GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY

Transcription

GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
GENERAL ELECTRIC CAPITAL CORPORATION (GECC)
Acceptable Use of Company Information Sources Policy
(Short Name: AUP)
Issued by: GECC Information Technology and Legal
Issue Date: November 17, 2011
Effective Date: U.S. – November 17, 2011
Rest of World –by March 15, 2012
Approved on: October 14, 2011
By: GECC Chief Information Officer and General Counsel
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 1 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Acceptable Use of Company
Information Sources Policy (V 2.0)
Original Issue Date:
May 1, 2009
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
Contents
1.
Scope .............................................................................................................................................. 4
1.1 Applicability ............................................................................................................................................................................... 4
1.2 Effective date ............................................................................................................................................................................ 4
2. Definitions ...................................................................................................................................... 5
3. Company Information Resources Ownership ............................................................................... 6
4. Protection and Acceptable Use of Company Data ....................................................................... 7
4.1 Access to Company Data ................................................................................................................................................... 7
4.2 Control .......................................................................................................................................................................................... 7
4.3 Confidentiality of Company Data................................................................................................................................... 7
4.4 Sharing of Company Data with Third Parties .......................................................................................................... 7
4.5 Data Transmissions ............................................................................................................................................................... 8
4.6 Document Retention ............................................................................................................................................................. 8
4.7 Data Classification ................................................................................................................................................................. 8
4.8 Data Privacy .............................................................................................................................................................................. 8
4.9 Use of Personal Devices for Company Data ............................................................................................................ 9
4.10 Inappropriate Access Prohibited .................................................................................................................................... 9
4.11 Return of Company Data ................................................................................................................................................... 9
4.12 Disposal of Company Data ................................................................................................................................................ 9
4.13 Other Requirements Governing Company Data .................................................................................................... 9
5. Protection and Acceptable Use of Company Equipment ........................................................... 10
5.1 Use of Company Equipment ...........................................................................................................................................10
5.2 Control ........................................................................................................................................................................................10
5.3 Company Software on Company Equipment ........................................................................................................10
5.4 Reasonable Non-business Use .....................................................................................................................................10
5.5 Identity Management and Passwords ......................................................................................................................11
5.6 Protection of Company Equipment and Company Data .................................................................................11
5.7 Backup of Company Data ................................................................................................................................................11
5.8 Inappropriate Use Prohibited .........................................................................................................................................11
5.9 Return of Company Equipment ....................................................................................................................................11
5.10 Compliance with Other Rules .........................................................................................................................................11
6. Acceptable Use of Online Services .............................................................................................. 12
6.1 Use of Online Services ........................................................................................................................................................12
6.2 Use of Third Party Online Services for Company Business .............................................................................12
6.3 Reasonable Non-business Use .....................................................................................................................................12
6.4 Protecting the Company’s Online Services .............................................................................................................12
6.5 Company Email......................................................................................................................................................................12
6.6 Identity Management and Passwords - Protecting Security of Online Services.................................13
6.7 Inappropriate Use Prohibited .........................................................................................................................................13
6.8 Public Comment on Behalf of Company or GE is Restricted .........................................................................14
6.9 Social Media ............................................................................................................................................................................14
6.10 Use of New Technologies and Services ....................................................................................................................14
7. Monitoring of Users ..................................................................................................................... 15
8. Reporting of Violations and Incidents ......................................................................................... 16
9. Suppliers, Contractors and other Third Parties .......................................................................... 17
10. Questions about this Policy ......................................................................................................... 17
11. Document Change History .......................................................................................................... 17
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 2 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Acceptable Use of Company
Information Sources Policy (V 2.0)
Original Issue Date:
May 1, 2009
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
Appendix A – Social Media Guideline
Appendix B – Links to Other Policies Mentioned in this Policy
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 3 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
1. Scope
1.1 Applicability
This Policy applies to GE Capital (the ―Company‖) employees globally, and all others who
have been authorized to use Company Information Resources or have access to Company
Data, including, but not limited to, contractors, temporary or contingent workers, agency
workers, employees of suppliers and vendors or employees of joint ventures (collectively
referred to as "Users"), all subject to the extent of their access. This applies to the use of
Company Information Resources in the workplace, at home, or at any other location.
This Policy is issued pursuant to General Electric Company’s (―GE‖) The Spirit & The Letter
Privacy and Protection of GE Information policies, and is a substitute to the GE Acceptable
Use of GE Information Resources (AUGIR). This Policy applies in addition to other applicable
policies of the Company and GE, but where such other policies conflict with this one, this
Policy shall prevail for the subject matter covered herein. Use of Company Information
Resources constitutes acceptance of this Policy and its requirements. The Company
reserves the right to change this Policy at any time.
This Policy sets a baseline of rules for all of the Company’s Users. However individual
business units of the Company may impose additional requirements where necessitated by
local law or regulation, or to comply with local business unit policies or requirements.
Where a business unit would like to impose requirements that do not meet the
requirements under this Policy, it shall contact the Policy Owners to seek an exception in
accordance with the process for policy exceptions.
Non-compliance with this Policy can result in disciplinary action, up to and including
termination of employment or assignment, in accordance with local law. Users who have
knowledge of a violation of this Policy and fail to report it to appropriate management will
be considered non-compliant with this Policy, in accordance with the requirements set
forth in Section 8 below, subject to local law and any legal restrictions on such reporting.
1.2 Effective date
This Policy has been issued on November 17, 2011. It is effective from the date of issue in
the U.S. and by March 15, 2012 in the rest of the world – business units shall communicate
the Policy to its employees once approved locally for rollout. Delays beyond March 15,
2012 shall require the filing of an exception request.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 4 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
2. Definitions
Company Information Resources – includes Company Data, Company Equipment,
Software and Online Services as well as Personal Devices, as defined below.
