Acceptable Use Policy
Contents
Introduction
Purpose
Scope
Who this policy applies to
Acceptable use principles
1. General principles
2. User IDs and passwords
3. Managing and protecting information
4. Personal use of Heyllo IT
5. Email/fax/voice communication
6. Websites and Social Media
7. Devices, systems and networks
8. Physical Security
9. Compliance
Introduction
Information technology resources, such as PCs, laptops, tablet devices and smart phones, offer new and exciting ways of working and engaging with our Colleagues, Learners, Candidates and Clients. However, we must also be aware that improper use can impact us, our Colleagues, Learners, Candidates and Clients and Heyllo’s reputation. This Acceptable Use Policy (AUP) aims to protect all users of Heyllo equipment and minimise such risks by providing clarity on the behaviours expected and required by Heyllo and the consequences of breaching the AUP. It sets a framework within which to conduct Heyllo’s business and explains how we can achieve compliance and evaluation of new business and technology requirements. This policy is effective from 15 September 2021.
Purpose
To ensure that users understand their responsibility for the appropriate use of Heyllo’s information technology resources. Understanding this will help users to protect themselves and Heyllo’s equipment, information and reputation.
Scope
All Heyllo equipment and information (all information systems, hardware, software and channels of communication, including voice telephony, social media, video, email, instant messaging, internet and CRM). Users’ personal information that is processed by Heyllo equipment is also subject to this policy.
Who this policy applies to:
All Heyllo Employees, Agents, Contractors, Consultants, Business partners, Learners, Candidates and Clients (referred to in this document as ‘users’) with access to Heyllo’s information and information systems.
Acceptable use principles
1. General principles
Users will:
1.1 Confirm prior to use of Heyllo equipment or information that they agree to this AUP and understand that breaching this policy may result in disciplinary procedures.
1.2 Be responsible for their own actions and act responsibly and professionally, following the Heyllo Standards of Behaviour and respecting fellow users.
1.3 Use information, systems and equipment in line with Heyllo security and Information Management policies.
1.4 Immediately report any breach of this Acceptable Use Policy to their line manager and comply with official procedures when a breach of the policy is suspected or reported.
1.5 Never undertake illegal activity, or any activity that would be harmful to Heyllo’s reputation or jeopardise user or commercial data, on Heyllo technology.
1.6 Understand that both business and personal use will be monitored as appropriate.
1.7 Be aware that they can raise a concern if it is believed that someone is misusing Heyllo information or electronic equipment.
1.8 Undertake education and awareness on security and using Heyllo information and technology, in order to be able to understand, recognise, and report threats, risks and incidents.
2. User IDs and passwords
Users will:
2.1 Protect user names and passwords appropriately.
2.2 Create secure passwords following best practice guidance.
2.3 Not log on to any Heyllo systems using another user’s credentials.
2.4 Remove their network access and/or lock the screen when temporarily leaving devices that are in use.
3. Managing and protecting information
Users will:
3.1 Understand that they and Heyllo have a legal responsibility to protect personal and sensitive information.
3.2 Ensure that all information is created, used, shared and disposed of in line with business need and in compliance with the GDPR 2021 policy.
3.3 Not attempt to access personal data unless there is a valid business need that is appropriate to their job role.
3.4 Comply with Managing HR records in respect of handling employee information.
3.5 Not provide information in response to callers or e-mails whose identity they cannot verify.
3.6 Be careful not to be overheard or overlooked in public areas when conducting Heyllo business.
3.7 Apply Heyllo security protocols in public spaces.
3.8 Not attempt to access, amend, damage, delete or disseminate another person’s files, emails, communications or data without the appropriate authority.
3.9 Not attempt to compromise or gain unauthorised access to Heyllo IT, telephony or content, or prevent legitimate access to it.
3.10 Comply with the Heyllo Code of Conduct in managing Heyllo information.
4. Personal use of Heyllo IT
Users will:
4.1 Understand that they are personally accountable for what they do online and with Heyllo technology.
4.2 Personal use of IT resources is permitted in an employee’s own time when not on official duty.
4.3 Ensure that any personal information stored is appropriate i.e. legal, appropriate and compliant with this policy.
4.4 Understand that the ability to store personal information on Heyllo owned devices and systems is a privilege and Heyllo has a right to require the data is removed should this data interfere with business activity or use.
4.5 Ensure activities do not damage the reputation of Heyllo, its employees, Learners, Candidates and Clients, including accessing, storing, transmitting or distributing links to material that:
- Could embarrass or compromise Heyllo in any way;
- Is obtained in violation of copyright or used in breach of a licence agreement;
- Can be reasonably considered as harassment of, or insulting to, others;
- Is offensive, indecent or obscene, including abusive images and literature.
- Trade or canvass support for any organisation on official premises, whether it is for personal gain from any type of transaction or on behalf of external bodies.
- Send messages or material that solicit or promote religious, political or other non-business related causes, unless authorised by Heyllo.
- Provide unauthorised views or commitments that could appear to be on behalf of Heyllo.
- Use any type of applications and/or devices to circumvent management or security controls.
- Download software onto Heyllo devices with the exception of Heyllo supplied tablet devices and smart phones where permitted from an official source and appropriately licensed. This software must not compromise the performance or security of the device.
- Download music, video or other media-related files for non-business purposes or store such files on network drives.
5. Email/fax/voice communication
Users will:
5.1 Comply with Heyllo’s email policies.
5.2 Only use appropriate language in messages, emails, faxes and recordings. Threatening, derogatory, abusive, indecent, obscene, racist, sexist or otherwise offensive content will not be tolerated.
