IT Acceptable Use Policy

Version 2.1

October 2020

 

Information Technology Acceptable Use Policy

Essentra plc, together with its affiliates and subsidiaries (“Essentra”), is committed to doing business the right way, to continually earn the trust of customers, other stakeholders and the wider marketplace. In accordance with the Essentra Ethics Code, the Board of Directors and the Group Management Committee expect all employees – and anyone carrying out work on behalf of Essentra – to maintain the highest standards of ethical business conduct and personal behaviour at all times, and to act safely, honestly, responsibly, lawfully and with integrity.

In support of this commitment, and consistent with its Six Principles, Essentra seeks to maintain a culture of openness and accountability, so that prompt action can be taken to address any illegal or unethical conduct involving anyone working for or on behalf of Essentra. Attitudes or activities that amount to a breach of law or trust, or otherwise fall below the highest standards of ethical business conduct and personal behaviour will not be tolerated. It is the responsibility of all Essentra employees to ensure that they report any infringement or suspected infringement of legal or regulatory requirements or the highest standards of ethical business conduct involving Essentra to their Line Manager or otherwise in accordance with the Essentra ‘Right to Speak’ Policy.

1.   General Information

1.1      Policy Purpose

The purpose of this Information Technology (IT) Acceptable Use Policy (AUP) is to provide a framework for use of Essentra’s IT resources. It should be interpreted such that it has the widest application to include new and developing technologies and uses, which may not be explicitly referenced.

 

This Policy supports the IT Security Policy and will assist Essentra business operations in managing compliance with relevant laws, regulations and best practice for the protection of Essentra’s information assets, intellectual property rights and brand reputation.

 

This Policy entirely replaces and supersedes the End User IT Usage Policy previously released.

1.2      Policy Scope

This policy applies to Essentra and all companies acquired or owned by Essentra plc. It applies to all Essentra employees, contractors and third-party service providers.  It also applies to people, processes and the technologies that are involved in Essentra business activities including all information owned by Essentra or entrusted to Essentra by a third-party (e.g. a supplier or customer).

 

2.   Policy

2.1      Introduction

Essentra handles information relating to its customers, suppliers, business partners, employees, service providers and business operations. Some of this information is sensitive (including intellectual property) and requires specific controls relating to its storage, authorised access or use. Information may be obtained or become accessible in a variety of ways including electronic means, hardcopy format and verbally.

 

This Acceptable Use Policy is focused on the individual user and gives a set of basic rules to ensure day to day use of Essentra’s IT system is appropriate and in accordance with the interests of Essentra.

 

Compliance with this and all associated policies, standards, procedures and guidance documents is necessary to safeguard the organisation. This Policy will assist Essentra in meeting its legal and regulatory obligations and in maintaining business continuity, whilst limiting damage to business interests by preventing security incidents and/or mitigating their impact.

 

Essentra is required to be compliant with, or align to, various legal and regulatory standards and codes of practice relative to information security governance including ensuring that information which Essentra controls is kept confidential, its integrity is maintained, and it is readily available.

2.2      Policy Statements

The Board of Essentra plc, our Group Management Committee and Senior Leadership are fully committed to ensuring the confidentiality, integrity and availability of information created, collected or entrusted to us. Essentra shall ensure that statutory, express and implied legal, regulatory or contractual obligations are met.

 

2.3      Acceptable Use

Acceptable use of Essentra IT equipment, resources and information is generally defined as any activity that may reasonably be expected to be carried out by an authorised person with legitimate access to those resources for business purposes.

Essentra IT facilities are provided for business purposes.  Limited personal use is permitted within reason, if such personal use is appropriate and does not create productivity loss, impact service or resource availability or introduce liability or any other risk to Essentra, any IT user, data or systems.

 

2.4      Unacceptable Use

Subject to exceptions defined in 2.8, Essentra IT systems must not be deliberately used by a user for activities having, or likely to have, any of the following characteristics:

 

·       intentionally or unintentionally wasting staff effort or other Essentra resources

·       corrupting, altering or destroying company or another user’s data without their consent

·       disrupting the work of other users or the correct functioning of any IT system

·       denying access to IT systems and their services to other users

·       pursuance of unauthorised commercial activities related or unrelated to Essentra

·       breaking any applicable laws or regulations or Essentra Policies, including transmitting or sharing information in breach of applicable export controls or sanctions laws

 

Users shall not:

 

·       introduce data-interception, password-detecting or similar software or devices to Essentra IT systems

·       attempt or provide unauthorised or privileged access to any Essentra IT system

·       connect any network enabled equipment (wired or wireless) to the corporate network without authorisation from Essentra IT Change Approval Board (CAB)

·       access or attempt to access data where the user knows or ought to know that they should not have access

·       carry out any computer hacking, reconnaissance or system compromise activities

·       knowingly introduce or distribute any form of computer virus, malware, remote access/control, automated script/trigger or other potentially malicious or destructive software

·       share usernames and passwords with other users

·       use Essentra systems for bulk or spam email campaigns

·       install, copy or utilise unauthorised software or hardware

·       copy, reproduce, share or transmit data or information where such activity would undermine the intellectual property rights or trade secrets of Essentra

·       connect personal devices to Essentra IT infrastructure unless it is approved as an IT exception, for business purposes.

 

Essentra IT systems must not be used directly or indirectly for the access, download, creation, copying, manipulation, transmission, processing or storage of:

 

·       offensive, obscene or indecent material, including but not limited to images, video, audio and documents

·       unlawful material, or material that is defamatory, threatening, discriminatory, extremist or which has the potential to radicalise

·       material which is subsequently used to facilitate harassment, bullying and/or victimisation

·       material which promotes discrimination based on race, gender, religion or belief, disability, age or sexual orientation

·       material with the intent to defraud or which is likely to deceive a third party

·       material which advocates or promotes any unlawful act

·       material that infringes the intellectual property rights or privacy rights of a third party, or that is in breach of a legal duty owed to another party

·       material that is damaging to the Essentra brand or which may bring Essentra into disrepute.