Company Data – any electronic information that is owned, used or stored by the Company
or GE, or that is otherwise collected and/or processed by a User in the ordinary course of
business. This includes information about, relating to, or from the Company’s or GE’s
customers and suppliers or potential customers and suppliers, which resides on or is
accessed from Company Equipment or Online Services, or from Personal Devices, as
defined below. Company Data does not include private data stored on a Personal Device.
Company Equipment – this consists of the following components:
a. Hardware – desktops, servers, peripherals and any other device that connects to the
Company network/infrastructure such as printers, copiers, video conferencing systems,
CCTV, and wireless network equipment, that is purchased, provided, paid for or
otherwise approved by the Company or GE for business use by Users, or otherwise
used in connection with Company Data.
b. Portable Devices – any type of electronic device that is meant to be carried rather than
kept stationary, such as laptops, Blackberries, iPhones and other cell phones, iPads and
other tablet computers, and Removable Data Storage Media, that is purchased,
provided or approved by the Company or GE for business use by a User, or any other
such device that is used in connection with Company Data.
c. Telecommunications Equipment – Company telephone services (including voicemail),
facsimile machines and related telecommunications hardware purchased, provided or
approved by the Company or GE for business use by Users, or otherwise used in
connection with Company Data.
d. Removable Data Storage Media – Disks, Tapes, DVDs, CDs, USB Thumb Drives,
external hard drives and other data storage devices purchased, provided or approved
by the Company or GE for business use by Users, or otherwise used in connection with
Company Data.
Online Services – the Internet, intranets of GE or the Company, email, and other online
data services or collaboration tools such as SupportCentral, WebEx, GE Folders and GE
Libraries, and instant messaging solutions that are provided, purchased or approved by the
Company or GE for business use by Users, or otherwise used in connection with Company
Data.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 5 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
Personal Device – any type of Hardware, Portable Device, Telecommunications Equipment,
Removable Data Storage Media or Online Service that is purchased or supplied by a User without reimbursement by the Company - and is used for business purposes (even if also
used for personal purposes) or is used in connection with Company Data (even if it also
stores private data). Any Personal Device that is not used for business purposes AND is not
used in conjunction with Company Data is out of scope of this Policy and is an Exempt
Personal Device.
Social Media – Internet-based tools and services that allow subscribers to network and
communicate with each other as well as share data, photos, files, and other User
generated content, or to provide updates about themselves, as well as other sites that
allow users to read and share their views, or virtual worlds, to name some of the more
common social media segments. Some popular social media services include, but are not
limited to, Facebook, LinkedIn, Twitter, and YouTube as well as blogs, vlogs, and content
sharing sites.
Software – any application installed by the Company on Company Equipment, including
but not limited to the Coreload Operating System and other software installed by the
Company on a User’s PC, networked applications such as Oracle GL, or any other
application, including online applications such as SalesForce.com or Intralinks, that is
licensed and provided by the Company or GE, or otherwise approved by the Company or
GE for business use by Users, or in connection with Company Data.
3. Company Information Resources Ownership
The Company and/or GE is the owner of all Company Information Resources other than
Exempt Personal Devices. Subject to local laws and regulations, Users shall have no
expectation of privacy in their use of Company Information Resources, including Personal
Devices, and may be subject to monitoring, as described in this Policy.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 6 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
4. Protection and Acceptable Use of Company Data
4.1 Access to Company Data
Access to Company Data is provided to Users for legitimate business purposes only and in
accordance with applicable policies, guidelines and instructions of the Company. Company
Data is intended for business use only. Users may only seek access to Company Data that
is necessary to perform their current job responsibilities and requests for access to
Company Data to which they do not ordinarily have access shall follow any existing
processes and controls of the Company, in accordance with local laws and regulations.
4.2 Control
It is each User’s responsibility to properly manage, maintain, and guard the security of the
Company Data to which he/she has access or control as specified in the GE Capital
Information Security Policy and any other applicable policy or guidance issued by the
Company or GE, or any separate agreement signed between the User and the Company.
4.3 Confidentiality of Company Data
Users should be aware that Company Data and/or the processes used to transmit, store or
access Company Data, may be proprietary, confidential, or business-sensitive to the
Company, its clients, customers, partners, suppliers or others. Company Data may be
subject to contractual limitations on its use, or may be the subject of intellectual property
rights such as patents or copyrights.
Therefore, Users need to safeguard all Company Data that they possess or have access to
from unauthorized or accidental disclosure, use, modification, copying, publication,
damage, loss or destruction, consistent with policies and procedures of the Company, as
well as local legal requirements. This includes exercising care in handling of Portable
Devices, and in discussing business matters over cellular phones, cordless phones,
speakerphones, or in public areas so as not to compromise GE Confidential or GE Restricted
data. Users should also be aware that emails and voicemails may easily be copied or
forwarded to others and therefore Users should not send any email or voicemail that they
wouldn’t feel comfortable seeing reproduced in public. As a reminder, all Company Data,
whether in paper or electronic format (this may include email and Webex chats) may be
subject to discovery in litigation, subject to local laws and regulations.
When sending GE Confidential or GE Restricted data outside of the Company, Users shall
follow the Data Transmissions rules in Section 4.5 below.
