Employee Handbook -- Cyber Security
| Document Information | |
|---|---|
| Version | {{version}} |
| Effective Date | {{effective_date}} |
| Document Owner | {{document_owner}} |
| Next Review | {{next_review_date}} |
| Approved By | {{approved_by}} |
Purpose
As part of our commitment to maintaining a secure and efficient work environment, we adhere to strict cyber security, data protection, and physical security measures. This summary outlines key policies and procedures every employee should follow. For detailed guidelines, please refer to the complete policy documents on the company intranet.
You should note that emails and direct messages transmitted or received on the {{company_name}}'s network or servers are the property of the company. The company reserves the right to access and disclose all messages sent over its email and direct messaging system for any purpose.
Cyber Security and Information Security

- Device and Network Security: Use company devices securely and responsibly. Ensure your devices are locked when not in use and report any suspicious activities or potential security breaches to IT immediately.
- Passphrase (password) {{management_team}}: Use strong, unique passphrases for all systems, use a passphrase manager where possible and change them regularly. Do not share your passphrases with others, and do not use an account assigned to another individual.
- Email and Communication Security: Be vigilant about phishing and suspicious emails. Do not open attachments or click on links from unknown sources. Emails on the company's servers are company property. The company reserves the right to access and disclose all messages. Do not use email accounts assigned to others.
- Software and Applications: Only use approved software and applications. Requests for new software must go through the proper approval process as outlined in the Third Party Software Acquisition Policy.
- Multi-Factor Authentication (MFA) with YubiKeys: All employees must use their assigned YubiKey, in addition to their passphrase, for enhanced security access to company systems. Treat your YubiKey as a sensitive asset, and report any loss or theft immediately. Compliance with MFA policies is mandatory.
Data Protection and Privacy

- Data Classification and Handling: Familiarize yourself with our data classification categories: Public, Internal, Confidential, and Highly Confidential. Handle data according to its classification level.
- Data Storage and Sharing: Store data securely using approved platforms. Share data internally and externally with caution and only as necessary for business operations. Ensure that only Public data is stored on the local drives of your devices and that data classified as Internal, Confidential, or Highly Confidential is deleted from your device's local drive.
- Privacy Compliance: Respect privacy laws and regulations. Do not disclose personal or sensitive information without authorization.
Physical Asset and Environment Security

- Asset {{management_team}}: Use and store physical assets, including devices and documents, securely. Report lost or stolen assets immediately.
- Work Environment Security: Follow access control protocols for our facilities. Be aware of and participate in emergency and evacuation procedures as required.
Incident Response and Reporting

- Incident Reporting: Report any security incidents or data breaches immediately according to the Incident Response Plan. Early reporting is crucial for effective mitigation.
- Participation in Security Incidents: Cooperate fully with any investigations or required actions if a security incident or data breach occurs.
Backup and Disaster Recovery

- Data Backup: Understand the importance of data backups as part of our Data Backup and Recovery Policy. Regular backups are performed to ensure business continuity.
- Disaster Recovery: Familiarize yourself with our Business Continuity and Disaster Recovery Plan, especially your role and responsibilities in the event of a disaster.
General Staff Responsibilities

- Training and Compliance: Complete all required security training sessions and keep yourself updated on policy changes.
- Policy Review: The full set of detailed cyber security, data, and security policy documents is available on the company intranet. Employees are encouraged to review these documents in full.
User Responsibilities

- Knowledge and Adherence: Maintain reasonable device knowledge and adhere to the policies forming our cyber security risk framework.
- Security Practices: Use security mechanisms to protect information, maintain good passphrases, and advise on security improvements.
- Observation and Reporting: Notify management of security violations or weaknesses, do not exploit system vulnerabilities, and report to management other employees who do not abide by the cyber security risk framework.
- Social Media: Ensure you are familiar with the social media policy of the company.
Enforcement and Waivers

- Policy Violations: Violations of these policies may result in disciplinary action, up to and including termination of employment.
- Waivers: Any exceptions to these policies must be approved by the {{company_name}}'s board of directors.
Implementation Check

- Who owns this? {{policy_owner}}
- Are we doing it? {{implementation_status}}
- When will we check again? {{next_review_date}}