Cyber Security Policy
Dated: 1 July 2024 at 6:58am
This Cyber Security Policy sets out guidelines and provisions for security measures, how they connect to day-to-day work, how we manage data together, and how we help mitigate cyber security risk.
It applies to all company employees, contractors, volunteers, and anyone who has permanent or temporary access to the CLIENT NAME systems and hardware.
This is the internal and external policy for management of operations.
1. CONFIDENTIAL DATA
1.1 Confidential data is valuable and is kept secret. Company confidential data includes:
– Unpublished financial information
– Data of customers/partners/vendors
– Patents and intellectual property.
– Formulas or new technologies
– Customer lists (existing and prospective)
All parties are obliged to protect this data.
1.2 All data at rest (when stored) is kept in the ‘CLOUD’ in secure folders, on either GOOGLE DRIVE, ONEDRIVE OR ICLOUD.
Which cloud platform is used depends on the system concerned. PEOPLE&PEOPLE do not accept working with DROPBOX.
1.3 If data is in transit (when being communicated), it will be stored locally in encrypted form for up to 7 days only; at 7 days the files will be deleted or otherwise moved to the chosen cloud platform.
While data is in transit it is backed up 24/7.
1.4 Websites are backed up on a fortnightly and/or monthly basis.
1.5 Back-ups are stored in the cloud for 30 days, unless a new backup is taken earlier due to an update.
2. SAFEKEEPING EMAILS
2.1 Emails can host scams and malicious software. To avoid virus infection or data theft, all parties must:
– Avoid opening attachments and clicking on links when the content is not adequately explained (e.g., “Watch this video, it's amazing”).
– Be suspicious of clickbait titles (e.g., offering prizes, advice).
– Check the email addresses and names of people they received a message from to ensure they are legitimate.
– Look for inconsistencies or giveaways (e.g., grammar mistakes, capital letters, excessive numbers of exclamation marks).
2.2 If PEOPLE&PEOPLE and/or CLIENT NAME is not sure that an email they received is safe, they can refer to the company Security Specialist.
3. DATA TRANSFERS
3.1 Transferring data introduces security risk. PEOPLE&PEOPLE must:
– Avoid transferring sensitive data (e.g., customer information, employee records) to other devices or accounts unless necessary. When a mass transfer of such data is needed, PEOPLE&PEOPLE request that all parties ask the company’s Security Specialist for help.
3.2 Confidential data must be shared over the company network/system and not over public Wi-Fi.
3.3 All parties must ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
Report scams, privacy breaches and hacking attempts.
4. SYSTEMS
4.1 System backups are run Monday to Sunday from 9am to 10pm to ensure files are secure and encrypted. This is managed by ELIZABETH-MARIE NES.
4.2 If an update is unsuccessful, a backup will be initiated immediately.
4.3 The programmes that are accessed online are Xero, Canva, SOCIAL MEDIA PLATFORMS*, Trello and WordPress.
4.4 The programmes that are accessed offline are Adobe Photoshop DC, Excel, WORD.
4.5 At PEOPLE&PEOPLE, ELIZABETH-MARIE NES is the only person who has internal access.
4.6 External access users are as follows: ACCOUNTANT and ACCOUNTANT ASSISTANT.
4.7 The relevant access is provided to external accessors based on skill set and is reviewed on a 6-monthly basis.
5. SECURITY AND PROTECTION
5.1 When accessing systems, if the system provides Two-Factor Authentication or recommends a VPN, this is used to prevent security breaches and to ensure that all systems are secure.
5.2 Systems can be accessed remotely via hotspot, in the office, or at a preferred supplier's or customer's venue. THESE INTERNET CONNECTIONS MUST be made on a PRIVATE INTERNET CONNECTION. A PUBLIC CONNECTION IS NOT ACCEPTABLE.
5.3 ALL devices can be used, but when accessing work-related content and systems at work, this must be done on a secure private connection.
5.4 All devices must have up-to-date operating systems and have current antivirus and security updates.
5.5 All system passwords that are used must meet the standard of the company password policy (section 6), whether they are with or without shared custody via the CLIENT NAME.
6. PASSWORD POLICY
6.1 Password leaks are dangerous since they can compromise the company’s entire infrastructure. Not only should passwords be secure so they will not be easily hacked, but they should also remain secret. For this reason, when passwords are used in combined access, ALL PARTIES are to:
– Choose passwords with at least ten characters (including capital and lower-case letters, numbers, and symbols) and avoid information that can be easily guessed (e.g., birthdays).
– Passwords can be generated by https://passwordsgenerator.net/
– Remember passwords instead of writing them down. If employees need to write down their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done.
