Cross Country Healthcare, Inc.


Cross Country Healthcare, Inc.
Acceptable Use Policy Handbook
March 2015
Version 1.0
Document # SC_IT_
Park of Commerce Blvd.
Boca Raton, Florida
crosscountryhealthcare.com

Table of Contents

1. Introduction
    What Will I Gain by Reading This Handbook?
    Whom Do I Contact If I Have Questions?
Users Information Security Quick Reference Card
User Responsibilities
    Desktop Computer (PC) Security
        Appropriate Use
        Physical Security
        Software
        Desktop Computer Data Backup
        Viruses
    Laptop and Portable Computers
        Appropriate Use
        Physical Security
        Data Backup
    Internet Use And Access
        Appropriate Use
        Inappropriate Use
        File Transfer Guidelines
        Privacy
        Enforcement and Non-Compliance of Internet Guidelines
    Electronic Mail
        Appropriate Use
        Privacy
        Receiving Unwanted or Offensive messages
        Message Retention
        Mailing Lists and ListServs
        General Caution
    Voice Mail
        Appropriate Use
        Voice Mail Passwords
        Privacy
        Receiving Malicious or Offensive Voice Messages
    Network Use
        Appropriate Use
        Responsibilities
        Privacy
    Password Security
        Difficult-to-Guess Passwords Required; Cyclical Passwords Prohibited
        Minimum Password Length
        3.7.3 User-Chosen Passwords Will Not Be Reused
        Suspected Disclosure Forces Password Changes
        Password-Sharing Prohibition
        Leaving Sensitive Systems without Logging Off
    Communications Security
        Insertion of Computer-Related Contact Numbers in Directories
        Leaving Sensitive Information on Answering Services
        Telephone Directories That Contain Restricted Information
    Physical Security
        Consistent Protection of Information
        Storage of Sensitive Information When Not in Use
        Testing of Access Controls Forbidden
        Approval Needed for Removal of Computer/Communications Equipment
Managers Information Security Quick Reference Card (See CCH Security Brochure for pull out card)
Manager Responsibilities
    Personnel Security
        Reporting Changes in User Duties to Systems Security Administration
        Transfer of Information Custodian Duties after Employee Terminations
        Responsibility for Taking Action in Response to Employee Terminations
        Information Security Responsibilities in Job Descriptions
        Information Security Considered in Employee Performance Evaluations
    Disaster Recovery Planning
        Compliance with Standards Required for Emergency/Disaster Support
        Framework for Segmenting Information Resources by Recovery Priority
        Organization and Maintenance of Computer Emergency Response Team
        Preparation and Maintenance of Computer Disaster Recovery Plans
        Preparation and Maintenance of Business Contingency Plans
        Computer and Communications System Contingency Plan Testing
    Physical Access Control
        Physical Access Control for Areas Containing Sensitive Information
Information Security Policy
    Introduction
    Purpose
    Scope
    Responsibilities
    CCH Policy And Requirements
    Overview
    Use Of Company Data, Information Systems, Company Rights, And Security Requirements
    Employee And Non-Employee Responsibilities
    Consequences Of Noncompliance
    Reporting Procedures


1. Introduction

Cross Country Healthcare Security's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Cross Country Healthcare's established culture of openness, trust, and integrity. The Cross Country Healthcare Security & Compliance team is committed to protecting Cross Country Healthcare's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

The Acceptable Use Policy Handbook is intended to be a resource to all CCH and subsidiary employees. This handbook contains important information to help employees understand and comply with the CCH Information Systems Policies distributed in March. Information Security & Compliance applies to all of us.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and use of FTP, are the property of Cross Country Healthcare. These systems are to be used for business purposes only, in serving the interests of the company, our clients and of our customers in the course of normal day-to-day business operations. Please review Human Resources Policies for further details.

Effective security over company systems and data is a team effort involving the participation and support of every Cross Country Healthcare employee, subsidiary employee, and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know and understand these guidelines, and to conduct their activities accordingly. Failure to comply with and enforce this Acceptable Use Handbook and CCH Information Systems Policies will result in disciplinary action up to and including termination.

1.1 What Will I Gain by Reading This Handbook?

The proper use of all CCH system resources, protection of company data, and information security do not need to be intrusive or difficult. This handbook describes in simple, concise language what users and supervisors need to know about the acceptable use of our internal systems, and raises awareness of how everyone in the company can help keep our company data secure. Our ability to do the basics will make a huge difference in keeping our company data safe and our systems and applications more secure.

This Handbook will answer simple questions such as:

- What can I use the Internet for?
- What are the requirements for passwords? (Keep them secret!)
- Are electronic mail and voice mail private?
- Should I turn my computer off at night and when I leave the office?
- Can I share my User ID?
- What do I do if I get a computer virus?

1.2 Whom Do I Contact If I Have Questions?

Questions regarding information security and/or this acceptable use handbook should be directed to your supervisor, your local Human Resources representative, or the Director, IT Security & Compliance.

2. Users Information Security Quick Reference Card

3. User Responsibilities

Every employee is responsible for information security on a day-to-day basis.

3.1 Desktop Computer (PC) Security

Appropriate Use

Employees are authorized to use CCH desktop computing resources only for legitimate business purposes. Desktop computing resources include personal computers (PCs), and other computing devices such as printers, scanners, faxes, modems, etc. CCH desktop resources may not be used for conducting personal business. Use of company desktop resources for personal business could result in disciplinary action up to and including termination.

