1. Purpose, Scope and Users
1.1 Purpose
The purpose of this document is to define clear rules for the use of the information system and other information assets in IRIS Connect.
1.2 Scope
The scope of this policy includes all people who have access to company-owned or company-provided computers or require access to the company network and/or systems. This policy applies not only to employees, but also to guests, contractors, and anyone requiring access to the company network.
2. Basic Security Rules
2.1 Definitions
Equipment – in the context of this Policy, the term equipment applies to all company-owned IT equipment and all online services used for company operations. It should be noted that personal equipment may be used for company-related activities but, in such cases, this equipment will be subject to the requirements of this policy.
Data - Data applies to all data generated as a result of company operations. Company data is confidential and should be treated as such. All users have a responsibility to protect the confidentiality of company data at all times.
User - A User is any authorised person who has access to company equipment or data as a result of a works contract.
2.2 General Conditions
You must not attempt to circumvent or defeat security or audit controls in any way
You must not open attachments, follow links or reply to emails which appear to be dubious or suspicious in any way
You should report any warning, suspicion or occurrence of a computer virus, hoax, persistent spam/phishing, denial of service or hacking attempt to ICT Support
You must not leave your computer or portable device unattended without locking the screen or logging out.
2.3 Acceptable use
Equipment is provided for business needs with the purpose of executing organization-related tasks. However, reasonable personal use of the equipment is permitted. If unsure, discuss with your manager.
2.4 Taking assets off-site
Equipment may not be taken off-site without prior permission from your line manager. This permission can be given on a long-term basis.
While the equipment is outside the organization, it must remain under the control of the person who was granted permission for its removal.
2.5 Return of assets upon termination of contract
All company-owned equipment should be returned to the company upon completion of any works contract.
2.6 Wireless Access
Only company-provided equipment may be connected to the main IRIS Connect WiFi.
2.7 BYOD / Personal Devices
Use of personal devices within the office is allowed via the IRIS Connect Guest WiFi.
Mobile Devices
Any personal device must have a passcode or biometric lock if it has Google Drive, Gmail or Podio access, or can access any Company Data.
Any personal device must have automatic updates for apps and the OS enabled, with enough free space for the updates to run.
Users are required to keep any personal mobile device that has access to company data (Gmail/Google Drive/Podio) up to date by regularly checking fortnightly for any software updates (for apps or Operating System). High risk or critical security updates for Operating Systems and applications must be installed within 14 days of release. Any issues with this need to be reported to the IT team.
Company emails must only be accessed through the Gmail app.
If employees access company data on their mobile devices, only apps installed via the Play Store, the App Store or IRIS Connect's own apps are permitted.
Laptops/Computers
Any personal laptop or computer used for work purposes must be signed off by the Network Manager.
Requirements
1) ESET antivirus installed
2) Connected to the company VPN
3) Review of software installed to ensure everything installed is:
- a) supported
- b) used (software that isn’t used should be removed)
- c) up to date
- d) licensed
4) Set up with a non-admin account to use when working
5) Default passwords are changed
6) Operating system is kept up to date, checking fortnightly for any software updates. High risk or critical security updates must be installed within 14 days of release.
7) All installed software is kept up to date, checking fortnightly for any software updates. High risk or critical security updates must be installed within 14 days of release.
2.8 Homeworking and Remote Access
When working remotely you must use the VPN to connect to the office network.
Always lock your computer when it is not in use or not attended.
2.8.1 Public (non-home spaces)
Alongside the points listed in 2.8, employees must:
Use a secure, private Wi-Fi network. Public Wi-Fi networks are strictly prohibited for any work-related activities.
Ensure that devices are not left unattended in public places.
Use privacy screens when working in public areas to prevent shoulder surfing.
If you need any support with this contact the Network Manager.
2.9 Clear Desk
All staff should follow standard clear desk processes whether working from home or in the office. This includes not leaving confidential information available when not at your desk or documents or screens visible that contain PII (personally identifiable information).
2.10 Authorizations for equipment and data use
Users may only access equipment and data that they have been authorised to access.
Users must not take part in activities intended to bypass information system security controls.
