Introduction

The Information Security department of EnterpriseWizard is responsible for defining, implementing, and enforcing security policy as well as coordinating other IT functions necessary for the smooth-running and secure operation of company and client resources and protection of data.

here

Risk Assessment Policy

1.0 Purpose

To empower Information Security to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.

2.0 Scope

Risk assessments can be conducted on any entity within EnterpriseWizard or any outside entity that has signed a Third Party Agreement with EnterpriseWizard. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.

3.0 Policy

The execution, development and implementation of remediation programs are the joint responsibility of Information Security and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the Information Security Risk Assessment Team in the development of a remediation plan.

4.0 Risk Assessment Process

For additional information, go to the Risk Assessment Process.

5.0 Enforcement

Any employee found to have violated this policy is subject to disciplinary action, up to and including termination of employment.

Definitions

Term Definition

Entity

Any business unit, department, group, or third party, internal or external to EnterpriseWizard, responsible for maintaining EnterpriseWizard assets.

Risk

Those factors that could affect confidentiality, availability, and integrity of EnterpriseWizard’s key information assets and systems. Information Security is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon business productivity.

Secure Channel

Out-of-band console management or channels using strong encryption. Non-encrypted channels must use strong user authentication (one-time passwords).

Spam

Unauthorized and/or unsolicited electronic mass mailings.

Un-Trusted Network

Any network firewalled off from the corporate network to avoid impairment of production resources from irregular network traffic (lab networks), unauthorized access (partner networks, the Internet etc.), or anything else identified as a potential threat to those resources.

EnterpriseWizard Application Policies

In addition to compliance with other policies, the EnterpriseWizard applications, and the servers dedicated to this function, have a number of features designed to enhance security and reliability. These features are detailed in this section.

Non-essential Ports Closed

• Port 80: Access only allowed over HTTPS (HTTP over SSL version 2 or 3). Some KnowledgeBases may require end user access through port 80. In this case EW should not allow staff or admin logins over port 80.
• Port 8080: Access is closed from any IP address outside the machine (EW installation redirects between the web server and Tomcat for EW access and closes access to services such as JMX on port 8080 automatically).
• Database Port: EW communicates with a database installed on the same machine via a named pipe.

Authentication and Integrity

EnterpriseWizard uses login names and passwords to authenticate users against a standard server such as LDAP or the internal user table. Unique IDs for each user should be created to establish individual accountability. Authorization is controlled by highly granular group permissions that control access to table, record, and field levels. Accounts with extremely limited privileges can easily be created to support data input from untrusted users. Users communicate with the system using strong SSL encryption to ensure privacy. Login sessions are automatically expired and terminated after a period of inactivity.

Hyperlinks generated by EnterpriseWizard that include implicit authentication are secured by a public key encryption algorithm and have an expiration time embedded.

Audit trails are provided at the record and field level for changes to both the data and metadata. Integrity is maintained at both a physical level through a transactional database with foreign key integrity constraints and at the business/logical level through an active integrity manager.

Server Host Security

Hosted EnterpriseWizard Knowledge Bases are on servers dedicated to that function, and run under a secure Linux release. The server only has EnterpriseWizard hosting and maintenance services enabled and is further protected by a firewall and a “defense-in-depth” layering of security features including running all services and monitoring with minimum privileges, if possible in chroot jails, and by limiting maintenance access and file transfer to and from the server to logged, encrypted connections from specific IP addresses. Both remote and physical access is limited to specifically authorized personnel. Servers are monitored closely for signs of unusual activity. Security patches and updates are kept up to date with all security advisories. Servers are housed in a commercial data center (XO Communications) providing a high level of physical security and reliability. System backups are performed nightly.

The only software and services installed are those required by the installation, logging and audit information is increased and the kernel is patched if necessary, fire walling and individual services are configured to provide limited or local access only to appropriate network interfaces and IP addresses; unnecessary startup scripts and cron activities disabled, and security checksumming is done on vulnerable programs and files.

Related systems used for backup or providing other services (SMTP, DNS, etc.) are secured similarly, appropriate to the services provided.

Data Separation

Protections are in place to ensure that data from different clients hosted on one server are kept distinct and separate. In some case we may dedicate an entire server to a customer with particularly strict requirements.

Backup, Failover, and Disaster Recovery

Every knowledgebase is backed up on a daily basis according to the standard pattern and stored on at least two redundant servers and optionally on tape or disc media. If the customer has a dedicated server, a knowledgebase can also be made available for daily downloads to their facility.

The data is recovered by importing the knowledgebase onto an active server.

