INFORMATION SECURITY POLICY

March 20, 2020

EFFECTIVE March 2, 2015

INTRODUCTION

Computer information systems and networks are an integral part of business at Muncie Power Products. The Company has made a substantial investment in human and financial resources to create and maintain these systems.

The enclosed policies and directives have been established in order to:

  • Protect this investment
  • Safeguard the information contained within these systems
  • Reduce business and legal risk to the Company and employees
  • Protect the good name of the Company
  • Enhance system functionality through standardization

 

ADMINISTRATION

 

The Information Technology Management Team (IT Management) is responsible for the administration of this policy.

CONTENTS

I. STATEMENT OF RESPONSIBILITY

General responsibilities pertaining to this policy are set forth in this section. The following sections list additional specific responsibilities.

  1. Manager Responsibilities
    Managers and supervisors must:
    • Ensure that all appropriate personnel are aware of and comply with this policy.
    • Create appropriate performance standards, control practices, and procedures designed to provide reasonable assurance that all employees observe this policy.
  2. IT Management Responsibilities
    IT Management must:
    • Develop and maintain written standards and procedures necessary to ensure implementation of and compliance with these policy directives.
    • Provide appropriate support and guidance to assist employees to fulfill their responsibilities under this directive.
    • Review this document annually.

 

II. THE NETWORK, INTERNET, AND E-MAIL

Muncie Power’s corporate network connects all devices together for the purpose of communications. The internet is a very large, publicly accessible network that has billions of connected users and organizations worldwide. One popular feature of the internet is e-mail.

  1. Policy
    Access to the internet is provided as needed to employees for the benefit of Muncie Power Products and its customers. Employees are able to connect to a variety of business information resources around the world. Conversely, the internet is also replete with risks and inappropriate material. To ensure that all employees are responsible and productive internet users and to protect the Company’s interests, the following guidelines have been established for using the internet and e-mail.
  2. Acceptable Use
    Employees using the internet are representing the Company. Employees are responsible for ensuring that the internet is used in an effective, ethical, and lawful manner.
    Examples of acceptable use are:
    • Using web browsers to obtain business information from commercial web sites.
    • Accessing databases for information as needed for Company purposes.
    • Using e-mail for business contacts.
  3. Unacceptable Use
    Employees must not use the internet for purposes that are illegal, unethical, harmful to the Company, or nonproductive.
    Examples of unacceptable use include, but are not limited to:
    • Sending or forwarding chain e-mail (i.e., messages containing instructions to forward the message to others).
    • Broadcasting personal e-mail (i.e., sending the same message to more than 5 recipients).
    • Conducting a business for personal gain using Company resources.
    • Transmitting any content that is offensive, harassing, or fraudulent.
    • Accessing Company networks with personal devices.
    • Streaming media for non-business purposes.
  4. Downloads
    File downloads from the internet are not permitted unless specifically authorized by IT. This does not include files that are necessary for an employee’s job functions.
  5. Employee Responsibilities
    An employee who uses the internet or e-mail shall:
    • Ensure that all communications are for professional reasons and that they do not interfere with the productivity of the employee.
    • Be responsible for the content of all text, audio, or images that (s)he places or sends over the internet.
    • All communications should come from the employee’s mailbox (the user’s name will be in the ‘from’ field).
      • Specifically, in the case of the multi-function copiers (MFC), scans should be sent to the employee’s mailbox first and then forwarded to the intended recipient.
      • Modification or exclusion of the MPP approved signature is prohibited.
    • Not transmit copyrighted materials without permission of the owner.
    • Know and abide by all applicable Muncie Power Products policies.
    • Not download or receive executable file(s) received through the internet unless approved by IT management.
    • Avoid transmission of nonpublic customer information. If it is necessary to transmit nonpublic information, employees are required to take steps reasonably intended to ensure that information is delivered to the person authorized to receive such information for a legitimate use.
  6. Copyrights
    Employees using the internet are not permitted to copy, transfer, rename, add or delete information or programs belonging to others unless given express permission to do so by the owner. Failure to observe copyright or license agreements may result in disciplinary action by the Company and/or legal action by the copyright owner.
  7. Monitoring
    All messages created, sent, or retrieved over the internet are the property of the Company and may be regarded as public information. Muncie Power Products reserves the right to access the contents of any messages sent or received, or to monitor internet access from Company computers, if the Company believes, in its sole judgment, that it has a business need to do so.