3. Data Security
3.1 Responsibility for data
Data has an owner designated in the data map inventory. The data owner is responsible for the confidentiality, integrity and availability of information in the asset in question.
3.2 Backup and Storage procedure
Company data must be stored in authorised locations or cloud services (mainly Google Drive). For example, users should not store documents on their Desktop or in My Documents.
3.3 Data retention
All data must be regularly reviewed and destroyed in accordance with the Data Retention Policy (see Appendix 1).
3.4 Data security and Transfer
Whenever sending data, always review what level of personal data it contains. Make sure you use secure transfer methods as required, such as Google Sheets, so that access and edit rights can be restricted.
3.5 Data Privacy
When sharing data, be mindful of what type of information it is: is it confidential, for internal use, or customer-facing? If unsure, check with your manager.
3.6 Antivirus protection
Approved antivirus will be installed on each company laptop and desktop by the IT department with activated automatic updates.
3.7 Internet use
Access to the Internet via company equipment is for company use only and should be treated as such.
Approved browsers are Chrome, Firefox, Edge, Safari. Users are responsible for keeping their browser updated.
The browser should have web page scanning turned on (browsers do this automatically). Users are not permitted to turn this setting off.
3.8 E-mail and other message exchange methods
Company email and other messaging services should only be used for company-related purposes. Users may not send or post any company-related data without prior authorisation. When posting company related data users may only use official company accounts.
All company related emails must only be sent from your work IRIS Connect Gmail accounts.
The approved live chat method for the company is Slack.
3.9 Removable media (USB drives)
The use of USB drives is blocked via the network settings to help maintain data and network security. If you have a specific need for a USB drive, please speak to your manager.
4. Account Management
4.1 User account responsibilities
Users are responsible for their individual equipment and data access accounts. These accounts must not be shared. Authorised group accounts can be shared between agreed users.
4.2 Password responsibilities
Setting an appropriate password is an important step in maintaining data security. This policy applies both to your computer login and to logins to cloud-based systems. All employees are responsible for choosing strong passwords and protecting their log-in information from unauthorised people.
4.3 Password Creation
- Where available, staff must use 2-factor authentication or single sign-on options.
- Employees must choose passwords that are at least eight characters long; it is suggested you make use of multiple words (a minimum of three) to create a password (e.g., 'Three Random Words').
- The last 3 passwords must not be reused.
- In addition to meeting those requirements, employees should also use common sense when choosing passwords. They must avoid basic combinations that are easy to crack. For instance, choices like “password,” “password1” and “Pa$$w0rd” are equally bad from a security perspective, as are dictionary words, common phrases, common or discoverable passwords such as a pet's name, and common keyboard patterns.
- No variation of ‘therenow’ can be used as a password as this has been compromised.
- All passwords should be unique for each account (and not used for personal accounts)
- If any member of staff has any concerns about the security of a password they are required to speak to the Network Manager. The Network Manager will assess the risk and if necessary will instruct the user to change the password making sure that this has been changed.
- Default passwords — such as those created for new employees when they start or those that protect new systems when they’re initially set up — must be changed as quickly as possible.
4.4 Password Management and Protection
- Employees may never share their passwords with anyone else in the company (or external parties) except for group access accounts.
- Where sharing of passwords is needed, this must be approved by a line manager and should only be conducted via LastPass.
- Employees must refrain from writing passwords down
- All staff are encouraged to use a password manager, and the Marketing, Support and Development teams are required to use the company-approved password management systems.
- Access to Podio must be via your Gmail login or via Podio login with 2 Factor Authentication.
- Any user with an IRIS Connect web platform Super account must never log in to it on a customer machine
- Any user using a password manager must never log in to it on a customer machine
Administrators of cloud service systems:
- are required to enforce 2FA, or at least enable it, where available
- should not enforce regular password expiry
- should not enforce password complexity requirements
5. General
5.1 Copyright
All company-related data remains the copyright of the company. Company-related data cannot be reproduced without authorisation.
5.2 Software/Service Management
All newly commissioned hardware will have all unnecessary software removed during setup by the IT team. The standard approved IRIS Connect software, antivirus and firewall software will be installed by default. If you require any additional software to be installed during initial setup, this will need to be signed off by your line manager.