3.1.2 Physical Security

While it is not physically possible to completely secure all company desktop computing resources, all employees must take reasonable measures to secure these resources when not in use. Reasonable measures include reporting any suspicious persons or activity in your work area to building security and Human Resources immediately and securing unattached computing components when unattended.

Software

Every software package includes a licensing agreement. This licensing agreement, along with the federal copyright law, defines rights and usage limitations for the software package. When an individual breaks the seal of a software package, that individual accepts the terms of the license agreement for CCH. Software copyright and licensing policies vary from vendor to vendor and from one program to another.

When it comes to the software on end-user desktop resources, it should be noted that CCH has purchased these software packages (i.e. MS Office Suite) and gives IT the right to install and use the software, but this does not imply that IT or CCH end users have complete ownership of the program. CCH Employees may not copy the written materials accompanying the software. Multiple installations (desktop installation and laptop installation) and all home use of CCH software must comply with licensing restrictions and be approved by your department director and IT System Administrator. No personal software may be used on CCH network or desktop workstations. All data disks or files brought from home or received from an outside source must be checked for viruses.

Desktop Computer Data Backup

Users must be aware that any files that are stored on the user's local hard drive and not on the network cannot be backed up by IT. Please contact the CCH Service Desk at or Ext for instructions on how to ensure your files are stored and backed up via our company's network.

Viruses

A computer virus is an unauthorized program that replicates itself and spreads onto various data storage media (CD/DVD, USB thumb drives, etc.) and/or across a network via e-mail or file share directories. The symptoms of virus infection include much slower computer response time, unexplainable loss of files, changed modification dates for files, increased file sizes, and total failure of computers.

CCH has deployed anti-virus software (TrendMicro) throughout the company. This software is maintained and supported by Information Technology, and users may not tamper with these programs or their settings. Because viruses have become very complex, users must not attempt to eradicate them from their systems themselves. Computer viruses can spread quickly, and they must be eradicated as soon as possible to limit serious damage to computers and data.

If you suspect that a virus has infected your computer, you should do the following:

1. Contact the CCH Service Desk ( or Ext ) immediately
2. Stop using your computer
3. Disconnect Ethernet Cable (looks like a large phone plug)
4. Be prepared to provide documentation and to participate in the investigation of how your computer became infected

3.2 Laptop and Portable Computers

Appropriate Use

Employees are authorized to use CCH laptops and portable computer resources, such as smartphones and tablets, only for legitimate business purposes. CCH laptops and portable computer resources may not be used for conducting personal business. Use of these company resources for personal business could result in disciplinary action up to and including termination.

Physical Security

Laptop theft worldwide is on the increase. Employees must take responsibility for safeguarding all laptops and portable computing accessories in their possession at all times.

Security Tips:

- Never leave laptops unattended, especially in airports, taxi cabs, or hotel rooms
- Keep a watchful eye whenever you must pass your laptop through an X-ray security conveyor such as ones you will find in an airport. Be careful to place the laptop on the belt immediately before passing through yourself so you will be able to receive the item on the other side without delay
- Do not leave laptops unattended in the office, especially overnight. If you must leave your laptop in the office overnight, you must ensure that it is secured in a locked drawer or office

A lost laptop not only causes a monetary loss to the company, but the potential that data stored in the laptop is exposed to unauthorized parties also exposes the company to legal and regulatory consequences.

Laptop thefts must be reported immediately (2 hours) to the CCH Service Desk as follows:

- Phone: After hours call / Ext
- Using another computer send CCHServiceDesk@crosscountry.com

See Laptop Theft Policy for additional details.

Data Backup

Due to risk of loss/theft or system failure, it is especially critical that all files on your laptop computer be backed up on a regular basis. The contents of Your Home Directory (R:) are backed up to the network; consequently any critical files must be stored there. Critical or important files stored in your laptop's local My Documents folder will not be backed up. For additional instructions on how to back up your files, please contact the Service Desk.

3.3 Internet Use And Access

CCH encourages the use of the Internet because it makes communications more efficient and effective, and because it is a valuable resource for researching information about our vendors, customers, and business partners. However, the Internet must be used responsibly, and therefore, the following guidelines apply to all Internet use that is:

- Accessed on or from company premises
- Accessed using company equipment, including laptops and home computers connected to the company network
- Used in a manner which identifies CCH as the Company

3.3.1 Appropriate Use

The Internet is intended for company business use only. Although use of the Internet for personal business use may be understandable and acceptable at times, this is a privilege that the company reserves the right to control, similar to personal phone calls. Legitimate company business use of the Internet includes but is not limited to:

- Product and company research
- Business, industry, and competitive news and information research
- Access to CCH information, products, and services
- Communication with vendors, business partners, and customers

Any electronic communications sent via the Internet must responsibly represent the Company just like any other official company communication. Documents, programs, or data (collectively referred to as "Files") downloaded from the Internet are automatically scanned for viruses. If a virus is detected on a downloaded file, please contact the CCH Service Desk at Ext immediately. Further, all files downloaded from the Internet are subject to any applicable copyright limitations.

