
Internet, Email, and Computer Use Policy

This policy establishes acceptable use of electronic communications and computing systems, ensures NIST CSF 2.0 compliance, supports cybersecurity best practices, and clearly defines employee responsibilities regarding digital assets and communications.

1. Ownership and Scope

  • All electronic communications, systems, hardware, software, accounts, files, and data remain the sole property of the Company. Use is limited to authorized business activities. Personal use is prohibited except during approved break periods.

  • This policy applies to all Company-managed systems, whether accessed from Company premises, remotely, or via Company-paid devices and services.


2. Acceptable Use Requirements

Employees must:

  • Use Company systems only for approved business purposes.

  • Avoid engaging in activities that are illegal, unethical, discriminatory, harassing, defamatory, or otherwise contrary to Company policy.

  • Not access or attempt to access accounts or systems without proper authorization.

  • Not use anonymous communication tools, use encryption without prior approval, or install unverified third-party software.

All use must comply with related Company policies including those on data protection, confidentiality, and professional conduct.


3. Security and Password Management (Protect)

To protect Company data and systems:

  • Employees are prohibited from using browser-based “Password Autofill” for any Company system. Only authorized password vault accounts are allowed.

  • Credentials may be stored in a password-protected Excel file. A copy of the master password must be securely shared with IT or the designated integrator.

  • All passwords must meet minimum complexity standards (minimum 12 characters, mixed character sets, no dictionary words).

  • Passwords for critical systems such as the Veonics Portal, HubSpot, QuickBooks, AWS, WordPress, JIRA, payment portals, banking portals, or any software and browser-based credentials that access PII data must be updated every 90 days, without exception!

  • Multi-factor authentication (MFA) is required where supported.

  • Siloed Credentialing: When accessing any system that contains various levels of PII data, user credentials must be siloed to restrict access to PII data that is not necessary for general use and operations. The primary use case is the Veonics Portal, where users need dedicated credentials for each:
    • Sales Demonstrations with no access to customer data
    • Production Departmental use that allows access to only Production-related customer data
    • SaaS Subscribing accounts that allow access to only SaaS-related customer data

4. Monitoring and Access Control (Detect)

  • The Company reserves the right to monitor and audit all electronic communications and system usage to ensure policy adherence and detect unauthorized or malicious activity.

  • Monitoring includes, but is not limited to, internet usage, emails, text messages, instant messaging, file access, application usage, and system login attempts.

  • Any indication of misuse or cybersecurity threats will result in review and possible disciplinary action.


5. Confidentiality and Data Protection

  • Employees must not transmit sensitive information, trade secrets, or customer PII/PHI through unsecured or unapproved channels (e.g., personal email, text).

  • Use of mobile and remote devices must comply with the Company’s data encryption and mobile device management (MDM) policies.

  • Confidential data must be stored only on Company-approved systems with encryption at rest and in transit.

  • Any suspected data loss or breach must be reported immediately to the IT administrator or Security Officer.


6. Software and Device Use

  • Personal software may not be installed on any Company system.

  • Personal devices may not connect to Company networks unless explicitly authorized and secured according to policy. Any USB or other data storage device is strictly prohibited on Company property unless approved by our Information Technology Department.

  • All Company-managed devices must remain updated with Company-approved security patches, antivirus, and endpoint protection.


7. User Accountability (Identify)

Each user is accountable for:

  • Asking for clarification to prevent high-level, crafty social engineering attacks: if another employee, contractor, or other individual is acting cryptic about any issue you are not 100% certain of, use our core value of Crystal Clear and have them clarify what they are discussing via email or text before you act or choose not to act.

  • Protecting their login credentials and not sharing them with unauthorized parties.

  • Immediately reporting suspected phishing attempts, unauthorized access, or device compromise.

  • Following all system use protocols established by management and IT.


8. Enforcement and Disciplinary Action (Respond/Recover)

  • Violations of this policy may result in disciplinary action, up to and including termination of employment and potential legal action.

  • All violations will be logged and reviewed. Affected systems or data will be subject to incident response protocols aligned with NIST CSF 2.0 standards.

  • Remediation and retraining will be mandatory for minor infractions. Repeated or severe violations will result in escalation to executive management.


9. Policy Updates and Employee Acknowledgment

This policy will be reviewed at least annually or as required by changes to applicable regulations or NIST CSF guidance. Employees must acknowledge receipt and understanding of this policy in writing or via the Company’s HR system.

 

Updated 5/30/2025 Joe French