Purpose

These Terms of Use (“TOU”) define acceptable and secure use of the information systems of the RIN Services Group (including RIN Identity Services, RIN Network Services and RIN Mail), referred to henceforth as ‘RIN Services’. These systems include Microsoft 365, email, OneDrive, VMware Horizon Virtual Desktop Infrastructure (VDI), internal networks, Zero‑Trust Network Access (ZTNA) remote connectivity, and web hosting infrastructure.
 

1. Scope and Authority

  • This TOU covers all access to and use of RIN Services systems, data, networks, devices, accounts, and hosted services, whether on-premises or cloud.
  • Violations may result in disciplinary action up to and including termination, contract termination, civil liability, and/or criminal referral.
  • This TOU is complemented by the Information Security Policy, Data Protection/Privacy Policy, Password Policy, Incident Response Plan, and related procedures. Where conflicts exist, the stricter control applies.

2. Core Principles

  • Confidentiality: Protect non‑public information from unauthorized disclosure.
  • Integrity: Do not alter or destroy data or systems without authorization.
  • Availability: Use systems responsibly so services remain reliable and performant.
  • Accountability: Actions on corporate systems are attributable to individuals; credentials must never be shared.

3. Use of Microsoft 365 (M365) Services

Email

  • Use corporate email for business purposes; personal use is permitted but must be compliant with this TOU and not pose a risk to the information or systems.
  • Prohibited: phishing, spam, harassment, illegal content, unauthorized forwarding of confidential data, auto‑forwarding to personal accounts.
  • Email is a business record; retention follows the RIN Services records management schedule (or that of the respective sub-organisation, as per the appropriate contract).

OneDrive and SharePoint

  • Store business files in approved locations only (OneDrive/SharePoint/Teams).
  • Do not sync corporate data to unapproved devices or personal cloud storage without approval.
  • External sharing must be limited to the minimum necessary, time‑bound, and approved; use secure sharing settings (e.g., “specific people,” expiration dates, view‑only where feasible).
  • Personal use of this storage is permitted ‘in moderation’ and at the discretion of the Administrator, on the basis that the data poses no risk.

Teams and Collaboration

  • Use official channels and apply appropriate data labels/classification.
  • Do not post confidential information in public or unmanaged spaces.

Data Loss Prevention (DLP) and Monitoring

  • DLP may block or warn on risky actions (e.g., sending sensitive data externally). Users must not circumvent safeguards.

4. VMware Horizon Virtual Desktop Infrastructure (VDI)

  • Access VDI only via approved clients and hardened endpoints. Alternatively, utilise the web-based access client.
  • No local storage of sensitive data outside the VDI unless explicitly authorized.
  • Clipboard, USB redirection, printing, and file transfer may be restricted; do not bypass controls.
  • Log out or disconnect sessions when not in use; lock the VDI when stepping away.
  • Report performance or security anomalies immediately (see Section 14).

5. Acceptable Use of Internal Network Resources

  • Use network resources for legitimate business activities only.
  • Prohibited: unauthorized scanning, sniffing, port probing, rogue access points, man‑in‑the‑middle tools, cryptocurrency mining, media piracy, or hosting unapproved services.
  • Connect only compliant, managed devices with current security patches and endpoint protection.

6. Zero‑Trust Network Access (ZTNA) for Remote Connectivity

  • ZTNA access requires strong authentication (MFA), device health checks, and least‑privilege authorization to specific applications—not broad network access.
  • Do not share ZTNA links, tokens, or session information.
  • Use only approved remote access methods; VPN or remote tools outside ZTNA are prohibited unless explicitly authorized.

7. Acceptable Use of Web Hosting Infrastructure

  • Host only approved applications/content compliant with legal, regulatory, and brand requirements.
  • Keep platforms patched; apply secure configurations, least privilege, and secrets management.
  • Prohibited: storing credentials in code/configs, weak admin portals, unvetted plugins/themes, or direct internet exposure of sensitive services without compensating controls (WAF, MFA, segmentation).

