Sample Misuse Reporting Standard:: Difference between revisions
No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
=='''Sample Misuse Reporting Standard'''== | =='''Sample Misuse Reporting Standard'''== | ||
<br> | <br> | ||
The '''<Your Company Name>'''(the "Company") [[Sample Acceptable Use Policy:|'''Sample Acceptable Use Policy''']] defines objectives for establishing specific standards on the appropriate business use of information assets.<br> | The '''<Your Company Name>''' (the "Company") [[Sample Acceptable Use Policy:|'''Sample Acceptable Use Policy''']] defines objectives for establishing specific standards on the appropriate business use of information assets.<br> | ||
<br> | <br> | ||
This Misuse Reporting Standard builds on the objectives established in the [[Sample Acceptable Use Policy:|'''Sample Acceptable Use Policy''']], and provides specific instructions and requirements for reporting violations to the [[Sample Acceptable Use Policy:|'''Sample Acceptable Use Policy''']] and its associated standards.<br> | This Misuse Reporting Standard builds on the objectives established in the [[Sample Acceptable Use Policy:|'''Sample Acceptable Use Policy''']], and provides specific instructions and requirements for reporting violations to the [[Sample Acceptable Use Policy:|'''Sample Acceptable Use Policy''']] and its associated standards.<br> | ||
Line 15: | Line 15: | ||
'''Information Assets''' are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br> | '''Information Assets''' are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br> | ||
<br> | <br> | ||
'''Internet Resources''' are defined in the | '''Internet Resources''' are defined in the [[Sample Internet Acceptable Use Policy:|'''Sample Internet Acceptable Use Policy''']].<br> | ||
<br> | <br> | ||
'''Objectionable''' refers to anything that could be reasonably considered to be obscene, indecent, harassing, offensive, or any other uses that would reflect adversely on the Company including but not limited to comments or images that would offend, harass, or threaten someone on the basis of his or her race, color, religion, national origin, gender, sexual preference, or political beliefs.<br> | '''Objectionable''' refers to anything that could be reasonably considered to be obscene, indecent, harassing, offensive, or any other uses that would reflect adversely on the Company including but not limited to comments or images that would offend, harass, or threaten someone on the basis of his or her race, color, religion, national origin, gender, sexual preference, or political beliefs.<br> |
Latest revision as of 12:22, 19 July 2007
Sample Misuse Reporting Standard
The <Your Company Name> (the "Company") Sample Acceptable Use Policy defines objectives for establishing specific standards on the appropriate business use of information assets.
This Misuse Reporting Standard builds on the objectives established in the Sample Acceptable Use Policy, and provides specific instructions and requirements for reporting violations to the Sample Acceptable Use Policy and its associated standards.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.
Electronic Communications Systems refers to all Company information systems and equipment including Electronic Mail Resources, Internet Resources, and Telecommunications Resources.
Electronic Mail Resources are defined in the Sample Electronic Mail Acceptable Use Standard.
Information Assets are defined in the Sample Asset Identification and Classification Policy.
Internet Resources are defined in the Sample Internet Acceptable Use Policy.
Objectionable refers to anything that could be reasonably considered to be obscene, indecent, harassing, offensive, or any other uses that would reflect adversely on the Company including but not limited to comments or images that would offend, harass, or threaten someone on the basis of his or her race, color, religion, national origin, gender, sexual preference, or political beliefs.
Telecommunications Resources are defined in the Sample Telecommunication Acceptable Use Standard.
Users refer to all individuals, groups, or organizations authorized by the Company to use Company Electronic Communications Resources.
II. Requirements
The requirements of the Misuse Reporting Standard, although specific, should not be considered a comprehensive listing. The Company considers consistency with requirements as the basis for considering the appropriateness of other activities and practices that are not specifically addressed.
- A. General
- 1. Actual or suspected misuse of Company Electronic Communications Resources should be reported within twenty-four (24) hours.
- 1. Actual or suspected misuse of Company Electronic Communications Resources should be reported within twenty-four (24) hours.
- 2. Violations of the Sample Acceptable Use Policy and associated standards, in whole or in part, constitute misuse and should be reported within twenty-four (24) hours.
- 2. Violations of the Sample Acceptable Use Policy and associated standards, in whole or in part, constitute misuse and should be reported within twenty-four (24) hours.
- 3. Upon the receipt or continued receipt of Objectionable content, Users should contact <Specify Contact> no later than the next business day of each occurrence.
- 3. Upon the receipt or continued receipt of Objectionable content, Users should contact <Specify Contact> no later than the next business day of each occurrence.
- B. Reporting Misuse
- 1. Misuse of Company Electronic Communications Resources should be reported using the Misuse Report Form posted on the Company intranet at <SPECIFY LINK>.
- 1. Misuse of Company Electronic Communications Resources should be reported using the Misuse Report Form posted on the Company intranet at <SPECIFY LINK>.
- 2. Individuals reporting misuse must specify:
- 2. Individuals reporting misuse must specify:
- Name.
- Corporate E-mail Address.
- Name(s) of individual(s) involved in misuse.
- Specific details including date, time, and description of misuse or violation.
- Name.
- 3. The identities of the individual(s) reporting misuse of Company Electronic Communications Resources will be kept confidential.
- 3. The identities of the individual(s) reporting misuse of Company Electronic Communications Resources will be kept confidential.
- 4. All submitted Misuse Report Forms will be processed immediately by <SPECIFY DEPARTMENT> in accordance with Company-approved security investigation processes and procedures.
- 4. All submitted Misuse Report Forms will be processed immediately by <SPECIFY DEPARTMENT> in accordance with Company-approved security investigation processes and procedures.
- 5. Users and management should not directly discuss the violation with the individual(s) involved in misuse unless instructed by <SPECIFY DEPARTMENT>.
- 5. Users and management should not directly discuss the violation with the individual(s) involved in misuse unless instructed by <SPECIFY DEPARTMENT>.
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Misuse Reporting Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Misuse Reporting Standard.
Company management is responsible for ensuring that the Misuse Reporting Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for defining, approving, and implementing processes and procedures in its organizational units; ensuring their consistency with the Misuse Reporting Standard; and implementing any necessary corrective actions based on the misuse resolution.
Users are responsible for familiarizing themselves and complying with the Misuse Reporting Standard and the associated guidelines provided by Company management. Users also are responsible for reporting misuse of Company Electronic Communication Resources and cooperating with official Company security investigations relating to misuse of such resources.
IV. Enforcement and Exception Handling
Failure to comply with the Misuse Reporting Standard and associated guidelines and procedures can result in disciplinary actions, up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Misuse Reporting Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Misuse Reporting Standard.
V. Review and Revision
The Misuse Reporting Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Security Officer
- Chief Information Security Officer