Employee Internet Use Monitoring and Filtering Policy

Version 1.0.4, Last Updated 2024-02-22, APPROVED

1. Purpose

The purpose of this policy is to define standards for monitoring and filtering employee internet use at AccuCode AI Inc. These measures are designed to ensure that employees use the internet in a safe and responsible manner that protects sensitive healthcare data, and to enable monitoring and investigation of employee web activity if needed for security incidents.

2. Scope

This policy applies to all employees, contractors, vendors and agents using an AccuCode AI-owned or personally-owned computer or device connected to the company network. It covers all user-initiated web traffic and communications between AccuCode AI’s network and the internet, including web browsing, instant messaging, file transfers and sharing. Server-to-server traffic such as SMTP, backups, automated data transfers and database communications is excluded.

3. Policy

3.1 Internet Activity Monitoring

The IT department shall monitor all internet activity from devices connected to the corporate network. The monitoring system must log the source IP address, date, time, protocol, and destination site/server for all traffic. Where feasible, it should also log the User ID associated with the activity. Internet activity logs must be retained for at least 180 days.

3.2 Internet Activity Reports

General trend and activity reports will be provided to employees upon request to IT. The Computer Security Incident Response Team (CSIRT) shall have access to all reports and logs as needed for security incident investigations. Specific reports identifying users, sites, teams or devices will only be provided to HR upon written request.

3.3 Web Content Filtering

The IT department shall block access to websites and protocols deemed inappropriate for AccuCode AI’s corporate environment, including but not limited to:

  • Adult/sexually explicit content
  • Advertisements & pop-ups
  • Chat and instant messaging
  • Gambling
  • Hacking
  • Illegal drugs
  • Intimate apparel and swimwear
  • Peer-to-peer file sharing
  • Personals and dating
  • Social networking
  • SPAM, phishing and fraud
  • Spyware
  • Tasteless and offensive content
  • Violence, intolerance and hate speech
  • Web-based email

3.4 Filtering Rule Changes

IT shall periodically review and recommend changes to the web filtering rules. HR will review the recommendations and decide on any changes, which will be documented in this policy.

3.5 Filtering Exceptions

Employees may request an exception to unblock a miscategorized site by submitting an IT help desk ticket. For blocked sites that are categorized correctly, employees must submit an exception request to HR. Approved exceptions will be submitted to IT in writing. IT will unblock approved sites for that user only and maintain a log of exceptions.

4. Policy Compliance

4.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through methods such as periodic walkthroughs, video monitoring, tool reports, audits and feedback.

4.2 Exceptions

Any policy exceptions must be approved in advance by the InfoSec team.

4.3 Non-Compliance

Violating this policy may result in disciplinary action up to and including termination of employment.