Ceridian Acceptable Use Policy

Stored Value Solutions
Table of Contents
What is an Acceptable Use Policy?
Scope
Compliance and Acknowledgment
Ceridian’s Right to Monitor
Acceptable Use Requirements
Safe Work Environment
Acceptable Use of Assets
Passwords and User IDs
Email Security
Personal Use of Ceridian Assets
Clean Desk Policy
Portable Asset Protection
Facility Protection
Protection of Confidential Information
Privacy Legislation
Other Requirements
Conference Calls and Web Meetings
Backup of Data Stored Locally
Classification of Data
Remote Desktop Tools
Data and Records Retention
Need to Know Basis
Telephones / Cellular Phones / FAX
Reporting Security and Privacy Incidents
Questions and Comments
Christopher H.,
Ceridian U.S.
What is an Acceptable Use Policy?
The Ceridian Acceptable Use Policy highlights
the key themes found in our Information
Security program and core policies and describes
the minimum security and acceptable use
requirements for users of Ceridian assets, either
owned or managed. Ceridian’s Information
Security policies cover topics such as Information
Asset Management, Physical and Environmental
Security, Access Control and Business Continuity
Management. This Acceptable Use policy
summarizes the critical security components
of these policies by focusing on those policy
requirements that apply to most of the common
activities that occur in and out of the workplace.
The Acceptable Use Policy is not intended to be
the sole source for review of policy requirements.
Instead, its purpose is to make it easier for users of
Ceridian’s information assets to understand their
responsibilities. It is important that you familiarize
yourself with all of Ceridian’s Information Security
policies. In the event that this document conflicts
with published Security Policies, the original policy
requirement will apply.
The requirements within the Information Security
program are designed to protect Ceridian
and all its stakeholders from any harm or
damage caused willingly or inadvertently
by individuals internal and external to
our company. Our stakeholders include
each and every person involved with
Ceridian in some capacity; they
include our employees, customers,
vendors and other third parties.
Policies are not meant to inhibit
productivity, but rather to
ensure a repeatable and
reliable method that protects
all aspects of our company.
Scope
This Acceptable Use Policy must be followed
by all Ceridian employees, temporaries,
contractors, vendors and any others authorized
by Ceridian to use Ceridian assets. The terms
“user” and “end user” are used for the rest of
the document to include all of these people.
The term “asset” refers to any Ceridian owned
or controlled computing device or collection
of devices, known as a system, and any
information that these systems or devices
support. Ceridian computing devices, systems
or assets are used interchangeably to mean the
same thing in this document.
Compliance and Acknowledgement
Each user is responsible for ensuring they
have read this document and understand their
responsibilities for access to Ceridian assets and
the Ceridian computing environment as well as
the consequences of non-compliance. Signed
acknowledgement is required upon hiring, and
annual acknowledgement of familiarity with this
policy is required. An employee or contractor’s
manager is responsible for ensuring employees
are aware of security requirements, and for
cooperating with company investigations and
any directions from the company regarding
correction of non-compliance.
Non-compliance is treated seriously and may
result in suspension of service to users when
deemed necessary. Depending on the severity
of the circumstances, disciplinary action, up
to and including termination of employment
or cancellation of vendor contracts may result.
Criminal or civil action against users may be
reviewed or referred to appropriate authorities.
Ceridian’s Right to Monitor
All electronic and communication systems, and all information sent, received, created on or contained upon
Ceridian assets, is the property of Ceridian and should not be considered in any way as belonging to the user.
Users should not have any expectations of privacy as Ceridian maintains the administrative authority to
permit access to all material transmitted or stored on its computer systems or using its computing assets,
including information that has been protected by a password.
All contents of Ceridian’s IT resources and communications systems are the property of the company.
Therefore, there should be no expectation of privacy when you use any of Ceridian provided equipment or
tools, including in any message, file, data, document, facsimile, telephone conversation, social media post or
conversation, or any other kind of information or communications transmitted to, received or printed from, or
stored or recorded on the company’s electronic information and communications systems.
All Ceridian users are bound by confidentiality and/or non-disclosure agreements. This restriction applies at all
times, in any and all medium whether during work time or not, and whether devices and assets are Ceridian
supplied or not. Unless expressly authorized to do so, users are not allowed to communicate or disclose any
information about Ceridian or Ceridian customers and prospects. Users are not even allowed to acknowledge
who our customers are without express permission to do so. If Ceridian becomes aware of any such
unauthorized disclosure, the user may be subject to compliance action wherever or whenever the infraction
occurred. All monitoring will be done with adherence to applicable legislative requirements.
