Appropriate Use Policy
Purpose
To reduce the cybersecurity risk to the organization, SLAM is required to design, implement and maintain a coherent set of policies, standards and procedures (collectively the Security Program) to manage risks to its data and information systems. Users are required to protect and ensure the Confidentiality, Integrity, and Availability (CIA) of data and information systems, regardless of audience, purpose, or how data is created, distributed, or stored. Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and sensitivity of the data and information system.
SLAM provides many Systems to its users in pursuit of its mission and to enhance their productivity in their jobs. These Systems include computers, software, communication tools (email, chat), access to internal networks (intranet), access to external networks (Internet), as well as telephone systems, voice mail, fax, photocopiers, etc. SLAM requires that these Systems be used responsibly, ethically, and in compliance with all legislation and other SLAM policies and contracts.
Definition
In the realm of IT security terminology, the National Institute of Standards and Technology (NIST) IR 7298, Revision 1, Glossary of Key Information Security Terms, is the primary reference document that SLAM uses to define common IT security terms. Key terminology to be aware of includes:
- Control: A term describing any management, operational, or technical method that is used to manage risk. Controls are designed to monitor and measure specific aspects of standards to help SLAM accomplish stated goals or objectives.
- CIA: Confidentiality, Integrity, and Availability of company information systems and the underlying electronic data.
- Users: SLAM staff, Board Members, volunteers, and contractors who have access to SLAM information systems and who are in a computer-related position of trust.
- Systems: Information Technology systems (e.g., networks, operating systems, applications and databases).
- Privileged User Accounts: Those accounts granted special access rights for particular business needs pursuant to approved procedures.
- Malware: Malicious (nefarious or otherwise unauthorized) software, software add-ins, scripts, agents, etc., that may directly or indirectly expose data, methods or measures to unauthorized actors.
- Organization: Saint Louis Art Museum.
Policy
Users are encouraged to use the IT systems and resources to further the business goals and objectives of the organization. The types of activities that are encouraged include:
- Communicating with fellow users, SLAM business partners, and clients within the context of an individual’s assigned responsibilities.
- Acquiring or sharing information necessary or related to the performance of an individual’s assigned responsibilities.
- Participating in educational or professional development activities, sharing SLAM collection data with other museum institutions.
Personal use of these systems is limited to those situations authorized by your supervisor, or as expressly provided in this policy. Personal use must not interfere with the jobs we have been hired to perform. SLAM reserves the right to monitor, review, and enter a user’s assigned email, directories, files, and other usage.
Use of Computers and Other Technological Devices
- Personal hardware devices may not be attached to the organization’s network without permission of the IT Director.
- Use of the computer for personal reasons is limited to breaks and lunch and is regulated on the honor system. Any personal use must not be in violation of SLAM’s other policies, including but not limited to its policy prohibiting sexual harassment.
- Users shall not damage or alter any System hardware. If System hardware is damaged or changed, it must be reported to the IT Director immediately.
- Software or data from the computer network shall not be removed for personal use by the user.
- Do not leave your computer logged on and unattended.
- The systems shall not be used by users to disrupt other network users, services or equipment. Disruptions include, but are not limited to, distribution of unsolicited advertising, propagation of computer malware (viruses, worms, Trojans, etc.) and sustained high volume network traffic which consumes shared resources.
- Unauthorized software may not be copied onto the organization’s computer network; nor may personal software be used on any system, including local hard drives. Software use is authorized through the IT Director.
- IT System components may not be purchased via the Internet without authorization in compliance with the Purchasing Policy.
- Social networking, computerized game-playing, streaming sporting events, and viewing pornography are a flagrant misuse of time and equipment and are not permitted at any time unless specifically defined within a user's job function or role. Users' internet activity is subject to monitoring and potential inquiry.
- Report any abuse of this policy to your supervisor, department head, and/or HR immediately.
Email Acceptable Use
Use of the SLAM electronic mail (email) systems and services is a privilege, not a right, and therefore must be used with respect and in accordance with the organization’s goals.