Redundant server configurations are also available whereby the data is mirrored onto a fail-over redundant server in real time via a dedicated 1 GB connection. The master and slave servers communicate via a heart-beat and the slave is configured to automatically take over from the master in the event that it dies.

The entire system, that is all of the data, customizations, scripts, permissions, etc. are restored from the knowledgebase backup file and can be put back into active use in the time it takes to import the knowledgebase (this depends on KB size and machine speed, but typically is less than an hour).

Disaster recovery consists simply of restoring this file from backup. The only variables are whose server it is restored to and from what location. These depends upon the specific customer contract.

If requested, we are willing to provide a dedicated backup server for installation at the customer’s facility or a third party facility for use in the event of a disaster such as a major earthquake.

Internet Equipment Policy

1.0 Purpose

The purpose of this policy is to define standards to be met by all equipment owned and/or operated by EnterpriseWizard located outside EnterpriseWizard’s corporate Internet firewalls. These standards are designed to minimize the potential exposure to EnterpriseWizard and EnterpriseWizard’s clients from the loss of sensitive or company confidential data, intellectual property, damage to public image etc., which may follow from unauthorized use of EnterpriseWizard resources.

Devices that are Internet facing and outside a EnterpriseWizard firewall are subject to this policy. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside outside the corporate firewalls.

The policy defines the following standards:

• Ownership responsibility
• Secure configuration requirements
• Operational requirements
• Change control requirement

2.0 Scope

All Internet-facing equipment or devices owned and/or operated by EnterpriseWizard (including hosts, routers, switches, etc.) and/or registered in any Domain Name System (DNS) domain owned by EnterpriseWizard must follow this policy.

This policy also covers any host device outsourced or hosted at external/third-party service providers, if that equipment resides in the “EnterpriseWizard.com” domain or appears to be owned by EnterpriseWizard.

All new equipment that falls under the scope of this policy must be configured according to the referenced configuration documents, unless a waiver is obtained from Information Security. All existing and future equipment deployed on EnterpriseWizard’s un-trusted networks must comply with this policy.

3.0 Policy

3.1. Ownership and Responsibilities

Equipment and applications within the scope of this policy must be administered by Information Security for system, application, and/or network management, and will be responsible for the following:

• Equipment must be documented in the corporate wide enterprise management system. At a minimum, the following information is required:
  • Host contacts and location.
  • Hardware and operating system/version.
  • Main functions and applications.
  • Password groups for privileged passwords.
• Network interfaces must have appropriate Domain Name Server records (minimum of A and PTR records).
• Password groups must be maintained in accordance with the corporate wide password management system/process.
• Immediate access to equipment and system logs must be granted to members of Information Security upon demand, per the Risk Assessment Policy.
• Changes to existing equipment and deployment of new equipment must follow and corporate governess or change management processes/procedures.

To verify compliance with this policy, Information Security will periodically audit equipment per the Risk Assessment Policy.

3.2. General Configuration Policy

All equipment must comply with the following configuration policy:

• Information Security as part of the pre-deployment review phase must approve hardware, operating systems, services and applications.
• Operating system configuration must be done according to the secure host and router installation and configuration standards.
• All patches/hot-fixes recommended by the equipment vendor and Information Security must be installed. This applies to all services installed, even though those services may be temporarily or permanently disabled. Administrative owner groups must have processes in place to stay current on appropriate patches/hotfixes and to be notified of security vulnerability advisories.
• Services and applications not serving business requirements must be disabled.
• Trust relationships between systems may only be introduced according to business requirements, must be documented, and must be approved by Information Security.
• Access control lists must restrict services and applications not for general access.
• Insecure services or protocols (as determined by Information Security) must be replaced with more secure equivalents whenever such exist.
• Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH, SSL, or IPSEC) or direct console access. When possible, a highly secure cipher such as 256-bit AES shall be employed. Where a methodology for secure channel connections is not available, one-time passwords (DES/SofToken) must be used for all access levels.
• All host content updates and backups must occur over secure channels. Host content updates shall be initiated by the receiving system, and backups shall be initiated by the sending system.
• Security-related events must be logged and audit trails saved to Information Security-approved logs. Security-related events include (but are not limited to) the following:
  • User login failures.
  • Failure to obtain privileged access.
  • Access policy violations.
• Information Security will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.

3.3. New Installations and Change Management Procedures

All new installations and changes to the configuration of existing equipment and applications must follow the following policies/procedures:

• New installations must be done via procedures approved for the equipment and/or software.
• Configuration changes must follow the Corporate Change Management (CM) Procedures.
• Information Security must be invited to perform system/application audits prior to the deployment of new services.
• Information Security must be engaged, either directly or via CM, to approve all new deployments and configuration changes.

