It is the policy of University Bank that no employee, director, or agent of the bank shall accept anything of value from a customer of the bank or a vendor to the bank other than:
• Gifts of a reasonable value based on a family or personal relationship where that relationship is the obvious motivating factor for the gift.
• Meals, refreshments, entertainment, accommodations, or travel arrangements of a reasonable value provided they are in the course of a meeting or occasion, the purpose of which is to hold bona fide business discussions or to foster better relations, and provided that the expense would be paid for by the bank if not paid for by another party.
• Advertising or promotional material with a value of less than $25.00
• Gifts with a value of less than $50.00 related to commonly recognized events, such as a promotion, religious holiday, wedding or retirement
• Discounts or rebates on merchandise or services that do not exceed those available to other customers of the merchant
• Awards for recognition of service or accomplishment from civic, charitable, educational, or religious organizations
No employee, director, or agent of the bank shall solicit anything of value from any customer of the bank or vendor to the bank.
University Bank has adopted a Code of Ethics, which forbids any employee, director, or agent of University Bank from using their bank position for personal gain.
Newly hired employees will be given a copy of the Code of Ethics, which includes guidelines for compliance with the Bank Bribery Act Policy. This Code of Ethics is included in the University Bank/ADP TotalSource Employee Handbook. Employees will sign an acknowledgment of receipt of this handbook.
Ethics and Employee Conduct for Personnel Using Data Processing Resources
STATEMENT OF NEED AND DEFINITION
This policy is designed for University Bank and its subsidiary companies, including but not limited to Midwest Loan Services and University Insurance and Investment Services, referred to individually and collectively as “University Bank” or “the bank.”
The board of directors recognizes that it is essential to develop standards for ethical employee conduct to protect the bank from possible legal claims, computer crimes, and overall breaches of security policy and procedure.
PURPOSE
The purpose of this policy is to provide guidelines for and to encourage ethical employee conduct with respect to certain data processing related activities. Defining these expectations is essential to the success of the overall security program for University Bank. In addition, the board of directors expects that implementation of this policy will reduce the incidence of computer related crime and protect the bank should a legal claim be made against it.
GENERAL GOAL
The general goal of this policy is to provide guidelines for ethical employee conduct with respect to certain data processing activities. Since many of the issues discussed in this policy affect employees in other departments, it should be shared with all affected departments.
SPECIFIC GOALS
This policy has the following goals:
• Establish guidelines for proper use of electronic mail by employees and for proper monitoring of electronic mail activity by management.
• Develop a classification system for information and define related policy for controlling such information.
• Establish guidelines for proper use of copyrighted and licensed software.
• Establish policy to educate employees on computer viruses and on the use of anti-virus software.
• Establish home computer requirements for certain data processing positions.
• Establish policy on alternative work arrangements.
• Provide a sample employee acknowledgment form to help document employee awareness of policy issues.
POLICY ELEMENTS
Authority
The personal computer/local area network (PC/LAN) administrator and the data processing manager have overall responsibility for monitoring compliance with this policy. However, certain responsibilities may be delegated to middle management personnel who are immediately supervising an employee. In addition, the security administrator has responsibility for enforcing and monitoring compliance with certain portions of this policy. Employees found to be in noncompliance with this policy will be subject to disciplinary action, up to and including suspension or dismissal.
Risk Management
The information systems (IS) steering committee, in managing data processing resources including PC/LAN systems, must be aware of the various types of internal risk, particularly those related to staff conduct and ethics. The board of directors and senior management must be aware of the potential risks that may arise. Disruption to operations due to internal fraud, criminal activities, etc., will impact the organization both in the short term and in the future. Different types of risk management techniques should be considered. Management policies and procedures should address data processing staff code of conduct issues, and internal monitoring should offer sufficient scope and coverage to detect these risks. In managing the data processing function through the IS steering committee, the board has evaluated various risks. These risks, and their related management techniques, include:
• Compliance risk. Maintaining legal compliance with various appropriate regulations as well as compliance with the organization’s data processing policies and procedures.
• Transaction risk. Impact on earnings or capital due to problems with service or product delivery. Transaction or operational risk occurs in the delivery of all products and services, and it may be addressed by considering all aspects of information management, including data input, data processing, and data output. Effective management of people, equipment, forms, data files, and other significant elements of data processing, so as to ensure the integrity and viability of data processing, is critical to the customers of the organization and to the viability of the institution.
