AHA Acceptable Use Policy

Contents
Purpose ...... 2
Policy ...... 2
Responsibilities ...... 3
General User Responsibilities ...... 3
Responsibility Regarding Passwords ...... 3
Responsibility Regarding Media ...... 4
Responsibility Regarding Incidental Personal or Non‐business Use of AHA Communication Resources ...... 4
Responsibility Regarding Incidental Use of AHA Data on Personal Devices ...... 5
Concerns or Violations of This Policy ...... 5
Acceptable Use Policy Frequently Asked Questions ...... 6

Acceptable Use Policy Page 1 of 11 Last revised: 5/22/2012


Purpose

The American Heart Association’s Acceptable Use Policy governs the proper and acceptable use of both AHA and personally owned devices on which AHA data is stored and/or accessed. The advent and continued growth of electronic communication resources in the workplace requires the American Heart Association to proactively ensure that its employees and other resource users understand and abide by this policy. This Acceptable Use Policy is a companion to the AHA Privacy and Security Policies.

All use of communication resources must be in compliance with this Acceptable Use Policy and all AHA policies. The American Heart Association reserves the right to change the Acceptable Use Policy at any time.

Policy

This policy applies to the use of all communication resources, equipment or devices that can be used for the retrieval, storage or dissemination of AHA data in any format, whether personally owned or provided to Users by the AHA. American Heart Association communication resources (e.g., its computers, computer systems and networks, e‐mail, Internet and Intranet access, software, phones, Smartphones (iPhones, Blackberries, Androids, etc.), tablets (iPads, etc.), voicemail, faxes, copiers and other communication equipment and devices) are to be used for AHA business purposes. All use must be appropriate in content, context, time and duration. The use of communication resources and access to data is a privilege extended by the AHA to AHA staff, temporary workers, contract workers, its volunteers and others (“Users”) for conducting AHA business, and may be withdrawn at any time. Media storage and disposal of data containing AHA confidential or privacy‐restricted information must be handled appropriately to prevent unauthorized access, whether the data is stored on Users’ personal devices or on resources provided by the AHA.

• Use of communication resources and accounts with access to the AHA’s systems and data will be monitored and tracked by AHA management at any time without any notice. Users should have no expectation of privacy or confidentiality when using the AHA’s communication resources, equipment, devices or accounts.
• The AHA owns, and may retrieve, read and disclose, all material, whether business related or personal, that is created, sent, received, accessed, transmitted or stored on its systems.
• AHA reserves the right to retrieve or delete any data on AHA or personally owned devices that synch with AHA systems.
• The AHA will use, as it deems appropriate, software or other methods that make it possible to identify and block access to Internet sites or other sources of materials deemed inappropriate or unnecessary in the workplace, or that may compromise the security of the AHA’s communications systems and networks.

All Users to whom the AHA allows access to its communications resources must comply with this policy. Violation of the policy may result in disciplinary action up to and including termination of employment or service.


Responsibilities

The purpose of the responsibilities section is to clarify AHA User responsibilities for complying with the Acceptable Use Policy. Users are to exercise good judgment in the use of AHA communication resources to perform AHA business. For more information on responsibilities, refer to the Frequently Asked Questions.

General User Responsibilities

Users must:
1. Not disengage AHA hardware or software security settings or take any other action that could result in the introduction of viruses, worms or any other form of malware.
2. Maintain up‐to‐date anti‐virus software and any security‐related patches for the operating system.
3. Store and safeguard AHA data and information to prevent unauthorized access, use or removal by any means and in any form.
4. Use communication tools in a manner that does not adversely affect the AHA or its public image, or that of its customers or associates.
5. Report to the Technology Service Desk any lost or stolen mobile device or portable media that contains AHA data, including, but not limited to, email, calendar and contacts.

