ACCEPTABLE USE POLICY
Table of Contents
EXECUTIVE SUMMARY
POLICY PRESENTATION
- POLICY DETAILS
- SCOPE OF COVERAGE
- ORGANIZATIONAL RESPONSIBILITIES
- STATEMENT OF ACCOUNTABILITY & REQUESTING EXCEPTIONS
- ASSOCIATED DOCUMENTS & FURTHER INFORMATION
- APPROVAL AND REVISION HISTORY
GENERAL DISCLAIMER
Technicolor Creative Studios (TCS) complies with all laws, regulations, and the Technicolor Code of Ethics and will not exercise its rights referred to in this policy in countries or jurisdictions where such rights are or will be unlawful (for example, certain European countries have different legislation on privacy).
EXECUTIVE SUMMARY
The purpose of this policy is to outline the acceptable use of Computing Assets and Resources (i.e., computer systems, applications, equipment, computer services, mobile devices, cloud, and related services). This policy is in place to protect employees and Technicolor. Inappropriate use exposes Technicolor to risks including financial, cyber-attacks, compromise of network systems and services, and potential legal issues.
As set forth in the company Code of Ethics, Computing Assets and Resources (defined collectively in section 1.2.1, page 3, as “Computing Assets”) are to be used only for legitimate business purposes of Technicolor (subject to the limited exceptions contained in this policy) and only by authorized employees, officers, or their designees.
Technicolor equipment, networks, and electronic systems (such as Internet access, voicemail, cloud applications, email, and instant messaging) are provided to perform the work of supporting Technicolor’s business needs and are for Technicolor business use. While incidental personal use is permitted on a limited basis, there is no expectation of privacy in any such personal use, including the use of Computing Assets to access social networking sites, personal password protected email accounts to transmit any type of information (including confidential or allegedly privileged information), or any other web site.
POLICY PRESENTATION
The objectives of this policy are to:
- Outline acceptable and unacceptable uses of any computing asset when it is employed to conduct Technicolor business
- Information stored on Technicolor-owned computing assets is the property of Technicolor or a Technicolor customer
- For personal computing devices, acceptable use must be in accordance with the agreement the user has signed with Technicolor and in compliance with this policy
1. POLICY DETAILS
1.1 Risks
- Unacceptable use of Computing Assets for unauthorized or illegal activities
- Unauthorized or illegal activities due to unacceptable use of Computing Assets
- Unlawful dissemination of copyrighted or offensive information
- Spread of viruses and other malware via Computing Assets
- Unauthorized disclosure of sensitive information
- Improper disclosure of personal information in violation of the EU General Data Protection Regulation
1.2 LIST OF ACCEPTABLE USES OF COMPUTING ASSETS
- For the purposes of this policy, “Computing Assets” are defined as 1) Technicolor-owned or managed computing assets, e.g., laptops, desktops, mobiles, networks, clouds; or 2) personal computing assets. Such Computing Assets are used to conduct business on behalf of Technicolor by connecting to Technicolor networks or other networks for the purposes of managing, storing, or transmitting Technicolor business information, intellectual property, or customer
- Technicolor-owned or managed Computing Assets, as defined in 2.1, shall be used only for Technicolor business-related purposes. Incidental personal use of company owned devices is permitted on a limited basis. Employees who are granted access to Technicolor email in the course of their work are permitted to use such email for non-business purposes, provided that such use complies with applicable law and Technicolor policy (including Technicolor’s policies on Discrimination, Harassment, and Information Protection).
- For personal Computing Assets, as defined in 1.2.1, that are employed for Technicolor business-related purposes, use must be in accordance with the agreement the user has signed with Technicolor.
- As outlined in the Code of Ethics, all Technicolor or Technicolor third-party information or content transmitted by, received from, or stored in Computing Assets, electronic systems, networks, or clouds are the property of Technicolor. Technicolor may, at its sole discretion, monitor and inspect any Computing Asset using a Technicolor network. Technicolor also reserves the right to access, review, copy, or delete any message or document on its Computing Assets and related media and may disclose such information to parties either inside or outside the organization as Technicolor deems appropriate.
- Technicolor may log activity performed on its information systems to prevent company, customer or third-party data loss or Such activity includes but is not limited to changing; printing; deleting; copying hardcopy or electronically; or e-mailing or sharing. Technicolor, being a company which complies with any laws and regulations and its Code of Ethics, will not exercise its rights referred to in this section in countries or jurisdictions where such rights are or will be unlawful (certain European countries have different legislation on privacy).