5.3 Not engage in mass transmission of unsolicited emails (SPAM).
5.4 Not alter the content of a third party’s message when forwarding it unless authorised.
5.5 Not try to assume the identity of another user or create or send material designed to mislead people about who originated or authorised it (e.g. through misuse of scanned signatures).
5.6 Be vigilant to phishing emails and know how to spot and report suspicious emails.
5.7 Employees and contractors must not use their Heyllo email address for personal use. Only use your Heyllo email address for Heyllo business related activities and linked organisational activity. All employees must use their personal email address for personal activities including purchasing and selling of goods, internet banking and any other personal activity; failure to comply may lead to disciplinary action.
6. Websites and Social Media
Users will:
6.1 Only access appropriate content using Heyllo technology and not intentionally visit sites or news groups that are obscene, indecent or advocate illegal activity, as described in the blocked categories list.
6.2 Report any access to a site that should be blocked by our web filters to their line manager and the Security Advice Centre.
6.3 Contact [email protected] with requests to block/unblock a website and do not attempt to bypass Heyllo web filters.
6.4 Use social media appropriately by making themselves aware of the Social Media Policy and guidelines.
6.5 Not put Heyllo information, including anything that is sensitive or personal, onto online forums, blogs or social networking sites.
6.6 Only use approved Heyllo social media accounts for official business and where appropriate, use Heyllo branding and a professional image or persona on such accounts.
6.7 Be aware that their social media content may be available for anyone to see, indexed by Google and archived for posterity.
7. Devices, systems and networks
7.1 Only use systems, applications, software and devices which are approved, procured and configuration managed by Heyllo when undertaking official business, and apply Heyllo standards and guidance in their use.
7.2 Only use approved Heyllo devices connected to Heyllo network(s), including approved USBs, when undertaking official business.
7.3 Not connect Heyllo or personal mobile devices by USB cable to any device connected to the Department’s infrastructure, for the purpose of uploading/downloading files or charging.
7.4 Heyllo permits connecting Heyllo devices, laptops etc., by WiFi (or Ethernet) to the internet to connect back to the department from anywhere, e.g. home or a hotel. However, Heyllo devices must not be connected to the internet via Captive Portals, for security reasons.
7.5 Heyllo permits wirelessly connecting a Heyllo Device to a Heyllo, or personal, mobile phone via a personal hotspot for the purpose of acquiring an internet connection (tethering) for work purposes. Tethering a personal mobile phone is permissible but Heyllo cannot be held liable for this use of a personal mobile phone including any data charges, and so any use of a personal phone for this purpose is the individual’s choice.
7.6 Ensure no official information is stored on devices without Heyllo security controls.
7.7 Do not use any personal wallpapers or screensavers.
7.8 Raise all software requests through Software Asset Management.
7.9 Seek exceptions to security policies by applying for an Exception.
7.10 Heyllo users travelling outside the UK on official business and wishing to take Heyllo devices with them must contact the Personnel Security Team before they travel. Heyllo devices, including smart phones, must only be taken outside the UK when required for official business and approved by Personnel Security. Heyllo may prohibit the carrying and use of Heyllo devices in certain countries.
7.11 Users are required to contact the Personnel Security team before travelling to certain countries, whether this is on official business or for a personal visit. Users should check the Travel Abroad: Staff Advice and Notification intranet page to check whether this includes the country they are visiting.
8. Physical Security
Users will:
8.1 Be responsible for keeping all portable devices assigned to them safe and secure and immediately report any loss or damage of their equipment to their line manager and the Security Advice Centre.
8.2 Protect Heyllo equipment appropriately when travelling, e.g.
- Laptops must always be carried as hand luggage.
- Never leave a portable device in sight in parked vehicles.
8.3 Return all Heyllo equipment when leaving Heyllo. Line Managers must complete all appropriate exit procedures with leavers.
9. Compliance
9.1 If for any reason users are unable to comply with this policy or require use of technology which is outside its scope, this should be discussed with their line manager in the first instance and then the Security Advice Centre who can provide advice on escalation/exception routes.
9.2 All requests to use new software not currently approved by Heyllo must be subject to line manager agreement.
9.3 Line managers are responsible for ensuring that users understand their responsibilities and consequences as defined in this policy and continue to meet its requirements for the duration of their employment with Heyllo. They are also responsible for monitoring employees’ ability to perform assigned security responsibilities. However, this does not remove responsibility from employees; they are responsible for ensuring that they too understand their responsibilities as defined in this policy and continue to meet the requirements. It is a line manager’s responsibility to take appropriate action if individuals fail to comply with this policy.
9.4 Heyllo actively monitors employee and contractor personal use of IT and equipment to ensure everyone is complying with this policy (AUP) and the Heyllo Social Media Policy. Monitoring complies with and respects the privacy rights of all employees as outlined in the Heyllo Employee Privacy Notice. The consequences of failing to comply with the personal use limitations of Heyllo IT and equipment are serious and attract disciplinary penalties up to and including dismissal.
9.5 Breaching this policy may result in disciplinary procedures (including criminal prosecution) which could lead to dismissal.
9.6 Heyllo’s Security and Resilience team will regularly assess for compliance with this policy. Heyllo Collaboration Services will use software filters to block access to some online websites and services in order to support compliance.
Revision
Heyllo! reserves the right to revise the Terms at any time.