Computer Security Awareness & Acceptable Use Policy

IT

Revised 11/06/2018

Overview

The purpose of this policy is to outline the acceptable use of computer equipment at Urban Outfitters, Inc. (the Company) consistent with the Company’s established culture of openness, trust and integrity. Inappropriate use exposes the Company to risks, legal issues and potentially compromises the overall security of the Company computing environments and may expose our customers to identity theft and financial loss. It is imperative that this policy allows the URBN IT Department to maintain its network of PCs, laptops and thin clients as well as ensure the integrity and privacy of customer information (such as credit/debit card/check data) and Company information, including material non-public information and HIPAA-protected data. Effective security is a team effort involving the participation and support of every Company employee who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines and to conduct their activities accordingly. There is no right of privacy in connection with email and all software, data, and files of any and all types on Company computing equipment. The Company may at any time monitor, inspect or remove emails, files, programs or other software that resides on such equipment, either remotely or directly on the equipment. The Company may elect to amend, modify or revoke this policy at any time without notice. If you have a question about this policy, including your responsibilities under this policy, you should contact the URBN IT Department. The information can be found in the following order:

1. Scope
2. General Security
3. Internet Usage
4. Email Policies
5. Electronic Data Management
6. Acquisition and Installation of Software
7. Copyrighted Digital Media
8. Bring Your Own Device
9. Company Payment Systems
10. Handling Payment Card Data
11. Protecting Payment Devices
12. Termination
13. Enforcement

1. Scope

This policy applies to all Company employees, including interns and seasonal/temporary employees, contractors, consultants, vendors and all other workers at Urban Outfitters, Inc., including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Urban Outfitters, Inc.

2. General Security

• Information contained on the Company systems should be considered confidential, inside information that is owned by the Company. This includes, but is not limited to, information that is stored, transmitted and/or processed through the email and messaging system(s), network storage, intranet, blogs, project management systems, databases, and applications.

• Employees are entrusted with access to Company resources, as required and appropriate for their job responsibilities. With access to Company resources, each employee is responsible for the confidentiality, integrity and availability of the information entrusted to them. Employees should access only the information that is appropriate for their job responsibilities.

• Employees are responsible for the security of their passwords and accounts. Passwords must be changed every 90 days and comply with minimum password strength requirements. Company equipment is configured to remind employees to change their password per the minimum password strength requirements. If an employee fails to change his/her password after receiving these reminders, the workstation will lock the screen until the password is changed.

• Passwords must never be written down or shared with anyone, including the URBN IT Department or any computer support personnel.


• Employees must not use the same passwords on Company systems as they do on other non-Company systems.

• Employees must use their own logon ID and password when accessing Company equipment, systems and networks. Do not use another employee’s logon information.

• All Company equipment, including Company computers, is for employee use only. Family and friends cannot use Company computers and are not permitted to access Company systems and resources.

• Employees should secure their workstations by logging off or locking their screen when the workstation is not in use. The standard Company computer automatically locks users from their systems if no activity has occurred within a 15-minute time period.

• To ensure the confidentiality, integrity and availability of Company information, all employee computers must adhere to the requirements below:

o Anti-virus software must be installed and running at all times. The standard Company computer includes Trend Micro anti-virus on all Windows computers.

o Operating systems (e.g., Windows), applications (e.g., Microsoft Office, Adobe Acrobat, and Chrome) and other system components (anti-virus) must be routinely updated to ensure critical security updates are installed.

o Personal firewall software must be running on every computer. This is part of the standard build and must not be disabled.

• Employees are responsible for the physical security of any Company-issued equipment (e.g., laptop) at all times, and should take all reasonable measures to protect Company equipment from theft or damage.

o Theft of Company-issued equipment must be reported to the URBN IT Department as soon as possible.

o Stolen equipment must be immediately reported to the police and must be accompanied by a police report. If a police report is not provided, the employee must reimburse the Company for the cost of the stolen equipment.

• When travelling, Company-issued equipment must remain with the employee. Do not put Company laptops or other Company-issued equipment in checked baggage.


• Only salaried/exempt employees are permitted to set up Company email on their personal mobile device. The personal mobile device must be password protected and will be subject to audit by the URBN IT Department. If that device is later lost or stolen, the employee must contact the help desk to have the device deactivated from Company systems.

