Employee Handbook - Information Technology
Information Technology Acceptable Use Policy
Purpose
The RAC’s Information Technology Acceptable Use Policy seeks to ensure that the use of RAC’s information systems supports the RAC’s mission as well as its administrative and business functions. Users are responsible for exercising good judgment when using RAC’s information systems. Misuse of RAC’s information systems can be damaging to the RAC and threatens the efficiency and integrity of its operations.
Definitions
User
For purposes of this Policy, the term “User” includes directors, officers, employees, interns, and independent contractors of RAC.
Information Systems
For purposes of this Policy, the term “Information Systems” or “Information and Communications Systems” includes all of RAC’s electronic networks, electronic devices, computer equipment and hardware, electronic communications, telecommunication networks, and telecommunications equipment licensed, owned, leased, or provided by or to RAC, as well as any equipment that may be connected to such networks, equipment, systems or devices by others (however structured, including wireless), including servers, computers, software, software accessories, documentation supporting any electronic communications, stored data and files, storage devices (including cloud storage, onsite servers, external hard drives, flash, or thumb drives), laptops, handheld computers, PDAs, iPads, tablets, mobile messaging and other telephones, voicemail systems, web pages, Wi-Fi, internet, and any data and information contained or processed by such systems or equipment.
Permissible Uses of Information Systems
Users must use information systems, including e-mail, messaging systems, and access to the internet, consistent with all other applicable RAC policies and legal requirements. All uses must follow all software licenses, copyrights, and all other state, federal, and international laws, including those governing intellectual property and online activities. In addition, any use of RAC’s information systems must be guided by good judgment and conform to other policies within this handbook, such as the Code of Conduct.
Users may use RAC’s information systems for incidental personal uses, so long as such use does not interfere with the user’s job responsibilities or the job responsibilities of other users, require substantial expenditures of time, add significant wear and tear on equipment, involve solicitation or distribution of non-work-related materials, or otherwise violate any of the RAC’s policies and procedures. Excessive personal use during working time is prohibited, as is other usage that may interfere with the information system’s productivity, such as large attachments or audio/video segments.
The following are examples of incidental personal uses of information systems:
- Sending and receiving necessary or occasional personal communications.
- Using the telephone system for occasional personal calls.
- Accessing the internet for brief personal searches and inquiries.
Prohibited Uses of RAC’s Information Systems
Unless permitted by RAC or required by applicable law, information systems may not be used in ways that would violate federal, state, local laws, or any RAC policy. The following are examples of prohibited uses of information systems:
- To access, store, print, download, process, transmit or communicate materials that are fraudulent, harassing, sexually explicit, profane, obscene, intimidating, or otherwise unlawful, or prohibited by RAC’s Non-Discrimination and Anti-Harassment Policies, or any other RAC policy. This includes sending such material by way of e-mail, text message or other form of electronic communication, or displaying such material.
- To disseminate or store commercial or personal advertisements or solicitations such as fund-raisers, political, or religious activities.
- To send or post any material in violation of federal, state or other privacy laws.
- To conduct RAC business through personal e-mail accounts issued by public e-mail providers such as Google, Yahoo, etc. All RAC business must be conducted through RAC-provided email.
- To download or use encryption software without first obtaining permission from RAC.
- To duplicate or use copyrighted materials (including programs, software, files, information, archives, pictures, articles, etc.) without proper permission or authority.
- To acquire, possess, trade, or use hardware/software tools on the information systems that could be employed to evaluate or compromise system vulnerabilities, without first obtaining written permission from RAC.
- To “hack” or break into any computer, database or network or engage in “snooping” or “pretexting,” or to intentionally introduce any computer virus, worm, lock-out or disabling device, or otherwise engage in purposeful conduct to adversely affect information systems or any other system.
- To engage in activities designed to derive personal commercial gain.
- To download and install personal software. If a user needs special software on RAC devices, they should submit a request through the IT ticketing system.
- To connect non-RAC owned devices (including personal laptops) to the physical network without proper authorization.
Prohibited Websites
The following are examples of website categories that may not be accessed via RAC’s information systems:
- Sexually explicit websites (adult content, nudity, sex)
- Gambling websites
- Illegal websites
- Information technology websites related to hacking, proxy avoidance, pretexting, snooping, and/or URL translation
- Militancy or extremism sites
- Websites promoting violence, use of weapons, racism or hate.
The RAC may, but is under no obligation to, use software to identify and block access to any inappropriate internet sites.
Security of RAC Systems and Information
RAC’s information security program and this policy are designed to safeguard information maintained on RAC information systems, including employee information. Below are some best practices users should follow to help ensure the security of the information within RAC’s information systems:
- Users, guests, and visitors must use the guest Wi-Fi (RAC-Guests) network to access Wi-Fi services. Guest access to the corporate network (RACHQ) is strictly prohibited.
- Users should follow the RAC’s Records Retention Schedule to ensure that only necessary data and information are stored on RAC systems.
- Users should always use their assigned SharePoint sites for document storage. It is highly encouraged to use OneDrive to store files to make them accessible from anywhere even while working remotely. Work should not be stored on a local drive since only data on network drives/OneDrive/SharePoint is backed up.
- Users should never access network data, files, and information that are not related to the user’s job functions. The existence of access capabilities does not imply permission to use this access. The RAC’s computer systems and networks must never be used to download, upload, or otherwise handle illegal and/or unauthorized copyrighted content.
- Running any of the following tools without proper authorization is prohibited: port/vulnerability scanners, network sniffers, keystroke loggers, or any other network discovery tools.
- Users should always use caution when opening e-mail attachments or links received from unknown senders, which may contain viruses/malware or otherwise be harmful to the RAC. When in doubt about a suspicious email, contact IT.
