ACCEPTABLE USE


Overview

Red River Employees Federal Credit Union (RRCU) management has made available and supports the use of technology for conducting business and performing job responsibilities. This Acceptable Use Policy lays out the acceptable uses of RRCU’s technological and informational assets for employees, contractors, consultants, temporary workers, and other parties performing job responsibilities.

Purpose

The purpose of the Acceptable Use Policy is to notify all parties with access to RRCU’s information and/or information systems of their expected acceptable and restricted use. Said parties are required to review this policy and sign the attached agreement attesting that the reader understands this policy and agrees to adhere to its requirements.

Responsibility

· Board of Directors

The Board of Directors is responsible for reviewing and approving the Acceptable Use Policy annually.

· Information Security Officer (ISO)

The Information Security Officer is responsible for implementing the Acceptable Use Policy. The Information Security Officer shall also be responsible for reporting any changes in this document to the Board of Directors and notifying employees of any changes to the Acceptable Use Policy.

· Human Resource Department

The Human Resource Department is responsible for enforcing the Acceptable Use Policy, as well as ensuring that each employee signs the Acceptable Use Agreement upon their hire and annually thereafter.

· Employees

All employees are required to comply with the guidelines set forth in this policy, as well as to read the Acceptable Use Policy and sign the Acceptable Use Agreement annually.

Agreement to This Policy

RRCU requires all parties that have access to information and/or information systems to agree to the terms of this policy. Signing the Acceptable Use Agreement signifies understanding and acceptance of all regulations stated within this policy. RRCU reserves the right to modify this policy or the associated agreement at any time. If modifications are made, all employees shall be notified of the changes made to this policy.

· Policy Updates

The Acceptable Use Policy shall be reviewed and updated periodically to ensure it remains current with the latest security practices, technological advances, and regulatory requirements. In addition to the review, the policy shall be updated whenever significant changes occur.

· Employee Training

All employees shall receive initial training on the Acceptable Use Policy upon hire. Additionally, regular refresher courses shall be conducted to reinforce the importance of compliance and to keep employees informed about any changes to the policy. Training sessions shall also be held whenever new threats or significant changes to the policy arise.

Confidentiality and Non-Disclosure

During the course of business, parties may have access to a variety of confidential, internal, and public information. Each classification level carries a specific degree of secrecy and protection that must be granted to such information. Unauthorized disclosure or misuse of confidential or member information is strictly prohibited. All information created by RRCU employees is RRCU owned and must be treated in a manner that aligns with RRCU’s strategic goals. For no reason should information, whether confidential, internal, or public, be used for non-business or personal use. Signing the Acceptable Use Agreement signifies acceptance of the responsibility placed upon employees to ensure the confidentiality of member information by not disclosing information to any individual, employee, or non-employee who does not have a business need or right to access such information. For additional information regarding Confidentiality and Non-Disclosure, see RRCU’s Acceptable Use and Confidentiality Agreement.

Copying and Removing of Confidential Financial Information

FDIC FIL-14-2012

In accordance with FDIC FIL-14-2012, copying and removing financial institution and supervisory records in anticipation of an institution's failure or for personal purposes violates applicable federal statutes, FDIC regulations, and the core components of RRCU’s Information Security Program. Unless deemed necessary by management for the betterment of the institution or for the purposes of an examination or audit, all financial institution and supervisory records shall remain confidential.

Usage of Internet Services and Information Systems

All information systems and communications, including Internet connectivity and e-mail, are property of RRCU and shall be used for business purposes only. At no time should RRCU’s resources be used to engage in illegal or offensive activities, nor should users of RRCU’s information or information systems hold any expectation of privacy while utilizing said information and/or information systems.

Acceptable Activities

The use of information systems is a fundamental part of successful daily operations. To ensure RRCU can operate successfully, employees may use information systems for the following activities:

· Use of information technology systems to complete the activities specified in their job descriptions.

· Use of electronic communication to communicate with members and other employees to meet operational needs.

· Accessing systems and resources that they have been authorized to use.

· Accessing approved online resources.

Prohibited Activities

At no time, unless directly authorized by management, shall a party attempt to bypass any security control or access information for which they do not have sufficient privileges. Additionally, at no time is any party authorized to perform any of the following actions:

· Using systems in any way that intentionally or unintentionally violates any applicable local, state, national, or international law or any rules or regulations published under the terms or authority of such laws.

· Attempting to break into accounts, crack passwords, or disrupt any services. Also, no user shall attempt to access systems for which they know they do not have access.

· Using electronic communications to engage in any communication or action considered threatening, discriminatory (including language that could be viewed as harassing others on the basis of race, creed, color, age, sex, physical handicap, sexual orientation, or otherwise), defamatory, slanderous, obscene, or harassing.

· Using electronic communications to make fraudulent offers to sell or buy products, items, or services or to advance any type of financial scam such as "pyramid schemes," "Ponzi schemes," and "chain letters."