Inappropriate Use

The Internet may not be used for any illegal or unethical purpose (Refer to Business Ethics Policy (page 12) of the Cross Country Healthcare, Inc. Policy & Procedure on our local Human Resources Portal). It also may not be used for transmitting, retrieving, or storing any communications of an obscene, discriminatory, or harassing nature, or in any other way that violates company policy.

- Employees may not use CCH Internet resources to read or hack into other systems or to breach any computer or network security measures
- Employees may not send electronic media or communications via the Internet that attempt to conceal the identity of the sender or which represent the sender as someone other than his/her true identity
- Employees who use the Internet to obtain access to online information sources may not further copy, distribute, or forward copyrighted materials accessed thereon except as explicitly permitted by the copyright owner, or after consulting CCH's legal counsel, as allowed under applicable copyright law
- No employee may use the Internet to upload or download any files, documents, programs, or data (collectively referred to as "Files") to or from the Internet or to or from any other on-line service, regardless of whether such Files belong to the company, the employee, or a third party, without prior written consent of company management and/or the employee's supervisor
- No programs or applications may be downloaded or installed from the Internet without the approval of the Information Technology group

File Transfer Guidelines

CCH employees may be granted authority by management to transfer files across the Internet using the File Transfer Protocol (FTP) Service. The following guidelines apply to all uses of the FTP Service:

- Employees will need to make a formal FTP access request via the CCH Service Desk
- Employees must obtain written consent from company management and/or the employee's supervisor prior to using the FTP Service

- All files transmitted to or from CCH resources remain the property of the Company, must serve a legitimate business purpose, and must abide by the appropriate use guidelines included in this handbook
- Files that contain sensitive, company protected, or personal information must not be transmitted through the FTP service without taking appropriate measures, such as encryption and password protection, to safeguard the information

Privacy

CCH routinely monitors Internet and network usage and periodically reviews individual employee use. Therefore, employees should not assume that electronic communications are private and confidential, and should transmit personally sensitive information in other ways. Again, employees should have no expectation of privacy in the use of electronic communications using company resources. Such communications should not contain sensitive information, company-protected information, or personal content.

Enforcement and Non-Compliance of Internet Guidelines

The guidelines contained above are enforced through the company Information Security Policy. Management will monitor employee use of the Internet to ensure that the above guidelines are adhered to. The Information Technology Department will also monitor Internet use and inform company management when violations occur. Employee violation of these guidelines will result in discipline up to and including termination.

3.4 Electronic Mail

Appropriate Use

Employees are authorized to use Electronic Mail, or e-mail, only for legitimate business purposes. Such usage includes but is not limited to communication with co-workers, vendors, customers, and other people and organizations engaged in business with CCH. Since each outgoing Internet message is identified as originating within CCH or one of its subsidiaries, the same rules of usage apply as for telephone and business letter communications. Electronic mail may not be used for conducting personal business. Use of electronic mail for personal business could result in disciplinary action up to and including termination.

Privacy

All computers located at or issued or distributed by CCH and the data stored on them are and remain at all times the property of the Company. As such, all electronic mail messages composed, sent, and received on the Company's computers are and remain the property of the Company. The Company reserves the right to retrieve and read any electronic mail message composed, sent, and/or received. Because it is possible to recreate a message even after it has been erased, the privacy of messages cannot be guaranteed to anyone.

Electronic mail messages are potentially subject to interception and to disclosure to third parties in the course of litigation or investigation. Also, the Company retains the right to monitor the use of e-mail. Although interception, disclosure to third parties, and monitoring are likely to occur infrequently, employees should have no expectation of privacy in these communications. Therefore, such messages should not contain sensitive information such as credit card numbers, company-protected information, or other personal or confidential material.

Although access to the Company's system includes the use of passwords, the reliability of passwords for maintaining confidentiality cannot be guaranteed. Each user must assume that any and all messages may be read by someone other than the intended recipient(s).

3.4.3 Receiving Unwanted or Offensive messages

Although CCH has implemented technology to filter and block unsolicited e-mail, also known as Spam, it is possible to receive unsolicited and/or unwanted messages much the same as it is possible to receive junk mail or chain letters at home. If the message is inoffensive and not repeated, erase it and forget it. However, if the message is repeated or offensive, contains objectionable material or language, or is damaging to the Company, you are required to report that message to your supervisor, department head, Human Resources, or Director, IT Security & Compliance immediately. This is necessary to allow the Company to take the appropriate steps to protect both the employee and the Company.

Employees are not to send electronic mail messages containing material or language that may reasonably be considered offensive or disruptive to any employee. This includes sexual comments, racial slurs, or any other comments that would offend someone on the basis of his or her age, gender, sexual orientation, race, color, national origin, marital status, veteran's status, disability, or religion. Any user who generates offensive or disruptive messages is subject to disciplinary action up to and including termination.

Message Retention

Because messages are not private and are subject to interception and disclosure to third parties, it is critical to retain messages (both sent and received) only as long as necessary. The Company's document retention policy applies to e-mail and other computer records as well as to hard copies of documents, and employees are to refer to that policy to determine the appropriate retention period for individual messages. As a general rule, messages are considered either non-essential communications, which are to be retained for no longer than one month, or intracompany memoranda, which may be retained for no longer than one year, unless otherwise directed by the Company's HR or Legal Department. The Company retains ownership of all messages transmitted over company-owned equipment.