    All communications, including text and images, can be disclosed to law enforcement or other third parties without prior consent of the sender or the receiver. This means don’t put anything into e-mails that you wouldn’t want to see on the front page of the newspaper or be required to explain in a court of law.

 

III. COMPUTER VIRUSES AND MALWARE

Computer viruses and malware are programs designed to make unauthorized changes to programs and data. Therefore, viruses and malware can cause destruction of corporate resources.

  1. Background
    It is important to know that:
    • Computer viruses and malware are much easier to prevent than to cure.
    • Defenses against computer viruses and malware include protection against unauthorized access to computer systems, using only trusted sources for data and programs, saying ‘no’ to prompts that were not initiated by the end user, and maintaining virus-scanning software.
  2. IT Responsibilities
    IT shall:
    • Install and maintain appropriate anti-virus and anti-malware software as needed.
    • Respond to all virus and malware attacks, destroy any virus and malware detected, and document any incidents that require IT resources. Antivirus software keeps logs of detected problems that have been automatically resolved.
  3. Employee Responsibilities
    These directives apply to all employees:
    • Employees shall not knowingly introduce a computer virus into Company computers.
    • Employees shall not load any removable media (USB Flash Drives, CDs, diskettes, zip disks, backup tapes, flash, etc.) of unknown origin.
    • Incoming removable media (USB Flash Drives, CDs, diskettes, zip disks, backup tapes, flash, etc.) shall be scanned for viruses before they are read.
    • Any employee who suspects that his/her workstation has been infected by a virus shall IMMEDIATELY POWER OFF the workstation and contact IT staff immediately.
    • Employees shall not forward any virus warnings of any kind to anyone other than the IT staff. All virus warnings should be sent to the IT staff only. If it is determined that the warning is valid, the IT staff will notify all employees of the potential hazard, if deemed necessary. A virus warning coming from anyone other than the IT staff should be forwarded to the IT staff and ignored.
    • Employees must scrutinize all emails with attachments, check validity of the sender and the attachment, and then proceed with caution when opening attachments.

 

IV. ACCESS CODES AND PASSWORDS

The confidentiality and integrity of data stored on Company computer systems must be protected by access controls to ensure that only authorized employees have access. This access shall be restricted to only those capabilities that are appropriate to each employee’s job duties.

  1. IT Responsibilities
    IT Management shall be responsible for the administration of access controls to all Company computer systems. IT Management or designated IT staff will process adds, deletions, and changes upon receipt of a written request from the end user’s supervisor or Human Resources.

    Deletions may be processed by a verbal request prior to reception of the written request. The IT Management will maintain a list of administrative access codes and passwords and keep this list in a secure area.
  2. Employee Responsibilities
    Each employee:
    • Shall be responsible for all computer transactions that are made with his/her User ID and password.
    • Shall not disclose passwords to others. Passwords must be changed immediately if it is suspected that they may have become known to others. Passwords should not be recorded where they may be easily obtained.
    • Will change passwords regularly (system enforced).
    • Should use passwords that are not easily guessed by others and are of sufficient complexity to foil the efforts of password crackers and dictionary attacks.
    • Shall not store passwords in macros for the purpose of automatic sign-in.
    • Should log out or lock (Windows + L) when leaving a workstation for an extended period.
    • Users are not to set hardware or BIOS passwords.
    • Must report any suspicion of unauthorized access or use immediately to IT Management.
  3. Supervisor’s Responsibility
    Managers/supervisors will notify IT Management prior to or immediately after an employee leaves the Company or transfers to another department so that his/her access can be revoked. Involuntary terminations must be reported concurrent with or before the termination.
  4. Human Resources Responsibility
    Human Resources will notify IT Management prior to or immediately after all terminations. Involuntary terminations must be reported concurrent with or before the termination.

 

V. Physical Security

It is Company policy to protect computer hardware, software, data, and documentation from misuse, theft, unauthorized access, and environmental hazards.

