Chapter 3: Internet Access and Media Files

Introduction

True Value Company and its subsidiaries and affiliates ("Company") provide employees access to the vast information resources of the Internet with the intention of increasing productivity. While the Internet has the potential to assist employees in performing their job responsibilities faster or smarter, there is justifiable concern that it can also be misused. Such misuse can waste time and potentially violate Company policy as well as state and federal laws. This Internet Access Policy ("Policy") outlines the expectations and limitations of Internet resources.

This Policy and Standard covers all Internet services. Examples of these services include but are not limited to electronic mail (e-mail), World Wide Web (WWW) browsing, transferring files via FTP, participation in news groups, Telnet, etc. This also includes the transfer and storage of music, picture and other media files. Electronic mail via the Internet is covered primarily in Chapter 2 - Electronic Mail.

Policy Statement

Authorized Internet users will behave in an ethical, legal and morally responsible fashion while representing the company over the Internet.

Standards

Acceptable Use

1. The Internet and Intranet connections as well as the contents of its communication systems are the exclusive property of the Company. The Company’s Internet access is for business-related purposes, including communicating with customers, suppliers and colleagues, researching relevant topics and obtaining useful business information. All relevant laws and Company policies, including those that deal with intellectual property protection, privacy, trademarks, copyrighted materials, misuse of Company resources, sexual harassment, data security, and confidentiality apply to Internet use.
2. Use of the Internet does not cause incremental expense to the Company, so the use of the Internet in itself does not constitute abuse. What is important is the purpose for which the Internet is being used. As a result, nothing should be done with Company Internet access resources that would otherwise be considered illegal or inappropriate. Downloading erotica, playing games, sending non-Company business mass mailings, running a private business, participating in on-line "chat" rooms, unauthorized instant messaging, gambling or wasting Company time by exploring Internet sites are obvious examples.
3. Access to Internet Services for personal use during your workday is allowed if such use is clearly insignificant as compared to your business use. In addition, personal use during or outside of your workday must not interfere or compete with Company business, not interfere with your job or the jobs of other Company Associates, and must comply with the security and use guidelines described within this document.
4. No employee may use Company facilities to knowingly download, store or distribute software, music files or data that is not licensed to True Value Company. This also applies to copying music files from the original CD and storing them electronically on corporate computers. The Information Services Department must approve any software or files downloaded from the Internet prior to downloading. If approved, the downloaded software or files must be used only in ways that are consistent with their licenses or copyrights.
5. Display of any kind of obscene image or document on any Company computing resource is a violation of existing Company policy on sexual harassment. In addition, obscene material may not be archived, stored, distributed, edited, or recorded using Company network, printing, or computing resources.
6. Viewing or listening to streaming audio or video clips and/or listening to on-line radio stations may threaten the stability of the Company network and/or impact the overall speed of the Internet connection for the entire corporation. No employee may use corporate Internet resources to view or listen to non-business related streaming audio or video. This includes, but is not limited to, audio or video clips and listening to on-line radio stations.
7. No employee may store digital music files on Company assets including desktops, laptops and/or servers unless it is approved by the Information Services Department. If approved, the downloaded or copied music files must be used only in ways that are consistent with their licenses or copyrights. Valid reasons do not include saving music files on your company asset so you have music to listen to. Additionally, employees may not use Company shared media (such as network “share” drives) to store personal files in excess of a few small files. Network storage space is for business use and its availability must be insured.
8. No employee may use the Company’s Internet facilities to deliberately propagate any virus, worm, Trojan horse, trap-door, or back-door program code or knowingly disable or overload any computer system, network, or to circumvent any system intended to protect the privacy or security of another user.
9. When using electronic mail to communicate on the Internet:

   • Do not send e-mail so it appears to have come from someone else.
   • Do not send unsolicited advertising via e-mail.
   • Do not automatically forward Company internal e-mail to an Internet email address.
   • Do not send, forward or reply to chain letters.
   • Do not use personal e-mail accounts when sending or receiving business correspondence. Use Company sponsored e-mail accounts which are acceptable and secured.

10. When receiving another company’s classified data from the Internet, employees must comply with that company’s instructions for protecting the data.
11. Company Internet facilities and computing resources must not be used to knowingly violate the laws and regulations of the United States or any other nation, or the laws and regulations of any state, city, province or local jurisdiction in any material way.
12. Infractions, including but not limited to those outlined, constitute misuse of Company assets and are considered a violation of this Policy which will result in disciplinary action up to and including termination of employment at the sole discretion of management.