Mailing Lists and ListServs

Subscriptions to mailing lists and list services (RSS Feeds, ListServs) should be for legitimate business purposes only and are subject to the appropriate use guidelines described above. Traffic volume for these services may be monitored and excessive use curtailed.

General Caution

E-mail is a quick and powerful tool with many legitimate uses. The fact that it is connected to the Internet means that the Company cannot guarantee that you will never be offended by messages sent to you. It also cannot guarantee that messages you send will not be read by anyone other than the intended recipients.

3.5 Voice Mail

Appropriate Use

Voice mail users are authorized to use the voice mail system for legitimate business purposes. Such usage includes but is not limited to communication with coworkers, vendors, customers, and other people and organizations engaged in business with CCH. Users are also required to report all incidents referenced in the Receiving Malicious or Offensive Voice Messages section below. Inappropriate use of the voice mail system could result in disciplinary action up to and including termination.

3.5.2 Voice Mail Passwords

The requirements for a voice mail password are as follows:

- The minimum length of a voice mail password is four digits
- The new password must be different from the password being changed
- The new password cannot be the default password

Privacy

All telephone equipment, including the voice mail system and its contents, is the property of the Company. As such, all voice mail messages composed, sent, and/or received on the Company's voice mail systems are and remain the property of the Company. The Company reserves the right to retrieve and document any voice mail message on the company system at any time.

Unless marked as a private message, a voice mail message may be forwarded to any other user on the system by the receiver of the message. For example, if you create and send a voice mail message to mailbox 1234 and do not mark the message private, voice mail user 1234 may forward that message to any other voice mailbox on the system.

Receiving Malicious or Offensive Voice Messages

CCH prohibits the use of malicious and offensive messages. A voice mail user who receives a malicious or offensive voice mail message should first save the message, and then report the incident to her/his supervisor or department head immediately. The supervisor should, in turn, notify your local Human Resources representative and the Director, IT Security & Compliance (Ext ).

3.6 Network Use

Appropriate Use

Employees are authorized to use company network resources, including the Internet, only for legitimate Company purposes. The Company's network resources may not be used for personal business. Inappropriate use of network resources may result in disciplinary action up to and including termination.

Responsibilities

All employees are responsible for the appropriate use of network resources. Each network user is responsible for reading and abiding by the Information Security Policy and the guidelines contained herein. Network users must adhere to computer password standards as defined in the Global Password Standards document.

Privacy

Network resources may be monitored by the Company. Although monitoring is likely to occur infrequently, employees should have no expectation of privacy regarding their communications over the Company's network. Therefore, no documents should contain personally sensitive information, and all documents should be maintained and protected within the guidelines of this handbook.

3.7 Password Security

Difficult-to-Guess Passwords Required; Cyclical Passwords Prohibited

All computer system users must choose passwords that cannot easily be guessed. This means that passwords will NOT be related to the user's job or personal life, e.g., a car license plate number, a spouse's name, or address. Words found in a dictionary should also be avoided. Users may not construct passwords using a basic sequence of characters that is then partially changed based on the date or some other predictable factor. For example, users may not employ passwords like JAN01 in January, FEB02 in February, etc.

Minimum Password Length

All passwords must have at least eight characters.

User-Chosen Passwords Will Not Be Reused

Users may not employ passwords that are identical or substantially similar to passwords that have been employed within the last six months.

Suspected Disclosure Forces Password Changes

The user is responsible for promptly changing any password that he or she suspects or knows has been disclosed to unauthorized parties. The Director, IT Security and Compliance should also be notified immediately in the event of such disclosure.

Password-Sharing Prohibition

Regardless of the circumstances, passwords must never be shared or revealed to anyone. To do so exposes the authorized user to responsibility for any actions a third party takes with the password. If users need to share computer-resident data, they should use electronic mail or public directories on local area network servers, or should contact the Security Administrator for access (with the manager's written approval).

Leaving Sensitive Systems without Logging Off

Users may not leave their workstation or terminal unattended without first logging off or enabling other access controls such as screen locks (Ctrl-Alt-Del). Any exceptions must be pre-approved in writing by the Director, IT Security and Compliance and the Department Director, Vice President, or equivalent member of management.

3.8 Communications Security

Insertion of Computer-Related Contact Numbers in Directories

Information regarding access to CCH computer and communications systems, such as wireless networks SSID and keys, is considered confidential. This information may NOT be posted on social media sites, listed in online directories, placed on business cards, or otherwise made available to third parties without the advance written permission of the appropriate department director.

3.8.2 Leaving Sensitive Information on Answering Services

Employees must refrain from leaving messages containing sensitive information on answering machines or voice mail systems. CCH may monitor any and all electronic communications originated at, received by, or passed through CCH resources.

Telephone Directories That Contain Restricted Information

Internal telephone directories may not be distributed to third parties without the specific authorization of a department manager. Contractors, consultants, temporaries, and other third parties working for CCH may have telephone directories as their jobs require.

3.9 Physical Security

Consistent Protection of Information

Information must be protected in a manner commensurate with its sensitivity, value, and criticality. This policy applies regardless of the media on which information is stored, the locations where the information is stored, the systems used to process the information, and the processes by which information is handled.

- Examples of media for information storage include paper, presentations, CD/DVD and USB thumb drives.
- Examples of locations where information is stored include a headquarters building or a remote location.
- Examples of systems used for information processing include voice mail systems, fax machines, and laptop personal computers.
- Examples of processes used to handle information include the in-house systems development methodology, annual budget preparation procedure, and employee background-checking procedure.

