Advantus IT Policy (Updated 10/24/23)
Advantus Corp (or “Company”) makes available to our workforce access to one or more forms of electronic media and services, including computers, e-mail, telephones, voicemail, external electronic bulletin boards, wire services, online services, intranet and the Internet.
Scope
This policy applies throughout the organization as part of the corporate governance framework. It applies regardless of whether staff use computer systems and networks, since all staff are expected to protect all forms of information assets including computer data, written materials/paperwork, and intangible forms of knowledge and experience. This policy also applies to third party employees working for the organization whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by generally held standards of ethics and acceptable behavior) to comply with our information security policies.
Business Use
The computers, electronic media and services provided by Advantus Corp are primarily for business use to assist employees in the performance of their jobs. Limited, occasional or incidental use of electronic media (sending or receiving) for personal, non-business purposes is understandable and acceptable, and all such use should be done in a manner that does not negatively affect the systems’ use for business purposes.
Ownership
All information and messages that are created, sent, received, or stored on the Company’s e-mail system, messaging platforms, and servers is the sole property of Advantus.
Right to Review
Advantus reserves the right, at its discretion, to review any employee’s electronic files and messages to the extent necessary to ensure electronic media and services are being used in compliance with the law, this policy, and other Company policies. All e-mail and instant messages are subject to the right of the Company to monitor, access, read, disclose, and use such e-mail without prior notice to the originators and recipients of such e-mail. E-mail may be monitored and read by authorized personnel for the Company for any violations of law, breaches of Company policies, communications harmful to the Company, or for any other reason.
Prohibited Content
The Company’s anti-harassment and discrimination policies also apply to the use of Company’s resources. This means that an investigation will be conducted, and discipline imposed where necessary.
Electronic media cannot be used for knowingly transmitting, retrieving, or storing communication that is:
- Discriminatory or harassing.
- Derogatory to any individual or group.
- Obscene, sexually explicit or pornographic.
- Defamatory or threatening.
- In violation of any license governing the use of software; or
- Engaged in any purpose that is illegal or contrary to the Company’s policy/business interests
No Presumption of Privacy
All communications should not be assumed to be private, and security cannot be guaranteed. Employees should have no expectation of privacy or security with respect to incoming and outgoing messages and all other documents stored on their computer. Highly confidential or sensitive information should not be sent via e-mail. Advantus reserves and intends to exercise the right to review, audit, intercept, access and disclose all messages and documents created, received, or sent over the electronic system for any purpose. The contents of electronic mail properly obtained for legitimate business purposes, may be disclosed within the Company without the permission of the employee.
Notwithstanding the Company’s right to retrieve and read messages and documents, such information should be treated as confidential by other employees and accessed only by the intended recipient. Employees are not authorized to retrieve or read any e-mail messages that are not sent to them. Any exception to this policy must receive prior approval by the Company.
Certain Prohibited Activities
Employees may not, without the Company’s express written authorization, transmit trade secrets or other confidential, private, or proprietary information or materials through electronic media. Employees also shall not send (upload) or receive (download) copyrighted materials through the electronic media system.
Anyone obtaining electronic access to other companies’ or individuals’ materials must respect all copyrights and cannot copy, retrieve, modify or forward copyrighted materials except as permitted by the copyright owner.
Social Media Use
Social media accounts are intended to be used solely for business purposes. Depending on the nature of the employee’s duties, these purposes may be addressed through a variety of services, including but not limited to Facebook, X (Twitter), LinkedIn, and YouTube. Legitimate business use includes:
- Building positive brand image.
- Increasing mind share.
- Improving customer satisfaction
- Gaining customer insights
- Increasing customer retention
- Increasing revenue
- Reducing cost of servicing customers
Message Retention and Creation
Employees should be careful in creating e-mail. Even when a message has been deleted, it may still exist in printed version, be recreated from a back-up system, or may have been forwarded to someone else. Please note that appropriate electronic messages may need to be saved. Also, if so ordered, the Company may be required to produce e-mail in litigation.
Email Signature and Background
Uniform default signatures for all employees have been created to maintain Advantus Corp’s high business standards. Adding personal signatures and email backgrounds are strictly prohibited.
Computer/Electronic Media Move
Most computers and electronic media are connected to the network and are centrally managed by the IT department.
Viruses
Any viruses, tampering or system problems should be immediately reported to IT Support.
Consequences of Violations
Any employee who abuses the privilege of their access to computers, electronic media, and intranet in violation of this policy will be subject to corrective action, including possible termination of employment, legal action, and criminal liability.