· Adding, removing, or modifying identifying information in an effort to deceive or mislead or attempt to impersonate any person other than your true identity.

· Using systems to access (or to attempt to access) the accounts of others, or to penetrate (or attempt to penetrate) security measures of RRCU’s or another entity's computer software or hardware, electronic communications system, or telecommunications system, whether or not the intrusion results in corruption or loss of data.

· Using systems for any activity which adversely affects the ability of other people or systems to use RRCU systems. This includes a Denial of Service (DoS) attack, spreading malicious software, and excessive use of computing or network resources.

· Downloading or installing any unapproved software without the authorization of the Information Security Officer.

· Visiting unapproved websites or website content that is not directly related to job responsibilities. Unapproved website content includes pornography, adult or mature content, violence, racism, hate, gambling, or illegal or questionable activities.

· Introducing any unapproved CDs, phones, USB devices, or other media/hardware to any RRCU system without first engaging the Information Security Officer for approval and scanning of the media for malicious software.

· Opening unknown attachments to electronic mail. Users should never, under any circumstances, open email attachments from unknown parties or those of a suspicious nature.

· Using email or other electronic communications to transmit internal or confidential information unencrypted, or to transmit information or files for non-business or malicious purposes.

· Revealing or publicizing confidential or proprietary information, which includes, but is not limited to, financial information, confidential client information, marketing strategies and plans, databases and any information contained therein, client lists, computer software source code, computer/network access codes, and business relationships.

· Copying software or media, for any reason, that has been purchased, developed, or is owned by the institution, without prior authorization.

· Altering the network infrastructure without prior authorization and proper instruction. The network infrastructure includes, but is not limited to, workstations, servers, wiring, switches, hubs, routers, firewalls, wireless devices, modems, internet connections, phone lines, and power connections.

· Altering or disabling malicious software protection programs without prior authorization. Users are also required to report any suspicious or actual malicious software activity immediately to the Information Security Officer.

Username and Password Responsibilities

Users shall never share their usernames and passwords with anyone for any reason and will be held accountable for any actions taken with their credentials. Not all systems can meet the same password requirements; therefore, users of these systems must construct the strongest possible password allowable by the system and will be held accountable for failing to meet password standards.

Where a system cannot enforce these requirements technically, users should adhere to the CIS standards, which recommend passwords of 14 characters that include uppercase and lowercase letters, numbers, and symbols.

Passwords must never be stored in clear text, whether electronically or physically. Only approved password management vaults may be used to store or manage passwords. The use of unapproved password storage methods, including spreadsheets, documents, or unsecured notes, is strictly prohibited.

Monitoring and Privacy

RRCU possesses the right to monitor all technological and informational assets for compliance with the Acceptable Use Policy. This includes, but is not limited to, tracking email, internet activity, and system data access. Monitoring operations may involve gathering information about user actions such as websites viewed, files accessed, and conversations sent and received. This information will be used strictly to ensure policy compliance and the protection of RRCU assets. While RRCU respects the privacy of its users, it is important to understand that there is no expectation of privacy when using RRCU’s technological and informational assets. All activities conducted on these systems are subject to monitoring and review.

User Responsibilities in Security

Employees are the front line in securing information systems and protecting information. Thus, employees are to take all necessary precautions to protect RRCU assets and information. This includes the proper use of information systems, protection of usernames and passwords, keeping sensitive information off desks and screens, proper disposal of sensitive information, and reporting security weaknesses and incidents, including violations of institution policies.

The following items are applicable to all users and employees at RRCU:

· Allowing the installation of third-party software updates and/or patches on individual user workstations, as directed by management, IT, or IS.

· Securing all removable media (e.g., phones, USB drives, external hard drives, and compact discs) so that unauthorized access by anyone cannot be accomplished. This includes blank media, software media, and data media; blank media left lying about is an open invitation for someone to copy a program or a data disk.

· Ensuring sensitive documentation is stored in a secure location. Some program documentation is proprietary and sensitive while other documentation is not.

· Classifying, or seeking classification of, any files that the user saves to a hard drive or to any form of removable media. All electronic files located on a hard drive or removable media that the organization deems critical to the business must also be backed up. Backup frequency should be determined by the critical nature of the data and how often the stored information changes. Data protection (backing up local information) is the responsibility of the user. The Information Security Officer will assist as needed.

· Alerting the Information Security Officer or IS Department when any failure or virus message occurs. If such an event does occur, the user should immediately make extensive notes regarding the failure. Do not turn off the computer. If an error message is given, the error message should be copied into the notes. If a printer is available and functioning, print the screen, or use the snipping tool to capture the error message or the screen that demonstrates the failure. The circumstances leading to the failure should be noted, and the notes should be dated and signed.