3.4 Monitoring and Backups

• Regular backups of data to separate physical locations shall occur as follows:
  • Monthly full backups, retained for a minimum of 2 years. Certain backup sets, such as customer data, can be written to inexpensive non-reusable media (such as DVD-R) and retained indefinitely.
  • Weekly full backups, retained for at least 1 month.
  • Daily incremental backups, retained for at least 1 month.
• All security-related events on critical or sensitive systems must be logged and audit trails saved with backups. Security-related logs shall be kept online for a minimum of 1 week.
• Detection software such as logwatch on Linux should be employed and monitored to increase awareness of threats.
• File integrity management tools, such as tripwire on Linux, should be employed to maintain system file integrity. Database integrity should also be checked regularly using the appropriate tools.

3.5 Compliance

• Audits will be performed on a regular basis by authorized organizations within EnterpriseWizard.
• The internal audit group or Information Security, in accordance with the Audit Policy, will manage audits. Information Security will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification.
• Every effort will be made to prevent audits from causing operational failures or disruptions.

3.6. Incident Response

Security-related events will be reported to Information Security. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:

• Port-scan attacks
• Worm attacks
• Evidence of unauthorized access to privileged accounts
• Anomalous occurrences that are not related to specific applications on the host

Customers are notified of security-related events as soon as they are detected, usually within two hours.

Incidents are managed via an EnterpriseWizard workflow with voice and email communication points to customers for responses and notifications. An EW table contains standard fields to log incidents and allow attachment of relevant low-level log files, etc.

3.7. Equipment Outsourced to External Service Providers

The responsibility for the security of the equipment deployed by external service providers must be clarified in the contract with the service provider and security contacts, and escalation procedures documented.

4.0 Enforcement

Any employee found to have violated this policy is subject to disciplinary action, up to and including termination of employment.

External service providers found to have violated this policy is subject to financial penalties, up to and including termination of contract.

Password Policy

1.0 Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of EnterpriseWizard’s entire corporate network. As such, all EnterpriseWizard employees (including contractors and vendors with access to EnterpriseWizard systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any EnterpriseWizard facility, has access to the EnterpriseWizard network, or stores any non-public EnterpriseWizard information.

4.0 Policy

4.1 General

• All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.
• All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months.
• User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
• Passwords must not be inserted into email messages or other forms of electronic communication.
• Where SNMP is used, the community strings must be defined as something other than the standard defaults of “public,” “private” and “system” and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
• All user-level and system-level passwords must conform to the guidelines described below.

4.2 Expiration/Termination

Passwords and other access methods shall be removed or disabled when no longer necessary, and immediately when an individual no longer has authorized access, such as termination of employment.

4.3 Guidelines

A. General Password Construction Guidelines

Passwords are used for various purposes at EnterpriseWizard. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:

• The password contains less than eight characters
• The password is a word found in a dictionary (English or foreign)
• The password is a common usage word such as:
  • Names of family, pets, friends, coworkers, fantasy characters, etc.
  • Computer terms and names, commands, sites, companies, hardware, software.
  • Company names, city names, or any derivation.
  • Birthdays and other personal information such as addresses and phone numbers.
  • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelled backwards.
  • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:

• Contain both upper and lower case characters (e.g., a–z, A–Z)
• Have digits and punctuation characters as well as letters e.g., 0–9, !@#$%^&*()_+|~-=\{}[]:";'<>?,./)
• Are at least eight alphanumeric characters long.
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Passwords should never be written down or stored online. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: “This May Be One Way To Remember” and the password could be: “TmB1w2R!” or “Tmb1W>r~” or some other variation.

NOTE: Do not use either of these examples as passwords!

B. Password Protection Standards

Do not use the same password for EnterpriseWizard accounts as for other non-EnterpriseWizard access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don’t use the same password for various EnterpriseWizard access needs. For example, select one password for the Engineering systems and a separate password for IT systems. Also, select a separate password to be used for an NT account and a UNIX account.

Do not share EnterpriseWizard passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential EnterpriseWizard information.

Here is a list of “don’ts”:

• Don’t reveal a password over the phone to ANYONE
• Don’t reveal a password in an email message
• Don’t reveal a password to the boss
• Don’t talk about a password in front of others
• Don’t hint at the format of a password (e.g., “my family name”)
• Don’t reveal a password on questionnaires or security forms
• Don’t share a password with family members
• Don’t reveal a password to coworkers while on vacation

If someone demands a password, refer them to this document or have them call someone in the Information Security Department.

