Technology Usage Policy

Post on 25-Feb-2021

TABLE OF CONTENTS

1. Key Takeaways
2. Introduction
3. Information Security
4. Stewardship
5. Legal Compliance
6. Key Links

Objective

Technology is a powerful catalyst for productivity and informed decision-making. It can also bring significant risks for you and the foundation. To maximize its potential while mitigating these risks, the foundation has put into place a Technology Usage Policy that promotes the following outcomes:

• You are supported in doing your best work.

• The foundation, including its information assets, reputation, and relationships with grantees and partners, is protected.

The foundation expects you to be knowledgeable about risks and to use informed good judgment when using technology resources. Inappropriate use of technology or failure to comply with this policy may result in disciplinary action, up to and including termination of employment.

1. Introduction

1.1 Philosophy on Technology Usage

Responsible use of technology in today’s connected world is essential to safeguarding the foundation’s reputation and ability to achieve its mission. Our philosophy is to balance flexible choice and use of technology with information security and stewardship of resources. You are empowered to use technology to maximize your productivity with minimal restrictions. In return, you are expected to use common sense and informed good judgment to make decisions in the best interest of the foundation and to protect our information assets.

The Technology Usage Policy applies to all technology you use to do your work, including personal computers, mobile phones, e-readers, tablets, online services, and hotel kiosks. It does not cover all situations or answer every question regarding technology usage. If you encounter a situation that is not addressed or if you simply have questions regarding this policy, please contact the foundation’s IT Service Desk.

2. Information Security

2.1 Foundation-Issued Devices

Foundation-issued devices are for staff use only, that is, for foundation employees and contingent workers. To perform your job, you may be assigned foundation-issued equipment, such as a computer or mobile phone. You are responsible for the equipment issued to you and its use. Due to the risk of theft or potential loss/compromise of foundation data, you should always exercise caution if leaving your equipment unattended.

Foundation-issued equipment is configured with a number of safeguards. These may include anti-malware protection software, screen locking, firewalls, automatic software patching, and encryption. It is essential for the security of the foundation that these safety mechanisms remain enabled and functional as configured by IT. Contact the IT Service Desk as soon as possible if you believe that one of these safeguards is not functioning properly.

2.2 Non-Foundation Devices

You may access certain foundation systems and information from non-foundation devices through specific IT services designed to enhance your productivity, mobility, and ease of use. Information about these services, including specific terms and conditions, may be found in the Any Device, Anywhere section of the IT Portal. If you utilize these services, it is your obligation to understand and comply with the terms and conditions.

2.3 Information Access and Storage

You are expected to use informed good judgment in managing the foundation’s information to ensure protection against unauthorized disclosure or use. Where and how information may be stored and used is dependent on its sensitivity – that is, the ability of the unauthorized disclosure or use to cause harm to the foundation. Please refer to the Data Storage Guideline for more information.

An important step in protecting foundation information is preventing unauthorized parties from accessing the systems that store our information. Based upon your role at the foundation, you are assigned credentials that grant you the access necessary to perform your job. Your credentials provide access to your confidential personal information, such as HR data, as well as confidential foundation data. For these reasons, you must never share your credentials with anyone, including co-workers and IT Service Desk professionals. These credentials are for your use only, and you are responsible for their safekeeping.

In particular, be aware of phishing scams, in which fraudulent sites or email lure people into submitting confidential information (e.g., passwords). Refer to the Awareness Guide – Phishing Attack document to learn more about phishing attacks. If you believe your credentials have been compromised, contact the IT Service Desk immediately.

Also, do not reuse foundation passwords on external web sites or services. This puts the foundation at unnecessary risk if the site or service is compromised. Refer to the Password Management Guideline for best practices on creating and managing secure passwords.

2.4 Monitoring of Electronic Content, Electronic Communications, and System Use

It is not the foundation’s regular practice to monitor electronic content, electronic communications, or system use. However, the foundation reserves the right to perform such monitoring as it deems necessary. Monitoring may be performed without notification to support activities such as operational maintenance, auditing, and security on both foundation-owned and non-foundation (e.g., personal) devices that are used for foundation work. Monitoring may also be performed to understand how you use digital productivity tools and find ways to make them more accessible.

2.5 Awareness of Environment and Information Disclosure

In order to prevent the inadvertent disclosure of confidential or sensitive information, consider your surroundings when you engage in discussions or work on sensitive documents, whether in person or online. Be particularly careful in airports, airplanes, restaurants, and other public venues. Without knowing it, you may inadvertently disclose information if people overhear your conversations or view information within your control.