  1. Employee Responsibilities
    The directives below apply to all employees:
    • Removable media should be stored out of sight when not in use. If they contain highly sensitive or confidential data, they must be secured.
    • Removable media should be kept away from environmental hazards such as heat, direct sunlight, and magnetic fields.
    • Critical computer equipment, e.g. file servers, must be protected by an uninterruptible power supply (UPS). Other computer equipment should be protected by a surge suppressor.
    • Environmental hazards to hardware such as food, smoke, liquids, high or low humidity, and extreme heat or cold should be avoided.
    • Since IT Management or designated IT staff is responsible for all equipment installations, disconnections, modifications, and relocations, employees are not to perform these activities. This does not apply to temporary moves of portable computers for which an initial connection has been set up by IT.
    • Employees shall not take shared portable equipment such as laptop computers out of the work area without informed consent of their department manager. Informed consent means that the manager knows what equipment is leaving, what data is on it, and for what purpose it will be used.
    • Employees should exercise care to safeguard the valuable electronic equipment assigned to them. Employees who neglect this duty may be accountable for any loss or damage that may result.

 

VI. System Data Integrity

It is the policy of Muncie Power Products to protect the system data integrity against misuse and/or misrepresentation.

  1. Employee Responsibilities
    The directives below apply to all employees:
    • Employees will not make updates/modifications/changes to any of the data downloaded or copied from the Power7 to a file (i.e., Excel, CSV, TXT, etc.).
    • Employees may use base data to create additional information not downloaded or copied from Power7.

 

VII. Copyrights and License Agreements

It is the policy of Muncie Power Products to comply with all laws regarding intellectual property.

  1. Legal Reference
    Muncie Power Products and its employees are legally bound to comply with the Federal Copyright Act (Title 17 of the U.S. Code) and all proprietary software license agreements. Noncompliance can expose Muncie Power Products and the responsible employee(s) to civil and/or criminal penalties.
  2. Scope
    This directive applies to all software that is owned by Muncie Power Products, licensed to Muncie Power Products, or developed using Muncie Power Products resources by employees or vendors.
  3. IT Responsibilities
    IT Management will:
    • Maintain records of software licenses owned by Muncie Power Products.
    • Periodically (at least annually) scan Company computers to verify that only authorized software is installed. IT has the option to remove any and all non-authorized software installed on a machine.
  4. Employee Responsibilities
    Employees shall not:
    • Install software unless authorized by IT Management.
    • Copy software unless authorized by IT Management.
    • Download software unless authorized by IT Management.

    Only software that is licensed to or owned by Muncie Power Products is to be installed on computers unless preapproved by IT Management.
  5. Civil Penalties
    Violations of copyright law expose the Company and the responsible employee(s) to the following civil penalties:
    • Liability for damages suffered by the copyright owner.
    • Profits that are attributed to the copying.
    • Fines up to $150,000 for each illegal copy.
  6. Criminal Penalties
    Violations of copyright law that are committed “willfully and for purposes of commercial advantage or private financial gain” (Title 18 Section 2319(b)) expose the Company and the employee(s) responsible to the following criminal penalties:
    • Fine up to $500,000 for each illegal copy.
    • Jail terms for up to five years.

 

VIII. Violations

Acceptable and unacceptable use of the internet, along with employee responsibilities, is reviewed in earlier paragraphs of this policy. Unacceptable use or failure to follow established employee responsibilities will result in a violation of this policy, which may result in disciplinary action per Progressive Disciplinary Procedures, as stated in the Employee Handbook. While the established Progressive Disciplinary Procedures provide guidelines to help improve and correct employee problems, there are some situations that may result in immediate discharge.

Examples of situations that may result in immediate discharge include, but are not limited to:

  1. Disseminating or printing copyrighted materials, including articles and software in violation of copyright laws.
  2. Sending, receiving, printing, or otherwise disseminating proprietary data, trade secrets, or other confidential information of Muncie Power Products in violation of the Company policy or proprietary agreements.
  3. Offensive or harassing statements or language including disparaging remarks of other people based upon race, national origin, sex, sexual orientation, age, disability, religious, or political beliefs.
  4. Sending or soliciting sexually oriented messages or images.
  5. Operating a business, usurping business opportunities or soliciting money for personal gain, or searching for jobs outside Muncie Power Products.
  6. Gambling or engaging in any other activity in violation of local or federal law.
  7. Purposefully damaging or, without prior permission, removing media, hardware, and other equipment.
  8. Intentionally downloading and/or transmitting computer viruses.

  9. Employees who receive unsolicited, inappropriate, or questionable e-mails from any source should immediately contact Human Resources.

    Muncie Power Products retains the discretion to use progressive discipline when appropriate.