
Information Security Policies, Part 1: Acceptable Use Policy

This is the set of information security policies of a large overseas enterprise. It covers every aspect of enterprise information security in several dozen policies, which I will translate and organize one by one. This is the first: the Acceptable Use Policy.

Reposting is welcome, but please credit the source and the translator. Please do not use it for commercial purposes.

Original text:

InfoSec Acceptable Use Policy

1.0 Overview

InfoSec's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to <Company Name>'s established culture of openness, trust and integrity. InfoSec is committed to protecting <Company Name>'s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of <Company Name>. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies for further details.

Effective security is a team effort involving the participation and support of every <Company Name> employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at <Company Name>. These rules are in place to protect the employee and <Company Name>. Inappropriate use exposes <Company Name> to risks including virus attacks, compromise of network systems and services, and legal issues.

3.0 Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at <Company Name>, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by <Company Name>.

4.0 Policy

4.1 General Use and Ownership

  1. While <Company Name>'s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of <Company Name>. Because of the need to protect <Company Name>'s network, management cannot guarantee the confidentiality of information stored on any network device belonging to <Company Name>.
  2. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.
  3. InfoSec recommends that any information that users consider sensitive or vulnerable be encrypted. For guidelines on information classification, see InfoSec's Information Sensitivity Policy. For guidelines on encrypting email and documents, go to InfoSec's Awareness Initiative.
  4. For security and network maintenance purposes, authorized individuals within <Company Name> may monitor equipment, systems and network traffic at any time, per InfoSec's Audit Policy.
  5. <Company Name> reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4.2 Security and Proprietary Information

  1. The user interface for information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information.
  2. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System-level passwords should be changed quarterly; user-level passwords should be changed every six months.
  3. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (control-alt-delete for Win2K users) when the host will be unattended.
  4. Use encryption of information in compliance with InfoSec's Acceptable Encryption Use policy.
  5. Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the “Laptop Security Tips”.
  6. Postings by employees from a <Company Name> email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of <Company Name>, unless posting is in the course of business duties.
  7. All hosts used by the employee that are connected to the <Company Name> Internet/Intranet/Extranet, whether owned by the employee or <Company Name>, shall be continually executing approved virus-scanning software with a current virus database, unless overridden by departmental or group policy.
  8. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

4.3 Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services). Under no circumstances is an employee of <Company Name> authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing <Company Name>-owned resources.

The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

  1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by <Company Name>.
  2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which <Company Name> or the end user does not have an active license is strictly prohibited.
  3. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
  4. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
  5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
  6. Using a <Company Name> computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
  7. Making fraudulent offers of products, items, or services originating from any <Company Name> account.
  8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
  9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  10. Port scanning or security scanning is expressly prohibited unless prior notification to InfoSec is made.
  11. Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
  12. Circumventing user authentication or security of any host, network or account.
  13. Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
  14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
  15. Providing information about, or lists of, <Company Name> employees to parties outside <Company Name>.

Email and Communications Activities

  1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
  2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
  3. Unauthorized use, or forging, of email header information.
  4. Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
  5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
  6. Use of unsolicited email originating from within <Company Name>'s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by <Company Name> or connected via <Company Name>'s network.
  7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6.0 Definitions

Term    Definition
Spam    Unauthorized and/or unsolicited electronic mass mailings.

7.0 Revision History

Translation:

Information Security Acceptable Use Policy

1.0 Overview

The purpose of publishing the Information Security Acceptable Use Policy is not to impose restrictions that run contrary to the enterprise's established culture of openness, trust and integrity. Information security exists to safeguard the interests of the enterprise's employees and partners and to protect the enterprise from harm caused by illegal or damaging actions, whether known or unknown.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing e-mail, WWW browsing and FTP services, are enterprise property. These systems are used to achieve business objectives and to safeguard the interests of the enterprise and its customers. See the Human Resources policies for details.

Effective security is the result of collective effort and requires the participation and support of every employee in the enterprise. Every computer user needs to understand these rules and conduct their activities accordingly.

2.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment within the enterprise. These rules exist to protect the interests of employees and the enterprise. Improper use exposes the enterprise to a range of risks, including virus attacks, compromise of network systems and services, and legal disputes.

3.0 Scope

This policy applies to the enterprise's employees, contractors, consultants, temporary staff and other workers, and also to all personnel of affiliated third parties. This policy applies to all equipment owned or leased by the enterprise.

4.0 Policy

4.1 General Use and Ownership

1. Although the enterprise's network administration will provide an appropriate level of privacy, users need to be aware that the data they create on corporate systems remains enterprise property. Because the security of the enterprise network must be protected, management cannot guarantee the confidentiality of information stored on any network device owned by the enterprise.

2. Employees are responsible for the reasonableness of their personal use. Each department is responsible for establishing its own guidelines for personal use of Internet/Intranet/Extranet systems. Where such a policy is absent, employees should follow the corresponding departmental policy, and if anything is unclear, employees should contact their supervisor or manager.

