DRAFT*******

I have read the Health Policy and Systems Compliance Internet Use Policy, specific conditions have been explained to me and I agree to the above conditions for use.

Name__________________________________________ Date_______________
Position _________________________________ Program___________________

*******DRAFT********DRAFT********DRAFT********DRAFT*******

==========================================================
END OF SUMMARY

I hope this summary is of value to the list members. Good luck in developing your own policies and procedures. It will be some work, but will be very valuable to your organization in the long term.

Richard