I, __________________________, while an employee of Alphabet Bonding Company ("ABC"), may run software related to computer and network security ("security software") to discover vulnerabilities, monitor access, and otherwise test the security of information systems and networking equipment owned by ABC.
In general, security software falls under four categories:
Particular types of software may include but are not limited to:
Security software will be run on systems owned by ABC to scan systems owned by ABC, and will consume ABC system and network resources while being run. Systems running security software may be accessed remotely over an encrypted channel from systems not owned by ABC.
Running security software may expose company or employee information not usually made available under typical system administration operations. I will treat all sensitive information as confidential and adhere to the non-disclosure agreements I signed when becoming an employee of ABC.
Different pieces of security software may be obtained commercially or downloaded freely from the internet. Any commercial security software that is run must be purchased by ABC for legal use on the number and type of systems being scanned. Reasonable measures will be taken, including industry acceptance, to ensure freely-obtained security software is legitimate and does not contain malicious or "trojan horse" code, with the understanding that a certain risk always exists of introducing a vulnerability through the use of security software.
These programs will, in some cases, be the same programs an attacker might use to illegally gain access to a system. It is understood that I am using security software legally to evaluate and monitor systems to which I already have administrative access.
When a risk of downtime exists from the use of security software, such software will be run outside regular business hours to minimize the impact of possible customer downtime. In addition, such scans will be run non-intrusively as possible while delivering the required level of analysis, on one system at a time. Recent backups must be available in the event of a catastrophe. Adequate notice will be given before such scans to allow ABC management the opportunity to notify customers and/or delay or cancel security related activities for any reason.
While the end result of running security software is to minimize the risk of unauthorized intrusion into systems owned by ABC, no guarantees are implied regarding the level of security before or after any security software is run. It is understood that to some degree, any information system is vulnerable to unauthorized access or monitoring.
__________________________
Employee
__________________________
Supervisor
__________________________
Manager