- Email access is controlled through individual user accounts and passwords. It is the responsibility of the user to protect the confidentiality of his/her account and password information.
- Users who require email to perform their jobs will be assigned an account.
- Temporary email accounts may be granted to third-party non-employees on a case-by-case basis. Possible non-employees that may be eligible for access include Board Members, Contractors, Volunteers, or Interns. Applications for these temporary accounts must be submitted in writing to the IT Director with a clear justification and specific termination date.
- Email access will be terminated when the user terminates his/her association with the organization. SLAM is under no obligation to store or forward the contents of a user’s email account after the term of employment has ceased.
- Important official communications are often delivered via email. As a result, users with email accounts are expected to check their email in a consistent and timely manner so they are aware of important organization announcements and updates, as well as for fulfilling business-oriented tasks.
- Email users are responsible for mailbox management, including organization, archiving, and cleaning.
- Use of institution-wide broadcast email is limited to specific positions based on need.
- If a user subscribes to a mailing list, he/she must be aware of how to be removed from the list and is responsible for doing so in the event his/her email address changes.
- Email users are expected to comply with normal standards of professional and personal courtesy and conduct.
Inappropriate Email Use
The email systems and services are not to be used for purposes that could be reasonably expected to cause excessive strain on systems. Individual email use shall not interfere with others’ use. Email use at SLAM will comply with all applicable laws, and all organizational policies, including, but not limited to the SLAM anti-discrimination and anti-harassment policies. The organization may monitor, retrieve, or review any data composed, sent, received, or stored on SLAM’s email systems at any time without notice.
The following non-exhaustive list of activities is deemed inappropriate use of email:
- Use of email for illegal or unlawful purposes, including copyright infringement, obscenity, libel, slander, fraud, defamation, plagiarism, harassment, intimidation, forgery, impersonation, soliciting for illegal pyramid schemes, and computer tampering (e.g. spreading of computer malware).
- Viewing, copying, altering, or deletion of email accounts or files belonging to the organization or another user without authorized permission.
- Sending of unreasonably large email attachments. The total size of an email message sent (including attachment) should not exceed 12MB. However, be aware that many email services will reject emails of this size. If you must transmit files larger than 12MB, contact the IT group for assistance.
- Sharing email account passwords with another person or attempting to obtain another user’s email account password. Email accounts are only to be used by the registered user. In the event a department head needs access to an employee’s email, a request must be submitted to HR and the IT Director.
- Excessive personal use of the email resources. SLAM allows limited personal use for communication with family and friends, independent learning, and public service so long as it does not interfere with staff productivity, preempt any business activity, or consume more than a trivial amount of resources. SLAM prohibits personal use of its email systems and services for unsolicited mass mailings, non-organization commercial activity, political campaigning, dissemination of chain letters, and use by non-users.
Monitoring and Confidentiality
The email systems and services used at SLAM are owned by the organization without exception and are its property. This gives the organization the right to monitor all email traffic passing through its systems. While the organization does not actively read end-user email, email messages may be inadvertently read by IT group during the normal course of managing the email system.
In addition, backup copies of email messages may exist, despite end-user deletion, in compliance with the organization’s records retention policy. The goals of these backup and archiving procedures are to ensure system reliability and prevent business data loss.
If SLAM discovers or has good reason to suspect activities that do not comply with applicable laws or this policy, email records may be retrieved and used to document the activity in accordance with due process. All reasonable efforts will be made to notify the user if email records are to be reviewed. Notification may not be possible, however, if the user cannot be contacted, as in the case of an absence due to vacation.
Use extreme caution when communicating confidential or sensitive information via email. Keep in mind that all email messages sent outside of the SLAM network become the property of the receiver. A good rule is to not communicate anything that you wouldn’t feel comfortable being made public. Demonstrate particular care when using the “Reply” and “Reply All” command during email correspondence.
Reporting Misuse
Any allegations of misuse should be promptly reported to the IT group. If you receive an offensive email, do not forward, delete, or reply to the message. Instead, report it directly to the IT group.
