CYBER SECURITY POLICY
KEEP CONFIDENTIAL INFORMATION SECURE
Our employer is implementing cyber-security policies and best practices to improve the security of our computer network and confidential work product. Please review this policy carefully, implement each item immediately, then print, sign and return the signed statement to administration.
The employer provides network, communications systems, equipment, devices and access to cloud services (the "technology resources") to carry out legitimate employer business. By using these technology resources, any user consents to the employer accessing and disclosing the contents of any data files, information and communications created on, stored on, transmitted, received or exchanged via its network, communications systems, third party hosted applications, cloud services, equipment or devices.
There is no right to privacy in the use of employer’s technology resources. By using the employer’s technology resources any user consents to monitoring, recording, and reviewing the use of that technology resource.
Users are expected to act lawfully, ethically and professionally, and to exercise good judgment.
Users who are granted access to critical data are responsible for its protection.
Use of technology in violation of this policy is subject to disciplinary action up to and including termination.
1) Password policy
a) Do not use the same password for different sites.
b) Passwords must be strong. Strong passwords should:
i) Contain at least 8 characters; a longer passphrase (several unrelated words) is preferred over a short password.
ii) Include upper and lower case letters, numbers and special characters.
iii) Not be a dictionary word or a common pattern; these are the first guesses tried in dictionary and brute force attacks.
iv) Be unique to one person.
v) Not be reused across multiple account logins.
vi) Be changed every 60 to 90 days, and immediately if you suspect it has been exposed.
vii) Be required to unlock the PC after a period of inactivity (password-protected screen saver enabled).
viii) Never be shared with anyone else
c) Store passwords appropriately. Do not write passwords down on paper. Do not store passwords on individual laptops, mobile devices or home computers unless they are kept in an encrypted password manager. Example: 1Password (https://start.1password.com, or search '1password' in the app store on your device).
d) Never provide security or personal information by email to anyone.
e) Passwords should never be shared.
f) Legal Computer Consultants will never call you to ask for your password over the phone. If you do need to provide other confidential credentials to someone, first confirm with firm administrators or partners that the person is authorized to receive them.
g) Client password storage: DO NOT STORE CLIENT PASSWORDS ON INDIVIDUAL LAPTOPS, DESKTOPS, MOBILE DEVICES OR HOME COMPUTERS.
2) Secure your PC
a) Always lock your computer before leaving your desk: press [Windows Key]+[L] to lock the screen immediately.
b) Enable a password-protected screen saver (screen lock) that activates after a short period of inactivity.
c) Do not use USB memory devices on office PCs. Do not save or open files on USB memory media. Do not charge Android devices from an office PC's USB port, and never tap 'Trust' when an iPhone connected to an office PC asks whether to trust the computer.
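The settings in 2b and 2c can be checked and applied on a single Windows workstation from the registry. The script below is an added example and is not part of the firm's policy or written by Legal Computer Consultants; it assumes an elevated PowerShell session, a 10-minute lock timeout (600 seconds, adjust to the firm's standard), and the stock blank screen saver scrnsave.scr that ships with Windows. The parameter names (-Enforce, -LockNow) and the helper functions are this example's own.

```powershell
# Added example: audit, and optionally enforce, the "Secure your PC" settings
# on one Windows workstation. Run elevated. Without -Enforce it only reports.
param(
    [switch]$Enforce,           # write the expected values instead of just checking
    [switch]$LockNow,           # lock the session at the end (same effect as [Windows]+[L])
    [int]$TimeoutSeconds = 600  # assumed lock timeout; set to the firm's standard
)

# Policy-backed screen saver values. Group Policy writes here, and these override
# whatever the user picks in Control Panel (HKCU:\Control Panel\Desktop).
$policyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# USB mass-storage driver. Start = 4 disables the driver, so USB drives no longer mount.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Expected screen saver values (all REG_SZ, which is what Group Policy writes).
$wanted = @{
    'ScreenSaveActive'    = '1'
    'ScreenSaverIsSecure' = '1'                 # demand the password on resume
    'ScreenSaveTimeOut'   = "$TimeoutSeconds"   # seconds of inactivity before it starts
    'SCRNSAVE.EXE'        = "$env:SystemRoot\System32\scrnsave.scr"
}

function Test-RegValue {
    # Compare one registry value with its expected setting; print OK/FAIL, return $true/$false.
    param([string]$Path, [string]$Name, [string]$Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $ok = ("$actual" -eq $Expected)   # -eq is case-insensitive, so path casing does not matter
    $tag = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ('{0} {1}\{2} = "{3}" (want "{4}")' -f $tag, $Path, $Name, $actual, $Expected)
    return $ok
}

function Set-RegValue {
    # Create the key if needed and write the value, overwriting any existing one.
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'String')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$compliant = $true

# 2b) Password-protected screen saver after inactivity.
foreach ($name in $wanted.Keys) {
    $compliant = (Test-RegValue -Path $policyKey -Name $name -Expected $wanted[$name]) -and $compliant
}

# 2c) USB storage driver disabled.
$compliant = (Test-RegValue -Path $usbstorKey -Name 'Start' -Expected '4') -and $compliant

if ($Enforce) {
    foreach ($name in $wanted.Keys) {
        Set-RegValue -Path $policyKey -Name $name -Value $wanted[$name]
    }
    Set-RegValue -Path $usbstorKey -Name 'Start' -Value 4 -Type 'DWord'
    Write-Host 'Values written. The screen saver policy takes effect at next logon or after gpupdate; USBSTOR stops loading for newly connected drives.'
}

if ($compliant) { Write-Host 'Workstation already meets the Secure your PC settings.' }
else            { Write-Host 'One or more settings need attention (re-run with -Enforce to fix).' }

# 2a) Lock the session right now, the same call [Windows]+[L] triggers.
if ($LockNow) { rundll32.exe user32.dll,LockWorkStation }
```

Run it once with no switches to see which values differ, then with -Enforce to correct them. For a fleet the same four screen saver values and the USBSTOR start type belong in a Group Policy object rather than a per-machine script, but the audit half is useful for confirming that the policy actually landed on a given PC.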
3) Be Careful when you click:
a) Do not click on any link unless you trust the source and you are certain of where the link will send you. If you are unsure about a link, call the sender before clicking it, using a phone number you already have rather than one given in the message. Do not follow links in emails asking you to log in to existing accounts. Delete the email and go directly to the web site in your browser to log in.
4) Do not share confidential information or credentials with anyone by phone or email:
a) Social engineering is a non-technical approach attackers use to obtain sensitive information. Social engineering techniques include phishing emails, fake phone calls, and physical impersonation.
b) Credit card information must never be sent or received via messaging systems. When accessing credit or debit card holder information through remote-access technologies, staff are prohibited from copying, moving or storing that information onto local hard drives or removable electronic media.
5) Never click on links asking you to update your credentials for any web site. If you think the email may be legitimate, you should go directly to the website to update credentials.
6) Appropriate Use:
a) Report any suspicious activity or security concerns immediately.
b) PCs and the computer network are the property of the employer and should only be used for business purposes.
c) Do not install software (for example, streaming music applications) or use personal email on employer PCs.
d) Do not use the computer (including browsing the Internet) for personal use.
e) Internet/Intranet Usage:
i) Usage should be focused on business-related tasks.
ii) There is no right to privacy in an employee’s use of the Internet/Intranet.
iii) Use of the Internet, as with use of all technology resources, should conform to all employer policies and work rules.
iv) Visiting or otherwise accessing sites in categories such as the following is prohibited:
(1) Adult Content
(4) Personals and Dating
7) Ownership of Data: The employer owns all employer data, files, information, and communications created on, stored on, transmitted, received or exchanged via its network, communications systems, equipment and devices, such as e-mail, voicemail, text messages and Internet usage logs (collectively, "digital records"), even if such communications reside in the cloud. The employer reserves the right to inspect and monitor any and all such communications at any time, including personal data stored on employer systems, for any lawful purpose and with or without notice to the user. The employer may conduct random and requested audits of employee accounts (including accounts with commercial or other third party providers if used in the course of conducting employer business) for any lawful purpose, including but not limited to ensuring compliance with policies and requirements, investigating suspicious activities that could be harmful to the organization, assisting the employer in evaluating performance issues and concerns, and identifying productivity or related issues that need additional educational focus within the employer. Digital records may be subject to public disclosure and the rules of discovery in the event of a lawsuit. The employer's Internet connection and usage is subject to monitoring at any time, with or without notice to the employee.
Agreement to follow cyber-security policy:
I understand and agree to abide by these cyber-security policies.
_______________________________ Dated: ____________