Storage of Sensitive Information When Not in Use

When not being used by authorized employees, all hardcopy sensitive information must be locked in file cabinets, desks, or other secure location. Likewise, when not being used or when not in a clearly visible and attended area, all computer media (CD/DVD and USB thumb drives, etc.) containing sensitive information must be stored in secure locations.

Testing of Access Controls Forbidden

Employees may not attempt to enter restricted areas on the premises of CCH, such as the Data Center, Network Closet, or Operations center, nor break computer network restrictions, such as firewalls and password measures, to which they have not received access authorization.

Approval Needed for Removal of Computer/Communications Equipment

Personal computers, portable computers, modems, printers, and other related information systems equipment may not be taken from CCH premises unless management has first been notified and has given written approval.

4. Managers Information Security Quick Reference Card (See CCH Security Brochure for pull out card)

5. Manager Responsibilities

Managers are responsible for knowing and enforcing all End User Guidelines in addition to Manager Guidelines.

5.1 Personnel Security

Reporting Changes in User Duties to Systems Security Administration

Human Resource Management must promptly report all significant changes in end-user duties or employment status to the Director, Security & Compliance and/or Security & Compliance Administrator(s) for appropriate handling of the access entitlement for User IDs of the affected persons.

Transfer of Information Custodian Duties after Employee Terminations

When an employee leaves a position, both computer-resident files and paper files must promptly be reviewed by his or her immediate manager to determine who should become the custodian of such files and/or which methods should be used for file disposal. Human Resources together with the employee's manager must then promptly reassign the employee's duties as well as specifically delegate responsibility for information formerly in the previous employee's possession.

Responsibility for Taking Action in Response to Employee Terminations

In the event that an employee's (regular or contract) relationship with CCH is terminated, the employee's immediate manager together with Human Resources is responsible for ensuring that all company property in the custody of the employee is returned. This manager must also make sure that administrators handling the computer and communications accounts used by the employee are promptly notified and that all other work-related privileges of the employee are promptly revoked. Notification of all terminations will be communicated to Information Technology via Human Resources.

Information Security Responsibilities in Job Descriptions

Specific information security responsibilities should be incorporated into employee job descriptions for employees who have access to sensitive or controlled information.

Information Security Considered in Employee Performance Evaluations

Compliance with information security policies and procedures should be considered in employee performance evaluations for those employees who have access to CCH information.

5.2 Disaster Recovery Planning

Compliance with Standards Required for Emergency/Disaster Support

Subsidiaries, divisions, departments, and other CCH organizational units must implement hardware and software policies and related procedures to follow in the event of an emergency or a disaster.

Framework for Segmenting Information Resources by Recovery Priority

Management will establish and use a logical framework for segmenting information resources by recovery priority. This will allow the most critical information resources to be recovered first. All departments will use such a framework when preparing information systems contingency plans.

5.2.3 Organization and Maintenance of Computer Emergency Response Team

Management will organize and maintain an in-house computer emergency response team that will provide accelerated problem notifications, damage control, and problem-correction services in the event of computer-related emergencies such as virus infections, data breaches, natural disasters, and the like.

Preparation and Maintenance of Computer Disaster Recovery Plans

Management will prepare, periodically update, and regularly test a disaster recovery plan that will allow critical computer and communications systems to be readily available and to resume processing quickly in the event of an interruption of service due to a major disaster such as a flood, earthquake, or tornado.

Preparation and Maintenance of Business Contingency Plans

Management will prepare, periodically update, and regularly test a business contingency plan. This plan will specify how alternative facilities such as offices, furniture, telephones, and copiers will be provided so that employees can continue operations in the event of either an emergency or a disaster.

Computer and Communications System Contingency Plan Testing

To the extent practical and feasible, computer and communications system contingency plans will be tested at regular intervals to ensure that they are still relevant and effective. After each test, a brief report will be submitted to top management officials detailing the results of the test and any remedial actions to be taken.

5.3 Physical Access Control

Physical Access Control for Areas Containing Sensitive Information

Access to all computer rooms and file servers containing sensitive information will be controlled in such a way that will protect that information.

6. Information Security Policy

6.1 Introduction

Information and information systems are critical CCH assets that provide a significant business benefit to our Company. Accordingly, CCH management has a responsibility to protect and manage our Company's data and information systems. This means that we will take appropriate steps to ensure that data and information systems are properly protected from a variety of threats such as natural disaster, service interruptions, error, fraud, unauthorized changes, and embezzlement. The following is the information protection policy for all the organizations and corporate functions within the Company.

6.2 Purpose

Computing resources are the hardware, software, networks, and data used to conduct the Company's business by employees and by other organizations and individuals authorized to do so. The purpose of this policy is to ensure that the Company's computing resources are protected and commensurate with the value they represent to the Company. This will ensure the confidentiality, availability, and integrity of data while reducing the risk of data loss.

6.3 Scope

This policy encompasses all the Company's computing resources, including interfaces with external systems and networks. All employees, vendors, suppliers, and other authorized individuals are required to observe this policy. This applies to all corporate information systems, facilities, communications, and networks and the information stored and processed on these facilities. Noncompliance with information security policies, standards, or procedures is a serious matter and is grounds for disciplinary action, including termination.