The purpose of monitoring (internal or external) is to confirm compliance with policies, support investigations,
comply with any legal requirement (such as Court Orders, Subpoenas or Search Warrants) and assist with the
management of Ceridian assets.
Employee consent is deemed to be given on:
• Acknowledgement of receipt of these guidelines, or
• Acknowledgement of annual review of these guidelines, or
• Continued use of Ceridian information assets and systems, or
• Other methods as may be implemented by company management.
Acceptable Use Requirements
Ceridian information assets, such as but not limited to desktops,
laptops and Blackberrys, issued to employees are the property of
Ceridian and may be used only for its legitimate business purposes.
Users are permitted access to these assets to assist them in the
performance of their jobs. All users have the responsibility to use
Ceridian assets in a professional, ethical and lawful manner. Use of
Ceridian assets is considered a privilege that may be revoked at
any time.
Safe Work Environment
Ceridian strives to maintain a safe and productive
environment which is free from discrimination
and harassment. This also applies to the Ceridian
computing environment and all assets contained
within. Users are expected to refrain from
downloading, storing, sending and receiving
material that may be considered inappropriate
or offensive under Ceridian discrimination and
harassment policies and/or its Code of Conduct.
This includes, but is not limited to:
• Material that advocates or promotes
illegal activities.
• Material that contains sexually explicit images
or descriptions.
• Material that advocates or promotes intolerance
for others, such as anything that could be
construed as harassment or disparagement
based on race, color, religion, sex, ancestry,
disability, medical condition, sexual orientation,
or any other characteristic protected by law.
• Material that contains language that is
offensive, vulgar, obscene, threatening, violent
or defamatory.
Cam L.,
Ceridian Canada
Acceptable Use of Assets
Employees are expected to treat Ceridian assets in a professional
manner in order to reduce the risk of harm or damage to our
information assets, the data held within our systems, and our
reputation in the marketplace.
• Ceridian information must never reside outside a Ceridian
controlled and secured ‘space’. Approved personal
computers or approved personal mobile devices may only
contain Ceridian information within Ceridian created/
secured/controlled spaces. Ceridian business should not
be conducted on a personal mobile device, such as a
personal cell phone.
• Ceridian information must never reside on/in any other
product/service/site not provided for your use by Ceridian
(such as hotmail or gmail).
• Use professional, polite and appropriate language in all
communication both inside and outside the company.
• Only Ceridian issued assets can be connected to our
networks. Personal computers, network devices and other
peripheral devices such as personal printers or external
drives cannot be connected to our network. Vendors and
contractors with non-Ceridian issued computers must
utilize external guest lines to access Internet resources
whenever available.
• Personal USB devices (iPods, MP3s, mobile devices) may
only be connected in Charge only mode. Ceridian reserves
the right to erase/reformat without authorization or
warning any USB device connected to Ceridian networks
or computing devices.
• Only applications and software issued or approved by your
business unit’s central IT services group can be used or
installed on Ceridian assets.
• Do not use Ceridian assets (such as hardware, software and
internal tools) for any personal for profit activities or private
business activities, including commercial advertising.
• Gaming, on-line betting and gambling are not allowed on
Ceridian assets.
• Downloading music and videos onto Ceridian assets
is not allowed.
• Peer to peer programs, such as, but not
limited to, Limewire, BitTorrent and Kazaa,
are prohibited.
• Posting of Ceridian intellectual property
and confidential proprietary information in
any public forum such as, but not limited
to, online chats, messaging, blogs or any
other social networking site is prohibited.
Q&A
Q: My manager told me
I was in violation of the
Acceptable Use Policy
because I was listening to
satellite radio using my
web browser.
A: True. Listening to
satellite radio is an example
of monopolizing system
resources. Streaming audio
creates a heavy demand
on our network when
utilized by multiple people
simultaneously. This creates
a violation of the Acceptable
Use Policy even if the
streaming audio site is not
blocked by Internet proxy rules.
• Users may not deliberately monopolize resources, for
example by sending mass mailings (spam) or chain letters,
streaming audio or video files, spending excessive amounts
of time on the Internet, or otherwise creating unnecessary
loads of traffic on the network for non-business related
purposes.