• Reputation risk. Developing and retaining marketplace confidence that customers’ financial transactions are handled appropriately and within an acceptable time frame, and meeting the emerging needs of the customer base and community, are important to protecting the safety and soundness of the organization.
Definitions
Definitions used in this policy are consistent with terms and acronyms recognized in the data processing industry. It is incumbent on directors and management of the organization to have a familiarity with and understanding of the terms and acronyms to successfully manage the data processing function.
Electronic Mail Practices
Use of electronic mail (e-mail) at University Bank should primarily be for work-related messages. The bank considers all data developed on its systems, including e-mail data, to be property of the bank. Improper use of the e-mail system is a misuse of bank resources.
Executive management may, at their discretion, have access to messages on the e-mail system and may periodically monitor select e-mail transactions. This written policy serves to inform employees that e-mail messages may be monitored.
Classification of Information
University Bank personnel are responsible for the security and control of information belonging to the bank. To define these responsibilities, University Bank has established a classification program for certain classes of information, as discussed below. The originator, or owner of the information, must categorize the data within the following classes:
• University Bank Internal Use Only
Electronic data and information in this category are restricted to use within the bank. Such information may be disclosed or discussed with any University Bank employee. Any intended disclosure outside the bank must receive prior approval by the department manager.
• University Bank Confidential — Sensitive
Electronic data and information in this category are restricted to use by employees who need to know the information to perform their job or assignment. Employees may disclose or discuss this class of information only with other bank employees who also need the information to perform their jobs.
• University Bank Confidential — Classified
Electronic data and information in this category are afforded the highest level of control. This type of information generally has high business sensitivity, and disclosure outside the bank could be extremely detrimental to the bank. Employees with access to this information must have a need to know that is predetermined by the originator or owner of the information. Disclosure to other employees requires prior approval by the originator. Information in this category sent via e-mail should be marked “FOR YOUR EYES ONLY” or some similar statement indicating the high level of security required.
Software Copyrights and License Agreements
University Bank uses various purchased software packages, from complex mainframe packages to programs purchased for use on personal computers. This section of the policy generally refers to software packages purchased for use on personal computers. Software used on mainframe systems is subject to similar restrictions, although the practice of copying such software is not as easy or as common.
Packaged software is generally licensed for use rather than sold outright and is normally protected by copyright laws. All employees must be aware of and conform to copyright laws and software licensing agreements for software packages purchased by the bank, particularly in the case of software packages for personal computers. University Bank has adopted a policy of conforming to the restrictions of the copyright laws and licensing agreements of the software vendors. University Bank does not condone the unauthorized duplication of purchased software. Management considers the practice of illegally copying software to be plagiarism and to be ethically wrong. In general, University Bank restricts use of the software package to the particular computer for which it was purchased.
Employees should be guided by software licensing agreements or contracts, which are often attached to the envelope containing the disks. Such agreements generally allow only a single copy for backup purposes. In other words, the software is limited to one user. Employees should also be aware that although the bank purchases software under stand-alone licenses, it might also purchase a network license, which allows more than one user, such as on the local area network operated at the bank.
University Bank management recognizes the seriousness of violating this policy and that the penalties for noncompliance, with respect to both legal settlements and negative publicity, continue to increase. The bank also understands that a violation of this policy, breach of a licensing agreement, or copyright infringement could expose it to potentially costly litigation. Further, outside groups such as the Software Publishers Association, the Business Software Alliance, and the Federation Against Software Theft, which may prosecute offenders on behalf of their members, may police enforcement of software licensing. Internally, the security administrator bears responsibility for enforcing and monitoring compliance with this section of the policy.
The PC/LAN administrator will perform periodic compliance reviews, which may include the following actions:
• Comparing software inventory records to physical inventory
• Reviewing physical storage of original, licensed software disks
• Reviewing employee awareness and recognition of this policy
• Reviewing software purchasing, inventory, and controls
Computer Viruses
The proliferation of computer viruses, or malicious logic infecting corporate computer systems, continues to increase. It is the policy of University Bank to educate employees on the potential for spreading computer viruses and to ensure that the bank guards against such viruses. The development of a computer virus is considered an unethical activity. These viruses can have various results on computer systems, ranging from harmless changes to severely damaged files or data. University Bank makes available virus detection software packages to scan a computer system for any suspected virus, should any unusual activity occur on a system. Further, anti-virus protection software should be installed on those systems that access other on line systems outside the bank, such as electronic bulletin board services.
