This policy outlines the requirements for access to and use of CarbonLink information technology and systems. Specific information related to the implementation of this policy can be found in CarbonLink’s Plans and Procedures guiding the use of and access to CarbonLink information technology.
Scope: This policy applies to all users of CarbonLink information including without limitation, owner(s) and successors in title, partners, clients and customers, affiliates, employees, contractors, suppliers and subcontractors engaged directly or indirectly through CarbonLink and specifically relates to:
- Information Security and the use of and access to CarbonLink information assets and systems.
- Information Privacy and the collection and handling of personal information related to employees and prospective employees of CarbonLink.
- Information & Communication Technology (ICT) resources and the use of any devices, applications, software and networks owned by CarbonLink. This includes mobile phones, laptops, computers, printers, scanners, USB memory sticks, email, internet use and online applications.
- Social Media and all forms of related tools that allow user participation and interaction.
CarbonLink technology platforms include without limitation, network, operating system, data library, data vault (whether hosted internally or externally), applications, enterprise systems, in printed and/or electronic form, scientific research and derivative reports and information related to customers of CarbonLink.
Use and Access of CarbonLink Information Assets and Systems
- Access to CarbonLink technology platforms will only be available via an authentication process which confirms the identity of users according to unique user IDs and passwords.
- Access authorization control and change management related to addition, deletion or modification of user credentials must be recorded by an authorized representative of CarbonLink’s information technology team.
- Each user must have a single, unique identification and account and a personal, secret password. Sharing of access, user IDs and personal, secret passwords is prohibited. User accounts will be suspended following cessation or termination of the user relationship with CarbonLink.
- CarbonLink technology platforms must only be used for conducting CarbonLink’s business or for purposes authorized in writing by CarbonLink management at General Manager level or above.
- Access to communication and technology systems is restricted on a “need to know” basis, according to protocols determined by CarbonLink. Users must not attempt to access systems or information to which they do not have authorization or which they do not need to do their job.
- Storing of any non-business related and private files is prohibited. Usage of CarbonLink information systems to store, process, download, or transmit data that can be construed as biased (politically, religiously, racially, ethnically, etc.) or supportive of harassment is strictly prohibited.
- Access control systems will be implemented to secure CarbonLink information technology and systems including without limitation, automatic log-off after a period of inactivity, disabling access after a series of failed login attempts, maintaining auditable records of user access and periodic re-validation of access rights for users.
Computer Software and Applications
- Only licensed software may be installed and operated on CarbonLink technology platforms. Users must not install or direct others to install illegal or unlicensed copies of computer software into any computer system of CarbonLink and further, users must not remove/delete/deactivate any software or antivirus/spyware programs installed by CarbonLink.
- Users must protect CarbonLink’s data stored in computers against virus attacks by scanning all media with authorised anti-virus software before usage.
- Users must not use any program/script/command, or send messages of any kind with the intent to interfere with another user’s terminal session (authorised actions by CarbonLink’s information technology team to maintain data integrity excepted).
Sharing of Information and Data
- Information stored or retrieved by users on or from CarbonLink technology platforms is deemed confidential information and should not be used for purposes other than intended.
- The primary requirement for protecting confidential information in all computer media is that access to it may only be given to people on a “need to know” basis.
- Confidential data or information that is no longer required should be erased.
- Confidential information must be protected against unauthorised access.
- Each user is accountable to minimise the possibility of theft of CarbonLink owned/leased computer workstations and the information they contain.
- Users must not add, remove, replace, or substitute any computer components (including detachable) without prior written approval from CarbonLink.
- Users must not reconfigure or change the set-up of LAN PC workstations without the knowledge and approval of CarbonLink’s information technology team.
- CarbonLink will only collect personal information it needs for the particular function or activity it is carrying out.
- Sometimes CarbonLink may collect personal information from a third party or publicly available source to enable CarbonLink to complete its activities (e.g. reference checking for a job application process).
- CarbonLink will take all reasonable steps to protect the security of any personal information held, be it stored in electronic or hard copy format.
- CarbonLink will take steps to protect the security of the personal information it holds from both internal and external threats by regularly assessing the risk of misuse, interference, loss, and unauthorised access, modification or disclosure of that information and taking measures to address those risks. Further, CarbonLink will conduct regular internal and external audits to assess whether we have adequately complied with or implemented these measures.
Use of Personal Information
CarbonLink will only use personal information it needs for the particular function or activity it is carrying out. Email addresses will be stored electronically in accordance with standards and authorities applicable to the state(s) in which CarbonLink conducts its enterprise. An email address will only be used for the purpose for which it is provided and for the furtherance of CarbonLink’s business activities and will not be added to any unauthorised mailing list or disclosed to other organisations.
Disclosure of Personal Information
CarbonLink will not disclose information except:
- Where legally required to do so as required under the Act or where disclosure is mandated under statutory obligations, in connection with prevention of an offence or via judicial mandate.
- To service providers who manage CarbonLink’s information technology and/or human resources information.
- With the approval of the individual to whom the relevant personal information applies, or where such an individual would reasonably expect CarbonLink to.
- Where unauthorized attempts are made to access, tamper or interfere with files related to CarbonLink’s enterprise and only to the extent reasonably essential to arrest and mitigate such threats.
CarbonLink has no responsibility for the privacy policies or practices of third-party sites linked to or from its enterprise.
Acceptable Use of CarbonLink ICT
- ICT resources are provided for business purposes to enhance effectiveness and efficiency at work. Users must use the ICT resources professionally and appropriately at all times.
- CarbonLink’s ICT resources must not be used for unlawful, offensive or otherwise improper activities.
Users are responsible for ensuring they maintain the integrity and security of ICT Resources and protect confidential data stored on them. This includes maintaining complex access passwords and maintaining antivirus software and keeping software applications updated. It also includes not sharing passwords or login information with others and not copying sensitive information into an unsecure environment (such as onto USB or copying over public WiFi). Users should delete suspicious looking emails without opening them, as well as block junk, spam and scam emails.
- CarbonLink recognises the benefits of using social media for the promotion, development, and delivery of services. CarbonLink does not discourage people from communicating online in many ways, including through social media, professional networking sites, blogs, online news sites and personal web sites. However, all employees need to use good judgment about what material appears in a social forum, and in what context.
- At all times while you are using social media you are to ensure you meet the CarbonLink code of conduct outlined in its policies and procedures. If you are using social media during work hours as a part of your role at CarbonLink you need the prior approval of your Manager.
- Employees participating in private social media activity must uphold the CarbonLink code of conduct even when material is posted anonymously or using an ‘alias’ or pseudonym. They should bear in mind that even if they do not identify themselves online as a CarbonLink employee, they could nonetheless be recognised as such because social media sites are public forums.
- Employees should not rely on a site’s security settings to guarantee privacy, as material posted in a relatively secure setting can still be copied and reproduced elsewhere. Further, comments posted on one site can also be used on others under the terms and conditions of many social media sites.
- Employees who participate in social media communication deemed to be discriminatory or against the interests of CarbonLink will be subject to disciplinary action.
- CarbonLink will remove, or request the employee to remove, any material where there is a breach of the CarbonLink code of conduct or this Social Media Policy.
Ownership and Access
CarbonLink retains ownership of all ICT resources provided. CarbonLink may monitor use of CarbonLink’s ICT resources and users are required to permit access if it is requested. CarbonLink may restrict a user’s access to ICT Resources if they believe that this policy may be breached.