• In addition to the above, employees must refrain from engaging in the following prohibited activities when using Company equipment, systems and networks:

o Downloading, copying or stealing electronic files without permission.

o Engaging in any activity that violates copyright laws.

o Attempting to access or accessing another’s accounts, private files, or email, except as authorized by the appropriate authority.

o Performing any activity that is not approved by the Company that may degrade the performance of systems or networks (for example, copying files to unapproved cloud storage services).

o Performing any activity that circumvents security or access control of the Company, business partners or any other entity, including the possession or use of hardware or software tools intended to defeat software copy protection, discover passwords, identify security vulnerabilities, decrypt encrypted files, or compromise information security by any other means.

o Accessing Company networks via any remote access service unless reviewed and approved by the URBN IT Department.

o Accessing any network not under the management of the URBN IT Department, including personal home networks, unless explicitly authorized by the URBN IT Department.

o Promoting or maintaining a personal or private business using Company information resources.

o Conducting fraudulent or illegal activities using any Company resource.

o Disclosing any Company information that is not classified as public.

3. Internet Usage

• Employees have access to the Internet and can visit websites for Company use. Access to the Internet during work hours must be appropriate, and must be consistent with one’s professional role, obligations, and job responsibilities. Since Internet activities are logged and monitored, employees accessing the Internet shall have no expectation of privacy.

• Employees who engage in prohibited activities when using the Internet may be subject to disciplinary action, up to and including termination. These prohibited activities include, but are not limited to:

o Visiting websites that violate local, state, federal, provincial or international law.

o Visiting websites for the purpose of gambling for money.

o Visiting pornographic or hate-based websites, hacker or cracker sites, or other sites that the Company has determined to be off-limits.

o Posting, sending, or acquiring sexually explicit or sexually oriented material, hate-based material, hacker-related material, or other material determined to be off-limits.

o Posting or sending sensitive information outside of the Company without management authorization.

o Using other services available on the Internet, such as file transfers, streaming video or remote access, on systems on which the user does not have an account or that do not permit access without an account.

o Posting commercial announcements or advertising material.

o Promoting or maintaining a personal or private business.

o Receiving news feeds and push data updates, unless the material is required for Company business.

o Using non-work related applications or software that occupy excess workstation or network processing time (e.g., processing in conjunction with screen savers).

• Access to any network or computer, including cloud services, must be reviewed and approved by the URBN IT Department prior to use.

• Remote access to personal home networks from the Company networks is not permitted.

Guest Wireless

• If a guest, vendor, contractor or consultant needs Internet access for their own device, they can be granted guest wireless access by connecting to the URBN Guest network.


• If a guest, vendor, contractor or consultant must use a Company computer, the responsible URBN employee must obtain a vendor account. No guest, vendor, contractor or consultant is permitted to access Company computers or networks without being given their own account.

4. Email Policies

• An electronic mail system has been installed by the Company to facilitate business communications. The email system belongs to the Company and the contents of email communications are accessible at all times by the Company for any business purpose. All email messages are Company records. The contents of emails, properly obtained for legitimate business purposes, may be disclosed within the Company without employee permission.

• Employees should not use personal email accounts to conduct Company business. All corporate electronic communications must be sent via approved, URBN-supported messaging (email, messaging applications and websites). Use of third-party solutions, including non-URBN email systems (Google, Yahoo, Hotmail, etc.), is not approved. Variances from this policy must be reviewed by the URBN IT Security Department and may be approved on a case-by-case basis.

• The use of email must be done in a manner that is consistent with the Company’s interests and responsibilities. No email should violate any local, state, federal, provincial or international law.

• It is expected that the language and content of emails be expressed with care, knowing that there is no expectation of privacy. All business-related items should reflect the Company’s culture and respect for good business practice and etiquette.

• Emails and all other electronic files may be subject to disclosure in legal and regulatory matters and proceedings.

• Employees should be careful when opening email from unknown sources, since these are more likely to contain viruses, worms and other malicious code. Report to the URBN IT Department any instance where you believe that you are being targeted by suspicious email or spam.

• Employees are not permitted to use consumer online file sharing services, such as Dropbox, when sharing Company files and other documents. Consumer online file sharing services are not secure and, more importantly, not controlled by the URBN IT Department, and create a significant risk of data loss or exposure.

• To send sensitive information through the email system, whether to an internal employee or external location, the word “encrypt” can be added to the subject line of any email. This will protect the email with encryption and ensure secure delivery of the message to the intended recipient.