4.4 Sharing of Company Data with Third Parties
Users are not allowed to release Company Data to third parties without a business
justification and without the proper controls as specified below. Users should be cautious
when transmitting, sending or forwarding email messages and attachments, documents
and files, voice mail messages, instant messaging texts (i.e., chat or SMS) or other
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 7 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
information to other Users (even if they are co-workers), as they may not have a valid need
to know the contents of such data. Users shall not forward GE Confidential or GE Restricted
data outside the Company without permission from the original sender or author of the
data, or their manager, unless they are acting in the ordinary course of business as part of
their Company role. When sending such information, Users shall follow the Data
Transmissions rules in Section 4.5 below.
Engagements with suppliers, contractors, and other third parties shall be handled
consistent with the GE Capital Sourcing Policy and GE Capital Material Activities
Outsourcing Policy to ensure the IT and Information Security teams are properly consulted
on necessary precautions before transferring Company Data to a third party and adequate
contractual provisions are in place
4.5 Data Transmissions
In light of the inherent risk that data sent over the Internet (including email) may be
intercepted or altered during transmission or in storage, and the risk that unauthorized
third parties may seek to use the data for financial gain, it is crucial that all data
transmissions be done securely. When sending GE Confidential or GE Restricted data
outside the Company, Users need to employ the most current security technology
recommended by the Company and available to them, such as password protection,
encryption, digital certificates and digital signatures, all as specified in the GE Capital
Information Security Policy.
4.6 Document Retention
All Company Data is subject to the Company’s Records Management policy, procedures,
retention schedules and the GE Capital data classification requirements in Section 4.7
below. Users shall be familiar with the rules that apply to them and adhere to those rules
from the reception or creation and storage of Company Data, through final disposition.
4.7 Data Classification
All Company Data should be defined, stored and handled in accordance with Appendix A of
the GE Capital Information Security Policy, which outlines the appropriate treatment for
various types of information (such as GE Restricted, GE Confidential, GE Confidential with
Sensitive PII, etc).
4.8 Data Privacy
Use of Company Information Resources and handling of Company Data is subject to the
Company’s and/or specific business unit data privacy policies and guidelines, and local
legal requirements. Users should be familiar with and follow any such rules that apply to
Company Data they handle in the ordinary course of business. In particular, Users should
follow the Spirit & Letter Privacy Policy and the Employment Data Protection Standards.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 8 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
4.9 Use of Personal Devices for Company Data
Personal Devices may not be used for any business purpose or to store Company Data
without approval of the User’s manager and in accordance with policies and rules of the
Company for the use of Personal Devices. If approval is given, all such devices become
subject to this Policy as applicable. Users may also be required to sign an agreement
imposing supplemental requirements and terms of use as a condition to the use of
Personal Devices. By way of example, if you use a home PC or laptop to access Remote
Office, if you get approval to use a personal iPad or other tablet computer in the office, or if
you get approval to purchase a thumb drive to port Company Data from work to your
home PC or laptop, such devices all become subject to the relevant portions of this Policy
and may be subject to search, monitoring or document disclosure and production
obligations, subject to local law. Users may also be required to install certain software on
their Personal Device and to deploy other controls such as use of a password on the device.
Failure to comply with all such requirements violates this Policy. Users may not use or
install Software on any Personal Device if advised by the Company that such Software is on
the list of unapproved Software. This section does not apply to Exempt Personal Devices.
4.10 Inappropriate Access Prohibited
Users are prohibited from accessing the data of another User or accessing Company Data
to which they have not been granted access, unless such access is: (1) with the other
User's or owner of the Company Data’s express consent; or (2) required as part of the User's
job responsibilities and the User has gone through the appropriate approval process to
gain such access, as further described in Section 7 below.
4.11 Return of Company Data
Company Data shall be returned to the Company immediately upon termination of
employment or status as an authorized User, as further detailed in Section 5.9 below.
4.12 Disposal of Company Data
Company Data should be disposed of in accordance with the Company’s Records Retention
rules, any data disposal guidance issued by the Company, any applicable business unit
policies and rules, and local laws and regulations. When in doubt, apply the most secure
manner of disposal taking into account the highest potential data classification for the
Company Data being disposed.
4.13 Other Requirements Governing Company Data
Users should become familiar with and ensure they are complying with all applicable laws,
regulations and GE policies that apply to the Company Data they are handling, as well as
any contractual obligations that may apply.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 9 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
5. Protection and Acceptable Use of Company Equipment
5.1 Use of Company Equipment
Company Equipment is provided to Users for legitimate business purposes only and in
accordance with applicable policies, guidelines and instructions of the Company. Users
outside of IT may not modify Company Equipment configurations without proper approval
from the IT team.
5.2 Control
It is each User’s responsibility to properly manage, maintain, and safeguard all Company
Equipment to which he/she has access or control.
5.3 Company Software on Company Equipment
Company Equipment may come with standard pre-installed Software. Users may not
disable or uninstall such Software. The Company may also routinely install additional
Software on Company Equipment and any attempt to permanently prevent such Software
installations is prohibited. Only Software that was reviewed and approved by the Company
may be loaded onto Company Equipment. The Company reserves the right to monitor
Company Equipment and remove unapproved software including, but not limited to,
freeware, open source software, peer-to-peer file sharing programs, remote control
software, voice chat, hacking tools, anonymizers, instant messaging tools or any Software
determined or suspected of being malware.
5.4 Reasonable Non-business Use
Reasonable or occasional non-business use of Company Equipment is permitted provided
it does not conflict with business objectives, policies and guidelines of the Company and
provided it is not an abuse of the Company’s time or resources.
User Personal Files: Users may keep a reasonable amount of personal files and data on
Company Equipment (in particular a laptop or desktop or server space allocated for data
backup). All such files shall be clearly marked as personal. Users may not store large
repositories of photographs or audiovisual materials such as music (mp3 files) or movies.
