Information Security Policy

Purpose

The protection of our information is of primary importance to our organisation. Maintaining the confidentiality, integrity, and availability (CIA) of the information we use ensures that the operations we perform, and the services we provide, continue to meet our business objectives, comply with regulatory and legal requirements, and fulfil the requirements of our stakeholders. It also ensures that any personal data we process about our employees and customers is kept secure, minimising any potential risks or harm that may be caused by a breach of that data.

Management is committed to the security of our information, and has developed and approved this information security policy in line with the requirements of the ISO 27001 standard for information security and our organisation’s business requirements.

This document sets out the approved information security policy so that it can be clearly communicated to all employees, contractors, and other relevant third-parties.

Scope

This policy shall apply to all the business processes and information processing activities that fall within the scope of our organisation’s Information Security Management System (ISMS). For simplicity, we consider all work-related activities of employees, contractors, or other relevant third-parties to be within the scope of this policy document unless explicitly excluded.

Audience

All employees, contractors, and other relevant third-parties shall adhere to this Information Security Policy while performing work-related activities as part of their day-to-day duties. For the purposes of this document, policy instructions directed at employees shall also apply to contractors and other relevant third-parties; employees, contractors, and third-parties shall be collectively referred to as “users”. Where discussing the classification and handling of information, the user with overall responsibility for the data shall be referred to as the “data owner”.

Communication

This Information Security Policy shall be communicated to all employees and agency staff as part of our employee induction programme, and periodically following any changes to the policy. All contractors and other relevant third-parties shall be provided with a copy of this policy document as part of the process for contracting services, and shall be re-issued with updated versions periodically following any changes to the policy.

Disciplinary Process

Where an employee, contractor, or other relevant third-party performs an activity or activities in breach of this Information Security Policy, they shall be subject to the disciplinary process documented in the Company Manual or the applicable service contract.

Improvement

Management is committed to the continual improvement of our Information Security Policy, and shall review this document on an annual basis, or whenever an independent review of our organisation’s ISMS reveals a non-conformance or opportunity for improvement. The Management Review shall determine if this policy continues to meet the requirements of our organisation.

Management also endeavours to plan our business operations so that our information and information assets are not misused, either intentionally or unintentionally. This is done by identifying and assigning separate duties throughout our critical business activities to guard against misuses such as fraud, or errors in data processing activities, etc.

Where a user identifies a potential conflict of duties, or a misuse of information or information assets due to improper planning and assignment of duties, they should raise their concern immediately with their line manager or the ISMS Manager.


1. Classification & Handling of Information

To ensure that the information we process is handled appropriately and securely, it is important that all users know how to identify the sensitivity of the data, and follow our requirements for how to handle that data. This section sets out how our organisation classifies our information, and how users should handle that information.

Data Classifications

All data shared with customers should be converted to PDF before sending unless it is a collaborative document, in which case it should be labelled “draft” or “work in progress”. In addition to the table below, users shall review and adhere to the data handling principles set out in the supporting document, Data Handling & Retention Guidelines. This ensures that even unclassified data is properly handled and protected.

The classification table is set out below, with one entry per confidentiality level and the columns Description, Typical Examples, Labelling, Legal/Regulatory Considerations, Handling, and Availability/Disposal.

Public

Description: Information that is or can be made publicly available.
Typical Examples: publishing and marketing materials, website content, published financial statements, social media communication and content, advertised job titles and roles, product catalogues and brochures.
Labelling: No labelling required. We are a remote-first company, and the only public data printed on physical media is marketing material that can be publicly shared. Material that can be shared publicly (video and content) is placed on the Intranet and marked adequately. Other information that can be shared can be found in the Evercam Trust Center.
Legal/Regulatory Considerations: Internal content regulations (Company Manual).
Handling: No restriction on copying, printing and distribution.
Availability/Disposal:
  • No requirement for source destruction;
  • No data retention requirements on published data;
  • Retain a redundant copy of published data for reference purposes when required.

Internal

Description: Information that is intended for internal business use only. Unauthorised disclosure of internal information may pose some risk of reputational damage to our organisation.
Typical Examples: meeting agendas and minutes, contracts, operational documentation, policies and procedures, training material, employee training records, internal email communication, Intranet content, contact directories, purchasing data (payment authorisations, invoices).
Labelling: Due to the volume of internal data generated, labelling is not required. All unlabelled data shall be considered to be internal unless specifically labelled “Confidential” or “Highly Confidential”.
Legal/Regulatory Considerations: GDPR; Contractual obligations; ePrivacy Regulations 2011; Data Protection and Privacy Laws in the UK, USA, Australia, Singapore.
Handling:
  • Access rights restricted when necessary;
  • Shall only be printed/copied where absolutely necessary;
  • Shall only be emailed externally with prior approval of the data owner, or where it is part of an approved business process;
  • Shall only be saved to and stored on approved business systems, devices and removable media;
  • Physical media and paper records shall be transferred in line with our Data Transfer Policy (section 1.1 of this Information Security Policy).
Availability/Disposal:
  • Digital records shall not be moved or deleted without prior approval from the data owner;
  • Physical media and paper shall not be relocated or destroyed without prior approval from the data owner;
  • When no longer required, printed records shall be shredded using the secure shredding facilities;
  • Devices and removable media containing internal data shall be returned to IT or a line manager for secure disposal.

Confidential

Description: Information that is intended for internal business use only. Unauthorised disclosure of confidential information may pose a moderate risk of reputational damage and/or financial costs such as fines or penalties.
Typical Examples: customer personal data, e.g. customer records, analytics that contain extensive PII, etc.; employee personal data, e.g. HR records, disciplinary records, quarterly reviews, etc.; unpublished financial records and reports; procurement/tender process documentation; source code; proprietary company data.
Labelling: Documents of this nature created by Evercam should be labelled as “Confidential” in the footer of the document and in the file name. Any documents received from customers and labelled as “Confidential” should be treated as such. For digital records, data owners shall save confidential data only to the organisation’s units and/or folders specifically designated for confidential data. Access rights shall be approved by the owner as required.
Legal/Regulatory Considerations: GDPR; Data Protection Act 2018; Contractual obligations; Data Protection and Privacy Laws in the UK, USA, Australia, Singapore.
Handling:
  • Access restricted and approved only by the data owner;
  • Shall not be printed/copied unless approved by the data owner;
  • Shall not be printed to printers located in unsecured areas or general working areas;
  • Shall only be shared with authorised third parties with a non-disclosure and confidentiality agreement in place;
  • Shall only be emailed internally or externally with approval of the data owner, or where it is part of an approved business process;
  • Digital records shall only be shared externally using an approved encrypted transfer method in line with our Data Transfer Policy;
  • Shall only be saved to and stored on approved business systems;
  • Shall only be saved to and stored on approved and encrypted devices and removable media;
  • Physical media and paper records shall be transferred in line with our Data Transfer Policy.
Availability/Disposal:
  • Digital records shall not be moved or deleted without prior approval from the data owner;
  • Physical media and paper shall not be relocated or destroyed without prior approval from the data owner;
  • When no longer required, printed records shall be shredded using the secure shredding facilities;
  • Encrypted devices and removable media containing confidential data shall be returned to IT or a line manager for secure disposal.

Highly Confidential

Description: Information that is intended for internal business use only. Unauthorised disclosure of highly confidential information may pose a significant risk to the organisation and users, resulting in a data breach, reputational damage and/or significant financial costs.
Typical Examples: special categories of personal data, e.g. medical records, genetic and biometric data, trade union memberships, ethnic origin, religious beliefs; financial data, e.g. credit and debit card information; passwords, PIN codes, security tokens; corporate negotiations, funding information.
Labelling: Documents of this nature created by Evercam should be labelled as “Highly Confidential” in the footer of the document and in the file name. Any documents received from customers and labelled as “Highly Confidential” should be treated as such. For digital records, data owners shall save confidential data only to the organisation’s units and/or folders specifically designated for confidential data. Access rights shall be approved by the owner as required.
Legal/Regulatory Considerations: GDPR; Data Protection Act 2018; Contractual obligations; Data Protection and Privacy Laws in the UK, USA, Australia, Singapore; Copyright and Related Rights Act 2000.
Handling:
  • Access restricted and approved only by the data owner;
  • Access is strictly monitored;
  • Shall not be printed/copied unless approved by the data owner;
  • Shall not be printed to printers located in unsecured areas or general working areas;
  • Must be claimed immediately at the approved printer, or be released for printing by PIN, ID and/or password authentication at the printer;
  • Shall only be shared with authorised third parties with a non-disclosure and confidentiality agreement in place;
  • Shall not be emailed, other than in situations where one-time passwords and/or PINs are required;
  • Digital records shall only be shared externally using an approved encrypted transfer method in line with our Data Transfer Policy;
  • Shall only be saved to and stored on approved business systems;
  • Shall only be saved to and stored on approved and encrypted devices and removable media;
  • Physical media and paper records shall be transferred in line with our Data Transfer Policy.
Availability/Disposal:
  • Digital records shall not be moved, changed or deleted without prior approval from the data owner;
  • Physical media and paper shall not be relocated, marked or destroyed without prior approval from the data owner;
  • When no longer required, printed records shall be shredded using the secure shredding facilities;
  • Encrypted devices and removable media containing highly confidential data shall be returned to IT or a line manager for secure disposal.


1.1  Transferring Data

The handling requirements for the identified confidentiality levels of data are provided at a high level in the table above. This section provides detail on our approved policy for transferring data.

1.1.1   Digital data

Where there is a requirement to transfer internal, confidential, or highly confidential digital data outside of our organisation, the following shall apply:

  • Users shall ensure that they use only the approved methods for transferring the data. These methods are approved by data owners and system administrators. Examples include, but are not limited to:
    • Forced TLS
    • Secure web transfer, e.g. secure web portals, APIs, etc.
    • SFTP
    • GPG
    • Approved document sharing methods such as Google Drive
    • Encrypting individual files and sending them as email attachments

Where users encrypt individual files and send them as email attachments, the encryption key must be sent to the recipient using a second channel, such as SMS or a phone call. Users must never send both the data and the encryption key via email.

1.1.2   Physical data

Where there is a requirement to transfer internal, confidential, or highly confidential data in physical format, such as paper records, backup media, tape, CD/DVD, USB, etc., the following shall apply:

  • Users shall use only approved couriers for physical media collection and transfer. Couriers that are approved for use ensure the required levels of security in handling and delivering the physical media.
  • Users shall ensure that physical media storing digital data, such as USB, hard disk, etc. is encrypted wherever possible.
  • Users shall ensure that physical media is packaged in a way that does not allow the physical media to be accessed and/or damaged during transit. For example, with backup tape media, this may include secure containers provided by the backup tape collection and storage provider, etc.
  • Users shall request confirmation from the courier that the package has been delivered as expected, and that it has been signed for by the intended recipient, or persons nominated by the recipient.
  • Users shall confirm with the recipient that the package is received in an undamaged/unaccessed state.
  • When receiving physical media, users shall ensure that they are available to sign for the package wherever possible. Where this is not possible, users must nominate another user to sign, and must ensure that the user knows how to secure the package. Packages containing physical data must not be left unattended in reception, or other common areas.

1.2  Protecting Data From Loss

Even where users adhere to the handling requirements set out in the table above, the daily use, copying, and sharing of information may result in unintended loss or data leakage. To minimise the likelihood of data leakage, the following policies shall apply:

  • Users shall not take photos or screenshots of sensitive or confidential information. Where the photo or screenshot is saved to the device, it may be stored in an unsecure location, and accessible to unauthorised users.
  • Users shall regularly review and purge temporary file locations, such as the “Downloads” folder, draft document locations, operating system recycle bins, and other trash functions. Files created and downloaded for temporary use may contain sensitive or confidential data, and remain stored in unsecured locations indefinitely, increasing the risk of unauthorised access and data breach.
  • Users shall not use auto-completion of email addresses when sending emails. Where auto-completion of email addresses is used, this can result in the wrong email address being selected, and sensitive or confidential information being sent to unintended recipients. Users should either copy and paste, or fully type out, the correct email address when it is necessary to send sensitive or confidential information via email. Sensitive or confidential information shall always be secured in line with section 1.1.1 of this policy when emailed.


2. Securing Working Environments

Whether in the office or at home, physical security measures are essential for ensuring that our users, information, and information assets are protected at all times. This section sets out our requirements for physical security.

2.1  Security in the Office

When working from our designated offices or warehouses, the following policies shall apply:

  • Users that are issued with keys or access fobs will not lend or transfer them to any other member of staff without prior authorization.
  • Users must report the loss of any keys or access fobs immediately.
  • Users must ensure any company offices or warehouses are secured before departure, and must inform management if, for any reason, they are unable to secure the premises.
  • Users shall ensure that all site visitors are accompanied by a staff member.
  • Users shall not allow tailgating into the office i.e. users shall not allow anyone who does not have their own key or access fob to follow them into controlled office areas. The person may not be approved to enter our office area/s, and may pose a risk to other users and/or our assets.
  • When a user notices an unauthorised person, or unaccompanied guest, in our office area/s, they should approach them only if they consider it safe to do so. In this case, the user shall escort the person back to reception. In a situation where it may be unsafe to challenge the person, users shall alert security staff and/or colleagues, and ensure the person remains in sight until assistance arrives.
  • Where PIN codes are used for access, users shall not write down their PINs, or communicate their PINs to other users. Where PIN codes are needed, these shall be provided to users during their induction period and shall not be shared.
  • Users working in secure areas shall not leave the secure area unlocked when they are not present.
  • Where maintenance is required in secure areas, users working in secure areas shall ensure that the work taking place is monitored at all times.
  • When receiving deliveries at a loading area or service access area, the user receiving the delivery shall ensure that delivery or service personnel are monitored at all times until the delivery is complete. The user shall ensure that the delivery is then appropriately secured.

2.2  Security at Home

When working from home, it can be difficult to implement physical security measures. Wherever possible, users should follow this set of recommendations:

  • Users should not leave guests, builders, or service engineers unattended in the designated home office area. Where this is unavoidable, users should observe strict clean desk and clear screen policies as set out in section 3.2 below, and should not leave mobile phones or other easily removable devices in plain view.
  • Users should instruct family members or housemates who may share the space to not leave guests, builders, or service engineers unattended in the designated home office area.
  • Users should ensure work-related deliveries are not left in shared areas where they may be inadvertently opened.

2.3  Security in Public or Shared Spaces

When working in public areas, or other shared spaces such as co-working environments, it can be even more difficult to implement physical security measures than in a home environment. The following policies apply for working in public and shared spaces:

  • Users shall ensure that they are familiar with, and abide by, the physical security policies of any co-working spaces that they may use while carrying out work on behalf of our organisation. This may include being issued with a unique ID badge for authorised access to work spaces and facilities, reception sign-in, secure check-in, adherence to safety instructions and drills, etc.
  • Where there is a lack of physical security controls in a co-working space, or the controls contradict the requirements set out for office security in section 2.1 above, users shall adhere to the requirements of section 2.1 of this policy, wherever possible. This will ensure a minimum level of physical security is applied, no matter where the user may be required to work from.
  • Users shall immediately raise any concerns regarding the security of their physical working environment with their line manager. Concerns may include, but not be limited to:
    • No facility to securely receive work-related deliveries
    • Other users of the space sharing authentication mechanisms such as PIN codes, ID badges, fobs, etc.
    • No facilities for secure document disposal such as lockable waste bins or document shredders
    • No facility to print documents securely such as personal printers or authenticated print release
    • No facilities to secure equipment or belongings such as lockers or lockable drawers
    • No perimeter security for the building or work space
    • Lack of appropriate health and safety mechanisms that may make the space unsafe to work in
  • When working in more public environments such as a hotel, conference centre, public transport, etc., it may not be possible to apply necessary physical security measures. In this case, users shall adhere to section 3 of this policy, and shall ensure they appropriately protect all information assets they may be using while travelling or working outside of the office or home.
  • Where there is a lack of suitable privacy in any public environment a user may be working in, users shall not conduct confidential calls or meetings related to their work. Users shall wait until a suitable level of privacy is available, or alternatively issue required communications via a secure channel, such as company email.

3. Using Information Assets

Our organisation provides approved equipment and services to users so that they can carry out their work-related duties. The equipment and services are our information assets, and this section sets out the policies for using those assets appropriately.

3.1  Monitoring

To ensure that our information and information assets are accessed and used in a secure way that minimises any information security risks, and that we meet our legal and regulatory requirements, our organisation retains the right to carry out monitoring of our equipment and services. These monitoring activities are not productivity monitoring activities, and any examination of user account activity shall be done only with appropriate management and/or HR approval.

In order to carry out monitoring activities, we may:

  • Install applications that provide alerting or activity reporting on equipment provided to users
  • Configure alerting or activity reporting on services provided to users
  • Install remote management software on devices, such as Mobile Device Management (MDM)
  • Intercept and view internet and email traffic on our network
  • Store and review logs or other data generated from monitoring activities

Users shall comply with our monitoring activities as follows:

  • Users shall not attempt to remove or tamper with any monitoring applications or remote management software installed on the laptop, computer, or mobile phone provided.
  • Users shall not attempt to disable or bypass settings that facilitate monitoring, such as proxy server or web-filtering settings.
  • Users shall use only the user account assigned to them when using our equipment and services unless authorised to use service or privileged accounts for specific reasons.
  • Users shall not attempt to access or alter any logging data that may be stored on the laptop, computer, or mobile phone provided.

3.2  Securing Equipment & Records

While using equipment and services, the following policies shall apply:

  • Users shall not leave equipment such as laptops and mobile phones unattended in communal office areas such as meeting rooms, toilets, kitchens, reception, etc.
  • When leaving laptops unattended in unsecured areas is unavoidable, users shall use the security cables provided to secure laptops to desks, meeting room tables, etc.
  • Users shall adhere to the clear desk and clear screen principle, even when working from home, by ensuring the following whenever they step away from the desk:
    • That all work-related documents and mobile devices are placed in drawers or secured in lockable cabinets
    • That their computer or laptop is locked and cannot be viewed or accessed by any other person
  • Users shall ensure any paper records are secured in designated filing areas or secure filing cabinets. When working from home, users should keep printing to a minimum, and should not leave work-related documents in general areas.
  • Users shall ensure that any printed records not required for filing shall be disposed of in the secure recycling bins provided. When working from home, users requiring document disposal shall contact their line manager to discuss providing either collection services, or separate shredding facilities.

3.3  Using Equipment

Our organisation allows the use of personal devices for company use under certain conditions. This is typically known as a Bring Your Own Device (BYOD) policy, and allows users to continue to carry out their duties in situations where access to the equipment and services at our offices may not be possible or may be impractical, for example where home working is enforced due to movement restrictions, or where the user is a third-party who may need to use their own computer equipment to carry out the required work. However, the use of personal devices is risk assessed in line with our Risk Management Process, and may not be permitted in some situations, such as for users responsible for processing highly confidential information. The use of personal devices is therefore subject to management review and approval.

The following section sets out our general security requirements for using both company and personal equipment.

3.3.1   Company equipment

When using company computers, laptops, or mobile phones, the following policies apply:

  • Users shall not log into, or attempt to log into, company equipment that is not assigned to them.
  • Users shall not install unapproved applications or software.
  • Users shall not connect unapproved removable media such as USBs, external hard-drives, and mobile phones.
  • Users shall not insert, or run applications from, removable media such as CDs and DVDs.
  • Users shall not transfer data from their company equipment to any removable media unless approved by their line manager and IT.
  • Users shall not tamper with, or disable, any anti-virus and/or anti-malware applications installed.
  • Users shall not tamper with, or disable, any firewall applications installed.
  • Users shall not tamper with, or disable, any MDM software installed.
  • Users shall not tamper with, or disable, any web-filtering applications installed.
  • Users shall not tamper with, or disable, any VPN software installed, and shall ensure that it is used when connecting to office services and network drives, etc.
  • Users shall use only the provided applications to edit and store data. For example, company network drives and folders, Microsoft 365, OneDrive, Upscaler, etc. Information stored locally on the device may be lost if the computer fails, mobile is stolen, etc.
  • Users shall not attempt to log onto company equipment with a user account that does not belong to them.
  • Users shall not take or remove company equipment unless approved. For example, where provided with a desktop computer, a user shall not take the computer home unless authorised to do so by their line manager and IT.
  • Users shall ensure that reasonable precautions are taken when carrying or transporting company equipment outside of the office. For example, laptops should be locked in the boot of the car while unattended, laptops should not be left unattended while on public transport, etc.
  • Users shall notify their line manager and IT immediately if any device is lost or stolen.
  • Users shall not disable security update applications.

3.3.2   Personal equipment

When using personal computers, laptops, or mobile phones, the following policies apply:

  • Users shall ensure that they install anti-virus on their personal laptop, desktop, and/or mobile phone. Where the user does not have anti-virus software, they should contact their line manager, and it can be provided, where required.
  • Users shall use only the provided web-based applications to edit and store data. For example, Microsoft 365, OneDrive, Upscaler, etc. Information stored locally on the device may be lost if the computer fails or is breached, mobile is stolen, etc.
  • Users shall ensure that reasonable precautions are taken when carrying or transporting equipment. For example, laptops should be locked in the boot of the car while unattended, laptops should not be left unattended while on public transport, etc.
  • Users shall ensure their mobile phones are secured with at least a PIN.
  • Users shall notify their line manager and IT immediately if any personal device used to access our services and information is lost or stolen.
  • Where users have accepted the installation of MDM software on their personal mobile phone, they shall not tamper with, or disable, it.
  • Where users have accepted the installation of VPN software, they shall not tamper with, or disable, it. Where VPN software is available, users shall always connect to office services using the VPN, and shall disconnect from the VPN as soon as their session is complete.
  • Where available, users should always use 2FA for accessing company services from personal devices, and shall always log out from the service once their session is complete.

3.4  Returning Equipment & Records

When leaving the organisation or completing a contract for services, the following policies apply:

  • Users shall return all company laptops, computers, paper records, and mobile phones on departure from the organisation
  • Where personal devices have been used, users shall ensure that they have logged off all company services such as Microsoft 365, OneDrive, VPNs, etc.
  • Users shall ensure that any company information that may have been stored locally on personal devices is transferred to company services and/or networks, and is deleted permanently from the device.
  • Where working from home, users shall contact their line manager to discuss providing either collection services, or separate shredding facilities for paper records.

3.5  Using the Internet

Acceptable use of our internet service is set out in our Company Manual. Policies governing the secure use of internet services used by users working from home, or at remote working sites, hotspots, etc. are outside the scope of this document. The following is a set of recommendations for users in these scenarios, and should not be considered exhaustive:

  • Users working from home and using wi-fi should carry out the below steps to ensure that their home network is reasonably secure:
    • Change the default SSID to something that does not identify the modem, provider, or network location
    • Enable WPA2
    • Set a strong network password; default passwords should be changed immediately
    • Do not provide the network password to guests, builders, or service engineers; where this is absolutely necessary, the password should be changed immediately after they no longer require access
  • When using cabled internet, users working from home should ensure that the cabling from their equipment to the modem does not run outside of the home in a way that could be tampered with or damaged.
  • Users should avoid using open, unsecured wi-fi hotspots as they are frequently exploited by malicious attackers.
  • Users should avoid connecting to wi-fi networks that request personal data and/or login credentials to access the service. These may be attempts to steal data.
  • Where in any doubt, users should use the tethering facility on their mobile phone for internet access.

3.6  Using Email

Acceptable use of our email service is set out in our Company Manual. Policies governing the secure use of personal email while working from home on personal devices are outside the scope of this document. The following is a set of recommendations for users working from home and using their own equipment:

  • Users should be careful not to use their work email when placing personal online orders. This will assist in identifying malicious email campaigns that try to exploit expected package delivery to steal login credentials.
  • Where not enforced, users should always use 2FA for accessing company email services from personal devices.
  • Users should be careful to always check which email they are using before sending any work-related email as they may inadvertently be in their personal email.
  • Users should avoid using auto-complete when selecting recipient email addresses, and check the recipient address is correct before sending any work-related email.
  • Users shall be careful of any email asking for confirmation of login credentials; as a rule users should not click on email links unless they have just requested a password reset and the email has been received as part of the reset process. In all other cases, users should reach the service directly via a saved bookmark or by typing its address rather than following the link.

3.7  Using Company Social Media

Acceptable use of social media services is set out in our Company Manual. Policies governing the secure use of personal social media while working from home on personal devices are outside the scope of this document. Users working from home and using their own equipment should keep the following in mind when using social media services:

  • Users should be careful to always check which social media profile they are using before posting any work-related communications or content as they may inadvertently be in their own personal social media profile.
  • Wherever possible, users should always use 2FA for accessing company social media services from personal devices.

4. Controlling Access to Information Assets

Our organisation uses various authentication information such as passwords, security tokens, 2FA, and PIN codes to authenticate our users, and to secure our services and equipment from unauthorised use. The following policies apply for securing authentication information:

  • Users shall not write down, or share their login credentials or PIN codes with anyone; IT and colleagues should never ask for login credentials, and a request for your details might be an attempt to steal them, or bypass anti-fraud measures, etc.
  • Users shall create strong, complex passwords. Strong, complex passwords will typically have:
    • A minimum of 8 characters; this is a floor rather than a target, and longer passphrases are considerably harder to crack
    • A mix of numbers, uppercase, lowercase, and special symbols such as (*%!&)
  • Users shall create passwords that are not easily guessed. Passwords built from the names of friends, family, children, pets, birth dates, etc. are easily guessed and are among the first candidates a password-cracking tool will try. Easily guessed passwords typically follow predictable patterns such as:
    • Month Day Year e.g. January0120!, February2012*, etc.
    • Name Birthday e.g. JohnSmith2390!
  • Users shall always use a unique password for each service and account used, regardless of whether it is a personal or company account. If a personal social media account or other personal web-based service account is compromised, malicious persons might gain unauthorised access to company services, or vice versa.
  • Where personal devices are used to access company services, users shall not share their login credentials or PIN codes with family members, or allow family members to use the devices.
  • Users shall use 2FA for accessing company services, wherever possible. Users shall not tamper with or remove security tokens.
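The password rules above can be applied as an automated check, for example in an onboarding script or a self-service password tool. The following is an added example, not part of the organisation’s policy or tooling: it checks the 8-character minimum, the four character classes, the "month day year" and "name birthday" templates behind the policy’s own examples, and an optional list of personal words (names, pets, etc.) that a deployment would have to supply; the names used below are constructed for illustration.

```python
import re

MIN_LENGTH = 8  # threshold stated in the policy above

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Template behind the policy's examples ("January0120!", "JohnSmith2390!"):
# a run of letters, a short run of digits (day/year/birth date), then
# up to three trailing symbols. Random or passphrase-style passwords do not fit it.
WORD_THEN_DIGITS = re.compile(r"^[A-Za-z]+[0-9]{2,8}[^\w\s]{0,3}$")
MONTH_THEN_DIGITS = re.compile(r"^(?:%s)[0-9]" % "|".join(MONTHS))

# The four character classes the policy asks for.
CHARACTER_CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "number": str.isdigit,
    "special symbol": lambda c: not c.isalnum() and not c.isspace(),
}


def check_password(password, personal_words=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_words is a hypothetical, caller-supplied list of names, pets,
    birth years etc. that must not appear anywhere in the password.
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    missing = [name for name, test in CHARACTER_CLASSES.items()
               if not any(test(c) for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))

    lowered = password.lower()
    if WORD_THEN_DIGITS.match(password):
        if MONTH_THEN_DIGITS.match(lowered):
            problems.append("month-day-year pattern")
        else:
            problems.append("name or word followed by a date or number")

    for word in personal_words:
        if word.lower() in lowered:
            problems.append(f"contains personal word '{word}'")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the policy's own bad examples plus one passphrase.
    samples = ["January0120!", "February2012*", "JohnSmith2390!", "correct-horse-B4ttery!"]
    for candidate in samples:
        result = check_password(candidate, personal_words=("John", "Smith"))
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Note that the template match is deliberately broad: anything shaped like a word plus digits plus a symbol (including the ubiquitous "Password1!") is rejected, which is the behaviour the policy describes. The personal-word list should come from the user’s own HR record or a self-declared list, never from a shared file.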

5. Identifying & Reporting Incidents

While performing work-related activities, a situation may arise where a user suspects that a security incident has taken place. Users may notice some of the following:

  • Suspicious emails such as replies to emails they didn’t send, phishing emails, large numbers of spam emails, multiple password reset request emails, etc.
  • Pop-ups, notifications, or web-pages that they do not recognise
  • Sudden slowness of their device and inability to use company services
  • Malware notifications
  • Disconnection from the office network
  • Inability to log into company services
  • Persons in office areas that they should not be in
  • Persons without staff badges who are unaccompanied
  • Passwords or PINs written down
  • Users verbally sharing their user credentials, or logging onto each other’s devices
  • Confidential documents left at printers
  • Security doors propped open and unattended
  • Theft of a mobile phone or laptop
  • Email containing confidential data accidentally sent to the wrong person
  • Reports from customers or other third-parties of unavailability of services, or suspicious activity such as spam
Where users suspect that an incident has taken place, the following policy applies:

  • Users shall immediately contact IT and their line manager regarding the suspected incident. Where a device is involved, users should leave it as it is (not wiping, resetting or continuing to use it) until IT advises, so that evidence is preserved.
  • Users shall provide the following information when reporting the incident:
    • Name
    • Department
    • Contact details
    • The time that they first noticed the issue
    • A description of the issue, to the best of their ability
  • Where appropriate, users can take photos of the affected device’s screen, or, in situations where they have seen doors propped open, where there is evidence of potential theft or break-in, etc., of the scene. Caution should be used in taking any photos which may display personal data, such as other users in the image, visible personal information on printed documents, etc.
  • Users shall treat the incident as confidential, and shall not discuss the incident with other users unless it is necessary for assisting the incident investigation.
  • Users shall not communicate any detail of the incident on any social media service, or to any external persons or third-parties. Communication of the incident externally is considered a data breach, and will be investigated. Communication of the incident will be handled and approved as required by management.