Sample Internet Usage Policy Template

Learn how PurpleSec’s experts can help develop your organization’s cyber security policies.

Author: Rich Selvidge, CISSP / Last Updated: 12/31/22

Reviewed By: Michael Swanagan, CISSP, CISA, CISM

View Our: Editorial Process

Overview

Internet access and usage at {COMPANY-NAME} must be managed as valuable and mission critical resources.

This policy is established to:

• Create prudent and acceptable practices regarding the use of the Internet.
• Educate individuals who may use information resources with respect to their responsibilities associated with such use.

Purpose

The purpose of an internet usage policy is to establish the rules for the use of company Internet for access to the Internet or the Intranet.

Audience

This policy applies equally to all individuals granted access privileges to any {COMPANY-NAME} information system or resource with the capacity to access the Internet, the Intranet, or both.

Policy Detail

Accessing The Internet

Users are provided access to the Internet to assist them in the performance of their jobs. At any time, at the request of management, Internet access may be revoked.

IT may restrict access to certain Internet sites that reduce network performance or are known or found to be compromised with and by malware. {COMPANY-NAME} will use internet filters to block high-risk content and deny access to any unwanted material or malware in support of the Acceptable Use Policy.

All software used to access the Internet must be part of the {COMPANY-NAME} standard software suite or approved by IT. Such software must incorporate all vendor provided security patches.

Users accessing the Internet through a computer connected to {COMPANY-NAME}’s network must do so through an approved Internet firewall or other security device. All software used to access the Internet shall be configured to use a proxy or other means of managing or controlling. Bypassing {COMPANY-NAME}’s network security, by accessing the Internet directly, is strictly prohibited.

Users are prohibited from using {COMPANY-NAME} Internet access for: unauthorized access to local and remote computer systems, software piracy, illegal activities, the transmission of threatening, obscene, or harassing materials, or personal solicitations.

Expectation Of Privacy

Users should have no expectation of privacy in anything they create, store, send, or receive using {COMPANY-NAME}’s Internet access. Users expressly waive any right of privacy in anything they create, store, send, or receive using {COMPANY-NAME}’s Internet access.

File Downloads And Virus Protection

Users are prohibited from downloading and installing software on their PC without proper authorization from IT. Technical controls may be utilized to limit the download and installation of software.
Downloaded software may be used only in ways that conform to its license and copyrights.

All files, downloaded from the Internet, must be scanned for viruses using {COMPANY-NAME} approved virus detection software. If a user suspects a file may be infected, he/she must notify IT immediately.

Users are prohibited from using the Internet to deliberately propagate any virus, worm, Trojan Horse, trap-door, or other malicious programs.

Monitoring Of Computer And Internet Usage

All user activity on {COMPANY-NAME} IT assets is subject to logging and review. {COMPANY-NAME} has the right to monitor and log all aspects of its systems including, but not limited to, monitoring Internet sites visited by users, monitoring chat and newsgroups, monitoring file downloads, and all communications sent and received by users.

Frivolous Use

Computer resources are not unlimited. Network bandwidth and storage capacity have finite limits, and all users connected to the network have a responsibility to conserve these resources. As such, the user must not deliberately perform acts that waste computer resources or unfairly monopolize resources to the exclusion of others.

These acts include, but are not limited to, spending excessive amounts of time on the Internet, playing games, engaging in online chat groups, uploading or downloading large files, accessing streaming audio and/or video files, or otherwise creating unnecessary loads on network traffic associated with non-business-related uses of the Internet.

Personal use, beyond incidental use of the Internet, may be done only on break room PCs and only in compliance with this policy.

Reimbursement

An employee, whose position requires him/her to have remote access, will be reimbursed for his/her Internet expenses up to a reasonable amount.

An Expense Report will need to be completed and submitted to his/her manager for approval.

Content

{COMPANY-NAME} utilizes software that makes it possible to identify and block access to Internet sites containing sexually explicit material or other material deemed inappropriate in the workplace. The display, storing, archiving, or editing of such content on any {COMPANY-NAME} PC is prohibited.

Users are prohibited from attempting to access or accessing inappropriate sites from any {COMPANY-NAME} PC. If a user accidentally connects to a site containing such material, the user must disconnect at once and report the incident immediately to IT. {COMPANY-NAME} Departments may not host their own websites or contract for the hosting of websites by a vendor without the permission of IT.

Content on all {COMPANY-NAME} hosted web sites must comply with the {COMPANY-NAME} Acceptable Use of Information Systems and Privacy Policies. No internal data will be made available to hosted Internet websites without approval of IT.

No personal or non-{COMPANY-NAME} commercial advertising may be made available via hosted {COMPANY-NAME} web sites.

Transmissions

All sensitive {COMPANY-NAME} material transmitted over the Internet or external network must be encrypted.

Electronic files are subject to the same records retention rules that apply to other documents and must be retained in accordance with departmental records retention schedules.

Incidental Use

Incidental personal use of Internet access is restricted to {COMPANY-NAME} approved Users; it does not extend to family members or other acquaintances.

Incidental use must not result in direct costs to {COMPANY-NAME}.Incidental use must not interfere with the normal performance of an employee’s work duties.

No files or documents may be sent or received that may cause legal liability for, or embarrassment to, {COMPANY-NAME}.

Storage of personal files and documents within {COMPANY-NAME}’s IT should be nominal.All files and documents, including personal files and documents, are owned by {COMPANY-NAME}, may be subject to open records requests, and may be accessed in accordance with this policy.