Acceptable Usage Policy 
1. Objective
The purpose of this policy is to establish the acceptable and unacceptable use of electronic devices and network resources at Icanio Technology Labs Private Limited (Icanio) in conjunction with its established culture of ethical and lawful behaviour, openness, trust, integrity and for the protection of all parties involved.

Icanio provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives and must manage them responsibly to maintain the confidentiality, integrity, and availability of its information assets. This policy requires the users of information assets to comply with company policies and protects the company against damaging legal issues.

Anyone breaching the information security policy may be subject to disciplinary action. If a criminal offence has been committed, further action may be taken to assist in the prosecution of the offender(s). If you do not understand the implications of this policy or how it may apply to you, please seek advice from your immediate manager in the first instance.
2. Scope
This policy manual applies to:
  1. All staff members working for Icanio, who have access to the organization's and/or client’s information.
  2. This policy applies to the physical security of the company’s information systems, including, but not limited to, all company-owned or company-provided network devices, servers, personal computers, mobile devices, and storage media. 
  3. Additionally, any person working in or visiting the company’s office is covered by this policy.
  4. All staff members, vendors, and third-party employees who have access to Icanio’ information processing systems and the data contained in them. This includes the data accessed by licensed third parties, which is, in turn, deployed to and used by their clients.
  5. All stakeholders and interested parties who are relevant to the operations of Icanio.
  6. All digital and non-digital assets that play a role in the creation, storage, transmission, and disposal of information come under the purview of this policy.
3. Roles and Responsibilities

The Chief Information Security Officer (CISO) and the Information Security Steering Committee (ISSC) members are responsible for defining the organization’s vision and objectives related to information security and for enforcing this policy. 

The ISO is a part of the Information Security Steering Committee (ISSC) and is responsible to ensure that the policy is communicated to all stakeholders and implemented within the organization.​​​​​​

4. Policy Statements
4.1 E-mail Use
Personal usage of company email systems is permitted as long as:
  1. Usage does not negatively impact the corporate computer network.
  2. Usage does not negatively impact the user’s job performance.
  3. The following is never permitted: spamming, harassment, communicating threats, solicitations, chain letters, or pyramid schemes. This list is not exhaustive but is included to provide a frame of reference for types of activities that are prohibited.
  4. The user is prohibited from forging email header information or attempting to impersonate another person.
  5. Email is an insecure method of communication, and thus information that is considered confidential or proprietary to the company may not be sent via email.
  6. It is company policy not to open email attachments from unknown senders, or when such attachments are unexpected.
  7. Email systems were not designed to transfer large files and as such emails should not contain attachments of excessive file size.
  8. Does not include posting or sharing of non-business-related information messages to large numbers of users through Icanio Network.
  9. Posting to a public newsgroup, bulletin board etc. with an ICANIO email or IP address representing Icanio to the public is not permitted.
4.2 Confidentiality

Confidential data must not be:

  1. Shared or disclosed in any manner to non-employees of the company. 
  2. Should not be posted on the internet or any publicly accessible systems. 
  3. Should not be transferred in any insecure manner. 

Please note that this is only a brief overview of how to handle confidential information and that other policies may refer to the proper use of this information in more detail.

4.3 Network Access

The user should make reasonable efforts to avoid accessing network data, files, and information that are not directly related to his or her job function. The existence of access capabilities does not imply permission to use this access.

4.4 Unacceptable Use

The following actions shall constitute unacceptable use of the corporate network:
This list is not exhaustive but is included to provide a frame of reference for types of activities that are deemed unacceptable.
The user may not use the corporate network and/or systems to:

  1. Engage in activity that is illegal under local, state, federal, or international law.
  2. Engage in any activities that may cause embarrassment, loss of reputation, or other harm to the company.
  3. Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene, or otherwise inappropriate messages or media.
  4. Engage in activities that cause an invasion of privacy.
  5. Engage in activities that cause disruption to the workplace environment or create a hostile workplace. Make fraudulent offers for products or services.
  6. Perform any of the following: port scanning, security scanning, network sniffing, keystroke logging, or other IT information gathering techniques when not part of an employee’s job function.
  7. Install or distribute unlicensed or “pirated” software.
  8. Reveal personal or network passwords to others, including family, friends, or other members of the household when working from home or remote locations.
4.5 Blogging and Social Networking

Blogging and social networking are not allowed from the corporate computer network or corporate provided endpoints / devices. No information detrimental to the company or confidential data / identifiers are to be published anywhere unless specified and approved by the Icanio Management.

The user must not identify himself or herself as an employee of the company in a blog or on a social networking site done personally. The user assumes all risks associated with blogging and/or social networking.

4.6 Overuse

Actions detrimental to the computer network or other corporate resources, or that negatively affect job performance are not permitted.

4.7 Web Browsing

The Internet is a network of interconnected computers of which the company has very little control. The user should recognize this when using the Internet and understand that it is a public domain and he or she can come into contact with information, even inadvertently, that he or she may find offensive, sexually explicit, or inappropriate. The user must use the Internet at his or her own risk. The company is specifically not responsible for any information that the user views, reads, or downloads from the Internet.

Personal Use. The company recognizes that the Internet can be a tool that is useful for both personal and professional purposes. Personal usage of company computer systems to access the Internet is permitted as long as such usage follows pertinent guidelines elsewhere in this document and does not have a detrimental effect on the company or the user’s job performance.

