ITS – Appropriate Use

Policy 5001
Information Technology Appropriate Use Policy

Policy Sections

5001.1 Appropriate use of IT Systems

5001.2 Conditions for Company Access

5001.3 Policy Development

Scope

This Policy applies to all Users of IT Systems, including but not limited to Company employees, contractors, and volunteers. It applies to the use of all IT Systems. These include systems, networks, and facilities administered by ITS.

Use of IT Systems, even when carried out on a privately owned computer or other device that is not owned, managed or maintained by Maxwell Group, Inc., is governed by this Policy.

Policy Statement

The purpose of this Policy is to ensure an information technology infrastructure that promotes the basic missions of the Company. In particular, this Policy aims to promote the following goals:

• To ensure the integrity, reliability, availability, and optimal performance of IT Systems and Data;
• To ensure that use of IT Systems is consistent with the principles and values that govern use of other Company facilities and services;
• To ensure that IT Systems  and Data are used for their intended purposes; and
• To establish processes for addressing policy violations and sanctions for violators.

Reason for the Policy

Information technology (“IT”) is used daily to create, access, examine, store, and distribute material in multiple media and formats. Information technology plays an integral part in the fulfillment of Maxwell Group, Inc.’s management, administrative, clinical, and other roles. Users of Maxwell Group, Inc.’s IT resources have a responsibility not to abuse those resources and to respect the rights of the members of the community as well as the Company itself. This Maxwell Group, Inc. IT Appropriate Use Policy (the “Policy” or “AUP”) provides guidelines for the appropriate use of Maxwell Group, Inc.’s IT resources as well as for the Company’s access to information and oversight of these resources.

This Policy addresses circumstances that are particular to the IT arena and is intended to augment but not to supersede other relevant Company policies.

For statements of other applicable Company policies, consult the Employee Handbook as well as policy and procedure manuals/statements issued by individual Company departments. The policies of Maxwell Group, Inc.’s Department of Information Technology Services (“ITS”) govern the use of Maxwell Group, Inc. IT Systems, and individual departments and facilities Maxwell Group, Inc. manages.

Definitions

IT Systems: These are the servers, personal computing devices, applications, printers, networks (virtual, wired and wireless), online and offline storage media and related equipment, software, and data files that are owned, managed, or maintained by Maxwell Group, Inc.. For example, IT Systems include corporate and departmental information systems, computer workstations and laptops, the Company’s network, and computer clusters.

User: A “User” is any person, whether authorized or not, who makes any use of any IT System from any location.

Systems Authority: While Maxwell Group, Inc. is the legal owner or operator of all IT Systems, it delegates oversight of particular systems to the head of specific departments, or office of the Company (“Systems Authority”).

Systems Administrator: Systems Authorities may designate another person as “Systems Administrator” to manage the particular system assigned to him or her. Systems Administrators oversee the day-to-day operation of the system and are authorized to determine who is permitted access to particular IT resources.

Certifying Authority: This is the Systems Administrator or other Company authority who certifies the appropriateness of an official Company document for electronic publication in the course of Company business.

Specific Authorization: This means documented permission provided by the applicable Systems Administrator.

Policy Sections

5001.1 Appropriate use of IT Systems

Although this Policy sets forth the general parameters of appropriate use of IT Systems, employees, contractors, and volunteers should consult company or departmental governing policies for more detailed statements on permitted use for their various roles within the company. In the event of conflict between IT policies, this Appropriate Use Policy will prevail.

A. Appropriate Use

IT Systems may be used only for their authorized purposes — that is, to support the management, administrative, clinical, and other functions of Maxwell Group, Inc. The particular purposes of any IT System as well as the nature and scope of authorized, incidental personal use may vary according to the duties and responsibilities of the User. Appropriate use restrictions extend to Users connecting to Maxwell Group, Inc. IT Systems with devices not owned by Maxwell Group, Inc.

B. Authorization

Users are entitled to access only those elements of IT Systems that are consistent with their Specific Authorization. Upon request by a Systems Administrator or other Company authority, Users must produce valid Company identification.

C. Specific Exclusions on Use

The following categories of use are inappropriate and prohibited:

1)      Use that impedes, interferes with, impairs, or otherwise causes harm to the activities of others.

i.      Users must not deny or interfere with or attempt to deny or interfere with service to other Users in any way. Knowing or reckless distribution of unwanted mail or other unwanted messages is prohibited. Other behavior that may cause excessive network traffic or computing load is also prohibited.