- Users who need to transfer large files to an external party should contact IT for assistance.
- Users should refrain from using RAC systems for transferring and storing personal data (e.g., tax forms, health information, personal pictures, music, video, and other documents).
- If a user accesses RAC data such as email from a personal device (e.g., mobile phone), the RAC reserves the right to review or retain personal and RAC-related data on the device. Upon resignation or termination of employment, or at any time on request, the employee may be asked to produce the personal device for inspection. All RAC data on personal devices will be removed by IT upon termination of employment.
- External USB storage devices (flash drives, external disks) that are not RAC-issued should not be used on RAC systems. If a flash drive is needed, a user can request a flash drive through the IT ticketing system.
- Users should report theft, loss, or unauthorized disclosure of any RAC resources (e.g., tablet, laptop), including personally owned equipment used for business purposes and containing RAC information, to IT through the IT ticketing system and to the user’s supervisor within twenty-four (24) hours of the incident.
- Users must protect unattended equipment from unauthorized access. For example, workstations should be locked when unattended and active login sessions should be terminated when completed. All laptop computers must be stored in a secure place.
Monitoring
The RAC has the right, but not the obligation, to access, monitor, and record information systems’ usage. Although limited personal use that does not violate any RAC policy or otherwise interfere with job duties is not prohibited in all cases, such use does not entitle users to any expectation of privacy in anything that they access, view, create, store, transmit or receive on or through RAC’s information systems, including any personal messages.
The RAC reserves the right to investigate all activity on or through its information systems, including any investigation of information or data composed, transmitted, or received on RAC’s information systems, consistent with state and federal law, including, but not limited to, monitoring internet browsing. Generally, any such access will be made only by those who have a need to know for legitimate business reasons, or when necessary to protect a property right or other legal interest of the RAC. According to New York State law, any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, or photo-optical systems may be subject to monitoring at any and all times and by any lawful means.
The RAC assumes no liability for loss, damage, destruction, alteration, disclosure or misuse of any personal data or communications transmitted over or stored on the information systems. RAC accepts no responsibility or liability for the loss or non-delivery of any personal electronic mail or voicemail communications or any personal data stored on the Information Systems. RAC strongly discourages employees from storing any personal data on the Information Systems.
RAC Email
RAC business should be conducted using its information systems, including email. Forwarding business-related emails as necessary and appropriate to carry out a user’s assigned job responsibilities is permitted. However, users should not forward business-related messages from RAC emails to the user’s own personal email accounts or otherwise outside of RAC’s information systems.
Consistent with this policy, the RAC email address assigned to a user is primarily for business purposes. Distribution of a user’s email address should be done with discretion. RAC email addresses should not be used to register for personal email subscriptions, fantasy sports teams, personal social media accounts, or other similar publications or notifications. Distribution of a RAC email address for personal banking, mortgages, billing notifications and other services is discouraged.
Accessing Other Users’ Files
Unless authorized by the RAC, users may not access, alter or copy any information, data or materials created by another user that is not made generally available on RAC’s information systems or otherwise shared in accordance with RAC policies.
Personal Home Computers and Other Devices
Except as otherwise permitted by the RAC, users should not use their personal home computer or other non-RAC portable device (such as PDAs, telephones, smartphones, flash drives, external hard drives, or any other similar device) to store, retain or archive RAC confidential information. Any such information, records or documents residing on such a device shall always remain RAC property and must be returned to the RAC or discarded in accordance with RAC’s policy. In addition, users who connect to RAC’s information systems from such equipment must do so via the RAC’s VPN solution.
Virus Detection
Users must take reasonable precautions to ensure that they do not introduce or propagate viruses on or through RAC’s information systems. RAC’s internet connection uses a firewall proxy protection system designed to protect RAC’s internal network, which helps block or prevent certain unauthorized access. All incoming internet e-mail, including attachments, will be scanned for viruses; however, new computer virus strains are routinely being created and may penetrate the virus-scanning procedures currently in place. Therefore, users should avoid opening suspicious e-mails or e-mails from unknown sources.
If a user becomes aware of a virus infection or any other security violation (whether internally or from external sources), they should immediately contact IT.
Reporting IT Security Incidents
If a security incident or a breach of any security policy is discovered or suspected, the user must immediately notify IT through the IT ticketing system or by contacting the IT team directly. Users must not withhold information relating to a security incident or interfere with an investigation. Examples of incidents that require notification include:
- Suspected compromise of login credentials (username, password, etc.)
- Suspected virus/malware/trojan infection
- Loss or theft of any device that contains RAC information
- Any attempt by any person to obtain a user’s password over the telephone or by email
- Any other suspicious event that may impact the RAC’s information security
Use of Passwords/Access
Users can access RAC’s information systems using their unique username and password. Passwords must be developed in accordance with the following requirements:
- 14 characters, including alphanumeric and special characters
- Passwords should not be the same as or similar to ones used on other sites or services
- Passwords should not use a single word or a commonly used phrase
- Passwords should be hard to guess
- Passwords should be considered confidential data and treated with the same discretion as any of the organization’s proprietary information.
The RAC will enforce multi-factor authentication in all its business applications. If a user is using a service for work-related purposes that is not administered centrally by IT, the user must enable MFA (Multi-Factor Authentication) on that service and account.
Users should not share their username and password with anyone, including immediate supervisors. In the event there is a need to share one’s username and password, users may contact IT to acquire the necessary permissions to the system.
Discipline
Any violation of this policy by a user may result in limiting or terminating the user’s access to RAC’s information systems, terminating the user’s business relationship with RAC, and/or potentially seeking legal action against the user. If the user is an employee, any violation of this policy also may result in disciplinary action, up to and including termination of employment.