Home Computers
For certain employees in the organization, including individuals who perform systems and programming assignments, University Bank considers home computers to be essential for the proper performance of their jobs. Such employees, and those that become subject to such requirements, will receive letters from the PC/LAN administrator or data processing manager notifying them of this requirement and describing the reasons why the purchase and maintenance of a home computer is considered a condition of employment for that position. The letter will include specifications for the required hardware and software systems. University Bank has drafted this section of the policy in such a way as to enable employees to claim tax deductions for the equipment purchased as a required condition of employment.
Work at Home Arrangements
University Bank supports flexible alternative work programs and currently offers work at home arrangements for select positions in the data processing department. Employees participating in these programs are subject to individualized employment arrangements, which will be reviewed on at least an annual basis. These arrangements will cover such items as the following:
• Equipment needs (e.g., computers and phone lines)
• Supervisory monitoring techniques
• Requirements for periodic in-bank workdays and meetings
• Minimum and maximum number of work hours
• Agreements covering on-site employer visits to the home work site
Employees with on line access to the bank’s computer systems must adhere to University Bank’s security policy regarding on line activity. The policy governing the installation and on line use of microcomputers from employees’ homes includes the following elements:
• Screening employees who have this privilege
• Limiting the types of activities employees may perform on line from home computers
• Ensuring strict adherence to separation procedures (e.g., returning equipment and terminating access and passwords)
Consequence for Failure to Follow Policy Guidelines
Inappropriate use or misuse of the Internet privileges afforded a bank employee may ultimately expose the organization to civil and criminal penalties and/or liability. While disciplinary actions may take the form of warnings and reminders, depending on the significance of the abuse of privileges, misuse may result in loss of Internet access privileges. Depending on the level of misuse or severity of the abuse, employment probation or even termination may be a consequence.
Examples of inappropriate or abusive activities include:
• Sending messages that contain computer viruses
• Using data from any system, internal or external, when the employee does not have authority to access the information
• Using another person’s password
• Allowing another person to use your personal password
• Entering other individuals’ e-mail boxes or reading another person’s e-mail without authorization
• Breaking or attempting to break into systems when the employee does not have authorization to access (also commonly referred to as hacking)
• Sending fictitious messages that could be mistaken for official bank statements, marketing, or other materials
• Sending fictitious messages purporting to be from someone else
• Sending or posting confidential bank information outside the bank or forwarding to unauthorized individuals
• Causing copyright violations
• Using abusive or objectionable language in private or public messages
• Sending or posting libelous statements
• Using the bank’s property and Internet access for personal gain, or for non-job-related activities or entertainment
• Sending chain letters or participating in betting pools, schemes, etc.
• Sending threats, harassing messages, or other inappropriate or illegal materials, including materials promoting hate, violence, discrimination, or pornography
• Refusing to cooperate with bank management conducting an authorized, reasonable internal security investigation
If bank employees question whether an action or activity via the Internet would violate this policy, then the employee is required to first request supervisor guidance or directions from the electronic banking coordinator.
Attachment A
Employee Acknowledgment
DP Ethics/Security Responsibilities
I hereby acknowledge that as an employee of University Bank, and by using my user ID and password for any University Bank on line system, I am responsible for understanding and adhering to the ethical and security policies established by the bank. I understand that violations of this policy may be cause for dismissal from the bank. My responsibilities include:
1. Proper control over my password, including:
• Preventing unauthorized use or disclosure of my password
• Changing my password at least every 30 days, as required by University Bank’s security policy
• Randomly selecting passwords that cannot be easily identified with me (e.g., names or initials of family members)
2. Notifying other users if I should learn their password
3. Notifying my manager when I leave employment with University Bank, so that my user ID can be deleted promptly
4. Limiting e-mail use to primarily work-related messages, and being aware that e-mail data are considered bank property and that management may monitor e-mail use
5. Adhering to the policy of control over classified University Bank information
6. Making no unauthorized copies of copyrighted software purchased under a licensing agreement
7. Being aware of computer virus activity and the bank’s policy on the use of anti-virus software
Signature ____________________________ Date ________________________
Name (please print)____________________ Department___________________