Responsibility Regarding Passwords

The AHA requires passwords or provides codes to users to access certain communication systems and networks. The AHA reserves the right to limit access to all or any portion of its communication systems and networks. All Users must follow the Association’s password usage policies and standards.

Responsibilities for passwords are:
• Users must not disclose or share assigned individual passwords or codes or allow others to use any equipment or specific assigned accounts, for any reason, at any time – with the following exceptions:
o AHA management has approved sharing user IDs and passwords with immediate family members to log into the American Heart University online courses.
o Passwords may be shared with Technology and Customer Strategies (TCS) employees for troubleshooting computer problems. Users should always change passwords when the problem has been resolved.
• Users must actively protect passwords.
• Users must report any knowledge or suspicion of password misuse.
• Users must password protect all mobile devices.
• Users must create a strong password.
• Users must periodically change their password.


Responsibility Regarding Media

Prevention of unauthorized access to the Association’s confidential and privacy‐restricted information, including personal and sensitive data, is maintained by controlling the use, re‐use, storage and disposal of media containing such information. Media containing confidential and privacy‐restricted information may include, but is not limited to:
• Paper:
o Official records
o Documents, including credit card slips, credit card terminal printouts, worksheets, schedules, self‐stick notes, chart covers, and any other paper of any color or weight

• Electronic media, for example:
o Computers, printers, faxes and personal devices, Smart Phones, Blackberries, iPads, tablets, or any other wireless device
o Removable magnetic media (e.g., compact disk (CD), digital disc (DVD), optical disk)
o Memory sticks and USB hard drives

Responsibilities for media: Users must handle all media containing confidential and privacy‐restricted information in a manner that prohibits unauthorized access by:
a. Keeping paper locked up with limited access.
b. Storing confidential and privacy‐restricted information only on encrypted electronic media, including personal devices and cloud storage.
c. Removing confidential and privacy‐restricted information from electronic media, whether AHA or personally owned, when the data is no longer required and always before the media is re‐used.

Responsibility Regarding Incidental Personal or Non‐business Use of AHA Communication Resources

Incidental personal or non‐business use of communication resources is permitted if it does not interfere with AHA business, services or resources and does not result in any loss, damage or liability to the AHA.

Users may use the AHA’s communication resources for limited personal or non‐business use provided:
1. The personal or non‐business use does not interfere in any way with the User’s work obligations, the use is not excessive, harassing or illegal in nature, and does not compromise the security or integrity of the AHA’s systems or violate this or other AHA policies.
2. The AHA incurs no significant additional costs.
3. The use would not be considered obscene, pornographic, indecent, maliciously false, racist, sexist, bullying, threatening, hateful, abusive, an invasion of privacy, hurtful or otherwise in violation of the law or AHA policies and guidelines.


Nothing in this Policy is intended to, or shall be construed to, prohibit or limit discussions among employees about terms and conditions of employment or working conditions to the extent such discussions are protected by applicable law.

Responsibility Regarding Incidental Use of AHA Data on Personal Devices

AHA allows porting of non‐sensitive AHA data to personal devices on an as‐needed basis for business use only. Personal devices include but are not limited to: Smart phones, notebooks, tablets, E‐readers, portable media devices, personal laptops/notebooks and computers, and any Internet‐based storage.

Users must:
1. Password protect any device
2. Restrict Email to current only
3. Synch only current data of their AHA calendar
4. Segregate any AHA data in a separate folder/container named “AHA”, if possible
5. Not back up AHA data via any personal backup method
6. Not connect personal devices to any data wall jack in AHA offices
7. Destroy AHA data on personal devices as soon as it is no longer needed, or immediately if the user is no longer an employee of AHA:
o Paper – cross‐cut shred all copies
o CDs, DVDs – shred. Most office shredders can shred CDs and DVDs.
o Memory sticks, USB hard drives – delete the data
o Personal devices – delete the data
8. Install and maintain up‐to‐date anti‐virus for personal devices, as available
9. Update any personal devices with the current operating system, as available
10. Agree that AHA may remove AHA data from personal devices

Concerns or Violations of This Policy

If a User encounters or suspects any violations of this policy, he/she should contact his/her immediate manager or another senior manager or the Senior Human Resource Executive. If the User is not comfortable discussing the matter with management or has concerns with anonymity, contact the Ethics Hotline at (866) 293‐2427 or online at www.ethicspoint.com.