• Reviewing the files or communications of others, also known
as snooping, is strictly prohibited.
• Attempting to breach any security measure or intercepting
communications without proper authorization is prohibited.
• Users must never intentionally represent themselves as
someone else, also known as masquerading.
• Desktop sharing programs such as, but not limited to,
PCAnywhere, GoToMyPC or LapLink are prohibited unless
they have been approved by the central IT services group.
If approved, the use of such programs is limited to the
purpose and function contained in the approval.
• Utilize approved VPN technology to access Ceridian’s
network from any other external network including
home offices.
• Intentionally developing programs designed to harass
other users or infiltrate a computer or computing system to
damage or alter the software composition is prohibited.
• Users must ensure appropriate permission is obtained when
copying software or information to be used at Ceridian.
• Ceridian assets cannot be used for fund raising or
public relation activities other than those specifically
related to Ceridian activities or otherwise approved by
Ceridian management.
• Discussions where a user feels they need to have a
disclaimer such as “this represents my personal opinion
and not that of my department or Ceridian” should
be avoided.
• All social media communications on behalf of Ceridian
must be accurate, not disclose any confidential
information and must not disparage the company,
its employees, customers, prospects, competitors,
vendors, partners, suppliers, or products.
Rebecca A.,
Comdata
Passwords and User IDs
Passwords, paired with unique user IDs, act as the foundation
for basic security controls. The use of generic, shared or
borrowed credentials (whether from a customer or another
employee) is not allowed.
Employees must use passwords to access Ceridian systems or
assets. This includes screensaver passwords that restrict the use
of the actual workstation. PDAs must have the Security Time Out
option enabled and set to not more than 10 minutes.
Always use a secure password that is a combination of numbers,
letters and special characters. A password must not contain any
part of your name or user id, must not be a dictionary word and
should not be easily guessable (such as Ceridian). The minimum
password length allowed at Ceridian is 7 characters, although
there are exceptions on certain legacy applications that allow
6 characters, and some business units have implemented an 8
character requirement to make the password stronger. Ceridian
passwords must be changed on a regular basis. The absolute
minimum is no less than once every 62 days, although most
business units have implemented forced password changes more
frequently.
If you feel your password has been compromised contact your
IT Service Desk immediately.
Do not use the same user ID and password combination that
you use at Ceridian on any external system, such as Internet sites
that require a user id and password. This practice could make
Ceridian’s information assets susceptible to unauthorized access
by unknown individuals who have successfully compromised
access controls used on Internet sites.
Q&A
Q: As a manager I am
allowed to request the
user ID and password of
my employee’s network
account only in instances
when the employee is
scheduled to leave the
company because this will
allow me to maintain the
business information on
the employee’s PC and any
business correspondence
in their email.
A: False. This scenario
represents use of a shared
ID and password. Performing
this type of activity can
create segregation of duty
conflicts and eliminates
any personal accountability
by the designated account
user. Whenever possible,
managers should work
with affected employees
to transition all business
related information prior to
an employee’s last day of
employment. In instances
of immediate terminations,
managers should contact
local service desk teams
to assist in coordinating
post-termination access to
information resources.
Email Security
• Never email sensitive or proprietary Ceridian information outside of the Ceridian
network without appropriate security, such as using email encryption. Sensitive
information includes any client-related information or personally identifiable
information such as a Social Security number (SSN) or a Social Insurance number (SIN).
Contact your local Information Protection department to identify approved methods
of secure email transmissions.
• Monopolizing corporate email systems for unauthorized mass email messages is
prohibited. Do not use your email account to broadcast mass email or spam.
• Automatic forwarding of email on Ceridian systems to an external destination is
not allowed.
• Personal email accounts (e.g. hotmail, gmail, yahoo, etc) may not be used for company
related business.
• Ceridian email may only be sent and received from Ceridian owned assets. Accessing
Ceridian email from personal devices is not allowed except through the use of approved
web access URLs.
• Email is a communications tool, and is not to be used for information storage/retention.
Information that is important enough to be stored should be exported/moved to file
shares or SharePoint sites provided by Ceridian for data storage and collaboration.
Personal Use of Ceridian Assets
Use of Ceridian owned assets, applications and networks
is intended to be for Ceridian business purposes. However,
the Company recognizes that there will be occasions when
employees may wish to access the Internet via Ceridian assets
or use Ceridian email for non-work related purposes, such as
internet banking, travel arrangements and weather forecasts.