· Alerting the Information Security Officer or IS Department whenever an unauthorized access attempt or social engineering attempt is encountered. Social engineering attempts include emails from an untrusted source, phone calls in which the caller cannot be authenticated, unknown media such as CDs, DVDs, or USB drives, and any person potentially surveilling the premises.

Use of AI/ML Tools

The use of artificial intelligence (AI) and machine learning (ML) tools for business purposes, such as automated writing, image generation, speech synthesis, and other AI/ML technologies, requires management approval. Employees will consult with their manager before implementing any proposed AI/ML tool. The specific AI/ML tool, its purpose, the type of data that will be used, and plans for securing sensitive information will all be considered. Management will provide guidance to ensure that any AI/ML tool is used in accordance with company policies regarding confidentiality, security, ethics, and acceptable use. Any manager who is unsure about the scope or potential impact of a proposed AI/ML tool should consult with the ISO, who will assess the associated risks and provide guidance to ensure compliance with company policies related to security, privacy, ethics, and acceptable use. All AI/ML tool use must adhere to the guidelines outlined in this policy. Any exceptions require explicit approval from both management and the ISO.

All use of AI/ML tools must comply with the requirements outlined in this policy, including:

· Anonymizing any confidential data used as inputs.

· Reviewing outputs for accuracy, potential bias, and appropriate representation.

· Providing proper attribution when required by the AI/ML provider's terms of use.

· Not representing AI/ML outputs as one's own work without disclosure.

· Securing AI/ML credentials and outputs according to company data security protocols.

Social Media/Networking

Social media/networking includes sites such as Facebook, Instagram, LinkedIn, Twitter, TikTok, and YouTube. Employees are personally responsible for the content they publish on social networking sites, both personal and institutional, and therefore are expected to use good ethical judgment and follow institution policies. At no time is any party authorized to perform any of the following actions:

· Posting confidential or proprietary information about RRCU, its employees, or members.

· Posting inappropriate or negative remarks about RRCU, its employees, or its members.

· Posting day-to-day activities or upcoming internal events, with or without intent to expose internal weaknesses, hours of high or low staffing, or anything that could jeopardize security at RRCU.

· Unauthorized use of RRCU’s name, logo, or other trademarks without written approval.

· Use of any RRCU email address, domain name, or website to engage in social media/networking activity.

· Use of a website proxy (or proxies) to bypass any restrictions or security controls implemented by RRCU to block social media websites.

Additionally, social media/networking activity shall not interfere with work commitments.

Personal Phone Use

Employees shall limit the use of personal cell phones during business hours as well as the personal use of RRCU phones. To the best of the employee’s ability, personal calls shall be conducted either before or after the workday, or during breaks or meal periods. Additionally, personal calls shall be conducted in private away from members and other employees. Personal cell phones shall have an appropriate ringer set to an appropriate level to reduce distractions. At no time shall personal cell phones be used while attending to a member. Excessive use of personal calls may lead to disciplinary action.

Personal Mobile Device Usage

Employees who are granted access to RRCU corporate information or systems on personal mobile devices must adhere to the following requirements:

· Mobile Device Management (MDM):

Any personal device used to access RRCU corporate resources (e.g., email, documents, applications) must be enrolled in RRCU’s Mobile Device Management (MDM) system. This enables the organization to:

o Enforce security policies

o Manage access to corporate data

o Remotely wipe the device in the event of loss, theft, compromise, or termination of access

· Lost or Stolen Devices:

Employees must notify the Information Security department within 24 hours if an enrolled personal device is lost, stolen, or otherwise compromised.

· Network Restrictions:

Personal devices are not permitted to connect to RRCU’s internal wired or wireless networks unless explicitly authorized and managed through MDM.

· Usage Boundaries:

Access to corporate information on personal devices is permitted only during business hours or as required by job responsibilities. Personal use of mobile devices unrelated to corporate access should follow the guidelines outlined in the Personal Phone Use section above.

Clean Desk/Clear Screen

Employees shall not leave confidential documentation, sensitive documentation, or storage media devices containing such documentation in their work areas during non-business hours or unattended for extended lengths of time during business hours.

Employees shall not leave confidential or sensitive information displayed on computer screens when screens are not supervised. Proper monitor placement prevents the disclosure of confidential and sensitive information to members or other employees within the facility. Therefore, computer display screens shall be positioned to prevent viewing from public areas and from externally facing windows. Additionally, before leaving a workstation unattended, employees shall log off or lock the system.

Reporting a Violation of the Acceptable Use Policy or Security Issue

Employees shall immediately report any possible or actual security weaknesses and incidents that they become aware of to the Information Security Officer. For this reason, RRCU has appointed the Information Security Officer to be the initial contact for employees concerning all security and Acceptable Use Policy issues.

Enforcement

Any party found to have violated this policy may be subject to disciplinary action, including immediate verbal or written warnings, temporary or permanent reduction or loss of privileges, termination of employment or contract, and legal action including criminal prosecution.