3. Users are advised to encrypt all information they consider sensitive or vulnerable. For guidelines on information classification, see the InfoSec Information Sensitivity Policy. For guidelines on encrypting e-mail and documents, see InfoSec's Awareness Initiative.

4. In accordance with this policy, the enterprise reserves the right to audit networks and systems periodically.

4.2 Security and Proprietary Information

1. As specified in the corporate confidentiality guidelines, the information that users access on Internet/Intranet/Extranet-related systems must be classified as either confidential or non-confidential; see the Human Resources policies for details. Confidential information includes but is not limited to: company secrets, corporate strategies, competitor-sensitive information, trade secrets, customer lists and research data. Employees must take all necessary measures to prevent unauthorized access to this information.

2、  保證密碼安全并且不要共享賬戶。授權使用者負責保證他們賬戶和密碼的安全。系統級密碼應每三個月更換,使用者級密碼用每六個月更換。

3. All PCs, laptops and workstations, when unattended, should be secured by logging off (for Win2K users, via control-alt-delete) or by a password-protected screen saver set to activate automatically within 10 minutes.

4. Encrypt information as specified in the InfoSec Acceptable Encryption Use Policy.

5. Because information held on portable computers is especially vulnerable, it requires special attention. Protect laptops in accordance with the "Laptop Security Tips".

6. When employees post to newsgroups from an enterprise e-mail address, unless the posting is made in the course of business duties, it should carry a disclaimer stating that the opinions expressed are their own and not those of the enterprise.

7. Unless overridden by departmental or group policy, all hosts used by employees that are connected to the Internet/Intranet/Extranet, whether owned by the employee or by the enterprise, must run approved virus-scanning software with an up-to-date virus database.

8. Employees must exercise extreme caution when receiving e-mail attachments from unknown senders, because such attachments may contain viruses, e-mail bombs or Trojan horses.

4.3 Unacceptable Use

The following activities are generally prohibited. Employees may be exempted from these restrictions in the course of their legitimate job duties (for example, a system administrator may need to cut off a host's network access if that host is causing disruption).

Under no circumstances may an employee, while using enterprise resources, engage in any activity that violates local, state, federal or international law.

The list below is a rough framework of the categories of unacceptable use and is not exhaustive.

System and Network Activities

The following activities are strictly prohibited under all circumstances:

1. Violating the copyright, trade secret, patent or other intellectual property rights of any person or organization, or violating related laws and regulations. This includes but is not limited to installing or distributing pirated software or other software not properly licensed for use.

2. Unauthorized copying of copyrighted material. This includes but is not limited to: scanning and distributing copyrighted material such as photographs from magazines, books or copyrighted music; unauthorized installation of copyrighted software; and use of software for which the end user does not hold a valid license.

3. Exporting software, technical information, encryption software or technology in violation of international or regional export control laws is illegal. Consult the appropriate management before exporting any material that is in question.

4. Introducing malicious programs into the network or servers (e.g. viruses, worms, Trojan horses, e-mail bombs).

5. Disclosing your account password to others or allowing others to use your account. This includes use by family members when working from home.

6. Using enterprise computing resources to actively obtain or transmit material that violates sexual harassment or hostile workplace laws in the user's local jurisdiction.

7. Making fraudulent offers of products, items or services from any enterprise account.

8. Making statements about warranty, express or implied, unless this is part of normal job duties.

9. Effecting security breaches or disruptions of network communication. Security breaches include but are not limited to accessing data, or logging into servers or accounts, without authorization and outside the scope of normal duties. For the purposes of this section, disruption of network communication includes but is not limited to network sniffing, ping floods, packet spoofing, denial of service attacks, and malicious forging of routing information.

10. Port scanning and security scanning are expressly prohibited unless the information security department has been notified in advance.

11. Executing any form of network monitoring that intercepts data not intended for the employee's own host, unless this is part of the employee's normal job duties.

12. Circumventing user authentication or compromising the security of any host, network or account.

13. Interfering with or denying service to any user other than the employee's own host (for example, a denial of service attack).

14. Using any program/script/command, or sending messages of any kind, locally or via the Internet/Intranet/Extranet, to interfere with or disable a user's terminal session.

15. Providing enterprise information or lists of employees to outside organizations.

E-mail and Communications Activities

1. Sending advertising material or other junk mail to individuals who did not explicitly request it (e-mail spam).

2. Any form of harassment via e-mail, telephone or written messages.

3. Unauthorized use or forging of e-mail header information.

4. Sending deceptive e-mail to other e-mail addresses in order to harass or to collect replies.

5. Creating or forwarding "chain letters", "Ponzi" schemes or other types of "pyramid" scheme (something like pyramid selling?).

6. Using enterprise network services or network connections to send, from within the enterprise network, unsolicited advertisements for other Internet/Intranet/Extranet service providers.

7. Posting large numbers of the same or similar non-business-related messages to Usenet newsgroups (newsgroup spam).

5.0 Enforcement

Any employee who violates this policy will face disciplinary action, up to and including termination of employment.

6.0 Definitions

Term    Definition

Spam    Unauthorized and unsolicited mass sending of electronic mail.

7.0 Revision History