Personal use of Ceridian assets is a privilege, not a right, and it
may be withdrawn at any time if it is abused.
Incidental personal use will be considered appropriate as long as:
• It is not contrary to any existing Ceridian policies or the
Code of Conduct.
• It does not interfere with Ceridian business.
• It does not interfere with productivity.
• It complies with all existing laws and regulations (please
remember that internet use in other countries must comply
with laws in that jurisdiction).
• It would be considered ethical and in good taste by any
reasonable person.
• It meets all other requirements of this policy.
Q&A
Q: My coworker noticed me
buying airline tickets for my
trip home over the holidays.
I was told I was in violation of
the Acceptable Use Policy.
A: False. While Ceridian
owned systems should be
used mainly for business
purposes, the company
does recognize limited
occasions when employees
may access the Internet
using Ceridian assets for
non-work related purposes.
The key to this policy is to
be mindful of the time used
for personal business and to
use discretion so that you
are not visiting sites of a
questionable nature.
Myline C.,
Ceridian Mauritius
Clean Desk Policy
Ceridian has a clean (clear) desk policy, which portrays a professional image to any visitors we may have and,
more importantly, reduces the risk of security breaches, both accidental and deliberate.
• During working hours necessary paperwork may be kept on your desk but confidential papers
should be secured. If you leave your desk for any length of time, confidential or sensitive papers
(or any other media) should be removed from your desk and locked away where possible.
• Secure your laptop to your desk or workstation using the locking mechanism supplied by Ceridian
where applicable.
• Activate a password protected keyboard / screen lock when you are away from your desk.
• Log off from your computer at the end of each day (it is also recommended that you turn off your
monitor at the end of the day to reduce electricity consumption as well as to secure your system).
• Ensure confidential and sensitive information that has been printed on hard copy is disposed of
using confidential shredding bins or locked recycling bins when it is no longer required.
• Remove sensitive or confidential information from printers immediately after it is printed. Where
available, use “secure print” features on printers that require a PIN code to release a print job from the
print queue at the shared printer’s location.
• Always clear your desktop before you go home and put away all work into a drawer, filing cabinet or
cupboard where possible. Sensitive or confidential paper should be in a locked drawer, locked filing
cabinet or locked cupboard where possible.
• Wipe boards clean in conference rooms after the conclusion of meetings. Remove any sensitive or
confidential paper.
Portable Asset Protection
The possibility of theft and accidental loss of portable assets
presents an increased risk to Ceridian assets and the information
contained upon them. Users are expected to help reduce the
possibility of theft and loss, and must ensure these assets are
appropriately protected within Ceridian offices, working at
external sites, and during travel.
Portable assets include desktop computers, laptop / portable
computers, personal digital assistants (PDAs), such as
Blackberry devices, and any other device capable of storing or
communicating information, such as CDs, USB Memory Storage
Devices or removable CD drives.
All laptops at Ceridian are issued with full disk encryption. You
are not allowed to remove this from your laptop. The use of
other mobile devices, such as USB keys and thumb drives is not
encouraged because these devices are especially susceptible to
loss and theft. If you must use a portable device that contains
any sensitive information, for example customer information, you
must use encryption to protect this data.
Portable assets must:
• Be password protected.
• Be secure at all times and not visible to the public during
non-business hours.
• Never be left in vehicles overnight.
• Be secure in the trunks / boots or rear security covers
of vehicles.
• Be secured “out of plain sight” in hotel rooms. Make use of
hotel safes if available.
• Never be left unattended in public places such as hotel lobbies,
airports, or restaurants.
• Never be checked in transportation luggage / baggage
systems.
• Not contain confidential or sensitive information without an
extra layer of security, such as encryption. If it is necessary to
copy sensitive information to a mobile device for
a short period of time (for example for a client
visit) this information should be deleted as
soon as it is no longer required.
Q&A
Q: It’s okay to leave my laptop
in the cabin of my car when I
have a quick errand to do like
grocery shopping or to buy a
cup of coffee because it is in a
computer bag which makes
it “out of plain sight”.
A: False. Thieves target
vehicles that have an exposed
incentive like a wallet, purse,
or any sort of bags, especially
laptop carrying cases. Laptop
cases are being designed to
be trendier and look more
like messenger bags or even
backpacks and duffle bags.