Telephone Acceptable Use
Use of the telephone for personal reasons is regulated on the honor system. Making or receiving personal phone calls should be limited to necessary calls that cannot be made during non-working hours. If possible, personal phone calls should be made during breaks and lunch.
- Jokes or other comments that may be considered offensive are never appropriate and are not to be sent using the organization’s phone or voice mail systems.
- The personal verification and internal/external greetings should be kept current.
- Contact the IT group to schedule training, to report trouble, or to make changes in phone or voice mail service.
- Users should periodically change the access code of any voice mailbox for which they are responsible.
- Any suspicion of unauthorized access should be reported immediately to the IT group.
- When users leave employment, the responsible department heads should see that voice mail access codes are changed, and that mailboxes are not left unattended.
- Any user requesting access to the telecom equipment should be referred to the IT group.
Fax and Photocopier Acceptable Use
Use of the SLAM fax machines for personal reasons should be kept to a minimum and should not interfere with official Museum business. Any incoming faxes containing confidential, private information should be sent to the HR fax machine at 314-655-5366. Personal use of the photocopier should be kept to a minimum and should not interfere with Museum business needs.
Inappropriate Use of the Internet and Wi-Fi
A User’s Internet usage, including use of Wi-Fi, will not interfere with others’ productive use of Internet resources. Users will not violate the network policies of any network accessed through their account. Internet use will comply with all Federal and Missouri laws, all SLAM policies, and all SLAM contracts. This includes, but is not limited to, the following:
- The Internet may not be used for illegal or unlawful purposes, including, but not limited to, copyright infringement, obscenity, libel, slander, fraud, defamation, plagiarism, harassment, intimidation, forgery, impersonation, illegal gambling, soliciting for illegal pyramid schemes, and computer tampering (e.g. spreading computer malware).
- The Internet may not be used in any way that is not consistent with the mission of the organization, misrepresents the organization, or violates SLAM policy.
- Users should limit their personal use of the Internet. SLAM allows limited personal use for communication with family and friends, independent learning, and public service. The organization prohibits giving non-users access to organization resources or network facilities, uploading and downloading of files for personal use, access to pornographic sites, gaming, competitive commercial activity unless pre-approved by SLAM, and the dissemination of chain letters.
- Users may not establish organization computers as participants in any peer-to-peer sharing network, unless approved by IT staff.
- In the interest of maintaining network performance, users should not send unreasonably large email attachments or video files not needed for business purposes. Users should contact the IT group for alternative methods such as OneDrive, etc.
IT security systems block specific types of websites known to be in violation of the organization's Appropriate Use Policy. However, because various art forms and works reflect content considered objectionable by some, exceptions can be made for curatorial staff and others upon request, for example: art sites or repositories depicting nudity. Contact the IT Director to process an exception.
The types of websites blocked by organization IT security systems include, but are not limited to:
- Adware
- Dating
- Drugs
- Hate/Discrimination
- Lingerie/bikini
- P2P/File Sharing
- Pornography
- Proxy/Anonymizer
- Sexuality
- Television
- Tasteless
- Weapons
Approval and Ownership
| Owner | Title | Date |
| --- | --- | --- |
| Phillip Deleel | IT Director | 03/29/2021 |

| Approved By | Title | Date |
| --- | --- | --- |
| Carolyn Schmidt | Deputy Director/Controller | 05/13/2021 |
Revision History
| Version | Description | Revision Date | Review Date | Reviewer / Approver Name |
| --- | --- | --- | --- | --- |
| 1 | Final | 03/29/2021 | 05/13/2021 | Carolyn Schmidt |
| 2 | Annual Review | | 06/07/2022 | Phillip Deleel |
| 3 | Annual Review | | 05/26/2023 | Phillip Deleel |
| 4 | Annual Review | | 07/25/2024 | Phillip Deleel |
| 5 | Annual Review | | 8/04/2025 | Phillip Deleel |