Level 2 Supporting Policies
      Back to home
      1. HealthSafe Help Center
      2. HS ISO27001 Documents
      3. Level 2 Supporting Policies

      21. HealthSafe Acceptable Usage Policy


      ACCEPTABLE USAGE POLICY



      Document Identification 

      HSNZ/POL/21

      Document Name

      Acceptable Usage Policy

      Master Copy

      CISO

      Version Number

      1.3

      Date Of Release 

      15 Aug 2023

      Prepared By

      Eparama Tuibenau

      CISO

      Approved by

      Kevin McAfee

      Managing Director

       


      VERSION HISTORY


      Sl No

      Version No.

      Prepared by

      Approved by

      Description of Version

      Date

      Reason for Version Change

      From

      To

      1

      1.0

      -

      CISO

      MD

      First Release

      14 Apr 2020 

      No changes made

      1

      1.0

      1.1

      CISO

      MD

      Updated

      11 July 2021 

      Modifications due to changes in HealthSafe

      1

      1.1

      1.2

      CISO

      MD

      Reviewed

      28 July 2022

      Annual review

      1

      1.2

      1.3

      CISO

      MD

      Reviewed

      15 Aug 2023

      Annual review

      DOCUMENT STATUS


      Date

      Document Status

      14 Apr 2020

      Modified

      11 Jul 2021

      Reviewed

      28 Jul 2022

      Reviewed

      15 Aug 2023

      Current

      Table of Contents

      1 Purpose


      2 Scope


      3 Input


      4 Output


      5 Interacting Process


      6 Abbreviations, Acronyms and Definitions


      7 Procedure


      8 Monitoring the Process


      9 Records




      1. PURPOSE
        The purpose of this document is to establish and maintain a policy for acceptable usage for HealthSafe NZ.

      2. SCOPE
        These procedures apply to all aspects of acceptable usage.

      3. ABBREVIATIONS, ACRONYMS AND DEFINITIONS

      Abbreviation

      Description

      FH

      Functional Head

      IT

      Information Technology Department

      TL

      Team Lead

      CISO

      Chief Information Security Officer

      4 INPUT

      In order to protect HealthSafe Information, privilege of access to type of information to protect the confidentiality of HealthSafe.


      5 OUTPUT

      The IT team shall accordingly give the privileges to the end users to protect the HealthSafe information and data.


      6 INTERACTING PROCESS

      Interactions shall be with FH


      7 PROCEDURE

      • Users shall be aware that the data they create on the corporate systems remains the property of HealthSafe NZ. 
      • In order to protect the information and network, HealthSafe may review and monitor the contents for security reasons.  This is applicable to the content stored by the employees laptops.
      • Any information transmitted over HealthSafe email that has not been specifically identified / claimed as the property of 3rd party, is by default treated as HealthSafe proprietary information 
      • Unauthorised access, disclosure, duplication, modification, diversion, destruction loss, misuse or theft of any information is strictly prohibited.
      • Users are responsible for exercising good judgment regarding the reasonableness of personal use. 
      • For Security maintenance purposes, the IT team may monitor equipment, systems and network traffic at any time.
      • HealthSafe reserves the right to audit laptops, smartphones, tablets, all company hardware, and systems on a periodic basis to ensure compliance with this policy.


      Security and proprietary information

      • Users are advised to keep passwords secure in LastPass and not to share user account-related information with others unless authorised to do so. 
      • Authorised users are responsible for the security of their respective passwords and accounts. 
      • System-level passwords and user level passwords should be changed in accordance with the Password policy.
      • All laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set when the host will be unattended. Refer to the Clear Desk and Clear Screen Policy.
      • Information contained on portable devices may be vulnerable to HealthSafe network when connected. Hence special care should be exercised while handling media/portable devices. 
      • All devices used by the user that is connected to the HealthSafe server, whether owned by the user or HealthSafe, shall continuously run the Anti-virus scanning software.
      • Users must use extreme caution when opening email attachments received from unknown senders, which may contain viruses, email bombs, or Trojan horse code.

      Unacceptable use

      • Under no circumstances any user is authorised to engage in any activity that is illegal under local or international law while utilising HealthSafe-owned resources.
      • The lists below are by no means exhaustive but attempt to provide a framework for activities, which fall into the category of unacceptable use.

