Information Security Acceptable Use Policy

I. APPROPRIATE USE
It is the responsibility of each Authorized User to take the following steps as a condition of
employment and to ensure Company resources are utilized properly:
1. Read, understand, and maintain compliance with Company confidentiality
requirements.
2. Read and understand information security policies and procedures as required.
3. Complete security training relative to their job function or role.
4. Identify and report security incidents.
5. Access only those Information Assets that are required by their job
responsibilities.
6. Comply with all state and federal copyright laws, regulations and licensing
requirements.

A. Internet / E-mail / Data


1. Never visit Internet sites that contain obscene, hateful or otherwise objectionable
materials.
2. Never use the Internet, e-mail or instant messaging for purposes other than Company
business or reasonable personal use.
3. Never send or solicit e-mails or instant messages that are unrelated to business
activities or reasonable personal use, or solicit non-company business for personal
gain or profit.
4. Never use the Internet, e-mail or instant messaging for gambling or illegal activities.
5. Never download any software or electronic files without implementing virus
protection measures that have been approved by the company.
6. Never send or forward electronic chain letters.
7. Never browse or use data files for unauthorized or illegal purposes.
8. Never use data files for private gain or to misrepresent themselves, clients or the
Company.
9. Never make any disclosure of data that is not specifically authorized.
10. Never duplicate any data files, create sub-files of such records, remove or transmit
data unless the user has been specifically authorized to do so.
11. Never intentionally interfere with normal operation of the network by using the
internet, e-mail or instant messaging, including propagation of computer viruses, or
sustained high volume of network traffic, which substantially hinders others in their
use of the network.
12. Never bypass systems' security mechanisms.
13. Never send, receive, solicit, store or forward any material that contains obscene,
defamatory, hateful or otherwise objectionable materials or which is intended to
annoy, harass or intimidate another person.
14. Never use offensive or harassing statements or language including, for example,
disparagement of others based on their race, national origin, sex, sexual orientation,
age, disability, religious or political beliefs.
15. Never upload, download, distribute or otherwise transmit commercial software or
copyrighted material in violation of its copyright; never perform any actions, such as
sending unauthorized software or files through e-mail or instant messaging, which have
the potential to jeopardize the security of the desktop computers to which they are
delivered.

16. Never request and/or accept Java applets from external sources via e-mail.
17. Never use another employee's ID to gain access; impersonate another user or mislead
a recipient about a sender's identity; never access, examine or change another person's
e-mail or instant messaging files; never examine, change or use another person's files,
output or user name without explicit authorization.
18. Never use the Internet, e-mail or instant messaging to communicate the Company's
official position on any matter, unless specifically authorized to make such statements
on behalf of the Company.
19. Transmitting ePHI through the use of unauthorized web email programs is not
allowed.

B. Device
1. Protect the Device, the data on the Device, and any Company material in the
surrounding area from damage or theft.
2. Utilize only Devices that are Company issued, configured and/or Company approved
and/or installed. Refer to the IT equipment acquisition policies of the Company for
details on acquisition and installation procedures.
3. Only utilize the Device for Company business and reasonable personal use that does
not affect work productivity or violate Company policy.
4. Protect the Device from access by Unauthorized Users.
5. Devices cannot be shared between Authorized Users unless each Authorized User can
be separated and accountable for their actions on the Devices.
6. Keep portable Devices in their possession or in a controlled or secured location.
7. Physically secure the Device when it is not in the possession of the Authorized User.
Laptops must be secured by cable locks at the workplace when left unattended.
8. Logically lock the Device to protect Confidential Information, whenever possible.
9. Utilize the automatic lockout features whenever technically feasible, such as a screen
saver with a password, which locks the Device automatically if the Authorized User
walks away without locking the Device.
10. Make sure all Confidential Information and material contained in, on and around the
Device is not in view of Unauthorized Users.
11. Be present during any Device maintenance and/or updates to secretly provide the
logon, as necessary, and monitor any changes to the Device.
12. Separate privileged access Devices from Data access Devices. For example, do not
keep a FOB and a laptop that are used for remote access in the same briefcase. Never
store a FOB and its PIN in the same location, whether at rest or in transit.
13. When traveling with a Device that contains confidential information, keep the Device
in your possession at all times (i.e., not checked with luggage).
14. Protect the Data on the Device from being viewed except by authorized individuals.
15. Perform backups on any Company data stored on local Devices in accordance with
the Electronic Media Control Policy. (Data stored on local Devices and personal
Devices, and the backup of that Data, is the responsibility of the User.)
16. Authorized Users are encouraged to store all Company Data on network servers so
that automatic backup of Data will take place.
17. Physically and logically secure Devices in public, non-secure areas to prevent theft of
the Device or information contained/displayed on the Device. Refer to the Logical
Access Control Policy and the Facility Security Policy.

