To protect your information assets, you need to define acceptable and unacceptable use of systems and identify responsibilities for employees, IT staff, and supervisors/managers. This policy offers a comprehensive outline for establishing rules and guidelines to secure your company data.

From the policy:

Employee responsibilities
An employee who uses the company workstations or systems to conduct business operations must:

• Ensure that all equipment use is for business/professional reasons.
• Access only information that is needed to perform their jobs or assist others in doing so as part of the valid scope of their duties.
• Be responsible for the content of all data, including text, audio, and images they share internally or externally. All communications should have the employee’s name attached.
• Be responsible for all actions/transactions performed with their accounts.
• Use passwords and screen locks on company-owned systems or devices, or those that have been approved for access to company data.
• Log out when leaving a workstation for an extended period.
• Store all shared passwords (such as for departmental accounts) in a centralized and encrypted password database, such as Password Safe or KeePass. The main password for these databases must also be kept private and provided only to authorized individuals.
• Change passwords per company policy (e.g., every 90 days).
• Know and abide by all applicable company policies dealing with security and confidentiality of company records.