Do not use the “Remember Password” feature of applications (e.g., Eudora, Outlook, Netscape Messenger).

Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.

Change passwords at least once every six months (except system-level passwords which must be changed quarterly). The recommended change interval is every four months.

If you suspect that an account or password has been compromised, report the incident to Information Security and change all passwords.

Password cracking or guessing may be performed on a periodic or random basis by Information Security or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.

C. Application Development Standards

Application developers must ensure their programs contain the following security precautions. Applications:

• Should support authentication of individual users, not groups.
• Should not store passwords in clear text or in any easily reversible form.
• Should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
• Should support TACACS+ , RADIUS and/or X.509 with LDAP security retrieval, wherever possible.

D. Use of Passwords and Passphrases for Remote Access Users

Access to the EnterpriseWizard Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

E. Passphrases

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to “unlock” the private key, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against “dictionary attacks.”

A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase:

“The*?#>*@TrafficOnThe101Was*&#!#ThisMorning”

All of the rules above that apply to passwords apply to passphrases.

5.0 Enforcement

Any employee found to have violated this policy is subject to disciplinary action, up to and including termination of employment.

Acceptable Use Policy

1.0 Overview

Information Security’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to EnterpriseWizard’s established culture of openness, trust and integrity. Information Security is committed to protecting EnterpriseWizard’s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of EnterpriseWizard. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies for further details.

Effective security is a team effort involving the participation and support of every EnterpriseWizard employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at EnterpriseWizard. These rules are in place to protect the employee and EnterpriseWizard. Inappropriate use exposes EnterpriseWizard to risks including virus attacks, compromise of network systems and services, and legal issues.

3.0 Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at EnterpriseWizard, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by EnterpriseWizard.

4.0 Policy

4.1 General Use and Ownership

• While EnterpriseWizard’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of EnterpriseWizard. Because of the need to protect EnterpriseWizard’s network, management cannot guarantee the confidentiality of information stored on any network device belonging to EnterpriseWizard.
• Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.
• Information Security recommends that any information that users consider sensitive or vulnerable be encrypted. For guidelines on information classification, see Information Security’s Information Sensitivity Policy. For guidelines on encrypting email and documents, go to Information Security’s Awareness Initiative.
• For security and network maintenance purposes, authorized individuals within EnterpriseWizard may monitor equipment, systems and network traffic at any time, per Information Security’s Audit Policy.
• EnterpriseWizard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4.2 Security and Proprietary Information

• The user interface for information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, research data, and clients’ data. Employees should take all necessary steps to prevent unauthorized access to this information, including the removal of such information from plain view in work areas when not present.
• Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly; user level passwords should be changed every six months.
• If possible, passwords should be memorized and not stored in any machine-readable form. If written down, passwords should be maintained within the physical control of individuals and never in plain view around work areas.
• Use encryption of information in compliance with Information Security’s Acceptable Encryption Use policy.
• Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the “Laptop Security Tips”.
• Postings by employees from a EnterpriseWizard email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of EnterpriseWizard, unless posting is in the course of business duties.
• All hosts used by the employee that are connected to the EnterpriseWizard Internet/Intranet/Extranet, whether owned by the employee or EnterpriseWizard, shall be continually executing approved virus-scanning software with a current virus database. Unless overridden by departmental or group policy.
• Employees must use extreme caution when opening email attachments received from unknown senders, which may contain viruses, email bombs, or Trojan horse code.

4.3. Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is an employee of EnterpriseWizard authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing EnterpriseWizard-owned resources.

The lists below are by no means exhaustive, but attempt to provide a framework for activities that fall into the category of unacceptable use.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

• Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by EnterpriseWizard.
• Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which EnterpriseWizard or the end user does not have an active license is strictly prohibited.
• Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
• Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).
• Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
• Using an EnterpriseWizard computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
• Making fraudulent offers of products, items, or services originating from any EnterpriseWizard account.
• Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
• Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
• Port scanning or security scanning is expressly prohibited unless prior notification to Information Security is made.
• Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
• Circumventing user authentication or security of any host, network or account.
• Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
• Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.
• Providing information about, or lists of, EnterpriseWizard employees to parties outside EnterpriseWizard.

Email and Communications Activities

• Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
• Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
• Unauthorized use, or forging, of email header information.
• Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
• Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
• Use of unsolicited email originating from within EnterpriseWizard’s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by EnterpriseWizard or connected via EnterpriseWizard’s network.
• Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

5.0 Enforcement

Any employee found to have violated this policy is subject to disciplinary action, up to and including termination of employment.