Acceptable Use Policy Frequently Asked Questions

1. How do I find out what I can or cannot do with regard to AHA communication resources?
• Refer to the supporting information/Responsibilities sections of the Association Wide Acceptable Use Policy.
• If you have any questions or need additional clarification, please talk first with your Supervisor – your Supervisor may need to speak with your Senior HR Executive or the Technology Service Desk.
• Complete the American Heart University’s course, “AHA’s Acceptable Use Policy”.

2. What are examples of unacceptable use for Personal or Non‐business Use of AHA Communication Resources?
Examples of unacceptable use include but are not limited to the following:
• Making personal long‐distance calls/faxes using AHA equipment.
• Accessing, viewing and/or downloading, uploading or transmitting sexually explicit, obscene or offensive materials.
• Engaging in Internet gambling.
• Using communication tools with the intent to harass others.
• Accessing personal email from AHA computers. However, Users may use their own personal smart phones for personal email.
• Using AHA resources to further a personal commercial business.
• Downloading or installing unlicensed or unapproved software on a computer or the AHA’s systems.
• Uploading, downloading or transmitting, without express authorization, material on which a third party owns or holds the copyright, patent or other intellectual property or proprietary right (e.g., music, etc.).
• Uploading, downloading or transmitting confidential or proprietary materials of the AHA for non‐business purposes.
• Using communication tools to send personal external broadcast messages.
• Gaining unauthorized access to internal or external systems or material by hacking, cracking or otherwise circumventing security schemes.

3. Can I use AHA computers to check my personal email?
No. Due to security risks, staff may not access personal email via web browsers on AHA computers. However, they may use their own personal devices or smart phones for personal email and web browsing.

4. What exactly is considered excessive personal use?
• Users of the AHA communication resources for personal or non‐business purposes are accountable for their use and must ensure that their use is consistent with the AHA Acceptable Use Policy and does not result in any loss, damage or liability to the AHA. Users are to exercise good judgment in the use of AHA communication resources.
• Any personal usage beyond infrequent, brief periods of time is considered excessive.

5. How much time may I spend on my AHA PC or Laptop to do personal business (e.g., email)?
Users may use AHA’s communication resources for limited personal or non‐business use provided that the communication tools are used on an off‐hour basis, such as during lunchtime or before or after work hours (e.g., infrequent, brief periods of time).


6. May I use my personal device to conduct AHA business?
• Yes. Only connect via the Guest Wireless network and access AHA drives and applications via webnet.heart.org. Do not connect via the data wall jack within an AHA office.
• Any AHA data used on your personal device must be on an as‐needed basis. Remember, never copy sensitive data to personal devices, and store all data in an AHA folder, if possible.
• Any AHA data ported to your personal device must not be backed up using any personal backup method.
• AHA may remove all data at any time.
• In the event a mobile device is lost or stolen, AHA or personally owned, report the incident to the Technology Service Desk.

7. Why shouldn’t I have pictures or music files on my AHA computer?
We highly discourage keeping any personal items (including, but not limited to, pictures, music files, video files and other personal records/documents such as tax returns or medical records) on your work computer. Here are a few reasons:
• Remember that your computer and its files can be seen by anyone at the AHA with the appropriate access rights, including your Manager, and could be released at any time without the need for your permission.
• If your work computer is stolen, there is a chance that the files on your computer could be compromised.
• Storing your media files on an AHA Computer may violate copyright laws, subjecting you and the AHA to possible litigation.
• Viewing videos and listening to music sites such as Pandora, iTunes, Yahoo or AOL Music can reduce the performance of the AHA Network.

