Security & Compliance Policy
Control mapping: HIPAA §164.308(a)(1)(ii)(D) information system activity review, §164.308(a)(3) workforce security; CIS Control 8 (Audit Log Management); workforce conduct & consent
Establishes the company's right to monitor its systems, devices, data, and usage — and the consent each workforce member attests to.
This policy informs workforce members that Dunder Mifflin monitors its information systems and the activity conducted on them, and establishes each workforce member's acknowledgment of and consent to that monitoring. Monitoring protects Dunder Mifflin's data, systems, customers, and workforce, supports security and IT operations, and enables Dunder Mifflin to meet its legal, regulatory, and contractual obligations.
This policy applies to all workforce members — employees, contractors, temporary staff, and anyone else granted access to Dunder Mifflin systems — and to all Dunder Mifflin-owned or Dunder Mifflin-managed information resources. This includes company computers, servers, mobile devices, networks, internet connections, email and messaging accounts, business applications and cloud services, file and data stores, telephony, and physical facilities. It also applies to personally owned devices to the extent they are enrolled in Dunder Mifflin's management or used to access Dunder Mifflin systems or data.
Dunder Mifflin owns its information systems and the data they hold, and reserves the right — at any time, with or without prior notice, and to the extent permitted by law — to access, monitor, intercept, record, review, copy, retain, and disclose all activity and data on those systems, including:
Workforce members should have no expectation of privacy in anything they create, store, send, receive, or access on Dunder Mifflin systems, devices, or accounts, including incidental personal use. Deleting a message or file does not remove it from backups or logs. Anyone who needs privacy for personal matters should use their own devices, accounts, time, and network.
By accepting this policy, accessing Dunder Mifflin systems, or signing below, each workforce member acknowledges that they have read and understood this policy and expressly consents to Dunder Mifflin's monitoring as described — including the access, interception, recording, review, and retention of activity and data on Dunder Mifflin systems, devices, accounts, and usage. This consent remains in effect for the duration of the individual's access to Dunder Mifflin systems.
Compliance with this policy is mandatory. Violations may result in disciplinary action up to and including termination of employment or contracts, and may carry civil or criminal liability.
Any exception must be requested in writing, justified by a documented business need, risk-assessed, and approved by the Security Official before it takes effect. Approved exceptions are reviewed at least annually.