The Acceptable Use Policy at CPA Global is a mandatory policy for all employees and contractors to read, understand and sign. It also applies to our suppliers, for the relevant sections and as applicable to the scope of engagement.
Users accessing the Internet through CPA Global systems and network shall have no expectation of privacy relating to their use of the Internet, to the extent permissible by local law.
- Personal use of the internet is discouraged.
- Users will not have access to internet-based email, social networking websites, and cloud-based storage services unless such access is approved by CPA Global Executive leadership team or Global Security Council.
- Use of the internet must not violate legal statutes or corporate policies, must not place CPA Global at risk of embarrassment and must not impact normal computing operations or productivity.
- Users are not permitted to use anonymous Internet surfing software, open proxies, tunnels utilizing HTTP or any other network service, or any other commercial or non-commercial software that is meant to traverse firewall access controls either into or out of the CPA Global enterprise network.
Social Media & Collaboration
- CPA Global authorises users to only use Microsoft Yammer, Microsoft Outlook Web Access, Microsoft Teams, Cisco Jabber and Microsoft Online SharePoint as online enterprise social networking and collaboration tools, henceforth to be referred to as Corporate SMC (Social Media & Collaboration) tools.
- Corporate SMC tools should be strictly used for business purposes only.
- Users must be responsible for any data exchange and ensure that confidentiality, availability and integrity of CPA Global data is never compromised.
E-mail & Messaging
All CPA employees and contractors are provided with an email address and mailbox for the company mail and messaging platform. CPA Global suppliers are also provided with an email address and mailbox based on the scope of the engagement.
- CPA Global e-mail system is strictly to be used for business purposes only. Access shall be on a need basis.
- Users are responsible for the security of their email account and password. Passwords must not be shared with anyone and must be changed periodically.
- Any content that harasses, is sexually explicit, profane, intimidating, defamatory, soliciting for personal gain or profit, or which is otherwise unlawful must not be sent by e-mail or messaging solutions or other forms of electronic communication or displayed or stored in CPA Global systems. Users encountering or receiving this kind of material should immediately report the incident to their supervisor or Human Resources.
- All e-mail messages must correctly identify the sender’s true identity.
- Employees, contractors, suppliers, consultants or any other third parties shall not forward CPA Global confidential information or work-related material from CPA Global email accounts to external email accounts or personal email accounts.
CPA Global endorses the need to access corporate SMC tools, emails and messaging on mobile devices for users depending on their role and needs. This section establishes the guidelines for use of personally owned electronic devices for work-related purposes.
- Access to corporate SMC tools, email and messaging on mobile devices shall be provided on a ‘need-basis’ or based on business requirements post authorization from respective business or function heads.
- CPA Global employees and contractors (supplier resources included) may have the opportunity to use their personal mobile devices for work purposes, subject to acceptance of this policy and when authorized in writing, in advance, by the respective business or function head.
- To ensure the security of CPA Global data and information, authorized users using personal mobile devices are required to adhere to, and allow installation and configuration of, CPA Global mobile device security guidelines.
- Use of removable media such as but not limited to flash drives, USB hard disks, DVDs, CDs, etc. in CPA Global to store and transfer CPA Global information is prohibited.
- Where authorized on an exceptional basis by Executive Leadership Team or Cyber Security Council, users shall be responsible for the removable media. All such media should be encrypted with a password.
- CPA Global reserves the right to monitor the use of removable media on CPA Global assigned desktops or laptops.
- Local Administrator rights will be disabled on user endpoint systems by default.
- All users of mobile computing devices must ensure that they have Antivirus, Antimalware, Data Leakage Prevention, Firewall and disk encryption enabled and no efforts should be made to tamper with the security configuration of the device.
Wireless and Networking Hubs
- Wireless networking hubs and wireless connectivity devices are prohibited from being installed on the CPA Global network unless explicitly approved by CPA Global Cyber Security Team.
- Requirements for wireless connectivity on production and lab/DMZ network segments require prior authorization from ISMT and also require that appropriate change control processes are documented.
Hacking and Vulnerability Assessment Tools
- The use of any form of hacking tools such as network sniffing tools, automatic scanning tools, password crackers, tools intended to defeat security measures, and/or vulnerability assessment tools within CPA Global Infrastructure is strictly prohibited, unless approved by cyber security.
- Users found using any type of hacking tool, bypass proxy or vulnerability assessment tool without formal approval by cyber security will be subject to disciplinary action, up to and including termination of employment. Any such disciplinary action will only be taken to the extent permissible by local law. Federal, state, and/or local law enforcement agencies may also be notified if evidence of criminal actions exists.
Clean Desk and Work Area
CPA Global recommends that all users adopt a practice of keeping a clean desk and work area to reduce the risk of unauthorized access, loss, theft or damage to CPA Global confidential and privileged data in the form of printed documents or any other physical media.
- Users must not leave written passwords, account information, or other clues that could aid another person in gaining access to the system or impersonating the credentials of an authorized user.
- Where appropriate, paper and computer media must be stored in suitable locked cabinets when not in use, especially outside working hours.
- Personal computers, computer terminals, and printers must not be left logged on when unattended and must be protected by a system lock screensaver function requiring a password to reinitiate a session.
Generally prohibited activities when using corporate information resources shall include, but are not limited to, the following:
- Stealing or copying of electronic files without permission.
- Violating laws such as copyright and privacy laws.
- Modification of the standard system image, including, but not limited to, installing or removing software, creating share folders on Endpoints or altering hardware and security configurations.
- Browsing the private files or accounts of others, except as permitted by the appropriate authority.
- Performing unofficial activities that may degrade the performance of systems, such as the playing of electronic games, watching movies or sport events and listening to music.
- Using social network websites, unless such usage is deemed part of a User’s job role.
- Writing, copying, executing, or attempting to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of or access to any corporate computer, network, or information.
- Bringing discredit or embarrassment to CPA Global, its personnel, or business partners.
- Promoting or maintaining a personal or private business, or using corporate information resources for personal gain.
- Using someone else’s logon ID and password.
- Conducting fraudulent or illegal activities, including but not limited to: gambling, trafficking in drugs or weapons, participating in terrorist acts, or attempting unauthorized entry to any corporate or non-corporate computer.
- Utilizing CPA Global computing resources to conduct non-CPA Global fund-raising or to endorse any product or service.
- Non-business-related information/content should not be downloaded onto a CPA Global provided BlackBerry and laptops/desktops.
- Posting or uploading internal CPA Global documents to any website, blog, social media site or server not owned/controlled by CPA Global or without permission.
- Disclosing any corporate information that is not otherwise public.
- Performing any act that may defame, libel, abuse, embarrass, tarnish, present a bad image of, or portray in false light, any person, group, party, or CPA Global.