Regardless of a bag’s
design, it will not fool a
would-be criminal because
they know that the contents
may contain valuable
items like cash, credit cards
and portable computing
equipment. Be sure to place
your bag in the trunk/boot
of your vehicle ahead of time
and not while in the parking
lot of your final destination
so that an observing thief
does not take notice.
Facility Protection
All employees are issued an ID badge, and are expected to display their badge while on Ceridian
premises. Never lend out your badge to other people.
All guests to Ceridian must sign in at the central building entrance. Anyone requesting access to your
building or office space should be directed to the sign in desk — never allow an individual into secure
areas of your building. All Ceridian guests that are allowed into a secure area of the building must be
escorted by a Ceridian employee at all times.
Protection of Confidential Information
All information relating to customers and their employees, clients and consumers must be
treated with the strictest confidence. Ceridian is a custodian of customer/client data collected as
part of providing our services — Ceridian is not the data owner. Information that is obtained from
customers or consumers, or from third parties on behalf of our customers, must adhere to the
following guidelines:
• The information we collect is to be used only for its original intended purpose at the time it
was collected.
• We will not use real customer data, or production data, for testing unless an exception has
been granted by the local information protection department, and a documented approval
has been obtained by the data owner (e.g. Ceridian customers and clients).
• We only collect information from our customers that we require to fulfill our contractual
obligations.
• We do not share any information with any third party other than third parties that are used to
fulfill our service obligations to our customers (or as required by law).
• Personal information is protected by security safeguards appropriate to the sensitivity of
the information.
Privacy Legislation
The collection, storage, use, disclosure of, and the transfer of personal information
is subject to specific privacy legislation and restrictions in certain jurisdictions,
such as Data Protection / Privacy Acts in Canada (PIPEDA) and European countries
(for example the Data Protection Act in the UK). This includes both personal
information as well as information collected about other individuals as part of
normal business responsibilities. If you have questions regarding the protection
of personal information, particularly around the transfer of personal
information outside of your country, you should seek advice from
your supervisor, your local Information Protection department or
your legal department. Additional details are available in business
unit specific privacy policies.
Other Requirements
Conference Calls and Web Meetings
• When chairing a Ceridian conference call or Web meeting, confirm that all
participants are authorized to participate.
• When sending an invitation to a Ceridian teleconference call, do not reveal
the moderator code to all participants.
• When receiving an invitation to a Ceridian teleconference call, particularly
calls of a confidential nature, ensure that the participant pass code is not
revealed to unauthorized people.
• Permanent moderator codes are the responsibility of the owner. The owner of
the code will be responsible for all use credited to that code.
Backup of Data Stored Locally
Information that is stored on the local drive of any workstation is not necessarily
backed up. To ensure that data is available when you need it, store important
files on a network drive that is being backed up by your local IT Services group.
(Note: some laptops and workstations are backed up in the US Payroll business
unit. Check with your local IT support group to determine if you have this
software running).
As described in the Portable Asset Protection and Protection of Confidential
Information sections, confidential or restricted information should never be stored
locally except as noted for short term requirements and only if encrypted.
Classification of Data
All information generated and maintained within Ceridian is
classified into a category ranging from Restricted to Public Use.
Classifications are based on risk of the information and special
security requirements and have been documented for each
class. Please see your local business unit’s Asset Management
Policy, Data Classification Standard or Data and Records
Retention Policy for further information.
Christy R.,
SVS
Remote Desktop Tools
Remote desktop software, also known as remote access
tools, provides a way for computer users and support
staff to share screens, diagnose issues or demonstrate
procedures on another computer. While these tools can
save significant time and money by eliminating travel
and enabling collaboration, they also provide a back
door into the Ceridian network that can be used for theft
of, unauthorized access to, or destruction of assets. As a
result, only approved, monitored, and properly controlled
remote access tools may be used.
• Users may only accept remote support from
authorized support groups. At this time only internal
technology support groups (such as internal service
desks) are authorized to support Ceridian users in
such a manner. Users may not accept such support
from any external agent or group, where external
means any group outside of Ceridian.
• All remote support actions must be monitored by the
equipment user/owner.
• Remote PC Support services may only be provided to
a customer with the customer’s explicit permission
and the remote session will be terminated
permanently once the support issue is resolved to
the customer’s satisfaction. Support personnel must
exercise the utmost discretion and professionalism.
