Acceptable Use Policy
 

 

1.0 PURPOSE

The purpose of this policy is to outline the acceptable use of computers, computer systems, computer networks and computer resources located physically and / or virtually at all premises, physical and / or virtual, owned and / or controlled by Asian School of Cyber Laws (hereinafter referred to as ASCL). This policy seeks to protect ASCL and its employees, students, consultants, licensees, lessees, franchisees, vendors, customers, and affiliates. Vulnerabilities like inappropriate use of computers, computer systems, computer networks and computer resources may expose ASCL to risks including virus, Trojan and worm attacks, denial of service attacks, disruption of systems and services, and legal issues.

2.0 SCOPE

This policy applies to all employees, students, consultants, licensees, lessees, franchisees, vendors, customers, agents, and affiliates of ASCL and to all electronic transactions wherein one or more parties are one or more of the above-mentioned. This policy provides for best practices for use of computers and networking resources within the organization.

3.0 POLICY

3.1 General Use and Ownership

  1. While ASCL's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of ASCL. Because of the need to protect ASCL's network, management cannot guarantee the confidentiality of information stored on any network device belonging to ASCL.

  2. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.

  3. All users shall maintain activity logs of their daily use of computing resources. These logs are to be maintained in pre-defined formats. Regular independent review of operation logs shall be done by management representatives.

  4. Users shall be required to ensure that unattended equipment is given adequate and appropriate protection including but not limited to:

    • Door locking,
    • Logging off from domains before leaving the computer and
    • Inactive terminals shall be automatically shut down after a defined period of inactivity to prevent unauthorised access.

  5. For security and network maintenance purposes, authorized individuals within ASCL may monitor equipment, systems and network traffic at any time, as per ASCL's Audit Policy.

  6. ASCL reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. The governing body shall periodically review the access rights and security practices with relation to use of computing resources.

3.2 Security and Proprietary Information

  1. The user interface for information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company's private information, corporate strategies, competitor-sensitive data, trade secrets, specifications, customer lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information.

  2. All users shall follow a formal authorization process before making any proprietary information publicly available. The integrity of such information shall also be protected after it is made public.

  3. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly; user level passwords should be changed every six months.

  4. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for Win2K users) when the host will be unattended.

  5. Use encryption of information in compliance with ASCL's Acceptable Encryption Use policy.

  6. Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the "Laptop Security Tips".

  7. Postings by employees from an ASCL email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of ASCL, unless posting is in the course of business duties.

  8. All hosts used by the employee that are connected to the ASCL Internet/Intranet/Extranet, whether owned by the employee or ASCL, shall be continually executing approved virus-scanning software with a current virus database, unless overridden by departmental or group policy.

  9. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

  10. Exchange of proprietary information using other facilities including but not limited to voice, data, facsimile and video communication shall be controlled as per policy.

3.3 Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is an employee of ASCL authorized to engage in any activity that is illegal under local, state, central or international law while utilizing ASCL-owned resources.

The lists below are by no means exhaustive, but attempt to provide a framework for activities, which fall into the category of unacceptable use.

4.0 SYSTEM AND NETWORK ACTIVITIES

The following activities are strictly prohibited, with no exceptions:

  1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by ASCL.

  2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which ASCL or the end user does not have an active license is strictly prohibited.

  3. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.

  4. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).

  5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.

  6. Using an ASCL computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.

  7. Making fraudulent offers of products, items, or services originating from any ASCL account.

  8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.

  9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.

  10. Port scanning or security scanning is expressly prohibited unless prior notification to ASCL is made.

  11. Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.

  12. Circumventing user authentication or security of any host, network or account.

  13. Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).

  14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.

  15. Providing information about, or lists of, ASCL employees to parties outside ASCL.

5.0 ENFORCEMENT

Any person bound by this policy who intentionally and/or knowingly violates this policy shall be subject to action deemed fit by the Governing Board of the Asian School of Cyber Laws and shall also be liable to pay adequate and prompt compensation. Such action shall not preclude adequate civil and / or criminal remedy as per the applicable law.

6.0 DEFINITIONS

  1. "access" with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;

  2. "addressee" means a person who is intended by the originator to receive the electronic record but does not include any intermediary;

  3. "computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

  4. "computer network" means the interconnection of one or more computers through -

    1. the use of satellite, microwave, terrestrial line or other communication media; and

    2. terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;

  5. "computer resource" means computer, computer system, computer network, data, computer data base or software;

  6. "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

  7. "data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

  8. "electronic form" with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;

  9. "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;

  10. "function", in relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer;

  11. "information" includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;

  12. "intermediary" with respect to any particular electronic message means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message;

  13. "originator" means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;

  14. "computer contaminant" means any set of computer instructions that are designed-

    1. to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

    2. by any means to usurp the normal operation of the computer, computer system, or computer network;

  15. "computer data base" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;

  16. "computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;

  17. "damage" means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.

7.0 REVISION HISTORY

This document was created on 12-02-2002 and was last updated on 22-02-2003. Please note that this document is updated on a regular basis and the latest version can be obtained from:

http://www.asianlaws.org/policies/aup.htm

© 2004 Asian School of Cyber Laws. All Rights Reserved.
 

 