The Company reserves the right to periodically sweep Company Equipment for improper
storage of personal files and delete any files deemed to exceed this Policy with no notice to
Users, and the use of Company Equipment for storing personal files constitutes consent to
such action by the Company. Users are encouraged to minimize any such storage and to
have another backup for their personal files. It is also each User’s responsibility to ensure
that their personal files stored on Company Equipment do not contain any illegal,
inappropriate or offensive materials. Any such material found on Company Equipment
may result in disciplinary action even if contained in a folder marked ―personal‖, all subject
to local laws and regulations.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 10 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
5.5 Identity Management and Passwords
Accounts, IDs, and passwords are issued to individuals and are personal to that User and
may not be shared with anyone. Passwords must be kept strictly confidential. Password
selection requirements are specified in the GE Capital Information Security Policy. Users
shall be responsible for all actions taken in their accounts, under their ID or with their
passwords unless they have promptly reported the loss, theft or compromise of their
account and/or password to the Company.
5.6 Protection of Company Equipment and Company Data
Users shall protect Company Equipment and Company Data residing on it by following the
GE Capital Information Security Policy as well as any other guidelines or rules of the
Company, their business unit, or applicable local laws and regulations. Users may not
tamper with or remove any security protections or settings on Company Equipment
without the approval of the IT team.
5.7 Backup of Company Data
Users are responsible for ensuring that all Company Data on Company Equipment in their
possession and control is properly backed-up by approved methods and to approved
storage locations. If in doubt as to the proper backup methods, contact your Help Desk.
5.8 Inappropriate Use Prohibited
Users shall not use Company Equipment to perform an act that is illegal, abusive, or
otherwise inconsistent with or in violation of this Policy, GE’s Spirit and Letter Policy or any
other policy of the Company or GE (e.g., conducting outside business ventures - even if
declared on a conflicts of interest statement, or excessive personal use of Company
Equipment).
5.9 Return of Company Equipment
At the end of life, or end of use by a User (e.g., upon resignation, termination of employment
or assignment or any end of status as an authorized User), all Company Equipment needs
to be returned to the Company. Where the Company Equipment needs to be sent offsite
for disposal, storage or other use, the appropriate procedures need to be followed to
ensure Company Data is kept secure while in transit and where applicable, the Company
Data should be destroyed in accordance with guidelines issued by the Information Security
Team and the EHS team.
Managers are responsible for ensuring that all Company Equipment is returned to the
Company prior to a User’s departure from the Company.
5.10
Compliance with Other Rules
Users shall adhere to all other applicable asset management and physical security rules,
guidelines and procedures communicated to them with respect to Company Equipment.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 11 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
6. Acceptable Use of Online Services
6.1 Use of Online Services
Online Services are provided to approved Users for legitimate business purposes only and
in accordance with applicable policies, guidelines and instructions of the Company. Not all
Users will have access to all Online Services and the Company reserves the right to limit or
revoke such access. Users may not circumvent access controls imposed by the Company
whether done via Company Equipment or via Company Software (e.g., proxy and security
settings in Web browsers).
6.2 Use of Third Party Online Services for Company Business
Users may not use Online Services offered by third parties (e.g. online email or calendar
services offered by companies like Google, Yahoo, or Facebook) to conduct Company
business unless such tools are offered to Users by the Company or are expressly approved
by the Company for business use.
6.3 Reasonable Non-business Use
Reasonable or occasional non-business use of Online Services is permitted provided it does
not conflict with business objectives, policies and guidelines of the Company, and provided
it is not an abuse of the Company’s time or resources. Users may not use Online Services
to run a personal business, even if such a personal business is declared in a conflicts of
interest statement.
6.4 Protecting the Company’s Online Services
The Company will employ appropriate controls, through a combination of processes and
technologies, to protect its Information Resources from misuse, data theft and other harm
to the Company, its Users and Company Data. Elements of this protection may include, for
example, restricting User access to the Internet or certain sites or categories of sites, or
placing controls on the transfer of Company Data, as well as deploying certain monitoring
and logging capabilities. Users may not circumvent these controls.
6.5 Company Email
The Company email is an asset of the Company and as such it may only be used to
conduct Company business (subject to Section 6.3 above). Users may not use the
Company email address (i.e., FirstName.LastName@ge.com) to subscribe to external
services (e.g., Facebook, LinkedIn, Twitter) unless such use is allowed under the GE Capital
Social Media Guideline in Appendix A of this Policy. Users also may not use the Company
email to promote their own personal services or business activities to co-workers (offering
any products or services) other than incidental uses. For example, offering tickets to a
show or a game to a select group of employees is allowed; having a side business of selling
tickets to shows or games and regularly emailing employees with offers is not allowed.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 12 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
6.6 Identity Management and Passwords - Protecting Security of Online Services
See Section 5.5 above.
6.7 Inappropriate Use Prohibited
Users may not use Online Services to access, send, forward, download, import, create or
display material that is inappropriate, offensive or otherwise in violation of any applicable
law or regulation, or of any policies, procedures, guidelines or instructions of the Company
– including but not limited to those uses described below.
Examples of Inappropriate Use: The following are examples of unauthorized and/or
inappropriate uses of Online Services which, subject to local law, can subject a User to
discipline, up to and including termination of employment or work assignment:
- Using an Online Service to access data of another User or of a third party outside of the
Company or GE, unless done in compliance with Section 7 below.
- Streaming movies, music, radio, and other multimedia content from the Internet
(excluding content transmitted or broadcasted by the Company or GE) unless done for
approved business uses or when connected to a non-GE network. Content played
directly from the hard drive of a laptop or computer is not covered by this rule.
