
Internet, Email, and Computer Use Policy

This policy establishes acceptable use of electronic communications and computing systems, ensures NIST CSF 2.0 compliance, supports cybersecurity best practices, and clearly defines employee responsibilities regarding digital assets and communications.

Table of Contents:

  1. Ownership and Scope
  2. Acceptable Use Requirements
  3. Security and Password Management (Protect)
  4. Monitoring & Access Control (Detect)
  5. Confidentiality & Data Protection
  6. Software & Device Use
  7. User Accountability (Identify)
  8. Enforcement & Disciplinary Action (Respond/Recover)
  9. Policy Updates & Acknowledgment
  10. Security Roles and Responsibilities

 

1. Ownership and Scope

  • All electronic communications, systems, hardware, software, accounts, files, and data remain the sole property of the Company. Use is limited to authorized business activities. Personal use is prohibited except during approved break periods.

  • This policy applies to all Company-managed systems, whether accessed from Company premises, remotely, or via Company-paid devices and services.


2. Acceptable Use Requirements

Employees must:

  • Use Company systems only for approved business purposes.

  • Avoid engaging in activities that are illegal, unethical, discriminatory, harassing, defamatory, or otherwise contrary to Company policy.

  • Not access or attempt to access accounts or systems without proper authorization.

  • Not use anonymous communication tools, encryption without prior approval, or install unverified third-party software.

All use must comply with related Company policies including those on data protection, confidentiality, and professional conduct.


3. Security and Password Management (Protect)

To protect Company data and systems:

  • Employees are prohibited from using browser-based “Password Autofill” for any Company system. Only authorized password vault accounts are allowed.

  • Credentials may be stored in a password-protected Excel file. A copy of the master password must be securely shared with IT or the designated integrator.

  • All passwords must meet minimum complexity standards (minimum 12 characters, mixed character sets, no dictionary words).

  • Passwords for critical systems such as the Veonics Portal, HubSpot, QuickBooks, AWS, WordPress, JIRA, payment portals, banking portals, or any software and browser-based credentials that access PII data must be updated every 90 days, without exception!

  • Multi-factor authentication (MFA) is required where supported.

  • Siloed Credentialing: When accessing any system that contains various levels of PII data, user credentials must be siloed to restrict access to PII data that is not necessary for general use and operations. The primary use case is the Veonics Portal, where users need dedicated credentials for each:
    • Sales Demonstrations with no access to customer data
    • Production Departmental use that allows access to only Production-related customer data
    • SaaS Subscribing accounts that allow access to only SaaS-related customer data

4. Monitoring and Access Control (Detect)

  • The Company reserves the right to monitor and audit all electronic communications and system usage to ensure policy adherence and detect unauthorized or malicious activity.

  • Monitoring includes, but is not limited to, internet usage, emails, text messages (company-issued phones only), instant messaging, file access, application usage, and system login attempts.

  • Any indication of misuse or cybersecurity threats will result in review and possible disciplinary action.


5. Confidentiality and Data Protection

  • Employees must not transmit sensitive information, trade secrets, or customer PII/PHI through unsecured or unapproved channels (e.g., personal email, text).

  • Use of mobile and remote devices must comply with the Company’s data encryption and mobile device management (MDM) policies.

  • Confidential data must be stored only on Company-approved systems with encryption at rest and in transit.

  • Any suspected data loss or breach must be reported immediately to the IT administrator or Security Officer.


6. Software and Device Use

  • Personal software may not be installed on any Company system.

  • Personal devices may not connect to Company networks unless explicitly authorized and secured according to policy. Any USB or other data storage device is strictly prohibited on Company property unless approved by our Information Technology Department.

  • All Company-managed devices must remain updated with Company-approved security patches, antivirus, and endpoint protection.


7. User Accountability (Identify)

Each user is accountable for:

  • Guarding against sophisticated social engineering attacks: if another employee, contractor, or other individual is acting cryptic about any issue you're not 100% certain of, use our core value of Crystal Clear and have them clarify what they are discussing via email or text before you act or choose not to act.

  • Protecting their login credentials and not sharing them with unauthorized parties.

  • Immediately reporting suspected phishing attempts, unauthorized access, or device compromise.

  • Following all system use protocols established by management and IT.


8. Enforcement and Disciplinary Action (Respond/Recover)

  • Violations of this policy may result in disciplinary action, up to and including termination of employment and potential legal action.

  • All violations will be logged and reviewed. Affected systems or data will be subject to incident response protocols aligned with NIST CSF 2.0 standards.

  • Remediation and retraining will be mandatory for minor infractions. Repeated or severe violations will result in escalation to executive management.


9. Policy Updates and Employee Acknowledgment

This policy will be reviewed at least annually or as required by changes to applicable regulations or NIST CSF guidance. Employees must acknowledge receipt and understanding of this policy in writing or via the Company’s HR system.


10. Security Roles and Responsibilities

  • All Employees (Everyone)

    • Never open an email from an unknown sender, and always verify the sender's identity by selecting the email sender and examining the email address for discrepancies.

    • Follow this policy and all related security policies (data handling, privacy).

    • Protect credentials (no sharing/reuse); use MFA where available.

    • Report suspected phishing, suspicious requests, or device compromise immediately.

    • Use only approved tools; do not email PII/PHI or use personal cloud storage for company data.

    • Lock screens when away by pressing the Windows, Alt, and L keys simultaneously; secure devices.

    • Never use removable media unless it is IT-approved.

  • General Employee PC Users

    • Complete onboarding and refresher cybersecurity training on schedule.

    • Handle PII only via approved workflows (e.g., Upload Center/Portal); never via email.

    • Keep local storage minimal; store work products only on approved drives/services.

  • Computer Admin PC Users / IT Operations

    • Provision/deprovision access on join/move/leave; enforce least privilege & MFA.

    • Maintain patching, AV/EDR, DNS filtering, and device encryption; monitor alerts.

    • Enforce session timeouts, password standards, and blocked/allowed software lists.

    • Maintain backups and restore tests; support incident response and evidence retention.

  • Veonics Portal Admin Users (Production & Subscription)

    • Create/manage organizations, roles, and permissions per least-privilege.

    • Keep Production and Subscription credentials siloed; no cross-use.

    • Review user access quarterly; disable/obliterate data per approved requests.

  • Department Heads / Managers

    • Ensure team compliance (training completion, tool usage, data handling).

    • Approve access requests according to need-to-know; review access quarterly.

    • Escalate incidents promptly; support corrective actions and coaching.

  • Security Officer / Compliance Lead

    • Maintain policies, runbooks, and training content; track attestations.

    • Coordinate incident triage, containment, root-cause, and remediation.

    • Conduct (or coordinate) periodic risk and access reviews; report metrics to leadership.

  • Executive Leadership

    • Approve policies and material changes; provide resources for controls and training.

    • Own risk acceptance decisions; oversee serious violations and external notifications.

    • Support business continuity, disaster recovery, and insurance posture.

  • Human Resources

    • Capture employee acknowledgments; embed security in onboarding/offboarding.

    • Coordinate with IT on timely account changes for role changes and terminations.

  • Third-Party Contractors / Vendors

    • Access only with written authorization and unique credentials; no shared logins.

    • Use approved remote-support methods; no local retention of company data.

    • Adhere to eXpress badging® security requirements and confidentiality agreements.

Updated 09/09/2025 Joe French