6.4 Responsibilities

All employees are responsible for reading, understanding, and complying with the policies, standards, and guidelines for protecting CCH's information assets. Management is responsible for establishing and maintaining security for data and computing resources within their functional area. Management will, specifically:

- Evaluate and implement adequate controls to secure data and computing resources
- Authorize individuals access to corporate data
- Monitor compliance with this policy

The Information Technology Department is responsible for supporting the corporation in the design, installation, maintenance, training, and use of Information Security controls. In addition, the Information Technology Department will monitor compliance with this policy and consult with each division as needed to ensure protection of the Company's data and computing assets.

6.5 CCH Policy And Requirements

6.6 Overview

CCH will exercise basic Information Security precautions based on sound business judgment, the value of the data being protected, and the risk associated with the protected data. The Company will implement the Information Security precautions in such a way as to:

1. Hold individuals accountable for their use of corporate data
2. Authorize access to data on a need-to-know basis; access will be granted only to that set of data necessary to accomplish authorized endeavors
3. Ensure the timely recovery of data and provide backup processing capabilities in the event of lost data or information system capabilities

6.7 Use Of Company Data, Information Systems, Company Rights, And Security Requirements

1. CCH internal information systems are defined as including the computers, networks, and software and the data that they process. They are the private property of the Company. They shall be used only for business purposes that are in the interest of the Company as authorized by company management. Without specific written exception, all programs, data, files, records, and documentation generated by or provided by employees, consultants, or contractors on the information systems of CCH are the property of CCH.
2. CCH information systems shall be protected commensurate with their value, sensitivity, and criticality. Although complete, constant protection is not feasible, CCH personnel must exercise due diligence and implement reasonable and prudent security measures, such as protecting information systems in a manner that meets legal and contractual requirements. Protection of information should be at least as secure as that of other organizations in the same industry.
3. Security measures shall include safeguards to protect information systems and their data against accidental or intentional unauthorized access, modification, damage, disclosure, corruption, or degradation of service.
4. Security measures shall be employed regardless of the media on which information is stored, the systems that process it, or the methods by which it is moved. CCH may monitor its systems and their data content at any time.
5. The computer and communications system privileges of all users, systems, and programs will be restricted based on the individual's need to know. Privileges will be granted only to those who need specific information for business purposes. Once granted, access privileges that are not used regularly or are no longer required shall be retracted.
6. Management shall conduct periodic reviews of risks to CCH systems and the effectiveness of CCH security measures.
7. Whenever a review of a security incident shows that the security of information systems is insufficient, management will take appropriate remedial action.
8. CCH information (databases, mailing lists, internal software, computer documentation, etc.) may be used only for the business purposes specifically allowed by management in conducting the business of CCH.
Use of these information resources for any other reason will be permitted only after written permission has been granted by the appropriate manager authorized to do so.
9. CCH software, documentation, and all other types of internal information may not be sold or otherwise transferred to any non-company employee for any purposes other than business purposes expressly preauthorized by management.
10. All CCH internal information will be protected from disclosure to third parties. Third parties may be given access to internal company information only when a need to know exists and when such a disclosure has been expressly authorized by CCH management.
11. The utilization of computer programs licensed from third parties will be periodically reviewed by each business unit and/or department to ensure compliance with licensing agreements.

6.8 Employee And Non-Employee Responsibilities

1. A user is any person, whether an employee or not, who uses CCH information systems or their data in any way. Each user has an obligation to protect CCH information systems and to use them only as authorized and only in the interest of the Company. This means that each user must employ appropriate security measures to prevent harm to CCH's interests that might stem from a variety of threats to information systems such as error, fraud, damage, service interruptions, or privacy violations.
2. Users have an obligation to educate themselves about the importance of computer security and the methods they should use to protect company information and assets. Users shall each obtain a copy of the CCH Security Policy Handbook and follow the measures stipulated.
3. All users who have access to company information systems shall be held accountable for the use of such access as defined in CCH's Non-Disclosure Agreement. Users must request access to use CCH information systems and applications by submitting a request to the CCH Service Desk- (CCHServiceDesk@crosscountry.com, or call at / Ext. 7777). Each account (User ID) shall be assigned to a specific individual and, at a minimum, be protected by a password. Users shall keep their passwords secret and change them at appropriate intervals.
4. Users responsible for systems that can accept public or private network connections to CCH systems shall ensure that they are password-protected at a minimum, and follow specific requirements defined in the CCH Security Policy Handbook.
5. Users shall report, through appropriate means, any violations of this policy that they may observe or become aware of.
6. Anyone found in violation of this policy may be subject to disciplinary or legal measures.
7. Employees may not disclose to any persons outside CCH either the information system controls that are in use or the way in which they are implemented.
8. No one shall be granted a User ID or otherwise be given privileges to use CCH computers or communications systems unless the advance written approval of both the requestor's department head and the Director, IT Security & Compliance has been obtained.
9. All computer-resident information, including information on individual hard drives, which is sensitive, critical, or valuable, must be protected through system access controls to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.

6.9 Consequences of Noncompliance

Because data and computer security are critical to the corporate well-being, failure to comply with this policy can have severe consequences for the individuals involved and for the Company. Employees who violate the CCH Acceptable Use Policy will be subject to discipline up to and including termination. In addition, supervisors who reasonably should have detected and reported a violation of this policy may be disciplined. Of course, an employee suspected of such a violation will be afforded an opportunity to explain his or her actions fully before any disciplinary action is taken.