- Sending out communications to multiple clients, customers or suppliers and listing
them in the ―to‖ or ―cc‖ lines rather than ―bcc,‖ thereby exposing their email and
relationship with the Company, unless done with their consent or other appropriate
authorization.
- Accessing, downloading, printing, creating, displaying, transmitting, sending,
forwarding or otherwise conveying unprofessional, inappropriate, offensive,
intimidating or harassing material or communications internally or externally, including
materials that are inconsistent with the Fair Employment Practices Policy contained in
the Spirit and Letter Policy (e.g., information that may be considered pornographic,
offensive or defamatory or may constitute harassment or create a hostile working
environment on the grounds of age, sex, race, disability or other protected class).
- Copying or downloading Software in a manner that is inconsistent with or in violation of
any applicable law or regulation, or any relevant licensing agreement or contract.
Users are referred to the GE Software Use Guidelines.
- Downloading or uploading any copyrightable material or anything else that is deemed
proprietary or subject to a license fee without paying the license fee, including music,
images, videos or subscription material. Any such conduct may expose both the User
and the Company to civil and criminal liability. Possession of copyright-infringing
materials on Company Information Resources is also prohibited.
- Sending "chain letters‖, solicitations, spam or other mass mailings (whether done by
text, voice, fax or email) without a legitimate and approved business purpose.
- Sending, forwarding, downloading, uploading or disclosing any nonpublic information
about GE, the Company, or the Company’s customers or suppliers, or personal data of
employees, or any other information that is marked as GE Confidential or GE Restricted
or is otherwise of a sensitive nature, unless done with proper justification.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 13 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
-
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
Excessive personal use that impacts Company Information Resources or a User’s ability
to perform their job.
Use that – if made public – could expose the Company to reputational harm.
Using Online Services to perform any act that is inconsistent with or in violation of this
Policy, GE’s Spirit and Letter Policy or any other policy of the Company or GE.
6.8 Public Comment on Behalf of Company or GE is Restricted
Users should remember that use of Online Services or Company Equipment may identify
them as employees and/or representatives of GE or the Company and as such their
comments on Online Services may appear to represent the positions and views of the
Company or GE. Users shall therefore ensure that all communications using Online
Services are professional and business-related. When Online Services are used for
reasonable personal use, Users need to clearly indicate that the opinions expressed are
their own and not necessarily those of GE and/or the Company.
6.9 Social Media
Users may have access to some Social Media at work. Any such access is subject to the
Company’s discretion and access may be restricted or revoked at any time based on a
User’s role or conduct. The use of Social Media by Users for their own personal benefit is
subject to Sections 6.7 and 6.8 above as well as the GE Capital Social Media Guideline in
Appendix A to this Policy. Users shall be familiar with the relevant rules for use of Social
Media and follow them. Users should be aware that many of the Social Media rules apply
to them even if they are not using Company Equipment and are using the Social Media
from their home or the road. Failure to comply with the Social Media rules may result in
disciplinary action, up to and including termination, subject to local laws and regulations.
The use of Social Media by Users acting on behalf of the Company is subject to their
business unit rules and any guidelines of the Company that may exist.
6.10 Use of New Technologies and Services
The Internet offers a wealth of new online technologies and services that Users may believe
will enhance their ability to perform their job or otherwise deem to be useful. However, the
use of untested and unapproved technology or services poses a serious risk to Company
Data and Company Equipment as the use of such technology or service may create legal
liability or expose Company Data and Company Equipment to security vulnerabilities.
Users who wish to explore use of a new technology or service for business purposes should
contact their IT team to ask for a review and approval before downloading, installing or
using a new technology or service.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 14 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
7. Monitoring of Users
The Company reserves the right, subject to local laws and regulations, to review, audit,
monitor, intercept, access and disclose all uses of its Information Resources, and in
particular, email, voicemail, Instant Messaging Services (e.g. Webex), Internet use and all
files or information stored on Company Equipment, without prior notification to the User(s)
concerned, provided that such monitoring is done for legitimate business reasons,
including:
1. To protect the security of the Company/GE, its customers, suppliers and employees;
2. To protect and maintain proper operation and use of the assets of the
Company/GE;
3. To investigate unauthorized access to or use of Information Resources;
4. For an urgent, legitimate business need (e.g. employee unavailable and timing
critical, or to access Company Data after an employee has left the Company); or
5. To investigate a reasonable suspicion of violation of law or policy of the
Company/GE by a User or ex-User;
6. To respond to a subpoena or government investigation or otherwise comply with
applicable laws or regulations; or
7. To monitor quality and to assure compliance with regulatory requirements and
customer obligations.
A failure to monitor in a particular situation shall not be deemed a waiver of the right to
monitor in other similar situations.
The Company reserves the right to carry out other forms of monitoring of use of or access
to its Information Resources, such as the use of data loss prevention tools (e.g., Digital
Guardian), closed-circuit television, video monitoring, building access and security systems,
email scanning, web content filtering, network content monitoring, etc., all subject to
applicable legal requirements and restrictions on such monitoring.
If the Company discovers any User misconduct (including any violation of this or any other
policy or guideline of the Company) or criminal activity involving Company Information
Resources, the files or information related to such conduct may be used to document the
conduct and, subject to local laws and regulations, may be disclosed to appropriate
authorities - civil and criminal, both inside and outside the Company. The User may be
subject to disciplinary action up to and including termination of employment or work
assignment, subject to local laws and regulations, as well as any applicable civil/criminal
penalties. The Company also reserves the right, subject to local law, to consent to a valid
law enforcement request to search Company Equipment for evidence of a crime stored on
the equipment.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 15 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
The Company does not use any monitoring devices or other means to attempt to discover
the identity of anyone using an Ombuds hotline or any other Ombuds/complaint reporting
tool advertised as allowing anonymous reporting, and will not do so unless required by law
or court order.