Keep in mind that it is extremely difficult to use the Internet (including web browsing) anonymously. If you visit a website, your activity on that website may be traced back to you or the foundation. Additionally, any information you input into that website can be collected and used to learn about your web surfing patterns and habits. In the case of controversial topics, this information can be used to build profiles and help malicious users exploit the foundation by potentially damaging its reputation or stealing important foundation information.

3. Stewardship

Stewardship at the foundation applies not only to money, but to the use and security of technology and information.

3.1 Personal Use of Foundation Technology Resources

You are ultimately accountable for all activity that originates from your use of foundation technology. The foundation takes no steps to maintain, retain, back up, or return personal data. You should not store sensitive or confidential personal information on foundation resources.

Permitted use of foundation technology resources does not extend to individual political activities, which should occur during off-duty hours, at your expense and without use of the foundation’s name, resources, facilities, technology or equipment. More information about these prohibited political activities may be found in the Conflict of Interest Policy.

Your Gates Foundation email address is the property of the foundation. As such, please use discretion when sending email from this address.

• Gates Foundation email must not be used for signing personal, legally binding documents (including DocuSign or similar technologies) or to communicate with outside attorneys on personal/non-foundation business.

• Foundation email must not be used to conduct non-foundation business transactions (e.g., mobile app store purchases, content streaming sites and e-retailers).

3.2 Physical Loss

You should treat foundation-issued equipment with care. If you believe any of your foundation-issued equipment has been lost or stolen, contact the IT Service Desk immediately. IT will work with you to assess the information lost and help you to take the necessary steps to recover the data or prevent it from falling into the wrong hands.

3.3 Software and Technology Services Not Provided by IT

The freedom to install software and to use external technology services is a significant privilege that carries significant responsibility.

If you install software or use external technology services on a foundation-issued device or on a personal device used for foundation business, you must understand the associated risks. Unpatched software is a common source of viruses and other malware, which pose a threat to the foundation’s information assets. Software written by untrustworthy authors can result in loss of confidential data or system compromise. Use of online services can result in unintended disclosure or even loss of foundation information assets.

You are responsible for managing these risks, including ensuring that the software or service is properly licensed (see Section 4.2) and kept current with security patches. If the software has an auto-update function, consider enabling it.

Procurement of software and technology services must be in accordance with the foundation’s Travel and Expense Policy.

4. Legal Compliance

You are required to use technology resources in accordance with all applicable laws and foundation policies.

4.1 Records Management

The foundation has a Records Management Policy that requires you to manage records under your control. Records disposition includes the identification, retention, preservation, and disposal of electronic and physical records as part of your day-to-day work. You are responsible for ensuring your use of technology complies with the foundation’s Records Management Policy.

In no event are you permitted to delete or destroy data that may be relevant to a pending or threatened claim or government investigation.

4.2 Licensing and Copyright Laws

When installing or using software not provided by the foundation, you must ensure that the software is properly licensed. This also applies to copyrighted materials, including music, pictures, videos, and movie files, as well as written media. Contact the Legal Department with questions about copyrighted material and the IT Service Desk with questions about software licensing.

4.3 Electronic Content and Messaging

You are encouraged to use electronic messaging technologies to facilitate the exchange of information and to promote collaboration at the foundation. However, you may not send, download, store, or forward electronic messages or other electronic content containing offensive language, images, sound clips, or harassing statements. This includes but is not limited to disparagement of others or inappropriate content based on race, sex, sexual orientation, religion, caste, creed, national origin, age, disability, marital or veteran status, or any other protected status. Please refer to the foundation’s Online Social Media Policy for additional information about online communication.

4.4 Recording of Video, Web, or Telephone Conferences

Before recording any meeting or telephone conference, you should determine whether recording the meeting session is appropriate. Further, to comply with privacy laws, you or the person recording must inform all presenters and participants that the recording is taking place prior to the start of the meeting by providing the following announcement:

IMPORTANT NOTICE: This meeting is being recorded by the foundation. Any documents and other materials exchanged or viewed during the meeting session may also be recorded. By joining the meeting, you consent to such recording. If you do not consent to the recording, you have the option not to participate in the meeting.

5. Key Links

Any Device, Anywhere

Awareness Guide – Phishing Attack

Conflict of Interest Policy

Data Storage Guideline

Email Management Standards

IT Service Desk

Legal Department

Online Social Media Policy

Password Management Guideline

Records Management Policy

Travel and Expense Policy

The foundation hopes that you have a productive, secure, and enjoyable computing experience. For any questions, please contact the IT Service Desk, or call 206.709.3545.

