Acceptable Use Policy

AL Refs: PMN01, GOV15

Purpose

The Acceptable Use Policy sets out the required behaviours and restrictions that apply to all employees and contractors in order to protect information security. Breaches of this policy may increase the risk of compromised systems, virus/malware attacks, accidental or deliberate data breaches, and other exposures of confidential information that may be exploited by external actors. Given the importance of information security, breaches of this policy may lead to disciplinary action or termination.

Example Acceptable Use Policy

Responsibilities

Head of Security

Responsible for the review and update of this policy, communication to and acceptance from employees, and enforcement of this policy, including initiating disciplinary action where requirements are breached. Also responsible for approving any exemptions from the requirements of this policy.

Information Security Manager

Responsible for daily oversight of the implementation of this policy including tracking acceptances from employees, security awareness training, and raising instances of non-compliance to the Head of Security.

All Employees

All employees are responsible for adhering to the requirements of this policy and reporting any observed instances of non-compliance with this policy to the Information Security Manager or the Head of Security. All employees should encourage others to abide by this policy and remind them of the requirements when necessary.

General behaviours

  • Acknowledge and adhere to AssuranceLab’s information security policies;
  • Report any breaches of policy or incidents including security breaches, system failures or near miss events, to the Information Security Manager or the Head of Security in a timely manner;
  • Do not disclose or share confidential information related to AssuranceLab or its customers to any person or entity without formal approval from management;
  • Apply the concept of least privilege where information, documents, and system access are only shared with others where there is a legitimate business need to do so;
  • Minimise the private and confidential data collected and stored from customers to where there is a legitimate business need. Seek approval from management in any cases where this business need is not pre-established;
  • Attend information security initiatives including the mandatory security awareness training for all employees;
  • Ensure no confidential or sensitive information is recorded on hard-copy documents or in unprotected devices that are left inside or outside AssuranceLab premises, unless secured in a pre-approved and locked storage location;
  • Never create, perform, or send any communications, regardless of their validity, that may cause damage or degrade anyone, or that may be interpreted as insulting, demeaning, or derogatory;

Use of Systems and Devices

  • Store all private, confidential or otherwise sensitive data in approved and secure storage locations. This includes storing only on approved devices, databases, software, cloud-services, and shared drives, as applicable;
  • Use all AssuranceLab system assets, including laptops, mobile devices, external drives, and any other equipment for intended business purposes only;
  • Ensure all AssuranceLab system assets, and any other devices used in connection with the role at AssuranceLab, are updated regularly with the latest operating system updates;
  • Ensure anti-virus software is installed and kept up-to-date on laptops used for AssuranceLab business;
  • Report any loss, damage or theft of AssuranceLab information assets immediately to the Information Security Manager or the Head of Security;
  • Use email and other AssuranceLab accounts and systems for business purposes only;
  • Use only the provided AssuranceLab email account and systems for communications with customers or other third parties related to AssuranceLab business;
  • Notify the security team of any virus alerts, hoax messages, phishing attempts or other security related matters. These should not be shared with any other employees;
  • Do not subscribe AssuranceLab email accounts to mailing groups unless for legitimate business purposes;
  • Only install pre-approved software on AssuranceLab devices, or obtain approval before installing anything else;

Network Security

  • Never connect to the internet using public WiFi for AssuranceLab business activities. If travelling, you may connect your laptop through your phone's internet connection, use an approved AssuranceLab VPN, or limit use to avoid any access to sensitive information;
  • Only use appropriate internet services and avoid sharing of any confidential data over the internet;

Passwords

  • Apply best practice password and authentication standards across all systems used for AssuranceLab business. This should include using an approved password manager, multi-factor authentication, and/or selecting unique and strong passwords with a minimum of 8 characters and multiple character types;
  • Never share passwords or accounts with anyone else, including employees of AssuranceLab;
  • Never reuse a password that is already used for another system;
  • Never store passwords in written or electronic form unless within an approved password manager solution;
  • Log out of systems and apply a screen lock when finished, including when taking breaks or otherwise not directly using the device or systems;
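The following is an added illustration of the password standard above (minimum of 8 characters, multiple character types, no reuse across systems); it is not part of the policy and not AssuranceLab's tooling. It assumes "multiple character types" means at least two of lower-case, upper-case, digits and symbols, and it represents passwords already in use on other systems by a constructed set of SHA-256 digests so that the checker itself never keeps plaintext.

```python
import hashlib
import string

MIN_LENGTH = 8           # policy: minimum of 8 characters
MIN_CHARACTER_TYPES = 2  # assumption: "multiple character types" means at least two classes


def character_types(password: str) -> int:
    """Count how many character classes (lower, upper, digit, symbol) the password uses."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes)


def fingerprint(password: str) -> str:
    """Digest used only to compare against passwords in use elsewhere (hypothetical approach)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, used_elsewhere: set[str]) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_types(password) < MIN_CHARACTER_TYPES:
        problems.append("uses only one character type")
    if fingerprint(password) in used_elsewhere:
        problems.append("already used for another system")
    return problems


# Constructed sample: digests of passwords assumed to be in use on other systems.
USED_ELSEWHERE = {fingerprint(p) for p in ["Summer2023!", "correct horse battery staple"]}

if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "password", "Ab1!", "Summer2023!"]:
        print(candidate, "->", check_password(candidate, USED_ELSEWHERE) or "OK")
```

The unsalted digest set is a simplification for the example: in practice a reuse check should be done inside an approved password manager or an identity provider's breached-password feature rather than by keeping any password-derived data in a script.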

Restrictions on Software Installation

Only approved software, as listed in the Application Whitelist, may be installed.

To add applications to this list, approval is required from the Information Security Manager, who will confirm there are no known vulnerabilities or malware threats related to the software. Newly approved software is added to the Application Whitelist accordingly and is then considered pre-approved for use by others.

Application Whitelist:

  • Atlassian: Trello, JIRA, Confluence (cloud)
  • Checkbox.ai (cloud)
  • Github (cloud)
  • Hubspot (cloud)
  • Loom (desktop + cloud)

Software | Type | System owner | Approved date

Bring Your Own Device (BYOD) Policy

When AssuranceLab provides employees with devices to use for company purposes, they are configured to meet the applicable security requirements and policies. AssuranceLab employees who use their own personal laptops, iPads and mobile devices for business purposes, such as accessing AssuranceLab-related systems and data, are required to follow the BYOD Policy requirements.

BYOD used for AssuranceLab business purposes can only be used by AssuranceLab employees. There should be no sharing of the device, passwords or other access credentials used for the device. The devices should have these baseline security configurations systematically applied/enabled:

  • Screen lock when unattended for longer than 5 minutes;
  • Strong password configuration, biometric, and/or multi-factor authentication;
  • Hard-disk encryption for laptops (e.g. FileVault or BitLocker enabled);
  • Personal firewall enabled for laptops (e.g. OS X's application firewall or Windows Firewall);
  • Anti-virus installed for laptops;
  • Operating system updates applied automatically and at least within 90 days of release of new versions;

No confidential or customer data is to be saved to the local drive. Any lost or stolen BYO devices previously or currently used for business purposes must be reported to the Head of Security immediately.


Acknowledgement


Employee name:

Date:

__________________________