Reporting Procedures

All CCH employees have a duty to report promptly all information security violations and problems to their Local System/Network Administrator, Human Resources, or to the Director, IT Security & Compliance on a timely basis so that immediate remedial action may be taken. Management must promptly report known information security violations to the Director, IT Security and Compliance and Human Resources. If necessary, external authorities will be contacted in conjunction with corporate counsel.

Whenever evidence shows that CCH has been or may have been victimized by a computer or communications crime, a thorough investigation will be performed by the Director, IT Security & Compliance and appropriate Human Resources staff. This investigation will provide sufficient information so that management can take steps to ensure that (1) effective security measures have been re-established so that incidents cannot reasonably take place again, and (2) appropriate disciplinary actions have been taken.

How do I report a possible Information Security or Acceptable Use violation?

1. Contact your Local Human Resources representative as soon as possible
2. Notify your own manager
3. Document the problem and be prepared to cooperate as necessary with the investigation of the possible violation

Any inquiries relating to this Acceptable Use Policy or the application of IT Policies should be referred to Director, IT Security & Compliance.


More information

ICS-ACI Policy Series

ICS-ACI Policy Series ICS-ACI Policy Series This is part of a series of documents that make up the formal policies adopted by the Institute for CyberScience at the Pennsylvania State University. Last Updated: September 5, 2017

More information

Information Security Data Classification Procedure

Information Security Data Classification Procedure Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

POLICY 8200 NETWORK SECURITY

POLICY 8200 NETWORK SECURITY POLICY 8200 NETWORK SECURITY Policy Category: Information Technology Area of Administrative Responsibility: Information Technology Services Board of Trustees Approval Date: April 17, 2018 Effective Date:

More information

Staff Information System Acceptable Use Policy

Staff Information System Acceptable Use Policy Staff Information System Acceptable Use Policy Hing Shung Chan Vice President of Information Technology Information Security Officer Table of Contents I. Definitions II. Rights and Responsibilities III.

More information

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Presented by the Office of Housing Counseling and The Office of the Chief Information Officer Privacy Program

More information

Acceptable Use Policy

Acceptable Use Policy IT and Operations Section 100 Policy # Organizational Functional Area: Policy For: Date Originated: Date Revised: Date Board Approved: Department/Individual Responsible for Maintaining Policy: IT and Operations

More information

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights Secure Messaging Mobile App Privacy Policy Privacy Policy Highlights For ease of review, Everbridge provides these Privacy Policy highlights, which cover certain aspects of our Privacy Policy. Please review

More information

The University of British Columbia Board of Governors

The University of British Columbia Board of Governors The University of British Columbia Board of Governors Policy No.: 118 Approval Date: February 15, 2016 Responsible Executive: University Counsel Title: Safety and Security Cameras Background and Purposes:

More information

ACCEPTABLE USE ISO INFORMATION SECURITY POLICY. Author: Owner: Organisation: Document No: Version No: 1.0 Date: 10 th January 2010

ACCEPTABLE USE ISO INFORMATION SECURITY POLICY. Author: Owner: Organisation: Document No: Version No: 1.0 Date: 10 th January 2010 INFORMATION SECURITY POLICY EMAIL ACCEPTABLE USE ISO 27002 7.1.3 Author: Owner: Organisation: Document No: Chris Stone Ruskwig TruePersona Ltd SP-7.1.3 No: 1.0 Date: 10 th January 2010 Copyright Ruskwig

More information

Draft. Policies of Colorado State University University Policy. Category: Information Technology

Draft. Policies of Colorado State University University Policy. Category: Information Technology Policies of Colorado State University University Policy Policy Title: Acceptable Use for Computing and Networking Resources Category: Information Technology Owner: Vice President for Information Technology

More information

EMPLOYEE USE OF TECHNOLOGY AGREEMENT

EMPLOYEE USE OF TECHNOLOGY AGREEMENT 2000--ADMINISTRATION 2600--OFFICE TECHNOLOGY EMPLOYEE USE OF TECHNOLOGY AR 2620 Page 1 of 10 EMPLOYEE USE OF TECHNOLOGY AGREEMENT Revised: 4/01/02, 5/24/04, 2/10/10 Superintendent of Schools Page 2 of

More information

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY 2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY Purpose: The purpose of this policy is to provide instruction and information to staff, auditors, consultants, contractors and tenants on

More information

Internet, , and Computer Usage Policy

Internet,  , and Computer Usage Policy Important disclaimer: The policy available on this page is only an example and is furnished merely as an illustration of its category. It is not meant to be taken and used without consultation with a licensed

More information

Each member of the St. Margaret s Community has the privilege to access Google Apps provided by the school s network

Each member of the St. Margaret s Community has the privilege to access Google Apps  provided by the school s network NETWORK APPROPRIATE USE AGREEMENT 2018-2019 We are pleased to offer students of St. Margaret s School access to our computer network for electronic mail and the Internet. To gain access to e-mail and the

More information

COMPUTER & INFORMATION TECHNOLOGY CENTER. Information Transfer Policy

COMPUTER & INFORMATION TECHNOLOGY CENTER. Information Transfer Policy COMPUTER & INFORMATION TECHNOLOGY CENTER Information Transfer Policy Document Controls This document is reviewed every six months Document Reference Document Title Document Owner ISO 27001:2013 reference

More information

Baseline Information Security and Privacy Requirements for Suppliers

Baseline Information Security and Privacy Requirements for Suppliers Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.

