Computing Policy Document - Generic Template
by: bill schell
9 September 1999
version 3a
reformatted: 2_May_2002

This document is published for the _____________ location of to set out general policies and procedures, and to outline responsibilities, authorities and actions for the various people, groups, and users involved in the Computing Environment at this site.

Section 1.): - some definitions -

1.) Systems Administration Community: these are loosely called "admins" and they are the people concerned with planning, ordering, installing, configuring, supporting, backing up, and helping users with computer problems - both hardware and software. In "most" sites the admin group does not (normally) support 'APPLICATIONS' (used to develop software); they only support hardware, networking and operating systems - and in some cases "systems-like-applications" (ftp, telnet, web-access, etc.).

2.) User community: (in general) the software developers and support groups (finance, hr, accounting, facilities). In general this community is also typically broken down into two general groups:
   - technical computing (usually s/w developers) - usually Unix-based
   - the support groups - primarily an office-automation group - primarily Macintosh & Windows NT based

3.) Management: the group of people who, though users, typically make high-level policy decisions about the business - but not necessarily about computing specifically.

4.) Motorola's "Corporate" Departments: Telecomm & Info Security (sometimes known as "GCT" (Global Computing & Telecomms)), Audit, Finance, HR, Facilities, etc. These groups are primarily in the business of deciding & implementing high-level policy and rolling out to organizations like GSD guidelines for implementing policies & procedures.

5.) EISS or (New)EISS - "Electronic Information Security Standards" is a document (actually a set of documents) that roughly outlines the requirements and recommendations that a group of organizations including Finance, Information Security & Audit have outlined for Motorola organizations (like GSD) to protect the intellectual property that we all work with, on a day-to-day basis, for the protection of our profits over the long run.

Section 2.): - an Introduction and outline of areas covered -

Computing Policy at _________________ is comprised of several areas:

1.) Company INFORMATION RESIDING or STORED ON COMPUTING PLATFORMS (including but not limited to: desktop computers, laptop computers, servers, PDAs (portable digital assistants), networks connecting these and networks connecting these to the "outside" world, PABXs (Private Branch Exchanges (telephones & voice-mail systems))).

2.) your MOVING Motorola INFORMATION to & from these systems and to & from outside customers, vendors, research organizations and the like.

2.a.) your USING the computers involved for purposes that are not "Appropriate Use" - and how that is defined.

3.) Disaster recovery planning & execution - what would happen to the Motorola data in the event of a natural or man-made disaster at your site that caused the site to be unusable for the normal execution of the business that is conducted there.

There are two very important documents that outline a large majority of what might be covered here - but in a very generic format:

#### Computing Policy Document:
- a document signed by all employees when they are hired that asks the employee to agree that his / her use of computing resources (including but not limited to all those mentioned above) will be for "Appropriate Use" only.
- In "general" this means that an employee, regardless of the physical or geographical location in which he / she works, lives, or travels to, and while using computing hardware, software and networks, will not access Playboy, CNN, ESPN, Hotmail, Vacation or other "such" Web-Sites; send inappropriate e-mail; or otherwise engage in non "Business Appropriate Use" computing activities. Each employee must make a decision after signing this document as to what they deem "appropriate use"... and act accordingly. Some discussion of "Appropriate Use" with one's manager may be appropriate.

#### the "Appropriate Web-Usage" document
takes the above concepts and specifically expands them to cover the use of World Wide Web accesses from a Motorola-owned computing platform. This document specifically puts the employee on notice that every single access that the employee makes from a computer to a web-site outside of the network is logged, and (may be) reviewed by both the admin teams and by management, as well as by the Corporate Audit Committee. And - access to any site deemed "inappropriate use" from the computer to which the employee is assigned can be traced and may be used in a disciplinary action.

Section 3.): - supported / authorized software and hardware -

This section will outline the appropriate computer system platforms (hardware and operating systems) that are allowed, supported, and "guaranteed" to be available at this site. This information is due to change relative to budgets, and to the people who are trained & capable of doing this support.

Generically the network environment consists of a number of servers in a (restricted access) computer room with a number of X-terminals on desktops in users' workspaces & offices - this architecture is recommended primarily because of:

1.) security of data, computing equipment, and backup-media-storage
2.) to reduce support complexity, time and risk
3.) ease of backup-restore operations

Typically at a given site these are the supported platforms:

- Unix Servers of some form (primarily Sun Solaris operating system on Sun Sparc hardware platforms), typically accessed by X-terminals on the users' / engineers' desktops
- Macintosh and/or Windows NT as an "Office Automation" environment (as in Windows NT served by a "WinDD Server" and clients with X-terminals on their desktops)
- Networking in the form of the TCP/IP protocol suite living on a 10-base-T ethernet hardware environment - usually in a combination of switched and shared topologies

Software applications available include the operating systems to drive the above hardware platforms and networking infrastructure applications (such as, but not limited to: e-mail, DNS, NFS, NIS, SMTP, POP, IMAP, LDAP, etc., as defined and needed); these are typically supported by the admin groups.

S/W Development tools applications (such as compilers, debuggers, configuration management tools (such as ClearCase), documentation tools (such as FrameMaker)) are usually supported by an SETC group. IF the "admin groups" will support these tools then that should be adequately documented here.

Unless there is some over-riding business need - this will be the limits of what is purchased, installed and supported by the admin teams.

Section 4.): - activities -

Though explained to some extent in other parts of this document, this section explicitly outlines a number of activities related to computer & network usage that are NOT ALLOWED under ANY CIRCUMSTANCES at this site. Some of these are not only illegal, but immoral, as well as being deemed "not appropriate" - some others are just 'good computer practice usage' guidelines. In any case none of these should be practiced.

1.) e-mail chain letters
2.) e-mail spamming
3.) e-mail forging
4.) e-mail enclosures or attachments over 1 megabyte in size.
5.) e-mail mailing list-hosting WITHOUT the consent of the admin groups
6.) computer accounts shared amongst human users - 1 account = 1 human
6.a.) use of another person's account
7.) Web-usage to any restricted sites
8.) Web-usage that is not very strictly "Appropriate Use"

Section 5.): - the auditing & / or policing role of an admin group -

Many times in the past - in different parts of Motorola - a loss of Intellectual Property has happened. When / if that were to happen at your site, and under specific, written direction(s) from management at your site as well as from the Corporate "Loss Prevention" group, your admin team has both the right and the authority to:

1.) review any and all logs of computer and network activity to evaluate who is / might be responsible for a loss

2.) read any and all e-mail suspected of being relevant to a case

3.) re-login-to any web-site that was connected to from the computer a user is assigned to - (to determine if it was an "appropriate use" of 's computers to access that web-site).

4.) if you use a computer at home to conduct then that computer becomes an extension of 's network & computing environment - and it, too, as well as the data, becomes subject to search & review in a time of data-loss or suspected data-loss. This is especially important if that computer you use at home was purchased by you, and is not "necessarily" an Asset. - It is, nevertheless, an extension of the Facilities...

There are two distinct philosophies that you should remember every time you use a computer / network:

a.) you are employed by to deliver certain work, and the computing resource environment was put there to assist you in that work, not for your personal pleasure or gain

b.) because of a.) above - the data, all the data - on that computer is the property of , not you, personally, AND therefore they (and/or their agents and assignees) have a right to review that data, at any time, any place, and the legal system in this country gives them that right.

Additionally - remember - that it is the "systems admins group(s)" that are ultimately responsible for "a majority" of the (safekeeping) of data, and that is why these rules & regulations and practices are implemented as they are, to protect them in their role in protecting 's Intellectual Property...