Avecia Extranet
Avecia Code of Conduct - Extranet Usage Policy
The effective operation of Avecia's business depends upon the use of a wide variety of information, much of which is stored or processed in electronic systems. It is Avecia policy to ensure the integrity, confidentiality and availability of this information and to take such action as is necessary to ensure the security of associated systems, computer hardware and telecommunications networks against loss or misuse. In addition, it is Avecia policy to comply with external laws and regulations as they apply.
User Responsibilities
All users of electronic systems have a personal responsibility for protecting information and systems, and must at all times comply with the information classification and security systems laid down. Users of Avecia’s Extranet will be given formal access to the systems and information which they require to perform their jobs, and must only attempt to access those systems/information for which they have been authorised.
No user shall misuse Avecia’s computer resources for whatever reason. Any attempt to break security which comes to the attention of a user of Avecia’s Extranet, must be reported immediately to their Avecia Representative, supervisor (or line manager).
In the sections which follow, instructions are displayed to which all users must adhere. Unauthorised access to a computer or tampering with computer systems are extremely serious industrial offences and criminal offences in many countries. Failure to comply with this Code of Conduct may lead to appropriate action.
Further information and copies of relevant documents may be obtained from your Avecia representative, or local IT Security Manager.
1. Authorisation
No user shall, without permission, pass Avecia information or information belonging to a 3rd party to another person unless they are sure of their right to receive it.
Users may use only those systems and information sources for which they are authorised. No attempt must be made to access other systems or databases without such authority.
Technical support staff will not access facilities or services on the network without authority. If such staff are given access to the network, they must exercise due care and attention and restrict their activities to testing and fault finding.
2. Staff Movements
Users who have access to Avecia’s Extranet will require their access privileges to be amended when they change roles or employer. Users should notify appropriate contacts of any changes.
3. Information Classification and Handling
Information must be categorised as Unclassified, Confidential, Company Secret or Personnel Confidential and handled in accordance with the rules laid down in Avecia’s "Security of Information" guidelines available on request from your Avecia contact or local Avecia IT Security Manager.
Users who, in the course of their work, become privy to information to which access is not authorised should treat it as confidential.
Users discovering such information on computer systems, databases, text systems or speech networks or in the monitoring of telecommunication lines, should under no circumstances repeat this to anyone nor take a copy of it for retention, other than as part of established procedures for the management of the service.
Floppy disks, CDs, hard-copy prints or any other media likely to hold classified information must be properly safeguarded by being locked away when not in actual use, and must not be transferred to similar media being the property of any other person unless such transfer is properly authorised.
Information assets contained in the form of disks or tapes must not be removed from the site unless prior permission has been obtained from the designated owner. Hard-copy prints removed for the purposes of working at home or elsewhere in the course of business must be safeguarded and returned to the normal place of work for storage or destruction.
Information held on computer network drives or on personal computers with 'hard' disks is particularly at risk. Any information which is classed as Company Secret should be held in encrypted form on 'hard' disks, or alternatively stored only on removable media (CD or ‘floppy’ disk) and the media stored securely. Repairs to (or disposal of) faulty disks should only be carried out via the authorised channels, and care must be taken when such equipment is being replaced or transferred to other users that all confidential information has been removed from it.
Information on printed material or other media such as CDs must be disposed of according to laid down procedures (see "Security of Information" guidelines, available form your Avecia contact or your local Avecia IT Security Manager). Confidential output must be clearly marked for shredding or incineration. Disposable parts of printers may contain visible information and must be suitably destroyed.
4. Electronically transmitted information
Company secret information may only be transmitted electronically via Office Systems under secure procedures.
Dial-up access to Avecia's computer systems is covered by the IT Security Standards a copy of which may be obtained from your Avecia contact or your local Avecia IT Security Manager. Any Avecia telephone numbers used for dial-up over the public network should not be made freely available.
5. Personal Data
Users are reminded that information relating to identified or identifiable individuals may be subject to Data Protection legislation, which is being standardised across the Europe and elsewhere. Users whose work involves the use of personal information must ensure that they and everyone to whom they provide data know of the obligations imposed on the storage, handling and transmission of such information.
Guidance on the UK Data Protection Act is contained in a document called Personal Data Protection which is available from your Avecia representative or local Avecia IT Security Manager.
6. Passwords and Personal Identification
Users who require access to Avecia’s computer systems/information will be issued with a logon ID and/or other personal identification device after appropriate authorisation and registration. Passwords and user IDs will be provided to non Avecia users of the Extranet system by telephone. Users are personally accountable for all computer systems access carried out using their logon ID.
Personal Passwords or any other form of personal identification code or device must remain the sole property of the individual and must not be revealed, lent to or shared with others. In particular passwords should not be written down, displayed on computers or stored in clear (i.e., in a legible format) on electronic media. Users are responsible for changing their passwords on a regular basis (normally once a month) or when it is suspected that the password has been revealed to another person. When choosing a password users are reminded that to maximise effectiveness they must avoid using obvious passwords such as initials, family names, etc.
Should it become necessary for users to be given an access code and password to test out a system, they should only be used for this purpose and with the permission of the user. Following such use, users should be reminded to change their passwords to avoid any unauthorised access.
No users should attempt to obtain or use passwords or access privileges belonging to other people.
The use of group passwords and non-personal logon IDs is permissible in approved circumstances. Incorrect use of passwords, logon IDs, etc. should be reported immediately by users to the appropriate contact.
The loss of a personal identification device, if supplied, must be reported immediately.
7. System Security
Users must conform to the security procedures laid down for any system they are authorised to use and must familiarise themselves with those rules at the outset.
8. Software Programs and Data Transfer
Personal or work-related software programs must not be inserted into Avecia’s computing facilities without prior authorisation unless the system for which the user is authorised specifically provides this facility.
No data processed locally on workstations must be transferred into Avecia’s computer resources (Extranet, etc.) unless such transfer is conducted in strict accordance with the system rules laid down here or elsewhere (other documentation, if available).
Users are expected to safeguard any data copied onto local workstations from other Avecia sources, such copying being subject to proper authority having been obtained from the data owner. Similar safeguards must be taken with respect to hard copies of such data produced on local printing devices.
It is illegal and expressly forbidden to copy commercial software packages subject to copyright restrictions, or to use in any way "unauthorised or pirated" software via Avecia’s Extranet.
See the document entitled "Downloading Software from the Internet" for further information.
9. Office/Workplace Security
Computer screens should be sited such that they cannot be overlooked by unauthorised personnel. Confidential information should not be left displayed on screens.
It is the responsibility of each user to ensure that when the workplace is left unattended the computing device (PC, printer - attached or not to Avecia’s communications network) is effectively secured by taking one or more of the following precautions:-
- by locking the office
- by invoking password protection at ‘screen saver’ level
- by locking the computing device
- by logging-off to the level before password entry
- by locking the computing session and by logging off.
Security devices of whatever type must not be left casually available to an unauthorised user.
10. Network Connection
No equipment or software of any description must be connected to the Extranet for the purposes of use in conjunction with other computer resources without permission.
Connection to external computer networks (e.g., Extranet) must only be carried out through approved connection points. Passwords used when logging into
Avecia environments must be different to passwords used to log into other systems. |
