Computer, Software and Data Security
Any employee who uses Company computer equipment must be aware of and comply with all of the requirements set out within the Staff Handbook, including without limitation sections 23 (Security), 25 (Computer, Software and Data Security) and 26 (Information Security).
Use of the Internet and electronic mail by employees via Company computer equipment is permitted for business purposes only.
Any employee who attempts to gain unauthorised access to any Company, personal or other confidential information stored in a data processing file or other storage system, or who discloses Company, Client or an individual's personal data in breach of the Data Protection Principles, is liable to Summary Dismissal.
It is forbidden for any employee to run personal or unofficial software on Company computer equipment or, conversely, to enter any Company data to a privately owned computer system. All computer software used on Company premises or on the Company's behalf must be previously inspected and approved for use by the CEO.
Unless, exceptionally, specific authorisation is given in advance by the CEO, no employee is permitted to undertake any work on behalf of the Company on any computing device that is not owned by the Company, including, without limitation, mobile phones and smart phones.
Knowledge of any computer password or security access code must be treated as strictly confidential and never disclosed to any unauthorised person. It is forbidden for employees to use any personal computer password or security access code other than their own authorised password or code to access any item of hardware equipment or software being utilised by the Company, unless full details have previously been communicated to and confirmed as authorised for use by the CEO. Nor must anyone introduce security codes or passwords which give them improper or unauthorised access, or which deny proper access to others.
Each item of computer software utilised within the Company is subject to individual licensing agreements which must be adhered to when using the software in question, recognising the copyright interest vested with the owners of the software. The restrictions in operation disallow any unauthorised copying, reproduction, transmission or other method of distribution of the software without the prior written consent of the relevant author or publisher.
Physical & Logical … Access & Security
Controls will be implemented as appropriate to prevent unauthorised access to, interference with, or damage to, information assets.
Computer Room Security
- Computer systems and networks will be protected by suitable physical, technical, procedural and environmental security controls.
- Physical security for computer room areas must be properly maintained.
- Restricted key/access code or electronic card key access must be enforced for all machine rooms and network access points. Contractors working within the computer suite are to be supervised at all times.
LAN Security
- LAN equipment (hubs, switches, bridges, repeaters and routers) should be kept in secure Comms rooms or cabinets. Comms rooms and cabinets will be kept locked at all times and must not be interfered with.
- Access to Comms rooms, and to in-office devices such as hubs and switches, is restricted to authorised I.T. staff only.
Wiring
- All network wiring must be fully documented.
- All unused network points should be de-activated when not in use.
- All network cables should be periodically scanned and readings recorded for future reference.
- Users must not place or store any item on top of network cabling.
- Redundant cabling schemes will be used where possible.
Access Devices (e.g. Workstations)
- Users must log out of their workstations when they leave them for any length of time. Alternatively, Windows workstations may be locked.
- All unused workstations must be switched off outside working hours.
Mobile Devices including Laptops, Phones & Tablets
When a mobile device is stolen two kinds of loss are suffered: loss of the device, and, perhaps far more serious, loss of information stored in the device. Mobile Device users must take the following precautions:
- Do not leave your Mobile Device unsecured in a Company office. Lock it in its docking station or secure it with a cable lock, or lock it up in a cabinet or your desk when it is not being used.
- Do not leave your Mobile Device unattended in open view in your hotel room. Utilise the room safe if possible.
- Do not leave your laptop unattended and in open view in your car. If you must leave it in your car, lock it in the boot.
- Never place your Mobile Device in checked baggage and keep it securely with you in hotel lobbies, airports, restaurants, and other public places.
- Be careful using your Mobile Device on airplanes and in public areas. Make certain those around you cannot read your screen if you are working with confidential presentations or other material.
- Use password protection and encryption, when possible.
Server Security
- Servers will be kept in computer rooms (see 25.1.1 Computer Room Security).
- Access to the system console and server disk/tape drives will be restricted to authorised I.T. Department staff only.
- Access to the network/servers will be restricted to normal working hours. Users requiring access outside normal working hours must request such access in writing on the forms provided by the I.T. Department.
- Default passwords on systems and devices will be changed after installation.
- Administrator passwords will be restricted to System Administrator staff only.