II. DATA SECURITY
1. Data stored on PCs for employees who are terminated or transferred, or who have
resigned, will be stored in accordance with the Company Records Management Policy.
Specific adherence will be placed on the current “no automatic deletion of specific data”
policy issued by Legal Affairs until such policy changes.
2. The employee’s manager is responsible for retaining such records in accordance with
the records retention policy. The manager will be given 30 days to copy, save or
archive all appropriate data. Access will only be granted to the terminated employee’s
manager, and only if access is specifically requested.
3. The following data will be accessible if requested:
a. For desktop PCs, only data stored in the “My Documents” folder will be
accessible. IT will take all reasonable measures to prevent access to areas other
than the “My Documents” folder.
b. In cases where local administrator access is granted or a laptop is used, the entire
user account located in the “Documents and Settings” will be accessible.
c. All company information is considered confidential and private. It is imperative
that all company data remain secure and not fall into the hands of a 3rd party.
d. All employees and associates are responsible for protecting the data stored by
their assigned hardware. Employees and associates are required to delete all
sensitive and confidential data when they are done using it in accordance with
their job responsibilities.
e. Employees and associates are required to protect their assigned personal computer
or electronic device from damage, loss or theft. All employees and associates to
whom devices are assigned are responsible for maintaining all pertinent
information about such devices. This includes make, model, serial number and a
listing of all confidential or proprietary information stored on such devices.
f. Should a device be damaged, stolen or lost, employees or associates may be
required to reimburse Horizon for the cost of the device in accordance with the
statement signed at the time of delivery of the device to the employee or
associate.
g. The responsibility of the employee or associate to reimburse Horizon will be
based on whether, in the opinion of the Company, the damage, loss or theft was a
result of negligence on the part of the employee or associate.

III. DEVICE ISSUANCE AND ASSIGNMENT


Company users will be assigned a Device (laptop, BlackBerry, cellular phone, air card) in
accordance with supplier management area rules. Any exceptions to Company approved
equipment must be approved by an officer of the Company.

A. Personal Computers
1. All Company employees will be assigned one PC unless circumstances dictate that no
PC is necessary. Associates will be assigned one PC, only if the associate needs a PC
to perform the job. No employee or associate will be assigned more than one PC
unless there is a business need justified and approved by an Officer and the CIO.
2. The PC assigned to any particular employee or associate may or may not be new at
the time of assignment. IT will utilize existing inventory before assigning new PCs.

3. Employees will receive the current standard Company configuration of hardware
(desktop or laptop) and software on the basis of their roles and responsibilities. Any
exceptions to the hardware issuance policy must be approved by a Director.
4. Department Head level or above approval is required to issue a laptop.
5. Associates will receive a desktop if the job requires the use of a PC. Associates will
only receive Horizon issued laptops with business justification and Officer approval.
6. A Director must approve and provide business justification for any Desktop to leave
the Company’s premises.
7. An Officer must approve any other exceptions to the hardware policies.
8. A Director must approve and provide business justification for any additional
software that is not included in the basic image. Any additional software approved by
the Director will be limited to software currently in Company’s suite of approved
software programs.
9. All company provided PC hardware is leased. Upon lease expiration, IT will replace
the existing hardware with replacement hardware that conforms to the current
company standard based on the employee’s role. Lease exchanges are not voluntary
on the part of the employee or associate.

B. SMARTPHONES / PDA’S
1. All requests for Smartphones / PDA devices must be supported by a business
requirement, and have CIO approval.
2. New or used Smartphones / PDA devices will be provided, upon request, to any
Officer or Department Head. Frequent travelers, or IT support staff who require a
Smartphone / PDA must have Director approval.
3. All other services for new or used Smartphones / PDAs will be limited to the
minimum necessary to perform the job function.
4. Requestors granted phone capability with a Smartphone / PDA must surrender any
other company-issued cell phone/paging device(s).

