Introduction
Employees are provided with access to the company network and Internet, and have a responsibility to use both in a professional, lawful and ethical manner. Abuse of these may result in disciplinary action, including possible termination and civil and/or criminal liability.
PCI Pal data and systems access are sensitive. Employees must ensure that all access to and use of PCI Pal data and systems access is conducted over PCI Pal hardware and via approved methods. If a provided system or approved channel is not suitable to an employee’s particular role, responsibilities or resources, the employee must raise this to their line manager and to the Information Security & Compliance (ISC) team for an appropriate solution to be agreed. Use of removable storage media (such as USB storage sticks or external hard drives) is not permitted without explicit knowledge and approval from the ISC team, and any removable storage media used for a PCI Pal device must not contain personal data/apps. Connecting removable storage media containing a malware infection to a PCI Pal device may be considered as an attempt to bypass PCI Pal security measures.
Computer resources are not unlimited. Network bandwidth and storage capacity have finite limits, and all employees connected to the network have a responsibility to conserve these resources. As such, the employee must not unfairly monopolise resources to the exclusion of others or make unreasonable personal uses of PCI Pal storage and bandwidth resources. This may include, but are not limited to playing games, uploading or downloading large files, streaming audio and/or video files, or otherwise creating unnecessary loads on network traffic or storage associated with non-work-related activities.
Using personal or non-approved solutions to access, store, transmit, display, or administrate PCI Pal data and systems may result in disciplinary action, including possible termination and civil and/or criminal liability. If an employee’s personal device is implicated in a PCI Pal service or security incident as the cause or an exacerbating factor, the employee must provide reasonable access to this device to PCI Pal internal IT staff or PCI Pal’s chosen third-party forensics investigators for the sole purposes of ascertaining the involvement and/or degree of culpability in the incident.
Publishing/Releasing Information
Attention must be paid to ensuring that published information has relevance to normal professional activities before any material is released in the Company name. Where personal views are expressed a disclaimer stating that this is the case should be clearly added to all correspondence. The intellectual property right and copyright must not be compromised when publishing on the Internet.
Without prior written permission from appropriate PCI Pal management, the corporate computer network may not be used to disseminate, view or store commercial or personal advertisements, solicitations, promotions, destructive code (e.g., viruses, hacking, Trojan horse programs, etc.) or any other unauthorised materials.
Unless expressly authorised to do so, employees are prohibited from sending, transmitting, or otherwise distributing proprietary information, data, trade secrets or other confidential information belonging to PCI Pal. Unauthorised dissemination of such material may result in severe disciplinary action, as well as substantial civil and criminal penalties.
You are not permitted to use the Internet for any financial dealings in the name of the company or outside the normal parameters of your job or without express written authorisation of the company.
Offensive Material
The availability and variety of information on the Internet has meant that it can be used to obtain material reasonably considered to be offensive. PCI Pal has the right to utilise software that makes it possible to identify and block access to Internet sites containing sexually explicit or other material deemed inappropriate in the workplace. The use of the Internet to access and/or distribute any kind of offensive material leaves an individual liable to disciplinary action which could lead to dismissal.
Monitoring
PCI Pal reserves the absolute right to monitor employees' use of the network and Internet on PCI Pal’s networks and devices. Employees are given network and Internet access to enable them in the performance of their jobs, and should have no expectation of privacy in anything they create, store, send or receive using the company’s computer equipment. PCI Pal’s computer networks and devices are the property of the Company and may be used only for Company purposes.
Leaving a device unlocked while away from your desk / from the device means that unauthorised use may occur in your absence and be attributable to you. Please see also the Clear Desks and Clear Screens policy.
Illegal Copying
Employees may not illegally copy material protected under copyright law or make that material available to others for copying. Employees are responsible for complying with copyright law and applicable licenses that may apply to software, files, graphics, documents, messages, and other material they wish to download or copy. Employees may not agree to a license or download any material for which a registration fee is charged without first obtaining express written permission from appropriate PCI Pal management.
Viruses
Users should display discretion and intelligence when receiving or accessing files across the Internet, via email or other external sources, and if in doubt they should contact the ISC team. If malware is identified on a PCI Pal device or system, the responsible employee must prioritise and assist the ISC team in identifying and remediating the malware and the vector by which it entered that device or system.
Authentication
PCI Pal employees must ensure all passwords are kept securely. PCI Pal provides access to LastPass to help with secure storage/retrieval of passwords, and the ISC team are able to provide assistance and training to employees in use of Lastpass or the configuration of appropriate alternative password security measures. Employees should seek to enable and use multi-factor authentication (MFA) wherever feasible. SMS-based MFA is not considered secure however, and should only be used where no better options are available.