• Only the specifically authorized actions and support
can be provided. Snooping, general browsing for
unrelated issues or any navigation other than the
minimum required to solve the specific issue being
supported is strictly prohibited.
Data and Records Retention
All information generated and maintained within Ceridian must have a specific
retention period. Ceridian retention periods comply with all legal, regulatory and
contractual requirements. Ceridian will promptly dispose of data and records
that have outlived operational usefulness, unless retention is required by law,
regulation, or rule.
As soon as retention periods are exceeded, reasonable efforts must be made to
ensure data and records are destroyed using approved disposal methods (please
check your local information security policy for data and document destruction
requirements). Archive or contingency storage may only be maintained for periods
required by network backup and operational contingency as defined by service
continuity requirements. It is your responsibility to ensure that any data under your
control complies with data and record retention requirements.
Need to Know Basis
All information within Ceridian must be treated with the “need to know” principle.
Basically this means that information must only be shared with those that need to
know it in order to fulfill their job obligations. All users are responsible for ensuring
that information within their control is only shared with other Ceridian users that
have a valid requirement to have the information or data.
Telephones / Cellular Phones / FAX
Users are cautioned that cell phones are less secure than land lines and should
therefore take appropriate action when discussing highly confidential information.
Also, ensure that confidential conversations cannot be overheard and be cautious
of telephone conversations held outside of Ceridian premises. Keep in mind that
voicemail systems are not always “private” so discretion should be used when
leaving voice messages.
When sending confidential documents via FAX, verify you have the correct phone
number of the destination. If you are receiving confidential information by FAX,
request advance notification by the sender so that you may retrieve documents
from FAX machines as they are printed. Where possible, utilize FAX technology
that routes documents directly to your company email account or other secure fax
imaging system.
Reporting Security and Privacy Incidents
Users are our first line of detection for security incidents. Early
detection and reporting will permit appropriate countermeasures
to be implemented. All security related incidents must be
reported immediately to your IT Service Desk using the normal
contact process within your business unit or the email contact
information in the Questions and Comments section of this
policy. The IT Service Desk will contact the appropriate incident
response team immediately before conducting any investigation.
In the event of a breach of security, all events and actions will be
documented and handled internally by the appropriate Security
Incident Response Teams. Under no circumstances are users
to discuss security incidents with other Ceridian employees,
customers, the media or law enforcement without Ceridian senior
management approval. Only authorized individuals may speak to
the press, law enforcement, or other external sources.
Any user who is aware of a violation of any Ceridian security
policy is obligated to report the violation, either to your help
desk, your manager, your information protection team, your legal
department, the Ethics Hotline, or Ethicspoint.com.
Q&A
Q: I lost my travel bag
containing some customer
information, but my computer
is still with me. Therefore,
I don’t have to report this
as a security incident
because the loss did not
affect an IT resource.
A: False. Physical
documentation is considered
an information asset. If you
suspect the theft or loss of
any information asset,
especially those containing
sensitive information, you
must report this incident to the
IT Service Desk and/or local
Information Protection team.
Questions and Comments
Questions and comments regarding this policy can be sent to your
local Information Protection team using the contact information
below.
• US & Mauritius (including Dayforce): infosec@ceridian.com
• Canada (including Dayforce): corporate_governance@ceridian.ca
• Comdata and Stored Value Systems: infosec@comdata.com
• UK & Ireland: infosecuk@ceridian.com
About Ceridian
Ceridian is a global product and services company delivering trusted results and transformative
Human Capital Management technology. We help organizations save time and money, increase
employee engagement and productivity. Our offering includes payroll, benefits, tax services, human
resources including Dayforce Human Capital Management, Employee Assistance Programs and
compliance. As the driving force in payment innovations, we are the leader in payroll outsourcing,
gift cards and corporate expense management. Our award-winning products and services deliver
trusted results to more than 140,000 customers in 52 countries. For more information about Ceridian
visit www.ceridian.com or call 800-729-7655.
This document contains information that is proprietary and trade secret to Ceridian Corporation and
is intended solely for the use of our customers and prospects in evaluating Ceridian solutions.
This document is not to be duplicated or distributed in printed or electronic format without the prior
written consent of Ceridian Corporation.
Ceridian
3311 East Old Shakopee Road
Minneapolis, Minnesota 55425
800-729-7655
www.ceridian.com
Stored Value Solutions
©2012 Ceridian Corporation. All rights reserved.
Printed in USA
E08406-002 10/12 LR