- Employees (section 2) and Third Parties (section 2) are responsible for exercising discretion in personal use of company Computing Assets. Employees should seek guidance from their direct manager and Third Parties should contact the Technicolor representative responsible for their project/work to which they are
- Many computing devices offer flexibility to be able to connect in multiple ways (e.g. Wi-Fi, physical network cable, embedded mobile broadband/SIM), which is important especially given the diversity of connectivity needs when at home or traveling. However, it is not acceptable for Computing Assets to have a secondary network device/path active while also connected in a Technicolor building OR while the Computing Asset is connected to the Technicolor VPN. For example, you should not have wired access in a Technicolor facility and also have an active mobile broadband connection.
- The installation, activation and use of a third-party internet service provider (ISP) from inside Technicolor’s facilities is prohibited without prior approval from the IT Security Organization (ITSO) in accordance with the Request for an Exception to a Security Policy (see Associated Documents).
- Computing Assets that are connected to Technicolor’s global network or used in an approved remote working environment must run Technicolor-approved virus-scanning software with current virus In addition, computing assets must be current with all vital software updates as deemed required by Technicolor. It is the responsibility of Employees (section 2) and Third Parties (section 2) to follow Technicolor guidelines to ensure all required updates are applied. Exceptions to this requirement must be approved in advance by the Security Office in accordance with the Request for an Exception to a Security Policy.
- Computing Assets that are connected to Technicolor’s global network must be equipped with and automatically execute a device screensaver or locking feature that activates when the device remains inactive for 10 minutes (lower intervals acceptable). Reactivation of the device requires entry of a user password. Exceptions to this requirement must be approved by the Security Office in accordance with the Request for an Exception to a Security
- Computing Assets that manage, store, or transmit Valued Information as defined in the Information Protection Policy (Restricted, Confidential, Private) are to encrypt the information in accordance with the Information Protection
- Postings by Employees or Third Parties to social networks, newsgroups, and BLOGS, e.g., Facebook, Dropbox accounts, Skype accounts, etc., must be in accordance with the Technicolor Social Media Policy (see Associated Documents section 5).
- Computing Assets must be secured in compliance with relevant company Exceptions to this requirement must be approved in advance by the Security Office in accordance with the Request for an Exception to a Security Policy.
- Consistent with applicable local and regional legal requirements, the Security Office and IT Security Organization reserve the right to audit networks and systems on a periodic basis to ensure compliance with this
- As of January 2021, Remote Technicolor computing assets are expected to include remote wipe capability, e.g., Microsoft Intune or similar.
1.3 LIST OF PROHIBITED AND UNACCEPTABLE USES OF COMPUTING ASSETS
- Using any Computing Asset to engage in any activity that is illegal under local, regional, or international
- Using Company-owned Computing Assets for non-Technicolor commercial use, grid computing or part of a personal social network. This also includes the use of trademarks, brands, or copyrighted marketing material for commercial purposes without the prior approval of Technicolor’s [Marketing Department].
- Using Company-owned Computing Assets (such as Internet access, voicemail, email, and instant messaging) to view, transmit, store, scan or print any discriminatory, threatening, intimidating, hate, pornographic or harassing files or materials.
- Attaching any non-Company-provided equipment to Company Wireless Local Area Network (WLAN); Local Area Network (LAN); a Company wireless connectivity device (including, but not limited to, wireless cards or air cards); or client computer system resources without prior approval from the Security This includes but is not limited to wireless access points; personal or Third-Party desktop or laptop computers; USB devices; jump drives; smart media, smart phones, and tablets.
- Installing any non-standard software on Technicolor Computing Assets without prior approval from the local or corporate Information Technology Security Organization (ITSO). Refer to the Laptops, Workstations and Peripherals Policy for more information (see Associated Documents).
- Installation, implementation, or configuration of non-approved Peer-to-Peer communications services without (1) prior written approval from a Technicolor IT Director or above, and (2) an authorized security policy exception following the Security Policy Exception This includes, but is not limited to, services such as voice, chat, or collaboration-oriented services.
- Usage of cloud-based file sharing, storage, backup, or collaborative solutions (collectively known as “cloud computing”) for company data without prior approval from the Security Office.
- Transmission or storage of Restricted, Confidential or Private company data (as defined in Technicolor’s Information Protection Policy) outside of Technicolor’s network or computing infrastructure via ANY means without authorization of the data owner/controller. Any transmission or storage is subject to the provisions of section 2.11 regarding encryption.
- The use of any device such as a mobile device, digital camera or web camera that can take photographs or videos in designated secure or sensitive areas of a Technicolor facility.
- Unauthorized copying or transmitting of copyrighted information in a manner that infringes upon intellectual property rights, including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources; copyrighted music; copyrighted video; and the installation of any copyrighted software for which Technicolor or the end user is not legally authorized.