The Company also does not intend to monitor, review or disclose communications between
employees and their personal attorneys, however, the Company disclaims any and all
liability for any inadvertent access to or disclosure of such communications.
All requests for a User’s personal data in connection with an investigation, litigation or
other situation requiring access to such data without the consent of a User shall be
handled in accordance with the Company’s Procedure for Review and Approval of Requests
for Indirect Access and Collection of Certain Types of Employees’ and Contractors’ Records,
which is issued under this Policy.
8. Reporting of Violations and Incidents
Inappropriate Use: Users shall immediately notify their IT helpdesk or the Local Security
Leader of any unusual behavior pertaining to Company Information Resources, subject to
local law and any legal restrictions on such reporting.
To the extent a User encounters any offensive or harassing materials on Online Services
used by another User, he or she should contact his or her manager, Human Resources,
Compliance or Ombudsperson, again subject to local law and any legal restrictions on such
reporting. Users should also consider whether it is appropriate to notify the sender not to
send such material in the future (however, as a reminder, Users should never reply to spam
messages).
Failure to report inappropriate use of Company Information Resources may, subject to local
law, result in disciplinary action up to and including termination of employment or work
assignment. As a reminder, retaliation against employees who report policy violations is in
itself a violation of GE’s Spirit & Letter policy and will subject the violator to disciplinary
action, up to and including termination.
Theft, Misappropriation or Other Incidents: The theft, loss or accidental destruction of any
Company Information Resources must be promptly reported in accordance with the
Company’s procedures for reporting such incidents. Users shall be familiar with the proper
channel for reporting such matters.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 16 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
9. Suppliers, Contractors and other Third Parties
This Policy applies to use of Company Data, Company Equipment and Online Services by
suppliers, contractors and other third parties, subject to any particular contractual
arrangement in place with such third parties and any other external legal obligation that
may exist under the local law of the third party.
Company Users who work with suppliers, contractors and other third parties must comply
with Section 4.4 above.
10. Questions about this Policy
For questions about this Policy, please contact your local, regional or global Information
Security Leader, Privacy Leader, Human Resources Manager, or Compliance Officer.
11. Document Change History
Versions and Review
Version
Comments
Dates
V 1.1
Amended sections 1.2 and 4.9
January 31, 2012
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 17 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
APPENDIX A
GE Capital – Social Media Guideline
This Guideline of GE Capital (―GE Capital‖ or ―Company‖) for access to and use of Social Media is
meant to supplement and clarify The GE Capital Acceptable Use Policy (―AUP‖) and in particular
Section 6 – Acceptable Use of Online Services. The Guideline applies to all GE Capital
employees who access the Internet – whether from work, while traveling, or from home,
including if the access is from a Personal Device or an Exempt Personal Device, as well as to all
other Users who use Company Equipment to access the Internet.
INTRODUCTION
Social Media sites allow members to network and communicate with each other as well as
share data, photos and other user generated content, or to provide updates about themselves,
play games or interact with other members, to name some of the more common social media
uses. Social media sites come in many flavors including social networking sites (such as
Facebook, LinkedIn, Twitter, Google+ and Yammer), peer-to-peer networks, content posting
sites (such as YouTube, Wikipedia and other wikis, and sites like Scribd and SlideShare), as well
as various online communities (such as virtual worlds like SecondLife).
The use of Social Media can be a great way for Company workers to connect and interact
customers or potential customers, colleagues and potential employees, and friends and family
around the globe or down the street. However, you should remember that whatever you do or
say online reflects not only on your reputation, but can reflect on the Company as well. It is
therefore very important that you pay attention to situations where your personal life and your
GE life become co-mingled, and that you always follow this Guideline – even if you’re engaging
in Social Media activities at home on your personal computer – as the rules below will help
keep both you and the Company safe. In short, before posting information on or interacting
with Social Media sites, it’s important that you understand the risk, reward and reach involved,
and the expected behaviors.
Recognize that there are various ways in which your online activity can establish a connection
to the Company or your workplace, and as a result may impact the Company:
(i)
(ii)
(iii)
If you identify your affiliation with the Company (either directly or indirectly),
anything you do or say – even if unrelated to the Company - may be perceived as
an official position of the Company;
If you discuss matters related to the Company, even if you don’t identify yourself as
affiliated with the Company, if your connection to the Company is revealed, you
may be perceived as a knowledgeable insider; also hiding your Company
connection may be illegal in some cases;
Anything you do or say, even if totally unrelated to the Company and where you
haven’t identified yourself as a Company employee, may be viewed and/or
disseminated in the workplace.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 18 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
Due to various legal, policy or jurisdictional concerns, not all Company employees will have
access to Social Media sites from work. The Company routinely reassesses what sites to allow
and what sites to block and some decisions depend on your country, business, and even your
role. Regardless, this Guideline applies even when accessing Social Media sites while traveling
or from home. Bottom line – you have two brands to protect in your Social Media activity– the
Company brand and your own.