5.2.1 Installation & Removal
Users should not install software on a local computer without explicit permission from their line manager unless it is on the approved software list, which can be found on Podio. Illegal or unauthorised software must never be installed on company equipment.
When the software is no longer required ensure you remove the software and notify the Network Manager.
5.2.2 Updates
All users should run updates within 1 week of being prompted to ensure all software is kept up to date. This is imperative both for data security and for benefiting from the latest fixes and features. All issues with updates should be promptly reported to the Network Manager.
For software that cannot be controlled centrally, patches are installed manually by each member of staff upon advisory communication from the Network Manager. This is overseen by the department's manager to ensure updates are installed.
5.2.3 Administrator Accounts
Before creating an administrator account for any software/service, you need to get a manager to approve this. Any new administrators must be recorded in the Approved Applications app in Podio.
5.3 Leaver Policy
Line managers are responsible for notifying the Network Manager, via the Starter/Leaver app in Podio, when a member of their team leaves the company.
Within 1 week of notification (unless a different time scale is agreed) the Network Manager will ensure user access to company equipment and data is removed upon completion of all works contracts.
5.4 New Starter / New Account Policy
Line managers are responsible for notifying the Network Manager when a new starter joins the company. This includes making clear:
- What hardware they will need (include any that will need purchasing), if hardware is being repurposed from another member / team
- What accounts (other than the defaults) require creating, and which accounts require admin access
A minimum of 5 days is required for the Network Manager to set up the access and equipment.
5.5 Firewall Changes
All firewall change requests are required to be submitted via email to the Network Manager. All requests must be signed off by a line manager prior to submitting, and the reason for the rule must be clearly included.
The IT team must be notified at the earliest possible moment of any firewall rules that are no longer needed.
5.6 Access Control & Special Access Requests
All special access requests are required to be submitted via email to the Network Manager. All requests must be signed off by a line manager prior to submitting, and the reason for and duration of the access must be clearly outlined.
The IT team must be notified at the earliest possible moment of any access that is no longer needed.
Each manager is responsible for reviewing their team's permissions and access on an ongoing basis, ensuring that the lowest level of access necessary is maintained.
5.7 Enforcement
This policy is enforced by Company Directors. Compliance management is delegated where required to appropriate members of staff. Failure of any user to comply with the requirements of this policy can result in the immediate removal of that user's access to company equipment and data or disciplinary action.
6. Additional Security
6.1 Physical Security - Office
Security of the office is very important. When locking up follow the locking up steps on the guide by the door.
Never reveal the passcode for the lockbox to anyone who is not a member of staff.
Never give anyone your keys to the office who is not a member of staff.
6.2 Physical Security - Devices
All devices holding company data must have a screen lock and either a biometric or passcode access restriction.
Always be mindful about what data is stored on your devices, what accounts are accessible on your devices and where you are taking them.
6.3 Incident and Security Response
If a data security incident or data breach is reported to you, report it immediately to a manager. They will escalate it to the relevant team, who will follow the processes in place to deal with it.
6.4 Social Engineering Awareness
Be aware that phishing emails are increasing. If you are unsure about the validity of an email, always check with your manager before opening it. Be especially careful with links and attachments.
Appendix 1
Table 1: Data Retention Period

| Data record | Mandated retention period | Record owner |
| --- | --- | --- |
| Recycle Bins | Cleared monthly | Individual employee |
| Downloads | Cleared monthly | Individual employee |
| Inbox | Reviewed quarterly; any documents containing PII deleted after 3 years or as soon as no longer needed | Individual employee |
| Deleted Emails | Automatically deleted after 30 days | Individual employee |
| Personal Network Drive | Reviewed quarterly; any documents containing PII deleted after 3 years or as soon as no longer needed | Individual employee |
| Local Drives & files | Moved to network drive weekly, then deleted from local drive | Individual employee |
| Google Drives | Reviewed quarterly; any documents containing PII deleted after 3 years or as soon as no longer needed | Individual employee |
| CVs, interview notes & recordings: 1) where the candidate is unsuccessful; 2) where the candidate is successful | 1) Deleted immediately; 2) Duration of employment | Individual Manager |
Please refer to the Data Retention Policy for further information.