Acceptable Use Policy

Version Control

Version   Date published     Comments
1.0       13 August 2020     First version
1.1       21 January 2021    Updates to: General Principles; User Responsibilities; Passwords (para 7); Devices, systems and networks (paras 2-4)
1.2       27 May 2021        Update to wording in Managing and Protecting Information, para 6. Strengthened to include references to encryption.

Introduction

1.    Information technology resources, such as PCs, laptops, smartphones, and tablet devices offer new and exciting ways of working and engaging with our colleagues and citizens. However, we must also be aware that improper use can impact us, our colleagues, citizens, OFGEM’s reputation and the public purse.

2.    This Acceptable Use Policy (AUP) aims to protect all users of OFGEM equipment and minimise such risks by providing clarity on the behaviours expected and required by OFGEM and the consequences of breaching the AUP. It sets a framework within which to conduct OFGEM’s business and explains how we can achieve compliance and evaluation of new business and technology requirements.

Purpose

1.    To ensure that users understand their responsibility for the appropriate use of OFGEM’s information technology resources. Understanding this will help users to protect themselves and OFGEM’s equipment, information and reputation.

Scope

1.    The use of all OFGEM equipment and information (all information systems, hardware, software and channels of communication, including voice-telephony, social media, video, email, instant messaging, internet and intranet). Any information stored by OFGEM employees in OFGEM information systems for private use within the boundaries of “Personal use of OFGEM IT” is also subject to the provisions of this policy.

Who this policy applies to

1.    All OFGEM employees, agents, contractors, consultants and anyone else (referred to in this document as ‘users’) with access to OFGEM’s information, information systems and equipment.

General principles

1.    Use Ofgem IT in a sensible, professional way in accordance with the Civil Service Code.

2.    Don’t do anything on your device that could harm or embarrass Ofgem, its employees, suppliers, partners or citizens.

3.    Only use Ofgem equipment to access Ofgem information. Don’t use your own computers, phones or email accounts.

4.     Report anything that you think may have breached this policy to SPaR.

User responsibilities

1.    Be responsible for your own actions and act responsibly and professionally, following the Civil Service Code and respecting the Department and fellow employees, suppliers, partners and citizens.

2.    Use information, systems and equipment in line with OFGEM security and Information Management policies. OFGEM Security Policies and Standards apply to OFGEM suppliers and contractors where explicitly stated in the Security Schedule of the contract. OFGEM Standards are not a cross-government requirement.

3.     Immediately report any breach of this Acceptable Use Policy to your line manager.

4.     Never undertake illegal activity, or any activity that would be harmful to OFGEM’s reputation or jeopardise staff and/or citizen data, on OFGEM technology.

5.     Understand that both business and personal use will be monitored.

6.    Be aware that you can use whistleblowing procedures to raise a concern if you believe that someone is misusing OFGEM information or electronic equipment.

7.    Undertake regular education and awareness on security and using OFGEM information systems and equipment, including the annual Responsible For Information training, in order to be able to understand, recognise and report threats, risks and incidents. Complete all mandatory IT training, and any other training relevant to your job role.

User IDs

1.     Protect login credentials (usernames and passwords).

2.    Create secure passwords by following guidance below.

3.    Do not log on to any OFGEM systems using another user’s credentials.

4.    Lock the screen when you are away from your device.

5.     Log out of all electronic devices connected to OFGEM’s internal network when you have finished for the day. Switch off mobile devices when not working unless you need to be contactable for business purposes including out of hours escalations and/or contingency reasons.

Passwords

1.    Use a password that is easy for you to remember, but hard for someone else to guess. Stringing three words together is a good way of doing this. You can add numbers and symbols as well if you want. An example might be: red house monkey or 74 red house monkey?!

2.    Do not use words that are specific to you and therefore easy for a hacker to guess or find out - such as birthdays, child's name, pet's name, sports team, musician, band etc. Remember, though, that a combination of these might be a useful way of constructing a memorable, but hard to guess, phrase. For example: fido beatles 060713

3.    Some of our systems (such as myHR) have legacy requirements for passwords using a complex combination of letters, numbers and symbols. We are working to update these to support our new guidance but, in the meantime, please comply with the requirements of the system. They will be clearly displayed on screen.

4.    Similarly, BitLocker PINs should be memorable (perhaps a combination of memorable dates) but hard to guess.

5.    Employees are personally responsible for protecting their passwords.

6.    You must not:

•       Share passwords with friends, colleagues or family

•       Share passwords with unsolicited callers, even if they claim to be an official.