5. Electronic Data Management

The Company provides multiple approved methods to store, transmit, process, and share data for business purposes, and only these methods may be used by employees when storing, transmitting, processing, or sharing data.

Data Storage

• When storing electronic documents, spreadsheets, presentations, applications or other electronic information, employees must use a network drive provided by the URBN IT Department, or SharePoint or OneDrive, both of which are provided by the Company.

• Employees are not permitted to use personal USB drives, Cloud storage such as Dropbox, or any other solution not provided by the Company.

Data Sharing

• Data sharing is permitted based on the classification of the data to be shared and the method of sharing:

o For information on data classification, please refer to the Data Classification and Control Policy in the URBN Information Security Policy.

o The Company provides multiple approved data sharing methods to share data both inside and outside of the Company. The following are approved data sharing methods:

  - Email with data written in the email.
  - Email using the “encrypt” function.
  - Link to OneDrive or SharePoint.

• Attachments that include executables, compressed files, and other common methods for distributing malicious software present a risk to the Company and therefore are blocked and will not be sent.

• Some data is never permitted to be shared unless there is an explicit job requirement and approval. This includes, but is not limited to, the following:

o Cardholder data, including all aspects of payment cards, such as card numbers, expiration dates, security codes (CVV), PINs.

o Personally Identifiable Information, which is any information that is personally identifiable to an individual (e.g., Social Security numbers, driver’s license and other government identification numbers).

o In addition, please refer to Section 10 below on handling payment card data.

6. Acquisition and Installation of Hardware and Software

Acquiring Hardware and Software

• All hardware and software must be purchased through the URBN IT Department. This will ensure that all corporate discounts are applied and that licensing meets corporate requirements. In addition, this will ensure ongoing management, including software updates and hardware maintenance.

• To ensure compliance with copyright and licensing laws, all software used on Company systems and networks shall be licensed and registered in the name of the Company. All employees shall comply with copyright and licensing laws, and shall not obtain, install, replicate or use software except as permitted by the software licensing agreement.

• Employees are not permitted to purchase hardware or software, including Software as a Service (SAAS), on a Company Purchasing Card (P-Card).


• Non-standard software requirements (e.g., software development tools) must be reviewed with the URBN IT Department to ensure compatibility, security control, and other requirements for software onboarding are managed correctly.

• Personally owned software is not permitted for use on the Company systems or networks. This includes, but is not limited to, personally purchased and licensed applications, shareware, freeware, downloads from bulletin boards, Internet, Intranet, FTP sites or other personally owned or controlled software. These products can compromise the stability of Company systems. Many freeware and shareware agreements conflict with the Company’s non-disclosure agreements and can place the Company at both legal and financial risk.

Installing and Using Hardware and Software

• All hardware and software must be installed and managed by the URBN IT Department.

• Employees are prohibited from engaging in the following conduct:

o Installing Company software onto a personal computer or other personal electronic device.

o Installing personal software onto Company-owned equipment or Company systems or networks.

o Giving Company software to any person or entity not affiliated with the Company, including, but not limited to, contractors or vendors.

o Installing or using unreleased or evaluation versions of software, such as Demo, Beta or Trial software. These types of software are not “production ready” and could compromise the stability of our systems.

• Employees are responsible for updating software with the current security patches.

• The URBN IT Department will deliver software updates for all software installed on Company-owned equipment and Company networks and systems.

• The URBN IT Department reserves the right to remove any unauthorized software, including, but not limited to, music and movies, installed on Company-owned equipment and Company networks or systems.


7. Copyrighted Digital Media

Digital media includes, but is not limited to, digital music (MP3s, WMAs), movies and movie clips, and images. The storage, distribution, and use of illegally copied digital media on Company equipment, systems or networks is strictly prohibited.

8. Bring Your Own Device

• Personal devices are not permitted on Company networks. This includes, but is not limited to, mobile phones, tablets, laptop computers, television hardware (e.g., Apple, Amazon, Roku), game systems (e.g., Xbox, PlayStation), network storage, network switches, routers, wireless access points, and remote access equipment.

• The Company provides a robust guest network, URBN Guest, which provides access to the Internet for personal devices. The Company does not restrict the device type permitted on the guest network.

• The URBN Guest network permits access for the following time periods:

o Non-employees or individuals who do not log in using their Company-provided username and password will be required to log in every 24 hours. Access will be interrupted after 24 hours until the individual logs back in.

o Employees who log in using their Company-provided username and password will be required to log in every 14 days. Access will be interrupted after 14 days until the individual logs back in.

