Common use of COMPUTER USAGE AND NETWORK ACCESS POLICY Clause in Contracts

COMPUTER USAGE AND NETWORK ACCESS POLICY. In order to comply with Ohio law and to ensure the security and integrity of AGO network resources (e.g. routers, switches, servers, workstations, printers, etc.), the User shall: Acknowledge he/she has been provided with and will comply with the provisions of this Policy; Utilize the AGO’s network resources and any information/data provided therefrom for authorized use only; Use all computer resources, including, but not limited to, equipment, hardware, software, documentation, and data solely for AGO business; Immediately notify the AGO of any proven or suspected unauthorized disclosure or exposure of any AGO data or of information or identity theft; Immediately notify the AGO if a Security Event has occurred or if suspicion of a Security Event has been identified. A Security Event includes, but is not limited to: Any abnormality in the environment that could lead to a compromise of the system integrity or result in disclosure of data, Hack attempts, Malware, Changes in security infrastructure, System failures, Compromised user accounts, and Lost/stolen laptop or media. Promptly notify the AGO of the date of separation if User leaves the employer or if access to AGO networks, applications, systems, and/or AGO data is no longer required. Access to the AGO network may be rescinded for failure to provide such notice; Take all reasonable precautions to prevent the dissemination of User’s credentials by any means, including, but not limited to, not sharing the User’s username and password, not writing down the username and password, etc.;

COMPUTER USAGE AND NETWORK ACCESS POLICY. In order to comply with Ohio law and to ensure the security and integrity of AGO network resources (e.g. routers, switches, servers, workstations, printers, etc.), the User shall: • Acknowledge he/she has been provided with and will comply with the provisions of this Policy; • Utilize the AGO’s network resources and any information/data provided therefrom for authorized use only; • Use all computer resources, including, but not limited to, equipment, hardware, software, documentation, and data solely for AGO business; • Immediately notify the AGO of any proven or suspected unauthorized disclosure or exposure of any AGO data or of information or identity theft; • Immediately notify the AGO if a Security Event has occurred or if suspicion of a Security Event has been identified. A Security Event includes, but is not limited to: o Any abnormality in the environment that could lead to a compromise of the system integrity or result in disclosure of data, o Hack attempts, o Malware, o Changes in security infrastructure, o System failures, o Compromised user accounts, and o Lost/stolen laptop or media. • Promptly notify the AGO of the date of separation if User leaves the employer or if access to AGO networks, applications, systems, and/or AGO data is no longer required. Access to the AGO network may be rescinded for failure to provide such notice; • Take all reasonable precautions to prevent the dissemination of User’s credentials by any means, including, but not limited to, not sharing the User’s username and password, not writing down the username and password, etc.;; • Create a password in compliance with the AGO password criteria set forth below. The AGO reserves the right to change the password criteria from time to time. Compliance with the AGO password criteria will be enforced via automated password authentication or public/private keys with strong pass-phrases. The AGO password criteria are as follows: o Minimum 12 characters, o Must include 3 of the 4: a-z, A-Z, 0-9, and special characters, o Passwords will require being reset based on level of access at the AGO’s discretion, o Passwords must be kept securely by the account owner, and never be shared, o Passwords must not contain sequences 01, 123, abc, etc., o Passwords must not contain properly spelled dictionary words, and o Passwords must not be directly identifiable to the user (e.g. social security number, date of birth, spouse’s name, username, etc.). Password history will be retained for 24 changes to ensure unique passwords. Inactive accounts will be disabled at 90 days, and removed at 120 days. Users of accounts that reach 120 days of inactivity must reapply for an account. • Comply with all applicable network or operating system restrictions, whether or not they are built into the operating system or network, and whether or not they can be circumvented by technical means; • Comply with all federal, Ohio, and any other applicable law, including, but not limited to: Internal Revenue Service Publication 1075 which is based on United States Code Title 26, Section 6103; Ohio Revised Code Chapter 1347; the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the associated omnibus rule to modify the HIPAA Privacy, Security and Enforcement Rules; and the Health information Technology for Economic and Clinical Health (“HITECH”) Act; and • Comply with all applicable contracts and licenses. User shall not: • Move, alter, delete, copy, or otherwise change any information/data stored or contained on AGO networks or computers without express, written authorization by the AGO (e.g. a written agreement, scope of work, or approved vendor quotation). • Leave a computer unattended for any period of time unless it is secured in such a way that the computer cannot be used by any other individual (e.g. sign-off procedure, password protected screen saver, etc.); • Make paper, electronic, or any other copies or reproductions of any AGO information/data or licensed materials, regardless of how the information/data or materials were obtained, without prior authorization from the AGO; • Use an e-mail account, username, or signature line other than the User’s own; • Attempt to represent himself or herself as any individual other than him/herself. This specifically includes, but is not limited to, use of the Internet, e-mail, online service account, or signature line; and • Share any information/data gained through use of AGO networks with anyone outside the AGO without prior authorization from the AGO.