C. MOBILE COMPUTING PLATFORMS


1. iPads are currently approved for Executive and Board Member use only.
2. All approved iPads will have data protection/security controls installed and
configured.
3. Requests for iPad use or any other platforms performing similar functions must be
approved by the CSO and CIO.

D. AIR / WIRELESS CARDS


1. Air cards may be provided only to Officers and Company employees working
predominately in the field.
2. No other type of wireless device (other than an air card/wireless card) is acceptable.

E. FOBS
1. Remote access FOBs may only be used on Company devices.
2. Employees or Associates issued a Laptop will also be issued a FOB in order to
perform work-at-home functions when necessary.

F. PRINTERS

1. Individuals are permitted to use Company approved printers in accordance with the
IT End User Guidelines.
2. If a non-Company approved printer is requested, that printer must be tested by IT for
system compatibility. Until that testing process is complete, the user will not be
permitted to use their non-Company approved printer.
3. Any individual receiving permission to print from home must also use a cross-cut
shredder to destroy any printed documentation containing PHI or
proprietary/confidential information.

G. WEARABLE TECHNOLOGY
1. Individuals are not permitted to use personally-owned wearable technology on the
Company premises. These devices include, but are not limited to, eyewear with
heads up display (HUD), and timepieces that integrate with cellular technology.
2. Company issued wearable technology, such as pedometers, is permitted.

PROCEDURES
Voluntary and Involuntary Terminations/Recovery of Assets
Assets of Horizon employees whose employment is terminated (voluntarily or involuntarily)
must be managed as follows:
1. The employee’s manager should adhere to all Company policies regarding employee
termination. The manager shall notify the Service Desk within 24 hours of the
resignation or termination of the employee. It is the manager’s responsibility to
collect all Horizon assets from the employee/associate unless working with the
Special Investigations Unit prior to a termination. At the time of termination,
management must reach out to Corporate Investigations and Security to secure
the open laptop and/or communication device agreement which must be
executed by a Horizon representative and delivered to the employee/associate
prior to leaving. This will confirm that all Horizon equipment has been
returned.
2. After the manager contacts the Service Desk, the manager will turn over to IT all PC
hardware, BlackBerry devices, peripherals, other devices, and software provided by
the company.
3. If area management is unable to recover the devices to be returned to IT, the
employee may be required to reimburse Horizon for the cost of the device(s) in
accordance with the statement signed at the time of delivery of the device.
4. For Associates who are not Horizon employees, the hiring manager must notify IT
before the conclusion of the engagement to arrange for the turnover of all assets to IT
and the execution of the laptop and/or communication device agreement forms, if
applicable.

Transfer of Employee within Horizon


1. When an employee is transferred to another role or job within Horizon BCBSNJ, the
PC/laptop should be handed back to IT to ensure the data on the PC is wiped clean.

2. It will also be determined whether a laptop is required in the employee’s new role. If
so, and the employee currently has a desktop PC, then area management will complete
a request for a laptop in accordance with this policy. If not, a desktop will be
redeployed in that employee’s new area.
It is management’s responsibility to make the proper timely notifications to IT to
ensure policy and procedures are followed.

Responsibility – In the event of Theft or Loss


Employees and associates are responsible for fulfilling these responsibilities whenever a loss
or theft has occurred, or is suspected:

1. Immediately make note of the circumstances of the loss. Include date and time of
discovery, exact location device was last seen, any signs of forced or covert entry,
e.g. into a hotel room, vehicle, employee or associate’s home, etc., witnesses, and
suspicious persons or circumstances.
2. Call the Horizon BCBSNJ Service Desk and report the loss or theft including as
much detail as possible. This call should happen immediately upon realization that
the device is missing. If calling from a Horizon BCBSNJ phone, dial 45200. If
calling from a non-Horizon BCBSNJ phone, call 732-256-5200.
3. Call local security if you are in a hotel and report the theft or loss.
4. If loss or theft occurred outside of Horizon’s work site, call police for the
jurisdiction in which the theft or loss occurred and ask police to respond to you and
make a full report. Ascertain how and when you can obtain a copy of the police
report.
5. Notify immediate supervisor (employees) or hiring manager (associates).
6. Cooperate with police and Special Investigations in all activities relating to
recovery of device, apprehending person(s) responsible and recovering proprietary
information.
7. Obtain a copy of the police report (if applicable) and provide it to the Special
Investigations Unit.


Accepted by:
________________________________________________________________________
Signature
________________________________________________________________________
Date