      System activities

      The following activities are strictly prohibited, with no exceptions:

      • Not limited to the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by HealthSafe.
      • Unauthorised copying of copyrighted material including, but not limited to, digitisation and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which HealthSafe or the end user does not have an active license is strictly prohibited.
      • Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The top management shall be consulted prior to export of any material that is in question.
      • Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
      • Revealing account passwords to others or allowing the use of accounts by others. 
      • Making fraudulent offers of products, items, or services originating from any HealthSafe account, systems, and ideas.
      • Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
      • Effecting security breaches or disruptions of HealthSafe network communication where, security breaches include, but are not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorised to access, unless these duties are within the scope of regular duties. "Disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
      • Port scanning or security scanning, installation of certain services is expressly prohibited unless prior approval from CISO is obtained.
      • Executing any form of network monitoring which will intercept data not intended for the user's host, unless this activity is a part of the user's normal job/duty. Any such activity, which is part of normal duty/project requirement, needs prior and explicit approval from CISO.
      • Trying to circumvent the user authentication or security of any devices, network or account
      • Use of software to crack passwords or security locks is prohibited.
      • Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.

      Communication activities

      • The facility, either official or public accessible through HealthSafe infrastructure, should be used for legitimate official purposes only.
      • Any form of harassment via email, mobile, SMS, whether through language, frequency, or size of messages.

      Customer Information and Data Policy

      Customer Information & Data is confidential information provided to HealthSafe by customers for HealthSafe use.  Handling of this information is governed by not only HealthSafe internal policies but also National Laws and Guidelines.  HealthSafe employees have a legal and moral responsibility to ensure that these laws/guidelines are followed.  Failure to do so, either by accident or malicious action, may result in 3rd Party legal action, damage the reputation of the HealthSafe brand or cause harm/distress to both customers and the individuals to whom the information relates.  

      Real versus Fictional/Anonymous Information

      The responsibility entrusted to HealthSafe employees when handling Customer Information and Data should not be underestimated.  

      • Wherever possible, and in particular when training both internal and external staff, Customer Information & Data should be “anonymised” or “fictitious”  
      • Any document leaving a department that contains (in any format) real or fictitious Customer Information & Data should be proof checked and authorised by the FH.

      Customer Information Rules

      The acceptance, use, storage, transfer and disposal of Customer Information and Data must be in compliance with Information Privacy Code Rules.  These rules are based on the NZ and Australia Privacy Act.  The Rules most likely to affect HealthSafe are summarised below:  

      • Only collect and store health information if you really need it.
      • Take good care of it once you have it.
      • Get rid of it when you have finished with it.
      • Only use it for the purpose you got it for.

      No Customer Information or Data is to be saved/stored on any HealthSafe Device (PC, Laptop, Tablet, Mobile Phone, External Hard Drive, Flash Stick, and Digital Camera) for longer than is absolutely necessary. Wherever possible, if a device has Customer Information or Data stored on it and it is not being used, it should be placed in a safe or enhanced security methods.  Documents containing Customer Information and Data are to be marked as “Read-only” and “Password Protected” as default.  Only authorised personnel should change the security setting and then only in exceptional circumstances.  HEALTHSAFE EMPLOYEES ARE PERSONALLY RESPONSIBLE AND LIABLE FOR THE DEVICES THEY ARE ISSUED AND THE INFORMATION AND DATA STORED ON THEM AT ALL TIMES.

      All hard copies (paper) of Customer Information and Data are to be kept in a safe secure storage when not being utilised.  Likewise, any portable hard drives, including flash drives, that hold sensitive information or data on them are also to be kept in secure storage.

      HealthSafe devices are to be password protected.  If a “find my device” or “remote access” application is available on the device, it should be activated.  If any HealthSafe device is lost or stolen, regardless of what type of information may/may not have been stored on the device, CISO and relevant Functional Head are to be informed as soon as possible.  

      Active user records and Authorisations must be kept for all Customer Information/Environments and Data handling and storage.  The following is the generic HealthSafe process:

      • A list of staff authorised to access the Customer Information and Data is to be compiled and monitored by the relevant FH on receipt of the Information/Data.


      8 Monitoring the process

      Monitoring shall be the IT department


      9 Records

      NIL