ShipBob Acceptable Use Policy
The purpose of this policy is to outline the acceptable use of computing and network resources at ShipBob, Inc. (together with its subsidiaries, “ShipBob”). These rules are in place to protect the members of the ShipBob workforce and ShipBob. Inappropriate use exposes ShipBob to risks including virus attacks, compromise of network systems and services, and legal and compliance issues.
This policy applies to all employees, consultants, and contractors with access to ShipBob’s networks and system resources.
III. The Policy
- General Use and Ownership
- ShipBob’s restricted and confidential information stored on electronic and computing and network resources, whether the resources are owned or leased by ShipBob, the employee, or a third party, remains the sole property of ShipBob. You must ensure through legal and technical means that restricted and confidential information is protected in accordance with the Non-Disclosure Agreement and/or confidentiality provisions in your contract and any other policies and procedures of ShipBob.
- Personal use of ShipBob devices is not permitted. There should be no expectation of privacy while utilizing a ShipBob-owned or managed network, device, or application. ShipBob reserves the right to access ShipBob resources at any time for legitimate business purposes. Networks and network devices, such as mobile hotspots, are to be used strictly for ShipBob-related activity.
- You have a responsibility to promptly report the theft, loss, or unauthorized disclosure of ShipBob’s restricted and confidential information.
- You may access, use, or share ShipBob’s restricted and confidential information only to the extent you are authorized and it is necessary to fulfill your assigned job duties.
- Unless you receive prior written approval from IT and Security, you may not use any removable media, nor download any data or ShipBob information onto such removable media.
- For security and network maintenance purposes, authorized individuals within ShipBob may monitor equipment, systems, and network traffic at any time.
- ShipBob reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
- Security of Confidential and Restricted Information
- The classification of data as ‘Restricted’ or ‘Confidential’ shall be conducted in accordance with the Data Classification Policy.
- All computing devices that connect to the internal network must comply with the principle of least privilege. Least privilege is defined as the practice of limiting access rights for users to the bare minimum permissions they need for their work.
- System-level and user-level passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
- Postings by members of the ShipBob workforce to newsgroups, social media, blogs, or other similar services should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of ShipBob unless posting is in the course of business duties.
- Members of the ShipBob workforce must use extreme caution when opening email attachments received from unknown senders, which may contain malware. Members of the ShipBob workforce must also use extreme caution when opening or determining whether to respond to emails that may be considered phishing.
- In the event that consultants or contractors are required to handle confidential data or information, they must sign a ShipBob Independent Contractor Agreement and a ShipBob Data Processing Agreement (where applicable) prior to beginning specified contract work.
- Recording Equipment
Video surveillance systems shall be reviewed under the guidance and supervision of the People Ops department in accordance with ShipBob policies as well as local, state, and federal laws. Personnel with access to the surveillance systems must abide by the ShipBob Code of Conduct when utilizing the monitoring equipment. Under no circumstances shall any recording equipment be utilized for anything other than the intended business use case.
- Privileged Utility Programs
Due to the short timelines involved with ShipBob’s business processes, ShipBob maintains several privileged accounts with access to sensitive systems and data.
Privileged utility programs and the accounts that enable their use should only be used in service of business processes and infrastructure maintenance. The number of accounts shall be strictly limited to authorized personnel and shall be regularly reviewed with all other access.
Responsibility and Accountability for Privileged Accounts
All responsibility for the creation, maintenance, and use of privileged accounts shall fall to the IT Department.
IV. Unacceptable Use
The following activities are, in general, prohibited. Members of the ShipBob workforce may be exempted from these restrictions during their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
ShipBob employees are never authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing ShipBob-owned resources.
The lists below are by no means exhaustive but attempt to provide a framework for activities that fall into the category of unacceptable use. There should be no expectation of privacy on ShipBob-owned assets.
- System and Network Activities
The following activities are strictly prohibited, with no exceptions:
- Revealing your account password to others or allowing the use of your account by others.
