1          Introduction

The confidentiality, integrity and availability of FDM’s information and information systems are central to FDM’s success. This policy governs the use of FDM’s information and information systems with the intention of achieving an appropriate balance between information sharing and information protection.

This policy applies to all FDM users accessing any FDM data by any method and from any location. This includes, but is not limited to, all employees (whether temporary, fixed term or permanent), contractors, sub-contractors and third-party providers of any service to FDM whilst accessing or using FDM assets.

This policy applies to corporate owned / issued assets and any ‘Bring Your Own Device’ (BYOD) connected to or utilising any FDM corporate asset (including but not limited to infrastructure, applications and data). Throughout this policy, references to ‘FDM asset’ include any BYOD when used for FDM business purposes.

1.1           What does this policy mean to me?

This policy defines each user’s individual responsibility for ensuring that all FDM data is processed and protected appropriately. All suspected information system security breaches must be reported to your line manager in the first instance.

 

Failure to comply with the provisions of this policy or breaches to this policy will result in disciplinary action up to and including dismissal and/or civil or criminal sanctions.

 

1.2        Scope

All employees of FDM and all users of an account attached to any FDM owned domains.

1.3        Audience

All employees of FDM and all users of an account attached to any FDM owned domains.

1.4         Related documents

This document should be read in conjunction with all other FDM policies and standards. A comprehensive, though not exhaustive, list can be found in FDM’s Internal Resources folder.[1]

1.5        Contacts

Please send any questions or comments on this document to the author or by email to the Information Security team.

 

 

 

2              Policy

2.1           Illegal and Inappropriate Activities

FDM assets must not be used to download, disseminate, send, receive, store, distribute, transmit, post, upload or display material that is, or could reasonably be considered to be, offensive.

It is a criminal offence to download or circulate certain types of files. Any incident involving criminal activity will be reported to the relevant authorities and will result in summary dismissal.

2.2         Customer Data

FDM treats the use and storage of its customer data as confidential in accordance with the FDM data classification standard (see FDM Technology Security Policy). Except as required to fulfil your individual role and responsibilities, customer data must not be:

  • Transferred to any portable media unless approved by the Data Protection team (seek advice from the local data protection co-ordinator); where approved, encryption to the FDM corporate standard must be used;
  • Accessed beyond what is needed to fulfil your individual role and responsibilities;
  • Printed or otherwise copied; all such material must be handled and destroyed in accordance with its data classification;
  • Shared with others;
  • Discussed or disclosed.

Note that Payment Card Industry (PCI) and Financial data require further controls.

 

 

3                   Acceptable Use – All Systems

You must not do any of the following on any FDM asset (Note that these also apply to BYOD when connected to or processing any FDM asset).

3.1        General

  • Violate the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by FDM or the user. This prohibition includes unauthorised copying of copyrighted material and the installation of any copyrighted software for which FDM or the user does not have an active license. This applies to freeware, shareware and trial licenses as well as purchased instances.
  • Accept the End User License Agreement (EULA) for any new software without confirming approval from FDM Legal team.
  • Export software, technical information, encryption software or other technology in violation of international or regional export control laws. FDM Legal must be consulted prior to exporting any such material;
  • Attempt to breach security or disrupt network communication. Security breaches include, but are not limited to, accessing information or information systems which the user is not authorised to access or which are not necessary to the performance of a user’s authorised job function, even where the user may have password access to the information or information system;
  • Circumvent user authentication or the security process of any host, network or account;
  • Interfere with or deny service to any authorised user, unless performed as part of your business function’s role;
  • Install any service or application with the intention to facilitate the unauthorised transmission or copying of copyrightable material including but not restricted to “peer-to-peer” services;
  • Use any unauthorised software or hardware to access any FDM information or asset. This includes, but is not limited to, the use of unapproved remote-control software (e.g. ‘pcAnywhere’, ‘Webex’, etc.; see section 3.17);
  • Use remote control software to transfer files from any FDM Information system to any non FDM Information System unless approved by IS Security;
  • Use any software or hardware that would hinder or obstruct network access or bandwidth (e.g., gaming software), unless explicitly authorised by IS Security;
  • Attempt to destroy another user’s data or any technology system, including creating or sending computer viruses, Trojan horses, worms, or similar code;
  • Destroy, modify, remove or abuse any computer hardware, software, networking equipment, printers, and other information systems;
  • Use network bandwidth irresponsibly or in such a way that adversely impacts system performance on FDM information systems or compromises the Internet connection;
  • Impersonate a user or use another user’s credentials to log on except as part of your defined job function;
  • Disclose corporate sensitive information outside of FDM. See the Information Classification Standard.

3.2         Confidentiality

FDM employees must treat all FDM Information according to its classification. Please see the FDM Technology Security Policy for more details.

3.3          Disk & Storage Management

Storage space on any FDM system is a shared resource that is limited in quantity. Like all shared and finite resources, limitations must be placed on usage to ensure that everyone who needs disk space has access to a reasonable amount.

Note that only shared drives and personal drives on the network are backed up; data held only on a local disk or on removable media is not.

When storing data, you must:

  • Not use disk space for storage of files and information that have no business purpose or value;
  • Comply with the Data Classification policy when storing information on disk space;
  • Not move any information to unencrypted removable storage media unless explicitly authorised by IS Security.

 

3.4         Electronic Mail (Email)

Electronic mail (email) includes any electronic communication using any FDM information system including smart phones, mobile phones, wireless PDAs, Instant Messaging and corporate email and includes anything sent on or attached to an email.

Exercise extreme caution when opening email attachments received from unknown senders, as such messages may contain viruses or other types of malicious code.

Email services are for business use, though reasonable, moderate and appropriate personal use is permitted provided it does not, directly or indirectly, interfere with FDM’s operation of its email services or cause noticeable incremental costs. Your line manager is responsible for determining what is reasonable.

When using email, you must:

  • Not open any email or attachment if there is any doubt as to its content or sender. Contact IS Security if you need to open such an email or attachment to fulfil your role;
  • Delete chain and junk emails; do not forward or reply to them;
  • Not use FDM systems to send any form of harassing or discriminatory email messages;
  • Not send business sensitive information (including all forms of personal data, customer data and personal information about individuals) in an unencrypted email or as an unencrypted attachment. Encryption software is required to send secure emails; requests for FDM approved encryption software must be made with a business justification and line manager approval;
  • Not send any unsolicited or bulk email messages that contain promotional or advertising material or a solicitation, unless as part of your regular job duties and in compliance with all applicable anti-spam laws. Please contact the Legal team for advice on these laws;
  • Not post internal business messages to any service that promotes the viewing or posting of internal email or memos;
  • Not use your personal email account for sending and receiving FDM business email without the prior written consent of your line manager and IS Security;
  • Not forward or auto-forward business-related emails to personal email accounts;
  • Not reveal email account passwords to anyone or allow the use of FDM email accounts by others. This includes family and other household members;
  • Not use FDM email or email services to procure or transmit material that is in violation of any company policy or law, including harassment or discrimination laws;
  • Not make invalid or fraudulent offers of products, items or services from any FDM information system;
  • Not access another employee’s email, unless as part of your job function and with explicit HR and IS Security authorisation;
  • Not send any email with the intent to harm any FDM information system or any other system;
  • Not send any email containing an altered “From:” line or other falsified sender information;
  • Not send any email that contains illegal material, or which could cause damage, embarrassment or legal liability to FDM (e.g. obscenity or pornography);
  • Not use POP3 or IMAP services unless explicitly approved and supported by IS Security.

3.5        Encryption

When transferring confidential data internally or externally, encryption must be used. This includes personal and/or sensitive data, in particular all customer and employee data.

See Data Classification policy for more details.

When using encryption on your device, you must:

  • Only use FDM issued devices, equipped with full hard drive encryption.
  • Use encryption on all portable storage devices containing FDM information, where you have been granted explicit permission to use the portable storage device.

The following are currently acceptable encryption products for use at FDM:

  • Email – PGP;
  • Network storage – PGP;
  • USB or CD/DVD transfer – PGP / Microsoft BitLocker;
  • Documents – Microsoft Office password-protected documents (modern Office Open XML formats such as .docx/.xlsx only; the password protection of the legacy binary .doc/.xls formats is weak and is not an acceptable substitute for encryption);
  • Laptop hard drives – McAfee SafeBoot / Microsoft BitLocker.

3.6         External File Transfer

You must not transfer FDM data to or from remote computer systems using methods such as FTP, SMTP, portable hard drives and USB devices unless explicitly authorised by IS Security to do so.

3.7         Instant Messaging (IM)

Instant Messaging includes any electronic communication using any FDM information system including mobile phones, wireless PDAs, corporate electronic clients and includes anything sent on or attached to a conversation. Instant Messaging must only be used on FDM approved platforms.

Reasonable, moderate and appropriate personal use is permitted providing it does not, directly or indirectly interfere with your employment, other people’s employment or any user’s obligations to FDM. Your line manager is responsible for determining what is reasonable.

Instant Messaging tools typically offer other functions, such as screen sharing and video conferencing. The current approved corporate FDM IM tool is Slack.

When using instant messaging, you must:

  • Not send any form of harassing or discriminatory instant messaging communication. Harassment and discrimination can take many forms, including but not limited to the language used and the frequency or size of messages;
  • Not send commercially sensitive information, including all forms of personal data (e.g. customer data, personal information);
  • Not send any unsolicited or bulk instant messages that contain promotional or advertising material or a solicitation, unless as part of your regular job duties and in compliance with all applicable anti-spam laws;
  • Not reveal IM account passwords to anyone or allow the use of FDM IM accounts by others. This includes family and other household members;
  • Not procure or transmit material that is in violation of any FDM policy or law;
  • Not make invalid or fraudulent offers of products, items or services from any FDM information system;
  • Not attempt to gain, or gain, unauthorised access to another employee’s IM account;
  • Not send instant message attachments that contain illegal material, or which could cause damage, embarrassment or legal liability to FDM (e.g. obscenity or pornography);
  • Not open unsolicited attachments received via an IM chat;
  • Not use web-based IM systems for the communication of any sensitive or personal information.

 

3.8        Internet

FDM limits access to the Internet through its information systems. Access to the Internet from a FDM information system must be for a specified business reason, although reasonable, moderate and appropriate personal use is permitted. Your line manager is responsible for determining what is reasonable.

This approach helps ensure that FDM information and information systems are not compromised, and that FDM products, services and other interests are protected from any inappropriate Internet activity.

FDM reserves the right to interrupt any connections to the network that may impact any FDM information system negatively or pose a security risk, without advance notice.

This policy applies to any device connected to any FDM Information system.

When using the internet, you must:

  • Only connect your FDM device to the Internet through FDM’s approved security mechanisms. Remote workers must use FDM installed VPN clients and/or internet security firewalls;
  • Not download or install software or files from the Internet without having obtained the correct licences, copyrights, trademarks or other intellectual property rights;
  • Not use FDM information systems to download or distribute pirated software or data;
  • Exercise caution when downloading files from the Internet. Verify that the source is a legitimate and reputable one. Verify that an anti-virus programme checks the files after downloading. If these verifications cannot be made or you are uncertain, do not download the file at all and contact IS Security;
  • Not use FDM information systems to abuse, defame, stalk, harass or threaten any person or to violate the laws and regulations of the United Kingdom, European Union or any other jurisdiction in which they may be operating on behalf of FDM.
  • Not install, remove, or otherwise modify any hardware or software for the purpose of bypassing, avoiding, or defeating any filtering, monitoring or other security measures that FDM may have in place;
  • Accurately identify yourself when corresponding or participating in business-related interactive activities;
  • Comply promptly with any alerts sent out by IS Security, all FDM policies and all instructions from the Legal, Human Resources and Corporate Security departments;
  • Comply with this policy when utilising Corporate Wi-Fi internet access.

 

 

3.9            Laptops and other networked device(s) usage

Users of laptops and other networked device(s), e.g. iPads, must:

  • Ensure the device has full disk encryption enabled and is running the latest approved software versions (including security patches) before connecting to the network;
  • Ensure antivirus software is installed and running on the device;
  • Take reasonable steps to prevent physical theft or loss, for example by physically securing the device when not in use;
  • Report lost or stolen device(s) immediately to the Police and via the theft reporting form on the intranet;
  • Take adequate care to avoid shoulder surfing or other methods by which others could view your screen when using laptops or other network devices in public places;
  • Not remove or alter any VPN configuration settings and/or internet security firewall settings;
  • Not permit non-authorised individuals, such as family members or others, to use FDM owned equipment;
  • Not remove any FDM identification labelling;
  • Ensure that only authorised FDM assets (devices and technologies) are used to access FDM business sensitive customer or payment data (e.g. such as found in Payment Card Industry (PCI) environments):
      ◦ All such physical assets must bear a formally issued corporate asset tag that can be correlated to owner, contact information and purpose (e.g. using asset management tools such as Altiris, Casper, Asset Management Portal or Hardcat);
      ◦ All non-physical technologies (e.g. Windows/macOS, software and application clients) must be an approved build, e.g. ordered via processes such as SPARK T-Shop or SCCM;
      ◦ A business justification for any ‘non-catalogue’ software purchases on in-scope devices must be approved by IS Security.

3.10 Monitoring, Access and Audit

FDM reserves the right to inspect or monitor any information system and disclose any information to any appropriate person or entity, at any time, without further user consent or notice and irrespective of any password protection.

The FDM Technology team will periodically audit information, information systems and users to review compliance with the Information Security Policy and supporting documents.

3.11         Online Document Collaboration and Storage

Online collaboration software (such as Google docs) allows users to create, edit and store documents online while collaborating in real-time with other users.

When using any non-FDM collaboration software, you must:

  • Not store any FDM data on these external servers;
  • Not represent yourself as working on behalf of FDM;
  • Not reveal any FDM confidential data in any forums, blogs or comments.

3.12      Passwords

All FDM information systems require passwords for access. The passwords serve to protect against unauthorised access, modification, disclosure, or destruction of FDM’s information and information systems and should be treated as confidential.

When using a password protected system, you must:

  • Change your password when prompted by the applicable system;
  • Not write passwords down in electronic, paper or any other format;
  • Not use a word found in a dictionary (English or foreign); a dictionary word with digits or symbols appended or substituted for letters is still a dictionary word;
  • Not reveal password(s) to co-workers, even while off sick, away from the office, on holiday or on business travel;
  • Not use the same password as on any non-FDM account (e.g. personal ISP account, web banking, etc.);
  • Change any password immediately if there is any suspicion that it is compromised or known to others.

Passwords must comply and be consistent with the clauses on passwords in the FDM Technology Security Policy.
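Two of the rules above can be enforced automatically at password-change time: the dictionary-word rule and the rule against reusing a previous password. The script below is an added example written for this page, not FDM's own tooling; the word list, the list of character substitutions, the PBKDF2 work factor and the sample history entry are all assumptions. The reuse check compares salted PBKDF2 hashes rather than stored passwords, so the history store never holds a reusable secret. The "same password as on a non-FDM account" rule cannot be checked by FDM systems at all and remains the user's responsibility.

```python
"""Added example: automated checks for two of the password rules above."""
import hashlib
import hmac
import os
import re
from typing import List, Optional, Sequence, Tuple

# Constructed stand-in for a real word list (hypothetical). A production check
# would load full English and foreign-language dictionaries from disk.
DICTIONARY = frozenset({
    "password", "welcome", "summer", "winter", "london", "dragon",
    "monkey", "letmein", "bonjour", "schatz", "football",
})

# Substitutions that password-cracking tools try by default, so that a
# dictionary word "disguised" with them is still rejected.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")

PBKDF2_ITERATIONS = 100_000  # assumed work factor; align with the FDM standard


def _candidate_forms(candidate: str) -> set:
    """Forms of the password a cracker would derive from a dictionary word:
    lower-cased, with leading/trailing digits or symbols stripped, and with
    common letter substitutions undone (in both orders)."""
    lowered = candidate.lower()
    stripped = _EDGE_JUNK.sub("", lowered)
    unleeted = lowered.translate(_LEET)
    return {stripped, stripped.translate(_LEET), unleeted, _EDGE_JUNK.sub("", unleeted)}


def is_dictionary_word(candidate: str) -> bool:
    """True if the password is a dictionary word, possibly with digits or
    symbols appended/prepended or with simple character substitutions."""
    return any(form in DICTIONARY for form in _candidate_forms(candidate))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password; the (salt, digest) pair is
    what a password-history store keeps instead of the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(candidate: str, history: Sequence[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any previously used password, compared via
    its salted hash and a constant-time digest comparison."""
    for salt, digest in history:
        _, probe = hash_password(candidate, salt)
        if hmac.compare_digest(probe, digest):
            return True
    return False


def check_password(candidate: str, history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the list of rule violations (empty means the password is acceptable)."""
    problems = []
    if is_dictionary_word(candidate):
        problems.append("dictionary word (including common substitutions)")
    if matches_history(candidate, history):
        problems.append("reuse of a previous password")
    return problems


if __name__ == "__main__":
    previous = [hash_password("Tq7!vR2-kLm9")]  # constructed history entry
    for pw in ("P@ssw0rd", "Summer2024!", "Tq7!vR2-kLm9", "correct-horse-battery"):
        print(pw, "->", check_password(pw, previous) or "ok")
```

With the constructed word list, "P@ssw0rd" and "Summer2024!" are rejected as dictionary words, a repeat of the history entry is rejected as reuse, and a passphrase made of words that are not in the list passes; a real deployment would swap in full word lists and the iteration count mandated by the FDM Technology Security Policy.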

3.13 Peer-to-Peer File Sharing (P2P)

A major use of P2P technology is to copy and share commercial music and video files, without the copyright holder’s permission. This type of usage violates copyright law.  The use of any P2P software must be approved by IS Security, after adequate business justification and a risk assessment have been completed.

 

If approved, P2P software usage within FDM infrastructure must:

  • Not be used to share copyrighted material or other intellectual property belonging to FDM or any of its partners;
  • Not be used to transfer subscriber or employee personal information;
  • Not be used to transfer any subscriber or employee payment card information.

 

3.14 Personal Hosting

Personal hosting of websites within the FDM infrastructure must be explicitly authorised by IS Security.

 

Any illegal content found on any such authorised personally hosted website will be taken down immediately and the responsible person(s) will be liable to disciplinary and/or criminal proceedings.

 

When using personally hosted websites on FDM Infrastructure, you must:

  • Not publish FDM copyrighted material or IPR;
  • Not publish FDM customer or employee personal information;
  • Display the following disclaimer; “This website is the personal responsibility of the author(s). The views, content and opinion expressed herein do not necessarily state or reflect those of FDMUK Limited (FDM). Further FDM does not warrant or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information presented in this web site.”

 

3.15       Personal Storage Media

Personal storage media devices are portable devices capable of storing data. Examples include, but are not limited to, USB sticks or pen drives, external hard drives, mobile phones and MP3/MP4 players.

Only FDM issued personal storage media must be used within the FDM infrastructure. Users are prohibited from using personal storage media in a manner which will harm or otherwise damage the reputation, integrity or financial position of FDM.

When using personal storage media, users must:

  • Handle it in accordance with the FDM Data Classification policy;
  • Use encryption when storing confidential information;
  • Not use it to store or transfer any subscriber or employee payment card information;
  • Not leave storage media unattended when inside or attached to a computer;
  • Physically secure storage media from loss or theft when not in use if it contains confidential or sensitive information;
  • Require the use of a login ID and password prior to permitting access to classified or sensitive information;
  • Take reasonable steps to ensure the security of the personal storage media;
  • Report all lost or stolen personal storage media immediately.

3.16 Remote Access

To protect FDM’s information and information systems, remote users are required to further authenticate themselves (a second factor, in addition to their password) before accessing any FDM information and/or information system, using either an FDM issued secure token or a Smartcard. Contact IT to request a secure token or Smartcard.

Remote Access connected users must not copy, move or store sensitive information (such as customer or cardholder data) to local storage or removable media without prior approval of IS Security.

FDM maintains the right to conduct inspections of remote access locations and equipment with at least one day’s advance notice. Remote access accounts will be disabled after six (6) consecutive months of inactivity.
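The six-month inactivity rule is only effective if someone actually runs it. The script below is an added example written for this page, not FDM's own tooling: it assumes the identity system can export each remote-access account's provisioning date and last logon date (the sample records are constructed), and it treats an account that has never logged on since provisioning as inactive from its creation date, since those forgotten accounts are the ones most often left enabled. The cutoff is computed in calendar months rather than a fixed 180 days, with end-of-month dates clamped.

```python
"""Added example: find remote-access accounts idle for six consecutive months."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

INACTIVITY_MONTHS = 6  # from the policy statement above


@dataclass
class RemoteAccount:
    username: str
    enabled: bool
    created: date                # date the remote-access account was provisioned
    last_logon: Optional[date]   # None = never used since provisioning


def subtract_months(d: date, months: int) -> date:
    """Calendar-aware month subtraction; the day is clamped to the last day of
    the target month (e.g. 31 March minus one month is 28/29 February)."""
    index = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(index, 12)
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def is_stale(acct: RemoteAccount, today: date) -> bool:
    """Stale = still enabled and no activity after the cutoff. Accounts that
    were provisioned but never used count from their creation date."""
    if not acct.enabled:
        return False
    cutoff = subtract_months(today, INACTIVITY_MONTHS)
    last_activity = acct.last_logon if acct.last_logon is not None else acct.created
    return last_activity <= cutoff


def stale_accounts(accounts: Iterable[RemoteAccount], today: date) -> List[str]:
    """Usernames that the policy says should be disabled, sorted for reporting."""
    return sorted(a.username for a in accounts if is_stale(a, today))


def disable_stale_accounts(accounts: Iterable[RemoteAccount], today: date) -> List[str]:
    """Apply the policy: clear the enabled flag and return what was disabled."""
    disabled = []
    for acct in accounts:
        if is_stale(acct, today):
            acct.enabled = False
            disabled.append(acct.username)
    return sorted(disabled)


# Constructed sample export (hypothetical users and dates), evaluated as of 2024-07-01.
SAMPLE_ACCOUNTS = [
    RemoteAccount("alice", True, date(2022, 3, 1), date(2024, 6, 20)),   # active
    RemoteAccount("bob", True, date(2022, 3, 1), date(2023, 12, 15)),    # idle > 6 months
    RemoteAccount("carol", True, date(2023, 11, 1), None),               # never used, old
    RemoteAccount("dave", True, date(2024, 5, 1), None),                 # never used, recent
    RemoteAccount("erin", False, date(2021, 1, 1), date(2023, 1, 1)),    # already disabled
    RemoteAccount("frank", True, date(2022, 3, 1), date(2024, 1, 1)),    # exactly 6 months
]

if __name__ == "__main__":
    today = date(2024, 7, 1)
    print("to disable:", stale_accounts(SAMPLE_ACCOUNTS, today))
```

Run against the sample export on 1 July 2024 the report lists bob, carol and frank; alice and dave are left alone and erin is skipped because she is already disabled. In production the enabled flag would be written back to the directory (and the action logged) rather than flipped on an in-memory record.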

In the event you use a non-FDM information system to access your FDM email via the internet (https), you are still required to ensure compliance with applicable email & internet policies.

When remotely accessing FDM infrastructure, you must:

  • Only use an approved Virtual Private Network (VPN) client for elevated access into the FDM network;
  • Not connect to the FDM network and a public network (e.g. the internet) at the same time using the same physical network connection (i.e. no split tunnelling).

 

3.17        Remote Control Applications

Remote Desktop Control software (such as GoToMyPc.com, pcAnywhere.com, LogMeIn.com) allows users to view the desktop of a remote computer and control any programs remotely.

You must not install and/or use any such remote-control software on any FDM asset unless explicitly authorised by IS Security following an appropriate business justification.

3.18 Remote Control Support

In their normal course of duty, technology support staff may be required to establish a remote-control session to your system.

 

While receiving support, users must:

  • Take the necessary precautions to verify that the request genuinely originated from the IT Team before granting access; treat an unsolicited request to take control of your system as suspicious;
  • Close all applications or files which contain confidential or sensitive information prior to the remote session;
  • Be physically present and monitor the remote-control session by watching the actions of the individual providing support, and report any suspicious activity or attempts to access confidential data.

 

3.19 Social Networking

FDM allows all employees to access social networking sites. Personal social media activities must not interfere with work commitments.  When using personal social media, you must not reference your employment at FDM in your username, email address or profile.

 

Social media activity related to FDM’s content, products, processes and business must be via official FDM corporate accounts, in accordance with the FDM Social Media Policy detailed in the FDM Staff Handbook. Personal accounts must not be used for business purposes.  The only exception to this is if you have appropriate authorisation and comply with the specific guidelines in place for your part of the business – for example if you are part of the mystery shopping team.

When using any personal social networking tool from any FDM system, you must:

  • Be respectful to FDM, other employees, customers, partners, and competitors;
  • Not post malicious, offensive or defamatory comments concerning FDM and any of its employees, customers, subscribers or business partners;
  • Respect copyright laws, and reference or cite sources appropriately;
  • Not use another person’s idea or a part of their work and pretend that it is your own;
  • Not display or use the medium to transfer any subscriber or employee payment card information;
  • Not use FDM logos and trademarks without written consent.

 

3.20      Software Usage

FDM Technology provides you with a system so that you can carry out your role efficiently and effectively, with software being a vital tool and enabler. All software, including Open Source and “free” software, is subject to the vendor’s terms and conditions, so installing software without a valid licence or agreement in place is unlawful.

 

Technology conducts periodic audits and meters software usage to ensure compliance and reserves the right to immediately remove any software that has been installed outside the current Provisioning Process.

Technology also reserves the right to remove and reallocate any software that has not been used for 90 days or more.

 

Only relevant members of FDM Technology teams are authorised to install software on your system.

When using your system, you must:

  • Request any software change (addition, modification or deletion) from the IT Team;
  • Not download and/or install any software from the internet, USB drives, CDs or other portable device(s);
  • Not install or attempt to install any personal software.

3.21 Workstation Security

Unauthorised workstation access could be gained when legitimate users leave their workstation (laptops, mobile devices, desktops) logged on and unattended.

When using your workstation, you must lock your workstation anytime you leave your desk in accordance with the FDM Technology Security Policy.

3.22 Wireless Access

Wireless connectivity is the use of any technology that uses radio frequency spectrum to connect to any FDM information system.

FDM may at any time prohibit or restrict the use of wireless devices and/or determine what devices can be connected to the network and how these devices must be configured.

When accessing FDM infrastructure wirelessly (this excludes guest Wi-Fi) you must:

  • Only use hardware and software approved, installed and supported by FDM Technology;
  • Not connect simultaneously to the FDM network using a wired connection and a wireless connection;
  • Not connect simultaneously, with the same device, to the FDM network and any other non-FDM network or system;
  • Not create, install, host or manage a non-FDM access point (personal wireless);
  • Not disable any security features configured to protect wireless connectivity to any FDM information and information system;
  • Not use any FDM-owned wireless device in a peer-to-peer (ad hoc) mode not supported or approved by FDM Technology.

 

[1] Dropbox > FDM Team Folder > Internal > Resources