2)    Harassing or threatening use.

i.    This category includes, for example, display of offensive, sexual material in the workplace and repeated unwelcome contacts with another.

3)              Use damaging the integrity of Company IT Systems or non-Maxwell Group, Inc. systems.

i.      This category includes, but is not limited to, the following activities:

a)      Attempts to defeat system security.

b)       Unauthorized access or use. The Company recognizes the importance of preserving the privacy of Users and data stored in IT systems. Users must honor this principle by neither seeking to obtain unauthorized access to IT Systems, nor permitting or assisting any others in doing the same. For example, a non-Maxwell Group, Inc. organization or individual may not use non-public IT Systems without specific authorization; Users are prohibited from accessing or attempting to access data on IT Systems that they are not authorized to access; Users must not make or attempt to make any deliberate, unauthorized changes to data on an IT System; and Users must not intercept or attempt to intercept or access data communications not intended for them.

c)      Disguised or impersonated use.

d)       Distributing computer viruses or malicious code.

e)         Unauthorized modification or removal of data or equipment.

4)      Use in violation of law.

i.      This includes, but is not limited to, fraud, threats, and harassment.

5)      Use in violation of Company contracts.

i.      All use of IT Systems must be consistent with the Company’s contractual obligations, including limitations defined in software and other licensing agreements;

6)      Use in violation of Company policy.

7)      Use in violation of external data network policies.

D. Personal Account Responsibility

With the guidance from the Information Technology Services Office, users are responsible for adhering to and maintaining the security of their own IT Systems accounts and passwords and may not share passwords without the authorization of the System Administrator. Access and passwords must conform with guidelines published at  http://its.maxwell-group.com/forms-and-policies/policies/its-passwords/. Users are presumed to be responsible for any activity carried out under their IT Systems accounts.

E. Responsibility for Content

Official Company information may be published in a variety of electronic forms. The user who publishes content is ultimately responsible for the content.

Neither Maxwell Group, Inc. nor individual Systems Administrators can screen such privately published material nor can they ensure its accuracy or assume any responsibility for its content.

5002.2 Conditions for Company Access

The Company places a high value on privacy and recognizes its critical importance in the management setting. There are nonetheless circumstances in which, following carefully prescribed processes, the Company may determine that other considerations outweigh the value of a User’s expectation of privacy and warrant Company access to relevant IT Systems without the consent of the User. Those circumstances are discussed below, together with the procedural safeguards established to ensure access is gained only when appropriate.

A. Conditions

In accordance with state and federal law, the Company may access all aspects of Maxwell Group. Inc.’s IT Systems (including devices not owned by Maxwell Group. Inc. but connected to Maxwell Group. Inc. IT Systems) without the consent of the User, in the following circumstances:

Consistent with the privacy interests of Users, Company access without the consent of the User pursuant to 5001.2 A (1) through (6) will occur only with the approval of the CEO and/or CIO, or their respective delegates, except when emergency access is necessary to preserve the integrity of the company or to preserve public health and safety. The Company, through the Systems Administrators, will log all instances of access without consent pursuant to 5001.2 A (1) through (5). Systems Administrators will also log any emergency access within their control for subsequent review by the appropriate Company authority. A User will be notified of Company access to relevant IT Systems without consent pursuant to 5001.2 A (1) through (4). Depending on the circumstances, such notification will occur before, during, or after the access, at the Company’s discretion. In the case of a former staff member, access without consent pursuant to 5001.2 A (6) may also be approved by one of the former staff member’s supervisors or their successors and no logging or notice is required.

C. User access deactivations

In addition to accessing IT Systems, the Company, through the appropriate Systems Administrator, may deactivate a User’s IT privileges, whether or not the User is suspected of any violation of this Policy, when necessary to preserve the integrity of the company, user services, or data. The Systems Administrator will attempt to notify the User of any such action.

D. Use of security scanning systems

By attaching privately owned personal computers or other IT resources to the Company’s network, Users consent to Company use of scanning programs for security purposes on those resources while attached to the network.

E. Logs

Most IT systems routinely log user actions in order to facilitate recovery from system malfunctions and for other management purposes. All Systems Administrators are required to establish and post policies and procedures concerning logging of User actions, including the extent of individually-identifiable data collection, data security, and data retention.

5001.3 Policy Development

This Policy may be periodically reviewed and modified by the CIO, who may consult with relevant Company executives, committees, and employees.

Contacts

Subject                                                                 Contact                                        Phone

Information Technology Services                    Chief Information Officer            (704) 246-1606