- Exporting software, technical information, encryption software or technology in violation of local, regional, or international export control laws. The appropriate management should be consulted prior to exporting any material that is in question.
- Purposely introducing malicious programs (viruses, worms, Trojan horses, key loggers, email bombs) into a network or server.
- Revealing a personal account and/or password to others or allowing use of a personal account by others. This includes family and other household members/guests when working outside of Technicolor premises.
- Storing any credential and/or password in an insecure way or sharing it with others.
- Making fraudulent offers of products, items, or services originating from any Company account or alleging to make said offers on behalf of the company.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the Employee is not an intended recipient or logging into a server or account that the Employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For the purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forging routing information for malicious purposes.
- Unauthorized port scanning or security Unauthorized launching of hacking tools, programs, or scripts.
- Providing information about or lists of Technicolor customers or vendors to parties outside Technicolor without prior approval from the information owner.
- Gathering or providing any individual’s sensitive personal information (e.g., an individual’s Social Security number, personal health information, bank account information, or credit card information), including information related to network, internet, cloud or e-mail usage, without express permission and approval of the local Human Resources Manager, Technicolor Legal and the Security Office as defined in the Information Discovery and Access Policy and the Personal Data Protection policy.
- Reconfiguring or otherwise attempting to bypass security software or other security controls applied to Computing Assets or Technicolor networks.
- Computing Assets, as defined in 1.2.1, shall be used in a manner that protects employee personal information according to the provisions of the Personal Data Protection Policy (see Associated Documents).
- Technicolor’s electronic mail may not be automatically forwarded to external email addresses. It is forbidden to set up an auto-forward to an external email address.
1.4 SUMMARY OF ACCEPTABLE/UNACCEPTABLE USES BY COMPUTING ASSET (TECHNICOLOR OR BYOD/PERSONAL)
| Policy section | Type of Activity | TC Computing Asset | BYOD/Personal Computing Asset | Comments |
|---|---|---|---|---|
| 3.1 | Use device for Technicolor business activities while connected to Technicolor networks | Y | Y | |
| 3.2 | Use device for personal activity, e.g., internet access | Limited | N/A | Speak with manager concerning amount and type |
| 3.3 | Use device in accordance with signed agreement for Technicolor access | N/A | Y | |
| 3.4 | Technicolor may log activity performed while connected to Technicolor networks | Y | Y | See 3.13 |
| 3.7 | Can be connected to WIFI while networked to sensitive Technicolor data/systems | N | N | |
| 3.8 | Can install/use third-party ISP while connected to Technicolor networks | N | N | |
| 3.9 | Must use anti-virus while connected to Technicolor networks | Y | Y | |
| 3.10 | Screensaver/locking after 10 mins | Y | Y | |
| 3.11 | Must encrypt Valued Information in various states | Y* | Y* | * In accordance with the Information Protection Policy |
| 3.12 | User may post to social media on behalf of Technicolor | N* | N* | * Only in accordance with the Social Media Policy |
| 3.13 | User required to secure devices | Y | Y | * In accordance with relevant company standards |
| 3.14 | Company can audit devices connected to Technicolor networks | Y | Y | * In accordance with local/regional/national laws. See 3.4. |
| 3.17 | Use device for non-Technicolor commercial activity | N | N/A | |
| 3.18 | Use device to access/view inappropriate material | N | N/A | |
| 3.19 | May attach non-company equipment to company networks | N* | N* | * Approval required from Security Office |
| 3.19 | May attach non-company equipment (USB, jump drives, etc.) to computing assets | N* | N/A | * Approval required from Security Office |
| 3.20 | May install non-standard software without approval | N* | N/A | * Follow Laptops, Workstations, Peripherals and Accessories Policy & Guidelines |
| 3.21 | May install/configure/use Peer-to-Peer services | N* | N* | * Approval of IT Director and request for exception to this policy required |
| 3.22 | May use cloud-based solutions | Y* | Y* | * With permission of Security Office and following a vendor risk assessment |
| 3.23 | Transmission/storage of Valued Information. See 3.11 | -- | -- | |
| 3.24 | May use camera/video in restricted areas | N | N | |
| 3.25 | May copy/transmit copyrighted material for which Technicolor does not have authorization | N | N | |
| 3.26 | May export materials in violation of export control laws | N | N | |
| 3.28 | May reveal personal Technicolor account to others | N | N | |
| 3.34 | May gather/provide another individual’s information related to e-mail, network, internet, cloud use | N* | N* | * Subject to provisions of E-Mail and File Access Policy |
| 3.37 | May set up automatic forwarding to external email addresses | N | N | |
2. SCOPE OF COVERAGE
This policy is applicable to all Technicolor Brands and Services Lines within the Creative Studios business group (collectively referred to as “Creative Studios”).