GENERAL GUIDANCE
o
ONLINE RULES ARE NOT DIFFERENT: The rules for acceptable behavior on Social
Media sites don’t change just because you’re online; only the speed with which
information can be shared—intentionally or accidentally—does, and as a result, the
impact of mistakes or improper behavior can be greatly magnified. Anything that
would be prohibited in the ―real world‖ doesn’t become permissible just because
you’re online. For example, posting comments that are offensive, discriminatory or
threatening; similarly offering recommendations or endorsements of ex-employees,
suppliers and others who interact professionally with the Company may not be
acceptable on Social Media sites where you appear in your Company capacity, as
that may be considered a prohibited endorsement; last, communications with the
media on Social Media sites must also follow the real world procedures governing
such contact – refer all such inquiries to the media and communications team at
your business. These are just three examples of situations that may arise in the
online space that are no different than the ―real world.‖
o
FOLLOW EXISTING POLICIES: Any use of Social Media sites that violates any
Company policy, including the Acceptable Use Policy, and The Spirit & Letter, even
when done with personal resources, on the road or from home, is prohibited.
o
POSTING ANY GE CONFIDENTIAL, RESTRICTED OR OTHER PROPRIETARY
INFORMATION, CONTENT OR FILES, OR ANY MATERIAL-NONPUBLIC
INFORMATION ON SOCIAL MEDIA SITES IS PROHIBITED. Similarly, don’t post any
non-public or proprietary information about any Company competitor.
o
DON’T MISUSE COMPANY RESOURCES: You may not create, host or maintain a
Social Media sites using Company resources unless you’re authorized to act for the
Company. You may however access and post to Social Media sites from work
(subject to this Guideline).
o
AVOID SOCIAL MEDIA SITE ACTIVITY THAT INTERFERES WITH YOUR WORK
COMMITMENTS: Don’t allow workplace access to Social Media sites to become a
distraction to you or your co-workers. This includes excessive personal use or any
personal-business use of Social Media sites. Remember that such access, where
granted, is a privilege, and it may be revoked or restricted.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 19 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
o
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
WHEN IN DOUBT – ASK BEFORE YOU ACT: You’re responsible for your actions.
Whatever you do or say on Social Media sites may be viewed by work colleagues,
customers, regulators or the media. Think before you act or post. If you’re not sure
if certain conduct online is appropriate or legal, consult your business Compliance,
Legal, Information Security, Privacy or Communications Leader, HR manager or
direct manager.
KEEPING YOURSELF AND THE COMPANY SEPARATE, EXCEPT WHERE APPROVED
o
DON’T SPEAK FOR THE COMPANY UNLESS IT’S YOUR JOB: Each business has
guidelines for speaking on the Company’s behalf and responding to media
inquiries. Unless it’s your job to speak on behalf of the Company, you may not
create an appearance that you’re doing so. When in doubt, consult your
Communications Leader for further guidance.
o
DON’T MAKE PREDICTIVE OR FORWARD LOOKING STATEMENTS: You should not
say anything that may reveal the Company’s business strategy or future
performance. Don’t discuss financial performance or litigation/legal proceedings or
Company business-related rumors. GE is a publicly traded company with
designated professionals who are authorized to comment on such matters. Your
comments, especially if perceived to come from a ―knowledgeable insider‖ could
create exposure.
o
DON’T USE THE GE EMAIL: Using your GE email account to join or interact with any
Social Media sites isn’t permitted unless: (i) you have a formal role in using the site
as a Company communicator or spokesperson; (ii) you’re using the site on behalf of
the Company with your manager’s approval; or (iii) this is expressly required by a
site which has a professional use (e.g., Yammer). All other activities that are
conducted in your personal capacity require that you use a personal email.
Adhering to this rule will reduce the appearance of personal activities being
sponsored by or pertaining to the Company and also reduces the likelihood of
phishing attempts against Company workers.
o
MAKE SURE THAT IT’S ALWAYS CLEAR THAT YOUR VIEWS ARE PERSONAL: Unless
it’s your job to represent the Company, avoid using GE indicators (like a GE email or
your title) when posting comments on Social Media sites. You may, however, use
your Company relationship and title in your profile when using a professional Social
Media site such as LinkedIn. Where possible, speak in the first person (―I‖). If you
find a need to identify yourself in any way as affiliated with the Company, or are
known as such (for example on LinkedIn, or by joining a Company Facebook group),
exercise care before discussing anything related to the Company; if you find that
you must say something concerning the Company use a prominent disclaimer
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 20 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
indicating that your comments represent your personal views and don’t represent
the Company’s views.
o
AVOID MISUSE OF GE’S BRAND: Don’t use any GE logos or trademarks to create
the impression that your communication is attributable to or approved by the
Company unless specifically authorized to do so. This includes use of the GE email
(see above), use of the GE Monogram in connection with any online group you form
(e.g., on LinkedIn or Facebook), or use of a GE brand in your online name or handle.
o
USE OF SOCIAL MEDIA AS A BUSINESS TOOL: Social Media sites can be effective
outreach and marketing tools when used thoughtfully. If you have a business need
to create a presence on Social Media sites for which you identify your Company
affiliation (e.g., a Facebook page or a LinkedIn group) you must contact your
Communications Leader, and in some cases, business legal counsel, to get their
advice; always follow any business specific rules or procedures that apply.
o
USE OF SOCIAL MEDIA SITES FOR COVERT MARKETING OR PUBLIC RELATIONS: If
it’s not your job to engage in marketing or public relations on behalf of the
Company then don’t. Even if it’s your job, don’t engage in such activities that do not
identify the Company or you as a Company worker. If you discuss a Company
product or service, or one offered by a competitor, you must clearly disclose your
relationship with the Company.