- On no account must anyone attempt to discover or use any password other than their own, or role-based passwords for which they have express authority.
Continuity of Electricity Supply
- All servers will be fitted with UPSs that also condition the power supply.
- All hubs, bridges, repeaters, routers, switches and other critical network equipment will also be fitted with UPSs.
- In the event of a mains power failure, the UPSs will have sufficient power to keep the network and servers running until the generator takes over or the systems are shut down cleanly.
- Software will be installed on all servers to implement an orderly shutdown in the event of a total power failure.
- All UPSs will be tested periodically.
Inventory Management
- The I.T. Department will keep a full inventory of all computer equipment and software in use throughout the Company.
- All Equipment must be tagged and labelled and entered into the Company asset register / Floorplan database.
- Computer hardware and software audits will be carried out periodically. These audits will be used to track unauthorised copies of software and unauthorised changes to hardware and software configurations.
Data & Equipment Disposal
- Data must be permanently deleted from all media before disposal.
- All computer equipment must be deactivated in the Floorplan database and be accompanied by a disposal form prior to disposal.
- Equipment must be disposed of through approved suppliers.
Access Control
Software security procedures (e.g. concerning access control, passwords) specified by the Company and its Clients should be strictly adhered to.
- Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times.
- Users requiring access to systems must make a written application on the forms provided by the I.T. Department.
- Where possible no one person will have full rights to any system.
- The I.T. Department will control network/server passwords and system passwords will be assigned by the system administrator in the end-user department.
- The system administrator will be responsible for maintaining the integrity of the end-user department's data and for determining end-user access rights.
- Access to the network/servers and systems will be by individual username and password or by smartcard and PIN.
- Usernames and passwords must not be shared by users.
- Usernames and passwords should not be written down.
- Usernames will conform to the company standard, which is currently defined as initials and surname.
- All users will have a password of at least 7 alphanumeric characters with at least one number and at least one capital or non-alphanumeric character.
- Passwords will expire every 30 days and must be unique for at least the last 20 passwords.
- The I.T. Department will be notified of all employees leaving the Organisation’s employment. The I.T. Department will then remove the employee’s rights to all systems.
- Network/server supervisor passwords and system supervisor passwords will be stored in a secure location in case of an emergency or disaster, for example a fire safe in the I.T. Department.
- The use of administrative usernames is to be kept to a minimum and should not be used if an alternative is available.
Data Security
Imported data (including data and software) must not be loaded onto ANY Company computer without prior consent of a Director and even then may only be loaded on machines equipped with company approved virus detection software. All staff are responsible for complying with data protection and confidentiality obligations (see elsewhere in this document).
Software Security (incl. malware)
- Only Company computers may be connected to a Company data network. In all cases, the connection must be made in accordance with the access authorisation and network management procedures currently in force.
- The Company's network and computers must have up-to-date anti-virus and anti-spyware scanning software installed. Users may not remove, disable or tamper with these applications in any way.
- The Company's network and computers must be routinely monitored for break-ins, viruses, worms and Trojan Horse attacks.
- In the event of a possible virus infection the user must inform the I.T. Department immediately. The I.T. Department will then scan the infected machine and any removable media or other workstations to which the virus may have spread and eradicate it.
- It is forbidden to use unlicensed software, or to cause the Company to breach a software license agreement.
- It is forbidden to introduce any programs or data into the Company that have not been specifically authorised in writing. This includes bringing in unauthorised software, inserting media such as disks, tapes or CDs into any Company computer, downloading unauthorised software or data from the internet etc.
- All demonstrations by vendors will be run on their machines and not the Organisation’s.
- Company computers may be subject to audit, to ensure compliance with points above.
- The Company has the right to remove an employee's computer to ensure the integrity of the computer files.
Information Security
During the course of your employment you may come into the possession of information relating to the business of the Company and of its Clients. You should be aware that all such information must be treated as confidential irrespective of its content.
Legislation
You are reminded that you have an important role to play in ensuring that both you and the Company do not breach legislation which applies to the provision of computing services. In particular, you are reminded that:
- The Data Protection Acts 1984 and 1998 provide for criminal offences and redress through the Civil Courts should personal data be intentionally used or disclosed for an unauthorised purpose.