- Violations of the rights of any person or ShipBob protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by ShipBob.
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which ShipBob or the end-user does not have an active license are strictly prohibited.
- Accessing data, a server, or an account for any purpose other than conducting ShipBob business, even if you have authorized access, is prohibited.
- Exporting software, technical information, encryption software, or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to the export of any material that is in question.
- Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
- Using a ShipBob computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws or any other employment or workplace laws in the user’s federal, state, and local jurisdiction.
- Making any offers of products, items, or services originating from any ShipBob account, other than on official ShipBob business.
- Creating ShipBob-related accounts or email addresses without explicit consent from IT and Security.
- Making statements about warranties, expressly or implied, unless it is a part of normal job duties.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the user is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
- Port scanning or security scanning is expressly prohibited unless prior notification to IT and Security is made.
- Subscribing to or purchasing any service or solution without having an approved procurement request first unless this activity is conducted by an approved IT purchaser acting with Security oversight.
- Executing any form of network monitoring which will intercept data not intended for the employee’s assigned device, unless this activity is a part of the employee’s normal job/duty.
- Circumventing user authentication or security of any device, network, or account.
- Introducing honeypots, honeynets, or similar technology on ShipBob’s network(s).
- Interfering with or denying service to any user other than the user’s host (for example, denial of service attack).
- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet.
- Providing information about, or lists of, ShipBob’s employees to parties outside ShipBob.
- Using ShipBob equipment to run/operate a personal, non-ShipBob, company or business.
- Email and Communication Activities
When using ShipBob resources to access and use the Internet, users must realize they represent ShipBob. Whenever members of the ShipBob workforce state an affiliation to ShipBob, they must also clearly indicate that “the opinions expressed are my own and not necessarily those of ShipBob”. Questions may be addressed to the IT and Security Departments regarding these or other activities. Prohibited email and communication activities shall include but not be limited to the following:
- Using your assigned ShipBob email address for personal communication needs.
- Forwarding ShipBob email to personal email addresses.
- Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
- Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
- Unauthorized use, or forging, of email header information.
- Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
- Creating or forwarding “chain letters,” “Ponzi,” or other “pyramid” schemes of any type.
- Use of unsolicited email originating from within ShipBob’s networks of other Internet/Intranet service providers on behalf of, or to advertise, any service hosted by ShipBob or connected via ShipBob’s network.
- Blogging and Social Media Activities
- Blogging by members of the ShipBob workforce, using ShipBob property or computer systems, is strictly prohibited. The sole exception to this prohibition shall be sales and marketing associates blogging for the sole purposes of generating business or brand awareness. All blogging from ShipBob’s computers or other systems shall be monitored. Blogging access may be revoked at any time upon a finding of a violation of ShipBob policies and procedures.
- All blogging as defined above shall be done in a professional and responsible manner, without violating ShipBob policy, and without being detrimental to ShipBob’s best interests.
- Members of the ShipBob workforce are prohibited from revealing any of ShipBob’s restricted or confidential information, trade secrets, or any other related material when engaged in blogging, whether blogging in the course of their duties or on their personal time.
- Members of the ShipBob workforce are prohibited from making any discriminatory, disparaging, defamatory, or harassing comments when blogging.
- Members of the ShipBob workforce may also not attribute personal statements, opinions, or beliefs to ShipBob when engaged in blogging.
- Apart from following all laws pertaining to the handling and disclosure of copyrighted or export-controlled materials, ShipBob’s trademarks, logos, and any other intellectual property may also not be used in connection with any blogging activity.
The Security Team will verify compliance with this policy through various methods, including but not limited to: business tool reports, internal and external audits, and feedback to the policy owner.
Requests for an exception to this policy must be submitted to the Security Team for approval.
VII. Violations & Enforcement
Any known violations of this policy should be reported to the Security Team. Any workforce member found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or termination of consulting or contractor agreement.