• All activity is monitored on the guest network to ensure the security of the environment and protect Company networks from any malicious or inadvertent security risks.

9. Company Payment Systems

• Company Payment Systems include any systems that transmit, store or process payments, and include, but are not limited to, any systems or networks that are used to process merchandise for sale, collect cardholder data for payment processing, and print receipts or transaction information (e.g., MPOS, GPOS, registers, printers).

• Employees who require access to Company Payment Systems must submit a request to the URBN IT Department to obtain approval for access. Access is limited to only individuals who have a specific role and responsibility that requires access. If approved, a username and password unique to the approved individual will be provided.

• Access to Company Payment Systems must be executed through a secure network access point that is managed by the URBN IT Department and requires strong authentication. All actions on Company Payment Systems are logged and monitored.

• Employees who are responsible for processing merchandise and payment transactions must have a unique username and password. Employees must not share their username and password. All activities are logged and monitored for each individual user.

• Use of Company Payment Systems for unapproved activities is strictly prohibited. This includes, but is not limited to, using the Company Payment System to access applications, Internet websites, or for any other personal use. Violations of this policy will result in disciplinary action, up to and including termination.

• Altering the configuration of any component in a payment system, including adding, removing or changing hardware or software, is strictly prohibited. Any changes must be made by an approved individual from the URBN IT Department and tracked with standard change and problem management procedures.

• All activity on Company Payment Systems is monitored, and violations of this policy will result in disciplinary action, up to and including termination.

• Employees who have access to Company Payment Systems must know and adhere to the guidelines in Sections 10 and 11 below.

10. Handling Payment Card Data

Employees are not permitted under any circumstance to write down, photograph, email, or otherwise keep an electronic or written copy of Payment Card Data. For purposes of this policy, Payment Card Data includes:

• Credit or debit card numbers

• Customer PIN

• Card security code (“CVV”)

• Credit or debit card expiration date

11. Protecting Payment Devices

Unauthorized access to payment devices could compromise customer payment information and the integrity of the Company’s payment systems. To reduce this risk, employees with direct access to payment devices must adhere to the guidelines below.

General Device Handling

• Employees are not permitted to remove payment devices from the store except for brand-approved events (e.g., sidewalk sales).

• Employees are not permitted to attach or connect any personal or other non-URBN devices to payment devices.

Inspection of Payment Terminals

Payment terminals must be inspected daily to verify the following:

What to check | Example
Applicable brand and manufacturer logos | [reference photograph not reproduced]
Sticker showing that the URBAN security key is installed | [reference photograph not reproduced]
Serial number stickers | [reference photograph not reproduced]
Unobstructed, operating lights illuminate during transactions | Illuminate when activated
Terminal and cables are free from any additional devices or attachments | [reference photograph not reproduced]

Awareness

• Employees should be aware of suspicious behavior around payment devices. This includes attempts by any unauthorized person to unplug, interact with, or open payment devices.

• Immediately contact your SBL/GM and RLPM if you suspect that a payment device has been tampered with or replaced, or if you witness any suspicious behavior or attempts to access payment devices from unauthorized individuals.

o Be sure to note the time of day and register number.

o The SBL/GM should contact the Help Desk or open a support case with the details if they feel a device has been compromised.

• Refer to the Security Policy and “Service Technicians and Calls” section below for information on verifying access to payment devices.


Service Technicians and Calls

• Only employees and URBN-approved contractors are permitted in non-sales or back-of-house areas.

• All visits by non-Home Office employees will be scheduled in advance by the Home Office and communicated by email to the SBL/GM.

• To protect against unauthorized access to payment devices, employees must verify the identity of anyone claiming to be repair or maintenance personnel before allowing access to the payment device.

• Any person who visits a store or restaurant to perform work of any type (for example, on POS and IT systems, computers, MPOS devices) must have a work order that identifies the specific work to be completed, the company’s name, and visitor’s/repairperson’s name.

o This information must match the information provided by Home Office.

o If the person does not have a work order or the information on the work order does not match what was provided by Home Office, contact your DBL and RLPM immediately.

12. Termination

Upon separation from the Company, employees must return all Company-issued equipment on or before their last day worked. If an employee fails to do so, the value of the equipment will be deducted from the employee’s final paycheck.

13. Enforcement

Any employee found to have violated this policy will be subject to disciplinary action, up to and including termination.