- The Copyright, Designs and Patents Act 1988 provides for criminal offences and redress through the Civil Courts should unauthorised copies of proprietary software be made.
- The Computer Misuse Act 1990 provides for criminal offences if there is intentional and unauthorised access to a computer or if deliberate and unauthorised modifications are made to computer programs or data.
- On and after 25 May 2018, Regulation 2016/679 of the European Parliament (GDPR) provides for the protection of people in the EU with regard to the processing of personal data.
If you become aware of a misdemeanour (e.g. any unauthorised disclosure of personal data, any copying or reproduction which infringes copyright, or any misuse of any computer equipment) or any potential security breach, then you must report this to the Company.
IT Security Policy
Every employee is accountable for the safeguarding of assets and information in their custody, and for taking reasonable steps to ensure the physical and logical security of the Company, its staff and property. It shall be the responsibility of the I.T. Department to provide adequate protection and confidentiality of all corporate data and proprietary software systems by means of backup, physical security, logical security and offsite storage; to ensure the continued availability of data and programs to all authorised members of staff; and to ensure the integrity of all data and configuration controls. However, all staff are responsible for ensuring they take all reasonable actions to support this policy, and do nothing to obstruct it.
Information Protection
- You must not, at any time during your employment with the Company, divulge to any unauthorised person any information concerning the business of the Company or its Clients which is not in the public domain.
- This duty of confidence remains if you leave the Company. Confidential information can be presented or stored in many forms, including but not limited to: Paper documents, information on electronic storage media, information passed by voice, charts and graphic presentations, audio and video tapes, and email. In any form, it must be protected.
- Only Company computers (i.e. any computer owned, leased or rented by the Company) may be used to store or process Company or Client data.
- Data unconnected with the affairs of the Company (including software not owned or licensed by the Company) may not be stored or processed on Company computers.
- File systems will have the maximum security implemented that is possible.
- No data should be stored on a local PC without specific permission to do so. Data should be stored on a suitable network drive which is backed up and has appropriate security.
- Reports or files containing 'personal data' (e.g. contact details including email addresses, names, telephone numbers etc.) should not be transmitted as email attachments unless password protection is applied.
- Staff will comply with the Data Retention & Deletion Policy at all times.
- The Company must develop and implement a comprehensive, tested backup procedure that includes making backups, storing backup material, and recovering data.
- Computer files, including e-mail, created on the Company's computer systems are Company property. They should not be considered private and may be searched for litigation or other corporate purposes at any time as needed.
- Sensitive and/or confidential record information must be secured. Printed copies, disks, and tapes should be kept in locked cabinets or rooms.
- When no longer needed, confidential and/or sensitive hard copy output must be shredded.
- Data that can be identified with a natural person must be protected from loss, misuse or unauthorised access.
Email & other Information Applications
For the purposes of this document “Email & other Information Applications” includes without limitation all Internet-based applications such as social networks, instant messaging, and mobile apps; all mobile devices including mobile phones, portable laptops, tablets, web books; etc.
Company-provided electronic mail and Internet/Intranet services are valuable business tools that enhance productivity and communication. These tools must not be used for personal use, solicitation of non-company business, advancement of individual views, or illegal activity. All use and product of such use, including e-mails, is and shall remain the Company's property, not the individual's.
- Electronic information on the Company-provided electronic mail and Internet/Intranet services is an asset of the Company, not the individual User.
- The Company has the right at all times to monitor all electronic activity and information on the Company-provided electronic mail and Internet/Intranet services. This Policy serves as notice to each User that the Company may monitor activity on Company-provided electronic mail and Internet/Intranet services without any advance notification to or consent by the User.
- The Company reserves the right to disclose any information or communication transmitted or received using the Company-provided electronic mail and Internet/Intranet services as may be appropriate, including disclosure to management, internal security, and law enforcement.
- Information published using Company computers is covered by the employee confidentiality agreement. Posting to public bulletin boards or sending e-mail to large distribution lists from Company computers may constitute publication.