8. What are other examples of things that can impact AHA Network performance and are therefore not acceptable under the policy?
• Downloading large files, requesting downloads of music files (e.g., MP3), Weather bug, etc.
• Installing and using various toolbars, such as Google, Yahoo and AOL toolbars. These toolbars send and receive data continuously and impact the performance of our network resources.

9. Can I spend my lunch hour surfing the Internet?
Using the Internet for personal use for extended periods of time (such as an entire lunch hour) can negatively impact bandwidth not only for your building or Affiliate, but for the entire AHA. For that reason, we ask that employees limit their personal time on the Internet even during their lunch hour.

10. Why has the AHA implemented an Internet monitoring system?
The AHA implemented monitoring in order to:
• Reduce intrusive, undesired spyware.
• Prevent exposure to unwanted materials / Internet advertisements (pop‐ups).
• Reduce the need for additional Internet Capacity.


• Maximize bandwidth and speed for AHA‐specific software applications (e.g., Customer Relationship Management (CRM), PeopleSoft, etc.).
• Minimize downtime and computer repair costs as a result of spyware, viruses, etc.
• Minimize non‐compliance with the AHA’s Association Wide Acceptable Use Policy.

11. Will consultants and temporary staff be monitored as well?
Yes. All staff and temporary or contractual workers are required to consent to and comply with the Association Wide Acceptable Use Policy. Their AHA contact is responsible for securing appropriate signatures and submitting them to HR.

12. Why is an Internet site blocked?
The system that was implemented by the AHA categorizes each site as either acceptable or unacceptable. The vendor views each site and assigns a category that is the best fit based on the content of that site. Sites that fall into certain categories are automatically blocked.

13. Why is Internet site X blocked but not site Y?
The Web site list of acceptable and unacceptable sites is updated by the vendor on a daily basis. It categorizes thousands of new sites daily. Also, it may receive requests from AHA and other customers to re‐categorize a site. (For example, if a site comes under attack due to spyware distribution or a virus, it may be re‐categorized as a security risk and blocked.)

14. What should I do if a Web site is blocked that I need to access for AHA business?
• Contact the Technology Service Desk in one of three ways (listed in order of preference):
o By online form located here (must be on the network)
o By email: [email protected]
o By phone: 1‐800‐527‐2393 or, if at National Center, dial x5970
• Be prepared to provide the following information:
o Your name, position and contact information.
o What is the URL / Web site you are trying to access?
o What is the category filtered? (This is displayed on your screen.)
o What is the business requirement to access this site? (e.g., how does this impact the ability to perform your job?)
o How often do you access this site? (Is this a one‐time need or ongoing?)
o Do you know if other AHA staff will need to access this site?
o Have you been able to access this site before? If yes, when?
o Supervisor name.
• The request will be sent to the appropriate group for review and/or approval. This process takes 2–3 business days. Once the site is evaluated, you will be contacted that the site has been re‐categorized OR that it has been determined unacceptable or unsafe.

15. What if I am having a meeting or a vendor presentation, and will need to access Web sites? Do I need to do something special?
• You should ALWAYS verify that access to a site is allowed well in advance of the meeting. In addition, since the vendor sometimes must re‐categorize a site, you may want to check a few hours before the meeting as well.


• Guests visiting AHA offices that need access to the Internet may use the guest wireless network. AHA staff must provide the current guest wireless password found on the TSD SharePoint site.

16. May I share my password with other AHA staff?
• No. Users must not disclose or share their individual passwords or codes or allow others to use any equipment or accounts specifically assigned to them. Violation of the policy may result in disciplinary action, up to and including termination.
• In emergencies, Supervisors may contact the Technology Service Desk to access their staff’s PC/Laptop files.
• Exception: If you’ve contacted the Technology Service Desk for computer issues, they may request your password to perform their duties. TCS will not reset passwords without appropriate Supervisor approval. It is advised that you change your password afterwards.