Policy: Records Management Approved by: Connie Collingsworth Revision Date: April 30, 2015

Records Management Policy

Records exist in a variety of forms, including physical and electronic. The foundation produces, receives, stores and disposes of a large number of records in the normal course of its ongoing activities. The foundation must manage and dispose of its records in order to ensure compliance with legal requirements, respond to internal and external inquiries, preserve our institutional knowledge and history, and operate efficiently.

Accordingly, it is the policy of the Bill & Melinda Gates Foundation to ensure its records are (i) properly identified and retained for the time periods needed to support the foundation’s operations and comply with legal requirements, and (ii) disposed of in a responsible and timely manner. The responsibilities in this Records Management Policy and Procedures apply to all foundation staff and/or agents who create, receive, manage or maintain custody or control of records of the Bill & Melinda Gates Foundation and its wholly owned affiliates: IRIS Holdings LLC, Gates Philanthropy Partners, and the Bill & Melinda Gates Foundation Trust.

Inquiries

Any questions regarding this Policy should be directed to legal@gatesfoundation.org.

Records Management Procedures

1.0 Definitions

Active Business Record: A Business Record needed to perform current foundation business/operations, subject to frequent use, and typically easily accessible to the relevant foundation employee(s). Examples include an active investment tax file, current strategy document, or active employee personnel file.

Business Record: The official copy of a record that has business or legal significance to the foundation, based on its content and context, and needs to be preserved to meet business or legal requirements. Business Records are identified on the Records Retention Schedule by department and office.

Compliance Team: Members of the Legal, IT and Facilities departments and a foundation-wide team of Records Administrators.

Electronic Record: A record in digital form (e.g., email, Microsoft Office suite files, Adobe files) generated and used by electronic information systems (e.g., Outlook, SharePoint, Unison, ICS, Workday, Concur, network drives), or information technology devices (e.g., laptop, tablet, phone).

Disposal: Secure, permanent deletion or destruction of records so that information cannot be recovered and data cannot be reproduced by the foundation or, if historically significant, transfer of records to the Gates Archive for permanent preservation.

Disposal Notice: An annual notice sent to all employees as a reminder that (a) certain Outlook records will be automatically deleted upon the stated Disposal date (generally 28 days following the Disposal Notice) according to the Email Management Standards as well as eligible tagged Business Records in ICS, Unison and SharePoint; and (b) they must identify and Dispose of all untagged Business Records that have met their Retention Period and all Non-Business Records that are no longer useful.

Gates Archive: An external partner to the foundation whose purpose is to identify, catalog, preserve and curate records that have historical significance to the foundation and the Gates family.

Inactive Business Record: A Business Record that is related to completed activities or is no longer needed to conduct current foundation business, but must be preserved until it meets the end of its retention period to fulfill legal or business requirements. Examples include a closed investment tax file, paid invoice, final annual report, or personnel file for an employee who has left the foundation.

Legal Hold: Procedure used by the Legal department, via a notice sent to specified employees or others, to temporarily cease modification or Disposal of identified records, even though they otherwise may be eligible for Disposal.

Legal Hold Release: Procedure used by the Legal department, via a notice sent to specified employees or others, to release the Legal Hold of identified records so that they revert back to their normal operating status and Retention Period.

Non-Business Record: A record that does not have business or legal significance to the foundation and does not need to be retained once it is no longer useful. Examples include working documents, convenience copies, duplicates, drafts, email, and records that may be useful but do not provide formal evidence of a foundation business activity or outcome.

Physical Record: A record in paper or other tangible form which takes up physical space (e.g., paper, photograph, DVD).

Recordkeeping System: A hard copy or electronic repository designated as the official place of deposit for housing, storing, maintaining, and providing access to a specified Business Record in compliance with law and established business practices. Recordkeeping Systems can be physical (e.g., file cabinets or off-site storage) or electronic (e.g., SharePoint, Unison, ICS or vendor-hosted electronic information systems) and are specifically designated for optimum protection and storage capacity.

Records Administrator: A foundation staff person who is assigned to coordinate Records Management administration within his or her department. The Records Administrator works with the Compliance Team and his or her department personnel to support or manage records Disposal, Legal Holds and Releases, offsite and vendor-provided storage, and the foundation’s Records Retention Schedule.

Records Management: The process of managing records in a cost-effective and legally-compliant manner. The foundation is required by law and foundation business requirements to retain certain Business Records for a specific Retention Period and, once that time has passed, Dispose of those records in a timely and consistent manner. Foundation records must be managed regardless of their format, media, or storage location.

Records Retention Schedule: The approved list of all foundation Business Record types, including their description, Retention Period, and designated Recordkeeping System.

