AHA Acceptable Use Policy Contents Purpose..........................................................................................................................................................................2 Policy..............................................................................................................................................................................2 Responsibilities ..............................................................................................................................................................3 General User Responsibilities ...................................................................................................................................................... 3 Responsibility Regarding Passwords ........................................................................................................................................... 3 Responsibility Regarding Media .................................................................................................................................................. 4 Responsibility Regarding Incidental Personal or Non‐business Use of AHA Communication Resources .................................... 4 Responsibility Regarding Incidental Use of AHA Data on Personal Devices ................................................................................ 5 Concerns or Violations of This Policy.............................................................................................................................5 Acceptable Use Policy Frequently Asked Questions......................................................................................................6 Acceptable Use Policy Page 1 of 11 Last revised: 5 /22/2012 AHA Acceptable Use Policy Purpose The American Heart Association’s Acceptable Use Policy governs the proper and acceptable use of both AHA and personally owned devices on which AHA data is stored and/or accessed. The advent and continued growth of electronic communication resources in the workplace requires the American Heart Association to proactively ensure that its employees and other resource users understand and abide by this policy. This Acceptable Use Policy is a companion to the AHA Privacy and Security Policies. All use of communication resources must be in compliance with this Acceptable Use Policy and all AHA policies. The American Heart Association reserves the right to change the Acceptable Use Policy at any time. Policy This policy applies to the use of all communication resources, equipment or devices that can be used for the retrieval, storage or dissemination of AHA data in any format whether personally owned or provided to Users by the AHA. American Heart Association communication resources (e.g., its computers, computer systems and networks, e‐mail, Internet and Intranet access, software, phones, Smartphones (iPhones, Blackberries, Androids, etc), tablets (iPads, etc), voicemail, faxes, copiers and other communication equipment and devices) are to be used for AHA business purposes. All use must be appropriate both in content, context, time and duration The use of communication resources and access to data is a privilege extended by the AHA to AHA staff, temporary workers, contract workers, its volunteers and others (“Users”) for conducting AHA business, and may be withdrawn at any time. Proper media storage and disposal of data containing, both AHA confidential and privacy‐restricted information, must be appropriately handled to prevent unauthorized access whether data is stored on Users’ personal devices or resources provided by the AHA. • Use of communication resources and accounts with access to the AHA’s systems and data will be monitored and tracked by AHA management at any time without any notice. Users should have no expectation of privacy or confidentiality when using the AHA’s communication resources, equipments, devices or accounts. • The AHA owns, and may retrieve, read and disclose all material, whether business related or personal, that is created, sent, received, accessed, transmitted or stored on its systems. • AHA reserves the right to retrieve or delete any data on AHA or personally owned devices that synch with AHA systems. • The AHA will use, as it deems appropriate, software or other methods, that make it possible to identify and block access to Internet sites or other sources of materials deemed inappropriate or unnecessary in the workplace or that may compromise the security of the AHA’s communications systems and networks. All Users to whom the AHA allows access to its communications resources must comply with this policy. Violation of the policy may result in disciplinary action up to and including termination of employment or service. Acceptable Use Policy Page 2 of 11 Last revised: 5 /22/2012 AHA Acceptable Use Policy Responsibilities The purpose of the responsibilities section is to clarify AHA User responsibilities for complying with the Acceptable Use Policy. Users are to exercise good judgment in the use of AHA communication resources to perform AHA business. For more information on responsibilities, refer to the Frequently Asked Questions. General User Responsibilities Users must: 1. Not disengage AHA hardware or software security settings or take any other action that could result in the introduction of viruses, worms or any other form of malware. 2. Maintain up‐to‐date anti‐virus software and any security related patches for the operating system. 3. Store and safeguard AHA data and information to prevent unauthorized access, use or removal by any means and in any form. 4. Use communication tools in a manner that does not adversely affect the AHA or its public image or that of its customers, or associates. 5. Report to the Technology Service Desk any mobile device or portable media that is lost or stolen that contains AHA data including, but not limited to email, calendar and contacts. Responsibility Regarding Passwords The AHA requires passwords or provides codes to users to access certain communication systems and networks. The AHA reserves the right to limit access to all or any portion of its communication systems and networks. All Users must follow the Association’s password usage policies and standards. Responsibilities for passwords are: • Users must not disclose or share assigned individual passwords or codes or allow others to use any equipment or specific assigned accounts, for any reason, at any time – with the following exceptions: o AHA management has approved sharing user ID's and passwords with immediate family members to log into the American Heart University online courses. o Passwords may be shared with Technology and Customer Strategies (TCS) employees for troubleshooting computer problems. Users should always change passwords when the problem has been resolved. • Users must actively protect passwords. • Users must report any knowledge or suspicion of password misuse. • Users must password protect all mobile devices. • Users must create a strong password. • Users must periodically change their password. Acceptable Use Policy Page 3 of 11 Last revised: 5 /22/2012 AHA Acceptable Use Policy Responsibility Regarding Media Prevention of unauthorized access to the Association’s confidential and privacy‐ restricted information, including personal and sensitive data, is maintained by controlling the use, re‐use, storage and disposal of media containing such information. Media containing confidential and privacy‐restricted information may include, but is not limited to: • Paper: o Official records o Documents include credit card slips; credit card terminal printouts; worksheets, schedules, self‐stick notes, chart covers, and any other paper of any color or weight • Electronic media, for example: o Computers, printers, faxes and personal Devices, Smart Phones, Blackberries, iPads, tablets, or any other wireless device o Removable magnetic media (e.g., compact disk (CD), digital video disc (DVD) optical disk) o Memory sticks and USB hard drives Responsibilities for media: Users must handle all media containing confidential and privacy‐restricted information in a manner to prohibit unauthorized access by: a. Keeping paper locked up with limited access b. Storing confidential and privacy‐restricted information only on encrypted electronic media, including personal devices and cloud storage. c. Removing confidential and privacy restricted information from electronic media, including AHA and personal owned, when the data is no longer required and always before the media is re‐used. Responsibility Regarding Incidental Personal or Non‐business Use of AHA Communication Resources Incidental personal or non‐business use of communication resources is permitted if it does not interfere with AHA business, services or resources and does not result in any loss, damage or liability to the AHA. Users may use the AHA’s communication resources for limited personal or non‐business use provided: 1. The personal or non‐business use does not interfere in any way with the User’s work obligations, the use is not excessive, harassing or illegal in nature, and does not compromise the security or integrity of the AHA’s systems or violate this or other AHA policies. 2. The AHA incurs no significant additional costs. 3. The use would not be considered obscene, pornographic, indecent, maliciously false, racist, sexist, bullying, threatening, hateful, abusive, an invasion of privacy, hurtful or otherwise in violation of the law or AHA policies and