More information

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy Policy Title: Effective Date: Revision Date: Approval(s): LASO: CSO: Agency Head: Allowed Personally Owned Device Policy Every 2 years or as needed Purpose: A personally owned information system or device

More information

UWTSD Group Data Protection Policy

UWTSD Group Data Protection Policy UWTSD Group Data Protection Policy Contents Clause Page 1. Policy statement... 1 2. About this policy... 1 3. Definition of data protection terms... 1 4. Data protection principles..3 5. Fair and lawful

More information

Electronic Communication of Personal Health Information

Electronic Communication of Personal Health Information Electronic Communication of Personal Health Information A presentation to the Porcupine Health Unit (Timmins, Ontario) May 11 th, 2017 Nicole Minutti, Health Policy Analyst Agenda 1. Protecting Privacy

More information

Wireless Communication Device Policy Policy No September 2, Standard. Practice

Wireless Communication Device Policy Policy No September 2, Standard. Practice Standard This establishes the business need and use of cellular phones (hereinafter referred to as wireless communication devices ) as an effective means of conducting City of Richland business, and to

More information

Louisiana State University System

Louisiana State University System Louisiana State University System PM-36: Attachment 1 TABLE OF CONTENTS AND CHAPTERS 1-12 SECTION PAGE I. Chapter 1 -Securing Systems, Hardware, Software and Peripherals...6 A. Subunit 1 -Purchasing and

More information

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement BCN TELECOM, INC. ( BCN" or "Company") has established practices and procedures adequate to ensure compliance

More information

HPE DATA PRIVACY AND SECURITY

HPE DATA PRIVACY AND SECURITY ARUBA, a Hewlett Packard Enterprise company, product services ( Services ) This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection

More information

Enterprise Income Verification (EIV) System User Access Authorization Form

Enterprise Income Verification (EIV) System User Access Authorization Form Enterprise Income Verification (EIV) System User Access Authorization Form Date of Request: (Please Print or Type) PART I. ACCESS AUTHORIZATION * All required information must be provided in order to be

More information

Information Security Management Criteria for Our Business Partners

Information Security Management Criteria for Our Business Partners Information Security Management Criteria for Our Business Partners Ver. 2.1 April 1, 2016 Global Procurement Company Information Security Enhancement Department Panasonic Corporation 1 Table of Contents

More information

Records Retention Policy

Records Retention Policy June 21, 2017 Table of Contents 1 Introduction...3 1.1 Purpose...3 1.2 Scope...3 1.3 Review Cycle...3 1.4 Document Owner...3 1.5 Definitions...3 2 Policy...4 2.1 Records and Record Storage...4 2.2 Applicable

More information

Internet, , Social Networking, Mobile Device, and Electronic Communication Policy

Internet,  , Social Networking, Mobile Device, and Electronic Communication Policy TABLE OF CONTENTS Internet, Email, Social Networking, Mobile Device, and... 2 Risks and Costs Associated with Email, Social Networking, Electronic Communication, and Mobile Devices... 2 Appropriate use

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

Digital Computing Asset Management

Digital Computing Asset Management Document title: Digital Computing Asset Management Approval date: Purpose of document: This document is to keep the AUC community aware of the existence of security requirements to protect the digital

More information

Information Technology Cyber Security Policy. Convergint Technologies, LLC

Information Technology Cyber Security Policy. Convergint Technologies, LLC Information Technology Cyber Security Policy Convergint Technologies, LLC September 2015 Convergint Technologies, LLC POLICY MANUAL Subject: CYBER SECURITY POLICY Approved: Tom Schmitt Effective Date:

More information

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016 Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

NMHC HIPAA Security Training Version

NMHC HIPAA Security Training Version NMHC HIPAA Security Training 2017 Version HIPAA Data Security HIPAA Data Security is intended to provide the technical controls to ensure electronic Protected Health Information (PHI) is kept secure and

More information

PURPOSE: To establish policies and procedures for the use of University-owned and -operated information technology resources.

PURPOSE: To establish policies and procedures for the use of University-owned and -operated information technology resources. MERCER UNIVERSITY SECTION: Policies and Procedures Manual SUBJECT: INFORMATION TECHNOLOGY ACCESS AND USE POLICY EFFECTIVE: January 1, 2004 PURPOSE: To establish policies and procedures for the use of University-owned

More information

Physical and Environmental Security Standards

Physical and Environmental Security Standards Physical and Environmental Security Standards Table of Contents 1. SECURE AREAS... 2 1.1 PHYSICAL SECURITY PERIMETER... 2 1.2 PHYSICAL ENTRY CONTROLS... 3 1.3 SECURING OFFICES, ROOMS AND FACILITIES...

More information

PUPIL ICT ACCEPTABLE USE POLICY

PUPIL ICT ACCEPTABLE USE POLICY PUPIL ICT ACCEPTABLE USE POLICY Document control This document has been approved for operation within: All Trust Schools Date of last review August 2018 Date of next review August 2020 Review period Status

More information