System Monitoring

1. Users accessing Company information systems should be aware that monitoring and logging of system processes and activities occurs on an ongoing basis. Since production systems as well as other individuals use the Internet at all times, Internet usage will be monitored 24 hours a day, 7 days a week.
2. Employees should not have any expectation of privacy as to any Internet usage. The Company will monitor Internet usage patterns and may inspect any and all files or communications transmitted via or stored on Company resources to the extent necessary to ensure compliance.
3. In the event that a security breach has taken place or is imminent, the following actions will/may take place:

• If sensitive True Value information has been lost, or unauthorized use of corporate systems has taken place, users must notify the local site manager immediately. Local management must notify Information Services at World Headquarters immediately.

• Internet access may be immediately terminated corporate wide at the discretion of Information Services management until the extent of the breach can be assessed.
• Internet access privileges may be revoked for individual users at the discretion of Information Services if it is deemed network security is being compromised through that user's account or files.
• Internet access privileges for any person or computer system suspected to be involved in a security breach will be immediately suspended and investigated.
• For security breaches originating internally, Information Services, the Law Department, and Human Resources will be immediately notified for investigative and disciplinary purposes.

Public Representation

Distribution or transmission of negative comments or similar attacks on any person or entity, including True Value competitors, is strictly prohibited.

Authorized Internet users must never publicly disclose sensitive internal True Value information, whether via electronic mail, instant messaging or other network service, including any information that may adversely affect True Value's competitive position, member/vendor relations or public image. Such information includes, but is not limited to, business prospects, marketing plans, product release dates and other similar information.

Definition of Terms Used in this Document

Chat Room - A place on the Internet where people go to "chat" with other people in the room.

Computer virus - A computer virus is a program designed to copy itself into other programs. The virus may also be designed to cause the loss or alteration of data on a computer, or in extreme cases, to completely disable a computer. The virus is activated when the "infected" program is executed on a computer. Other forms of harmful code can act similarly to a computer virus but are not transmitted by copying and executing infected programs. These newer forms of attack are activated by simply viewing a web site that contains maliciously programmed applets or Java Script.

Download - The transfer of information from the Internet to your computer.

Internet - An interconnected system of networks that connects computers around the world via the TCP/IP protocol.

Intranet - A privately maintained computer network that can be accessed only by authorized persons, especially members or employees of the organization that owns it.

Trojan Horse - Like the Trojan horse of mythology, Trojan horse viruses pretend to be one thing when in fact they are something else. Trojan horses are packaged to look like valid programs, such as a game or even a utility like a weather alerting program. While you play the game or the utility runs, the Trojan Horse deletes files, installs malware or otherwise compromises your system.

Exceptions to the Policy

Requesting Internet Access

Users requesting Internet access must read the Policy and complete all form fields under the General Information section of the Internet Usage Policy Acknowledgment form (See Appendix for Form). The form must be signed by both the user seeking Internet authorization and a supervisor or manager. Signing this form indicates the user and the supervisor or manager have read and understood all relevant policies and standards pertaining to the use of the Internet. The signed form must be forwarded to IT Security Administration at World Headquarters for processing. The IT Security Administrator will provide the user with a logon ID and password. The completed document will then be forwarded to the Human Resources department for inclusion in the user’s personnel file.

Internet Gateways

Basic Internet access will be provided through approved Corporate Internet gateways at World Headquarters. The objective is to provide a secure computing environment by minimizing the exposure to unauthorized access to company data and systems via the Internet connections. Information Services will monitor all Internet connections for intruders, apply patches to systems within the Internet gateway within two business days of their release and manage and control all Internet connections.

Responsibilities

All users are responsible for:

• Reporting any known or suspected violation of this Policy to the local site manager or Information Services at World Headquarters and cooperating in the investigation of alleged violations.
• Complying with the standards and policy regarding Internet access contained herein.

Custodians are responsible for:

• Monitoring traffic and taking actions to secure True Value's internal network from unwanted Internet traffic.

Managers are responsible for:

• Taking action on the alleged violation and contacting Information Services and the Corporate Law department within two business days.
• Notifying the applicable Administrators of terminated or transferred employees.

References

See Chapter 2 for more standards related specifically to E-mail over the Internet.