PARTICIPATE INTELLIGENTLY AND SECURELY
o
BEHAVE SECURELY: Be cautious about clicking on links embedded in Social Media
sites or downloading applications. Sites like Facebook and Twitter have sometimes
unwittingly displayed links to malicious applications that can damage computers
and/or steal information. Beware of imposters pretending to be someone else, and
individuals who post comments using only pseudonyms. Don’t accept friend
requests from strangers and don’t befriend anyone whom you don’t know. Avoid
anything that sounds too good to be true – it probably is. Remember that Social
Media sites have become a prime target for cybercriminals; don’t become a victim.
o
KNOW WHO OWNS THE SITE: Before participating in any Social Media site, make
sure you understand if this is a Company or GE owned site or external; what the
access and security controls are, and what content is appropriate for
posting/sharing. Some Social Media sites may have a dedicated GE area, or what
appears to be a GE sponsored area (e.g., Yammer), but that area may not be a safe
place to post Company content. When your main goal is to share data internally,
always use resources that are approved for business use (e.g., GE Connect).
o
RESPECT YOUR AND OTHERS’ PRIVACY: Avoid sharing your personal information
or that of others beyond what’s absolutely necessary; in general, identifying
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 21 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
information posted online should be extremely limited.
Remember that
cybercriminals search for personal information online, and may use it for identity
theft and other types of fraud.
o
CONNECTING WITH CO-WORKERS: Before inviting or accepting an invitation from
a co-worker to connect with you on a Social Media site, ask yourself if that online
connection is appropriate. Employees may not feel comfortable with a ―friend
request‖ from a manager and managers may feel uncomfortable with requests
from members of their teams. While you may have meaningful friendships that
lead to such connections, exercise good judgment in initiating or accepting them.
When in doubt consult HR, Legal, or Compliance.
o
CONNECTING WITH CUSTOMERS AND SUPPLIERS: Before inviting or accepting an
invitation from a Company Customer or Supplier to connect with you on a Social
Media site, ask yourself if that online connection is appropriate. While you may
have meaningful friendships that lead to such connections, exercise good
judgment in initiating or accepting them. When in doubt consult Compliance, Legal,
Sourcing, or your direct manager.
o
SPECIAL RULES FOR HIRING: GE has special guidelines on the use of Social Media
sites for screening/hiring employment candidates. Consult those guidelines before
acting, and when in doubt, always consult HR and Labor & Employment counsel in
your jurisdiction.
GUIDANCE FOR SMART COMMUNICATIONS
o
EXERCISE GOOD JUDGMENT AND USE COMMON SENSE when posting, blogging,
chatting or communicating on Social Media sites or through any electronic means
like email: don’t say anything that you wouldn’t say in writing and don’t post or
upload anything you might not want the world to see. Don’t assume that your post
will remain private amongst your friends or not find its way into the workplace.
There’s no online ―recall‖ button – removing content isn’t always easy and even if
you succeed, Internet search engines never forget anything and your deleted post
may live on in search engines. And remember, you may have personal liability for
comments that are defamatory, libelous, obscene or violate a law.
o
BE RESPECTFUL of GE, its officers, employees, shareholders, customers, suppliers,
partners and competitors. Posts that malign individuals or other businesses, or
which expose Company proprietary information can create legal exposure for the
Company, and for those who post such comments. Uploading compromising
photographs of co-workers is inappropriate. Be respectful of others when you reply
to their posts or comments. Avoid divisive issues such as religion, politics or
social/political advocacy your comments might be perceived to be an official
Company position or opinion. Do not disparage Company products or services.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 22 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
Remember that what you post can migrate into the workplace and/or come to the
attention of customers and other Company partners. To be clear, this rule doesn’t
seek to prohibit any honest and accurate comments you may have about the
Company or GE – you’re free to express your views (even if negative). Nothing
herein precludes any discussion covered by the NLRA or equivalent foreign laws
covering concerted activity or revoke any rights granted to you by local law.
o
BE ACCURATE AND TRANSPARENT: If you make a mistake, promptly correct it.
Avoid posting comments that include rumors, or misleading information. Stay
timely and keep posted information up to date. Indicate changes when altering a
previous post or comment. Remember that the Internet has a long memory, and
that even deleted postings may be searchable. Never post intentionally inaccurate
information about the Company or its officers, employees, shareholders, customers,
suppliers, partners or competitors.
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 23 of 24
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Subject:
Original Issue Date:
May 1, 2009
Acceptable Use of Company
Information Sources Policy (V 2.0)
Revision Dates:
October 10, 2011; January 31, 2012
Effective Date:
U.S. - November 17, 2011
RoW – by March 15, 2012
Policy No.: IT-5
APPENDIX B
LINKS TO OTHER POLICIES MENTIONED IN THIS POLICY
The GECC Information Security Policy and other Information Security guidelines and
information can be found on the GECC Information Security Portal:
http://supportcentral.ge.com/products/sup_products.asp?prod_id=120895
The GECC Sourcing Policy, Records Retention Policy and other GECC policies can be found
on the GECC Policy Portal:
http://corp.home.ge.com/portal/site/gecfinsidecompliance/menuitem.bff63188bc18a07fc5
e793104ecda730
GE’s EDPS and other information on data privacy policies rules and information can be
found on the GECC Privacy Portal:
http://supportcentral.ge.com/products/sup_products.asp?prod_id=26719
All Spirit & Letter policies can be found on the GE Compliance Portal:
http://integrity.ge.com/
The GE Software Use Policy/Guide can be found here:
http://data.supportcentral.ge.com/upload/37462/doc_1612873.pdf
Other helpful links:
GE’s Global Security Website is here: http://security.ge.com
Policy Owners: GECC Chief Information Officer and Chief Privacy Leader
Policy Contact: GECC Chief Privacy Leader
GE Internal
Page 24 of 24