 

2.5      Monitoring

For the purposes of information security, data loss prevention, policy, legal or regulatory compliance, Essentra will routinely log, monitor and audit IT system access and usage, including but not limited to internet, email and network traffic at any time.  Essentra reserves the right to perform monitoring, incident response and investigative activities across all IT systems and services at any time without notice.

Any monitoring or audit activity may also capture any private or personal data which users create or store on Essentra’s IT systems and users are encouraged to create separate folders or file structures to store any such data, which then may be easily identifiable as separate to business information. For this reason, users are responsible for exercising good judgement regarding appropriate personal use and compliance with this Policy and all other related Essentra policies.

2.6      Actions upon termination of contract

All Essentra equipment and data, for example laptops and mobile devices including telephones, smartphones, tablet devices, USB memory devices and CDs/DVDs, must be returned to Essentra at termination of contract. In the event that security passcodes are required to access or factory reset any device, these passcodes must also be provided, or the device must be returned in a ‘factory reset’ state which permits Essentra to access the device without a passcode.

All Essentra data, records and intellectual property developed or gained during the period of employment remains the property of Essentra and must not be retained beyond termination or reused for any purpose.

2.6      Related policies

·       Information Technology Security Policy

·       General Data Protection Policy

2.7      Exceptions to Policy

Exceptions to IT security policies, standards, procedures or guidance documents can only occur with explicit written permission from the IT Security Team. If the risk caused by the exception is high (or if it is unclear whether the risk is high or not), then the approval can only be provided by the CIO or CISO.

2.8      Compliance

All employees are required to comply with this Policy and are personally responsible for doing so. Employees must certify their compliance with the terms of this Policy when requested.

 

From time to time, Essentra may require you to take mandatory training in relation to the terms of this Policy. You must ensure that you complete this training as required. 

 

If any employee believes that the terms of this Policy are not being correctly observed, it is their responsibility to raise any concerns with their line manager. If employees feel that they need to raise the issue outside of their immediate working environment at any time, Essentra has put in place, through an independent third party, the ‘Essentra EthicsPoint Helpline’. This is a confidential call centre manned 24 hours a day by appropriately trained, local language speaking individuals, and the relevant telephone numbers are displayed at each Essentra business location.

 

Alternatively, employees can submit a report through the Essentra EthicsPoint portal and file a confidential concern. Essentra is committed to ensuring that employees feel able to raise concerns openly and in good faith under the ‘Right to Speak’ Policy, without fear of reprisal or retaliation, and with the support of Essentra.

 

Failure to observe the terms of this Policy – or to cooperate fully with any investigation by Essentra into alleged or suspected breaches – may result in any employee’s conduct being subject to review and/or revocation or limitation of access to any IT system or service. In the most serious cases, such review may potentially lead to the termination of their employment and/or result in personal criminal or civil liability.

3.   Roles and Responsibilities

3.1      Group Management Committee and Main Board

The Group Management Committee (GMC) and Main Board shall be accountable for:

 

·       Ensuring that appropriate information security, legal and regulatory controls are identified, implemented, and maintained throughout the company;

·       Approving and endorsing, through the Chief Information Officer (CIO) and/or Chief Information Security Officer (CISO), this and all supporting policies, standards, procedures and guidance documents for use throughout the company.

3.2      Chief Information Officer

The Chief Information Officer (CIO) is responsible for:

 

·       Establishing and enforcing information technology acceptable use policies, standards, procedures and guidance documents;

·       Identifying unacceptable use-related issues and implementing appropriate remediation controls necessary to ensure the organisation adheres and aligns with all mandated legal and regulatory obligations.

3.3      Functional Management

All managers are responsible within their function for:

 

·       Ensuring staff receive relevant education and awareness with regards to acceptable use of IT;

·       Ensuring staff are aware of their responsibilities with regards to acceptable use of IT;

·       Understanding the assets and services for which they are responsible and the applicable acceptable use requirements;

·       Assigning ownership authority and responsibility for information and computer assets;

·       Ensuring effective use of control mechanisms, including the correct use of user identities and passwords.

3.4      Users

Users, including contractors and suppliers, are required to be fully aware of and comply with Essentra’s policies, standards, procedures and guidelines, and with legal, regulatory and contractual obligations within their area of responsibility, safeguarding all company-provided IT assets and associated systems and data access, whilst reporting information security incidents and concerns to their manager and/or the IT Service Desk in a timely manner.

 

4.   Document Control

This Policy will be formally reviewed on an annual basis as a minimum or if required changes are identified to address one or more of the following:

 

·       A change in business activities, which will or could possibly affect the current operation of the Essentra Information Security Management System and the relevance of this document;

·       A change in the way Essentra manages or operates its IT assets and/or their supporting assets, which may affect the accuracy of this document;

·       An identified shortcoming in the effectiveness of this Policy, for example because of a reported IT unacceptable use or security incident, formal review or an audit finding.

 

The current version of this Policy, together with its previous versions, shall be recorded below.

 

Document Control

Status: Issued - Approved

Owned by: Group CIO

Version Control

Version | Date | Author | Reviewer | Approver | Comment
2.0 | September 2020 | CISO | Group Management Committee (GMC) | Board of Directors | Approved major version superseding the previous End User IT Usage Policy (AUP v1.0) across the group.
2.1 | October 2020 | CISO | Group Management Committee (GMC) | Board of Directors | Added section 2.6 - Actions upon termination of contract.