Users are prohibited from:

• Gaining unauthorized access to any Corporate information system
• Abusing authorized access for personal gain, malicious purposes, or in a way that would result in damage, alteration, or disruption of these systems
• Capturing or obtaining passwords, encryption keys, or any other access control mechanism which could permit unauthorized access

Purpose

Users must not exceed their authorized access, regardless of technological capabilities or barriers

Examples

• If a business user discovers unprotected confidential data, the user should notify their manager.  The user should not access that data if said data is outside the scope of their authority.
• An IT administrator should not attempt to access HR data that doesn’t pertain to their job function, even if there are no access controls that would prevent such access
• An administrator of the payroll database should not attempt to access the payroll data except in pursuit of authorized business function
• A network administrator should not collect passwords while resolving unrelated network issues

Exceptions

Exceptions under this policy must be detailed in a Risk Acceptance form approved by the System/Application Business Owner, Executive Lines of Business representative and the IT Custodian and the Information Security Compliance Department.

www.bestitdocuments.com