Security
Except in cases in which explicit authorization has been granted by the Advantus Executive Committee, employees are prohibed from engaging in, or attempting to engage in:
- Monitoring or intercepting the files or electronic communications of other employees or third parties.
- Hacking or obtaining access to systems or accounts they are not authorized to use.
- Using other people’s logins or passwords; and
- Breaching, testing, or monitoring computer network security measures.
No e-mail or other electronic communications can be sent that attempt to hide the identity of the sender or represent the sender as someone else.
Electronic media and services should not be used in a manner that is likely to cause network congestion or significantly hamper the ability of people to access and use the system.
The e-mail system is only to be used by authorized persons, and an employee must have been issued an e-mail password to use the system. Employees shall not disclose their codes or passwords to others and may not use someone else’s code or password without express written authorization from the Company.
Mandatory IT Training
The Advantus IT department requires that each employee upon hire and at least annually thereafter successfully complete mandatory training. Certain staff may be required to complete additional training modules depending on their specific job requirements upon hire and at least annually.
Simulated Social Engineering Exercises (Phishing Tests, etc)
The Company will conduct periodic simulated social engineering exercises, like email phishing tests. The Company will conduct these tests at random throughout the year with no set schedule or frequency, and may also conduct targeted exercises against specific departments or individuals based on a risk determination.
Remedial Training Exercises
From time to time, staff may be required to complete remedial training courses or may be required to participate in remedial training exercises with members of the IT department as part of a risk-based assessment.
Compliance & Non-Compliance with Policy
Compliance with this policy is mandatory for all staff, including contractors and executives. The Company will monitor compliance and non-compliance with this policy and report to the executive team the results of training and social engineering exercises.
Non-Compliance Actions
Certain actions or non-actions by personnel may result in a non-compliance event (Failure).
A non-live/exercise Failure includes but is not limited to:
- Failure to complete required training within the time allotted
- Failure of a social engineering exercise
- Failure to report the exercise to the IT department
Failure of a social engineering exercise (i.e. a phishing test) includes but is not limited to:
- Clicking on a URL within a phishing test
- Replying with any information to a phishing test
- Scanning a QR code within an exercise
- Opening an attachment that is part of a phishing test
- Entering any data within a landing page as part of a phishing test
- Plugging in a USB stick or removable drive as part of a social engineering exercise
- Failure to report the exercise to the IT department
A live/non-exercise Failure includes but is not limited to:
- Clicking on a live (non-test) phishing link and/or entering data in a phish event
- Opening an attachment that is part of a live (non-exercise) phish event
- Entering any data within a landing page as part of a phishing event
Compliance Actions
Certain actions or non-actions by personnel may result in a compliance event (Pass). At the discretion of the Company, a Pass may remove a previous Failure from counting towards the employee’s Failure count. See Schedule of Failure Penalties.
A Pass includes but is not limited to:
- Successfully identifying a simulated social engineering exercises
- Not having a Failure during a social engineering exercise (not clicking, not taking action)
- Reporting real social engineering attacks to the IT department
- Completing additional training required by the IT department
- One year since the last training/social engineering exercise
Responsibilities
All Managers are responsible for ensuring that their staff and other workers within their responsibility participate in the information security awareness, training, and educational activities where appropriate and required.
All Staff are personally accountable for completing the security awareness training activities, and complying with applicable policies, laws, and regulations at all times.
Schedule of Failure Penalties
The following table outlines the penalty of non-compliance with this policy. Steps not listed here may be taken by Advantus to reduce the risk that an individual may pose to the Company.
| Testing/Social Engineering (Exercise) Failures | |
| Failure Count | Resulting Level of Remediation Action |
| First Failure | Mandatory completion of remedial training. |
| Second Failure | Mandatory completion of remedial training. |
| Third Failure | Face to face meeting with their manager |
| Fourth Failure | Face to face meeting with their manager and HR Possibility that additional administrative and technical controls will be implemented to prevent further Failure events |
| Fifth Failure | Formal review of employment with Head of Human Resources |
| Sixth and Subsequent Failures | Potential for Termination of Employment or Employment Contract |
| Live (Non-Exercise) Failures | |
| Failure Count | Resulting Level of Remediation Action |
| First Failure | Mandatory completion of remedial training, face to face meeting with their manager Possibility that additional administrative and technical controls will be implemented to prevent further Failure events |
| Second and Subsequent Failures | Formal warning, face to face meeting with their manager and HR Potential for Termination of Employment or Employment Contract |