– Do not use the most commonly used English words or information with personal meaning, e.g. post code, address or birthday.
– Do not use the same password on multiple accounts.
– Exchange credentials only when necessary. When exchanging them in person is not possible, employees should prefer the phone to email, and only if they personally recognize the person they are talking to.
– Passwords are to be changed every four months.
– A vulnerable-password meter is used to ensure there are no compromised passwords; this also ensures that no two system passwords are the same.
6.2 It is recommended that password managers are used for secure password management.
7. PEOPLE&PEOPLE USERS, including STAFF/CONTRACTORS/CLIENT NAME
7.1 All parties, when accessing business internal systems and accounts, are required to be on company internet systems. Accessing via other people’s devices is not acceptable UNLESS an emergency arises, in which case this access may be acceptable and PEOPLE&PEOPLE must be notified.
7.2 If an error is discovered on any given network, PEOPLE&PEOPLE must be informed.
7.3 An error might be a security error, a failed update, a failed backup or a hack.
7.4 It is required that all devices using the company platforms are backed up and updated on a regular basis by the end user to ensure safety measures are met.
7.5 If an error is found on PEOPLE&PEOPLE accounts, PEOPLE&PEOPLE must be informed, and the CLIENT NAME must be informed within 8 hours of the error.
7.6 All devices must have up-to-date operating systems and have current antivirus and security updates.
8. PHYSICAL DEVICES AND SYSTEMS
8.1.1 Devices are covered under insurance by Vodafone and AON. If stolen, a police report will be requested. If damaged, photographic evidence will be required.
8.1.2 The devices are protected against the environment with the above managed insurance policies, including water damage.
8.1.3 Devices must have strong passwords or passcodes.
8.1.4 Devices must be using encryption.
8.1.5 All devices can be used outside the office, using secure networks if they need to go online.
8.1.6 If at any time PEOPLE&PEOPLE need to go offline or out of mobile data coverage, all CLIENT NAMEs must be notified, and the preferred contractor must be available on stand-by.
8.2 When new hires receive company-issued equipment, they will receive instructions for:
– Disk encryption setup
– Password management tool setup, whether it is LastPass or Google Password Manager
– Installation of antivirus/anti-malware software
8.3 When systems are accessed, logs are generated to ensure there are no safety breaches, including unusual or unexpected events.
Logs are generated for:
– changes to the files on your CMS and any other hosting software you use;
– letting PEOPLE&PEOPLE know if there are any changes made without your knowledge, for example malicious file breaches;
– alerting if a log configuration is changed, meaning the logs stop logging;
– unsuccessful logins with two-factor authentication (2FA). This will alert PEOPLE&PEOPLE if someone tries to access ANY account with a valid username and password, but without a second factor to authenticate it. This will ensure changes are sorted immediately.
8.4 Logs are also generated:
– for checking and testing of websites;
– in case software needs to be set up or plugin patching is required.
8.5 Logs are recorded for:
– CMS systems
– Websites, WordPress and Shopify
– CPANEL hosting
– SOCIAL MEDIA PLATFORMS*
– THE DNC register
9. PROBLEMS AND INCIDENTS
9.1 For any issue caused by CLIENT NAME or PEOPLE&PEOPLE, the procedure is as follows:
– An incident report will be written.
– PEOPLE&PEOPLE and CLIENT NAME must be informed.
– Any other relevant contractors must be informed.
– A progress report will be given to CLIENT NAME; CLIENT NAME must be informed if the incident costs money.
– CLIENT NAME must pay if the incident was caused by CLIENT NAME.
– Ongoing communication will be required.
– Post-incident documentation is required, and follow-up analysis of up to a year is required for any given incident.
– If an incident is discovered up to 6 months afterwards, it must be documented.
9.2 IF there is a potential risk to CLIENT NAME, the CLIENT NAME will be informed.
10. NOTIFYING OF PROBLEMS
IF at ANY given time a system error occurs and is picked up by CLIENT NAME, CLIENT NAME must immediately inform PEOPLE&PEOPLE to ensure the problem can be dealt with.
11. VIEWING OF POLICY
This complete policy is available to be viewed on the PEOPLE&PEOPLE WEBSITE.
12. UPDATES TO POLICY
If this policy is updated at any given time, an email will be sent out 24 hours prior to the update, and the changes will be highlighted in the email.
13. PEOPLE&PEOPLE do NOT support CLOUDFLARE.
*SOCIAL MEDIA PLATFORMS INCLUDE: FACEBOOK, MAILCHIMP, INSTAGRAM, PINTEREST, X, YOUTUBE, TIKTOK, THREADS.