This policy applies to all Creative Studios employees, whether senior, full-time, part-time, temporary or interns (collectively referred to as “Employees”).
This policy applies to all Creative Studios consultants, contractors, vendors, employees of vendors, and staffing agencies, and customers who have access to or use Technicolor’s Valued Information or Technicolor facilities (collectively referred to as “Third-Parties”).
This policy applies to all Technicolor Creative Studios including subsidiaries (collectively referred to as "Technicolor" or the "Company")
This policy applies to all Technicolor Computing Assets and resources including, but not limited to, computer systems, networks, applications, cloud services, equipment and computer services that are owned, rented, leased, licensed or otherwise in Technicolor’s possession or under Technicolor’s responsibility.
This policy applies to any personal Computing Assets, e.g., BYOD, that are used to manage, store or transmit Technicolor business information, intellectual property or customer content.
3. ORGANIZATIONAL RESPONSIBILITIES
- The Security Office shall:
  - Be the owner of and responsible for the contents, management, implementation and communication of this
  - Annually review and, where necessary, revise this
  - Allow or disallow requests for exceptions to this policy and manage all exceptions granted to it, working closely with legal or human resources as appropriate (See Statement of Accountability and Exceptions).
  - Under the guidance of the Technicolor Legal Department, have the authority to audit, consistent with applicable international, regional and local laws, Company-provided files, computers and all devices connected to the Company data networks, all e-mail messages, disk files and all servers and mainframe
  - Have the authority to audit, consistent with applicable local and regional legal requirements, Computing Assets and all devices connected to the Company voice or data
- The Security Operations Center (SOC) shall:
  - Be responsible to define and enforce security controls and safeguards required to protect Computing Assets and Valued Information (as this term is defined in Technicolor’s Information Protection Policy), network and computer resources from damage, loss, misuse, or inappropriate disclosure in accordance with Technicolor's policies.
  - Have the authority to audit, consistent with applicable local and regional legal requirements, Computing Assets and all devices connected to the Company voice or data networks.
- Technicolor Employees and Third-Parties shall:
  - Be knowledgeable of this policy and all associated guidelines and comply with program elements applicable to their jobs.
  - Report all incidents of violation of this policy or associated guidelines in accordance with Technicolor's Corporate Ethics Charter, Technicolor's Significant Business Incident Policy and any related policies, guidelines or standards.
  - Obtain clarification from the Security Office or the IT Security Organization in advance of implementation regarding questionable issues pertaining to the acceptable use of Computing Assets.
- Technicolor managers and all persons having management or supervisory responsibility shall be responsible to ensure that every Employee and Third Party within their organization has been informed of and is knowledgeable of the contents of this policy.
- IT Support Administrators are obligated to keep all employees’ personal information private and confidential as required by the IT Privileged User Accounts Standard (see Associated Documents) except as necessary to comply with this policy, conduct investigations, operate the business of the Company, comply with legal obligations, and respond to legitimate government inquiries.
- Those performing auditing functions as defined in 1.5 and 3.2.2 are obligated to keep all employees’ personal information confidential as defined in the Personal Data Protection Policy except as necessary to comply with this policy, conduct investigations, operate the business of the Company, comply with legal obligations, and respond to legitimate government inquiries.
4. STATEMENT OF ACCOUNTABILITY & REQUESTING EXCEPTIONS
4.1 STATEMENT OF ACCOUNTABILITY
Any Employee found in non-compliance with this or any other TCS policy or standard may be subject to disciplinary action up to, but not limited to, termination of employment consistent with applicable local, regional legal requirements and the Company’s Rules and Regulations.
Any Third-Party found in non-compliance with this policy may be deemed in violation of contract terms and conditions and may be subject to disciplinary action and/or other sanctions up to, but not limited to, termination of working contracts consistent with applicable local, regional legal requirements and the Company’s Rules and Regulations.
Technicolor will not exercise its rights referred to herein in countries and jurisdictions where such rights are or will be unlawful.
4.2 REQUESTING EXCEPTIONS
- Any exception to a TCS Security Policy must be formally requested and approved by the Security The Security Office has the authority to grant exceptions to a TCS security policy. Requests must be made from Service Now.
- Exceptions must identify the requestor, the policy to which an exception is being requested, and a description of the reason for the
- Requests are for a period of no more than one year and must be renewed upon The Security may modify a policy upon its revision to take into account identified exceptions.
- The Security Office may deny a request for exception if the security risk is deemed
Exceptions can be filed here: Security Exception Request
Confidential & Proprietary:
The information contained herein is the property of Technicolor and shall not be reproduced, copied, or used for any purpose without permission.