17. How do users actively and effectively protect passwords?
• By creating a strong password using full sentences, inserting numbers, symbols, and upper‐ and lowercase letters, and not using easily guessed words like names of loved ones.
• By periodically changing or updating all passwords.
• By memorizing passwords – don’t write passwords down and store them in unsafe places such as desks or documents. If passwords are written down, make sure the note is safely hidden.

18. How can I create a strong password?
An ideal password is long and has letters, punctuation, symbols, and numbers.
• Use at least 15 characters.
• The greater the variety of characters in your password, the better (e.g., letters, numbers, special characters).
• Use the entire keyboard, not just the letters and characters you use or see most often.

19. Doesn’t TCS push out security updates and patches?
Yes, for AHA‐owned client computers. However, for personally owned devices, Users are responsible for having up‐to‐date anti‐virus software and security‐related patches for their operating system.

20. Is it OK for me to send or receive e‐mail messages concerning my home business or second job (non‐AHA) using my AHA account?
No. This is not acceptable use of AHA communication resources.

21. How do I restrict my email to current only?
By limiting the number of emails synched. For example: save the last 100 messages or the most recent 7 days only.

22. How do I know if my personal device has the current operating system?
If you question whether you do or not, contact your vendor for assistance.

23. What is cloud storage?
Cloud storage is a model of computer data storage hosted by third parties, accessible via the Internet.


24. How do I destroy data?
If the device is AHA owned, TCS will ensure proper data wipe of the device. If the device is personally owned, TCS can ensure the proper data wipe or work with a legitimate business that provides data wipes.

25. How do I restore data that has been wiped out?
AHA cannot restore data wiped out from personal devices except AHA data that has been synched with AHA systems; i.e., email, data on shared drives or SharePoint. The ability to restore personal data is your responsibility.

26. What if I need someone to process my E‐1 activities while I’m out?
Acceptable use for reassigning an E‐1 expense report processing task or responsibility to another person is listed below:
• A Proxy allows for the permanent or temporary (10 days or more) assignment of a data‐entry task, for inputting of expense reports, but denies authority for approvals.
• When a supervisor has a leave of absence for an extended time (e.g., more than three weeks), Delegations of Authority allow temporary assignment of management responsibility and authority for issuing approvals (for what?) to pass to supervisors of the same level or higher. (As someone who doesn’t use E‐1 often, this is a little confusing.)
• Both processes can be requested in writing through E1 support by emailing [email protected].

27. What are examples of confidential, personal and sensitive information?
• Confidential Information is information protected by statutes, regulations, company policies or contractual language, including but not limited to trade secrets, embargoed information, personal and financial information of donors, vendors, suppliers and customers, health information, and information required to be kept confidential by contract.
• Personal Information is information that is or can be about or related to an identifiable individual. An example of personal information is Demographic Information, which identifies a specific individual with a minimal degree of effort. Demographic Information includes name, address, city and other similar information.
• Sensitive Information is information that requires an extra level of protection and a higher duty of care. Examples of sensitive information are an individual's first name or first initial and last name in combination with any one or more of the following items: customer credit or debit card number; card type and expiration date of a customer credit or debit card; Social Security number; driver's license number; financial information such as bank account numbers; or medical information.

28. What data can the AHA wipe from my mobile device?
If a device synchs with the AHA environment, AHA can erase all data.

29. How can I prevent my personal emails and contacts from being wiped, if necessary?
You have agreed that AHA may wipe all data on your personal device, so it is important that you back up or copy personal data to a personal resource so you can later restore your data.


30. With whom may I consult if I am not sure what I am doing is acceptable per the policy?
• Talk with your Supervisor
• Your Supervisor may want to contact the Technology Service Desk
• Consult your Senior HR Executive