- Access to the Company-provided electronic mail and Internet/Intranet services must be approved. Only company-approved software may be used when connecting to the Internet through the Company's network. Before access to the Company-provided electronic mail and Internet/Intranet services will be granted, the User is required to acknowledge receipt and understanding of this policy and sign a statement of acceptance. Account IDs and passwords for the Services are strictly for the use of the registered User and should not be shared or made accessible to others. Under circumstances in which passwords must be provided to others to gain access to the computer, such as system maintenance or repair, a new password should be created and used after the completion of that process.
- Computers capable of live access to the Company-provided electronic mail and Internet/Intranet services should not be left unattended. Sensitive Company information must be protected while being transmitted over the Services.
- Use of Social media including without limitation Facebook, LinkedIn and Twitter, must be kept either totally separate from work, so that your personal use of social media is not identifiable as being associated with the Company, or totally professional such that your social media activity in no way disadvantages the Company, including without limitation: bringing the Company into disrepute, breaching any confidence, giving competitors commercial advantage, causing or significantly increasing the probability of solicitation of Company staff, etc.
Reporting Security Risks and Incidents
The vigilance and co-operation of all Employees is essential to security, and you are encouraged to report any security concerns. All breaches or suspected breaches of security must be reported to the employee’s line manager and escalated through management. All breaches or suspected breaches of security must separately be reported in writing to the CEO who will then arrange for the breach or suspected breach of security to be investigated.
The purpose of this policy is to establish a standard for escalating, reporting and resolving information security incidents. The Company will escalate potentially sensitive information security incidents and issues to your line manager, the IT Department or the CEO by email and telephone.
Potentially sensitive incidents include, but are not limited to:
- Security breaches of Company systems, whether or not resulting in the loss of Company or Client confidential information, intellectual property, or other highly sensitive information;
- Violations of the Company Professional Conduct and Code of Conduct
- Violations of the Company Confidential Information Protection Policy.
- Significant instances of misuse or misappropriations of computer assets and systems
- Thefts of Company computing assets
- Situations requiring forensic analysis/investigation of Company computing assets, and any situation which may pose a serious threat to the Company's IT business processes and potentially impact the Company's ability to continue operations or service its Clients.
Incident Reporting
Immediately report unauthorised disclosures or uses of confidential information, as well as other potential information security issues, to your line manager, the IT Department or the CEO.
Resolution
- Information Security will confer on the referred matter as soon as possible to identify the potential risks/exposure and potential responses.
- If the incident affects client data or systems, then the matter should be referred to the client via the relevant Account Manager for risk assessment.
- Company Information Security will engage appropriate Personnel, in determining the appropriate course of action.
Enforcement
- Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
EIMS Outlook Online Mailbox Policy
As part of our company’s commitment to efficient and secure use of Office 365 applications, the following guidelines apply:
The mailbox storage policy applies to all Agent level users. These users are supplied with Microsoft’s F3 license.
Users will have the following mailbox storage settings:
- Mail Storage limit: 2GB.
  - EIMS mailboxes are limited to 2GB of storage. You can check your storage usage here: https://outlook.office.com/mail/options/general/storage/mailboxStorage
  - Important Emails: for personal emails, users should save any important emails they need to keep to their ‘My Files’ OneDrive folder. For client-related emails, users should save important correspondence to the relevant ‘EIMS Drive’ SharePoint site. (Trainings: ‘How to save an email from Outlook’)
- Mail (Inbox/Sent items) Retention: 1 year.
  - All emails will be automatically deleted after 1 year from the date of receipt.
  - Users have the option to manually change the retention policy on an email-by-email basis where required. (Trainings: ‘Keeping Important emails’)
- Junk and Deleted Items Retention: 30 days.
  - Junk and Deleted items will be automatically deleted after a period of 30 days.
  - Users are encouraged to regularly review their Junk and Deleted items folders.
- Document Sharing: use SharePoint links for internal document sharing.
  - From now on, all internal document sharing should be completed using SharePoint links.
  - Avoid sending attachments via email; instead, place the document in the relevant folder in the EIMS Drives and share the link with your teams. (Trainings: ‘How to attach files on OWA (Outlook Web App)’)
Please adhere to these policies to ensure efficient and secure use of Office 365.
For any questions or clarifications, please contact the IT department.