8. Safe Browsing Within the Corporate Environment

  • Access only business‑relevant websites; ad‑blocking, safe browsing filtering, and DNS security may be enforced.
  • Prohibited: adult, extremist, hate, illegal, or unsafe content; circumventing filters; installing unapproved extensions.
  • Be cautious with downloads and macros; verify sources; use sandboxed/open‑in‑protected‑view where applicable.

9. Passwords & Account Management

  • Do not share credentials (including temporary codes or MFA prompts).
  • Use MFA wherever supported; never approve unexpected MFA prompts.
  • Follow the corporate Password Policy (length/complexity, rotation if required, no reuse).
  • Store passwords only in approved enterprise password managers.
  • Immediately change compromised passwords and report suspected account compromise (Section 14).
  • Service accounts, API keys, tokens: store/rotate in approved secrets management and never hard‑code in source.

10. Data Handling & Classification

  • Apply the correct data classification labels (e.g., Public, Internal, Confidential, Restricted).
  • Encrypt sensitive data at rest and in transit; use approved tools (BitLocker, TLS, Azure Information Protection/M365 sensitivity labels).
  • Do not copy restricted data to personal devices or unapproved locations.
  • Use anonymization/pseudonymization for analytics when feasible; minimize personal data collection.

11. Software, Scripts, and Devices

  • Install software only from approved catalogues or with IT Security approval.
  • Prohibited: unlicensed software, unauthorized drivers, kernel/root utilities, packet capture, remote admin tools.
  • Personal devices (BYOD) must meet security baselines; IT may restrict or revoke access if non‑compliant.
  • IoT and lab equipment must be segmented and registered before network use.

12. Use of AI and Third‑Party Cloud Tools

  • Do not input confidential, personal, or proprietary information into non‑approved AI or cloud services.
  • Use only sanctioned AI tools and follow data handling, export controls, and IP guidance.
  • Model outputs must be reviewed for accuracy; do not rely solely on AI for regulated decisions.

13. Privacy, Logging, and Monitoring

  • RIN Services may log, monitor, and audit activities on corporate systems for security, compliance, and operational purposes, consistent with applicable laws and policies.
  • Users have no expectation of privacy on corporate systems except as permitted by law and policy.

14. Cyber Security Incident Reporting

  • All suspected or confirmed security incidents must be reported immediately via the process at:
    https://rinservices.co.uk/cyber-security-incident-reporting/
  • Examples: phishing, malware, lost/stolen device, misdirected email, unauthorized access, suspicious MFA prompts, data leakage, or policy violations.
  • Do not attempt to investigate deeply or remediate alone; preserve evidence and contact IT Security.

15. Records Management, Backups, and Retention

  • Follow retention schedules; do not delete records subject to legal hold or investigations.
  • Backups are for business continuity; do not rely on personal copies or shadow IT storage.

16. Third‑Party Access and Suppliers

  • Third parties must sign appropriate agreements and meet security requirements before access.
  • Use least privilege, time‑bound accounts, and monitor vendor activities.
  • Remove access promptly when no longer needed.

17. Physical Security

  • Protect devices with screen locks, secure storage, and clean desk practices.
  • Report lost or stolen devices immediately (also see Section 14).
  • Do not leave badges or keys unattended; challenge tailgating politely.

18. Enforcement and Sanctions

  • Violations may lead to access revocation, HR action, contractual penalties, regulatory reporting, and legal consequences.
  • Managers must enforce and escalate per HR and Security guidance.

19. Exceptions

  • Request exceptions via the formal risk acceptance process; approvals are time‑limited, documented, and reviewed periodically.

20. Acknowledgment

By using any of the RIN Services Group systems (including RIN Identity Services, RIN Network Services and RIN Mail), you confirm you have read, understand, and agree to comply with this TOU and all related policies and procedures.