Retention Period: The period of time for which Inactive Business Records are to be retained prior to routine Disposal, as identified in the Records Retention Schedule. The Retention Period begins from the date a Business Record becomes inactive. For example, if the required Retention Period for invoices is 7 years, then invoices should be retained for 7 years from the date they were paid (i.e., the date they became Inactive Business Records).

Retention Policy Tag: A tool available in Outlook, SharePoint, ICS, and Unison which enables staff to automate records preservation and Disposal by incorporating Retention Period metadata into Electronic Records.

2.0 Managing Business Records and Non-Business Records

Business Records must be identified, classified, and retained for the applicable Retention Period, in the designated Recordkeeping Systems, and then permanently Disposed of in a timely and consistent manner. Non-Business Records may be retained while still useful and then Disposed of when they are no longer useful.

These procedures apply to:

• All foundation records created or received in conjunction with foundation programs and operations, IRIS Holdings LLC, Gates Philanthropy Partners, and the Bill & Melinda Gates Foundation Trust.

• All locations where foundation records are maintained, regardless of format or media, including with vendors, in regional offices, at offsite storage locations, and on personal electronic devices.

• All forms of foundation staff (including employees and contingent workers), contractors, consultants, outsourced service providers, vendors, and agents who create, receive, and manage foundation records.

2.1 Records Retention

Once a Business Record becomes an Inactive Business Record, the specified Retention Period begins and, for the duration of the Retention Period, the foundation must retain the Business Record in the specified Recordkeeping System. Non-Business Records should be retained for as long as they are useful.

2.2 Records Disposal

The Legal department will issue an annual Disposal Notice. Within the time frame stated in the Notice, generally within 28 days, each staff member must take the following steps to ensure Disposal of all Business Records whose Retention Periods have expired and Non-Business Records that are no longer useful:

• Physical Records stored on or off site: Each staff member will identify and Dispose of physical Business Records in his or her control for which the Retention Period has expired, and physical Non-Business Records that are no longer useful.

• Electronic Records in SharePoint, Unison and ICS: IT will Dispose of Business Records in accordance with their assigned Retention Policy Tags. Each staff person shall identify and Dispose of Non-Business Records which are no longer useful.

• Electronic Records in Network Drives, Hard Drives, Phones, Thumb drives, CDs, and Personal Electronic Devices: Each staff person shall identify and Dispose of Non-Business Records which are no longer useful.

• Electronic Records in Vendor-Hosted Electronic Information Systems (e.g., Workday, Great Plains, BrassRing, Concur): Records Administrators shall provide a Disposal Notice to vendors who may host or store their department’s electronic records.

• Email: IT will ensure deletion of certain Outlook records (e.g., email, conversation history) as established by the Email Management Standards. Each staff person shall identify and Dispose of Outlook items which are no longer useful.

In order to protect the foundation’s legal interests, to the best of our ability, Disposal must be performed in a defensible, timely and consistent manner and in accordance with these Procedures. Transferring or duplicating records to circumvent Disposal is prohibited. Disposal of Business Records prior to the expiration of their Retention Period is prohibited. Persons engaging in such actions may be subject to disciplinary actions, up to and including dismissal.

3.0 Legal Hold and Legal Hold Release

When there is a possibility of litigation, audit, or governmental investigation involving the foundation, Disposal of records associated with the inquiry or potential inquiry must be suspended immediately and the records become subject to a Legal Hold. Records subject to a Legal Hold cannot be modified or Disposed of even when otherwise specified by the Records Retention Schedule. Disposing of, discarding, withholding, or altering records pertinent to an audit, litigation or governmental investigation is a crime. Persons found guilty of such actions may be subject to disciplinary actions, up to and including dismissal.

The Legal department will notify all relevant staff of a Legal Hold, identify for them the types of records affected, and assist, as needed, with their preservation obligations. The Legal department will similarly notify all relevant staff of a Legal Hold Release, at which time the subject records are released from Legal Hold. Staff who receive this notice should review the subject records for Disposal no later than the next Disposal Notice. The Legal Department has sole authority to issue a Legal Hold or Legal Hold Release.

4.0 Records Retention Schedule

The Legal department will work with the Records Administrators to periodically review the Records Retention Schedule to identify and incorporate any necessary modifications or updates.

5.0 Records Management Organization

The Compliance Team is responsible for managing execution and compliance with the Records Management Policy and Procedures.

Questions about the Records Management program should first be directed to the appropriate Records Administrator. If the Records Administrator should need assistance in responding to an inquiry, the Records Administrator should contact legal@gatesfoundation.org.