7.    If you need to share a password with someone (e.g. if you are sending a password-protected file by email) please share the password by separate means such as text message or telephone. This protects any document intercepted by email from being accessed. Remember, do not use your Ofgem login password.

8.    If you think someone knows your password, please change it as soon as you can.

9.    Try not to write passwords down but, if you do, keep them in a secure place (e.g. a file on your H Drive or iPhone, a password manager or a piece of paper in a locked cupboard).

Managing and protecting information

1.     Protect personal and sensitive information.

2.    Ensure that all information is created, used, shared and disposed of in line with business need and in compliance with security policies and any Information Asset Inventory guidance. More information on security policies can be found on The Wire.

3.    Do not attempt to access personal data unless there's a valid business need that is appropriate to your job role.

4.    Do not provide information in response to callers or e-mails whose identity you cannot verify.

5.    Be careful not to be overheard or overlooked in public areas when conducting OFGEM business.

6.    Apply the Government Classification policy appropriately to document headers and email subject lines in relation to the OFFICIAL-SENSITIVE handling caveat. The Policy states that particularly sensitive information, such as (but not limited to) that marked OFFICIAL-SENSITIVE, will require additional handling controls, particularly in respect of sharing. Where Ofgem staff are sharing sensitive information beyond Ofgem’s own systems and infrastructure (e.g. to non-Ofgem email addresses) the information should be password protected, or encrypted, to limit the risk of exposure. As with all activity on Ofgem’s systems, information sharing is subject to monitoring and potential non-compliance with this Policy will be raised to line management for their assessment and oversight.

7.    Do not attempt to access, amend, damage, delete or disseminate another person’s files, emails, communications or data without the appropriate authority.

8.    Do not attempt to compromise or gain unauthorised access to OFGEM IT, telephony or content, or prevent legitimate access to it.

Personal use of OFGEM IT

1.    Users are personally accountable for what they do online and with OFGEM technology.

2.    Appropriate personal use of IT resources, such as access to the internet, is permitted and you must use proper judgement to assess what is appropriate.

3.    You must ensure that all personal information stored is appropriate, i.e. legal and compliant with this policy.

4.    The ability to store personal information on OFGEM-owned devices and systems is a privilege, and OFGEM has a right to require that the data is removed should it interfere with business activity or use.

5.    You must ensure activities do not damage the reputation of OFGEM, its employees and citizens including accessing, storing, transmitting or distributing links to material that:

•       Could embarrass or compromise OFGEM in any way;

•       Is obtained in violation of copyright or used in breach of a licence agreement;

•       Can be reasonably considered as harassment of, or insulting to, others;

•       Is offensive, indecent or obscene including abusive images and literature.

6.    You must follow the Civil Service Code and must not use OFGEM systems to:

•       Trade or canvass support for any organisation on official premises, whether it is for personal gain from any type of transaction or on behalf of external bodies.

•       Send messages or material that solicit or promote religious, political or other non-business related causes, unless authorised by OFGEM.

•       Use any type of applications and/or devices to circumvent management or security controls.

•       Download software to OFGEM devices except where permitted from an official source and appropriately licensed. This software must not compromise the performance or security of the device.

These prohibitions do not include community activity such as fundraising, charity activity and prayer groups. These are all encouraged as part of Ofgem’s D+I strategy.

Email

1.    Only use appropriate language in messages, emails, faxes and recordings. Threatening, derogatory, abusive, indecent, obscene, racist, sexist or otherwise offensive content is a disciplinary matter.

2.    Do not materially alter or change the meaning of a third party’s message when forwarding it unless authorised.

3.    Do not try to assume the identity of another user or create or send material designed to mislead people about who originated or authorised it (e.g. through misuse of scanned signatures).

4.    Be vigilant to phishing emails and know how to spot them and, if in doubt, report suspicious emails.

5.    Internal emails are potentially disclosable under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004, as well as subject access requests under the GDPR and Data Protection Act 2018. Care should therefore be taken in how emails are set out so as not to cause embarrassment to Ofgem or give rise to an allegation of libel.

6.    Only use your OFGEM email address to register or create accounts for OFGEM business-related activities and linked organisational activity (e.g. OFGEM discount schemes, CSL, Civil Service Jobs).

7.    When logging onto external websites for personal use (e.g. for retail or internet banking purposes), OFGEM staff must use their personal email addresses. If you have already registered for personal services using your OFGEM email address you are requested to change your personal details to register a personal email address as soon as possible.

Websites and Social Media

1.    Only access appropriate content using OFGEM technology and do not intentionally visit sites or news groups that are obscene, indecent or advocate illegal activity.