4.8 Copyright Infringement

The company’s computer systems and networks must not be used to download, upload, or otherwise handle illegal and/or unauthorized copyrighted content. Any of the following activities constitute violations of acceptable use policy, if done without permission of the copyright owner:

  1. Copying and sharing images, music, movies, or other copyrighted material using P2P file-sharing or unlicensed CDs and DVDs. 
  2. Posting or plagiarizing copyrighted material; and 
  3. Downloading copyrighted files that the employee has not already legally procured. 

This list is not meant to be exhaustive; copyright law applies to a wide variety of works and applies to much more than is listed above.

4.8.1 Peer-to-Peer File Sharing

Peer-to-Peer (P2P) networking is not allowed on the corporate network under any circumstances.

4.9 Streaming Media

Streaming media can use a lot of network resources and thus must be used carefully. Reasonable use of streaming media is permitted as long as it is for only official purposes and does not negatively impact the computer network or the user’s job performance.

4.10 Monitoring and Privacy

Users should expect no privacy when using the corporate network or company resources. Such use may include but is not limited to the transmission and storage of files, data, and messages. The company reserves the right to monitor all use of the computer network. To ensure compliance with company policies this may include the interception and review of any emails, or other messages sent or received, an inspection of data stored on personal file directories, hard disks, and removable media.

4.11 Bandwidth Usage

Excessive use of company bandwidth or other computer resources is not permitted. Large file downloads or other bandwidth-intensive tasks that may degrade network capacity or performance must be performed during times of low company-wide usage.

4.12 Personal Usage

Personal usage of company computer systems is permitted as long as such usage follows pertinent guidelines elsewhere in this document and does not have a detrimental effect on the company or the user’s job performance.

4.13 Remote Desktop Access

Use of remote desktop software and/or services is allowable as long as it is provided by the company. Remote access to the network must conform to the company’s defined Policies.

4.14 Circumvention of Security

Using company-owned or company-provided computer systems to circumvent any security systems, authentication systems, user-based systems, or escalating privileges is expressly prohibited. Knowingly taking any actions to bypass or circumvent security is expressly prohibited.

4.15 Use for Illegal Activities

No company-owned or company-provided computer systems may be knowingly used for activities that are considered illegal under local, state, federal, or international law. Such actions may include, but are not limited to, the following:

  1. Unauthorized Port Scanning.
  2. Unauthorized Network Hacking.
  3. Unauthorized Packet Sniffing.
  4. Unauthorized Packet Spoofing.
  5. Unauthorized Denial of Service.
  6. Unauthorized Wireless Hacking.
  7. Any act that may be considered an attempt to gain unauthorized access to or escalate privileges on a computer or other electronic system.
  8. Acts of Terrorism Identity Theft.
  9. Spying.
  10. Downloading, storing, or distributing violent, perverse, obscene, lewd, or offensive material as deemed by applicable statutes.
  11. Downloading, storing, or distributing copyrighted material.

Icanio will take all necessary steps to report and prosecute any violations of this policy.

4.16 Non-Company-Owned Equipment

Non-company-provided equipment is expressly prohibited on the company’s network.

4.17 Personal Storage Media

Personal storage devices represent a serious threat to data security and are expressly prohibited on the company’s network.

4.18 Software Installation

No non-company-supplied software is to be installed without written permission from the IT Manager. Numerous security threats can masquerade as innocuous software - malware, spyware, and Trojans can all be installed inadvertently through games or other programs. Alternatively, the software can cause conflicts or have a negative impact on system performance. For these reasons, the installation of non-company-supplied programs is strongly discouraged. If a certain program is required for his or her job function, the user should contact the IT Department to request permission.

5. Reporting of Security Incidents

If a security incident or breach of any security policies is discovered or suspected, the user must immediately notify his or her supervisor and/or follow any applicable guidelines as detailed in the Incident Response Policy. 

Examples of incidents that require notification include:

  1. Suspected compromise of login credentials (username, password, etc.). Suspected virus/ malware/ Trojan infection.
  2. Loss or theft of any device that contains company information. Loss or theft of ID badge or keycard.
  3. Any attempt by any person to obtain a user’s password over the telephone or by email. Any other suspicious event that may impact the company’s information security.
Users must treat a suspected security incident as confidential information and report the incident only to his or her supervisor.
 

Users must not withhold information relating to a security incident or interfere with an investigation.

6. Applicability of Other Policies

This document is part of the company’s cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

7. Enforcement

This policy will be enforced by the ISMS Manager and/or IT Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

8. Maintenance of Policy
  1. The compliance with this policy and supporting policies shall be audited on a yearly basis; exceptions identified during the audit shall be immediately and appropriately addressed.
  2. This policy shall be reviewed annually unless there is a major change in the organization or the environment affecting the organization, in which case it shall be done on a need basis.
  3. This policy shall be reviewed and revised whenever a major security risk or an incident is identified.
9. References

ISO 27001:2022

5.10 Acceptable Use Policy
Version
Date
Revision Author
Summary of Changes
Approved By
Position
0.1
01.08.2024
Green IT Ventures
Draft

 1.0

01.10.2024

Green IT Ventures

Initial release

Jebastin Prabhaharan

CEO

DECLARATION:

This is to confirm that I have read and understood the above mentioned policy.

Click here to fill the acknowledgement form.