IT Code of Practice - Discipline at work

Set out below is a sample procedure which employers may wish to use as the basis for an IT Code of Practice. We suggest this is referred to in the formal Disciplinary Code and may form part of the employee handbook.

Information assets and the IT systems that support them are becoming increasingly more vulnerable as the potential for wider accessibility is facilitated via more powerful computers and communications network. Information takes many forms and includes papers, databases, films, computerised images, view foils, tapes, diskettes etc. From a security perspective appropriate security protection should be applied to all types of information and information media.

All staff having privileged access to sensitive information are responsible for ensuring that access controls and the information obtained via such controls is not compromised by; revealing or failing to protect password information; revealing or allowing access to information by persons not authorised to have it and failing to take reasonable precautions against unauthorised access e.g. leaving a workstation unattended which is logged-in or failing to secure sensitive documents.

Computer viruses include "network worms, Trojan horse, logic bombs" etc. are malicious techniques to make unauthorised modifications to computer software. Personal computers are particularly vulnerable to these types of attack. To minimise the risk of virus infection licensed and authorised software only may be used on the Company’s systems.
Staff may only download files from the internet or introduce files via other connections, floppy discs, hard discs or other storage media by permission of their manager. This includes opening attachments to emails. In any event any such files may not be downloaded unless they have been subject to a virus checking software before introduction to the system. If in any doubt staff should seek the advice of the IT service desk.

The Data Protection Act imposes statutory conditions for the maintenance of personal data on the Company’s computer systems including data held by individual members of staff on PCs. It is an offence to use or disclose such data if not registered to do so under the Data Protection Act.
All Company information systems are subject to potential loss of data due to failure of software or hardware media. It is the responsibility of users to ensure that regular back-up copies of essential data are made and stored in a safe location, remote from the system. Computer media e.g. disks, should not be left lying around in offices. Employees must ensure that both PCs and media are secured after use.

In addition to security employees should ensure they do not misuse the email or internet facilities provided for them. Those facilities are specifically provided for work use. Staff should only access internet sites which are directly relevant to their work, under no circumstances should they access any sites for the purpose of viewing pornography. Emails should not include any salacious or offensive content nor should any such emails be passed on inside or outside the company.

Employees are specifically referred to Email Internet Policy and Computer Security of the Contract of Employment which also deals with these matters.

More generally see our comments on IT misuse.