2.    Report any access to a site that should be blocked to your line manager or the IT Service Desk.

3.    Contact the IT Service Desk with requests to unblock a website and do not attempt to bypass OFGEM web filters.

4.    Use social media appropriately by making yourself aware of the Social Media Guidance.

5.    Do not put OFGEM information including anything that is sensitive / personal information onto online forums, blogs or social networking sites unless authorised to do so.

6.    Be aware that your social media content may be available for anyone to see, indexed by Google and archived for posterity.

Devices, systems and networks

1.    Only use systems, applications, software and devices which are approved, procured and configuration managed by OFGEM when undertaking official business, and apply OFGEM standards and guidance in their use.

2.    Only use approved OFGEM devices connected to OFGEM network(s). Do not use your personal email accounts to process Ofgem business information.

3.    In some exceptional circumstances, it may be necessary for staff to use personal email accounts or personal devices to process OFGEM information. These circumstances will be limited to:

•       Business continuity incidents where normal business systems are unavailable.

•       A pressing business requirement where use of personal IT is the only reasonable option. This must be cleared by a line manager.

4.    Personal devices may be used to access Virtual Desktop Interfaces where this has been set up by the IT Service Desk.

5.    Any emails in personal mailboxes are still subject to the provisions of the Freedom of Information Act and therefore must be copied to a valid OFGEM email address.

6.    OFGEM permits connecting OFGEM devices, laptops, etc., by WiFi (or Ethernet) to the internet to connect back to the department from anywhere, e.g. home or a hotel. Some organisations require you to connect to WiFi via a Captive Portal. These are web pages that you are obliged to view, and sometimes sign in to, before connecting to a WiFi network, typically in hotels, on trains and in coffee shops. Only connect your Ofgem device to Captive Portals provided by reputable organisations such as train operators, airlines and major hotel or coffee shop chains. If in any doubt, please consider tethering your laptop to your Ofgem mobile phone instead.

7.    OFGEM permits wirelessly connecting an OFGEM device to an OFGEM, or personal, mobile phone via a personal hotspot for the purpose of acquiring an internet connection (tethering) for work purposes. Tethering a personal mobile phone is permissible, but OFGEM cannot be held liable for this use of a personal mobile phone, including any data charges, and so any use of a personal phone for this purpose is the individual’s choice.

8.    Ensure no official information is stored on devices without OFGEM security controls, unless explicitly allowed in exceptional circumstances (such as a business continuity situation) as described earlier in this policy.

9.     Raise all software requests through the IT Service Desk.

Taking devices abroad

1.    OFGEM employees and contractors travelling outside the UK and wishing to take OFGEM devices may do so. However, the following countries are considered high threat and devices must not be taken to these: Belarus, China, Cuba, Egypt, Hong Kong, Iran, Israel, North Korea, Pakistan, Russia, Syria, Ukraine, Vietnam.

Physical Security

1.    Be responsible for keeping all portable devices assigned to you safe and secure, and immediately report any loss or damage of your equipment to your line manager.

2.    Protect OFGEM equipment appropriately when travelling, e.g.:

•       Laptops must always be carried as hand luggage

•       Never leave a portable device in sight in parked vehicles

3.    Return all OFGEM equipment when leaving OFGEM. Line Managers must complete all appropriate exit procedures with leavers.

Compliance

1.    If for any reason users are unable to comply with this policy or require use of technology which is outside its scope, this should be discussed with their line manager in the first instance and then the IT Service Desk, who can provide advice on escalation/exception routes.

2.    All requests to use new software not currently approved by OFGEM must be subject to approval through the IT Service Desk.

3.    Line managers are responsible for ensuring that users understand their responsibilities and consequences as defined in this policy and continue to meet its requirements for the duration of their employment with OFGEM. They are also responsible for monitoring employees’ ability to perform assigned security responsibilities. However, this does not remove responsibility from employees: they are responsible for ensuring that they too understand their responsibilities as defined in this policy and continue to meet the requirements. It is a line manager’s responsibility to take appropriate action if individuals fail to comply with this policy.

4.    All instances of non-compliance should be reported as potential Data Breaches.

5.    Where there are instances of deliberate non-compliance, disciplinary action may be considered in line with Ofgem procedures. This includes instances of directing other staff to undertake actions that are non-compliant.

6.    Instances of accidental non-compliance will be investigated and may, where appropriate, be considered under relevant disciplinary procedures.

7.    When line managers are considering disciplinary action in relation to these matters, they should always consult with their HR Business Partner.
