IT Security Policy
Covered in this policy
Responsibility
IT security problems can be expensive and time-consuming to resolve. Prevention is much better than cure.
Compliance with this policy is considered mandatory.
Violations of the policies, standards and procedures will result in corrective action by management.
This IT security policy helps Etch:
- Reduce the risk of IT problems
- Plan for problems and deal with them when they happen
- Keep working if something does go wrong
- Protect company, client and employee data
- Keep valuable company information, such as code and designs, secret
- Meet our legal obligations under the General Data Protection Regulation and other laws
- Meet our professional obligations towards our clients and customers
We will only classify information which is necessary for the completion of our duties. We will also limit access to personal data to only those that need it for processing. We classify information into different categories so that we can ensure that it is protected properly and that we allocate security resources appropriately:
- Unclassified. This is information that can be made public without any implications for the company, such as information that is already in the public domain.
- Employee confidential. This includes information such as medical records, pay and so on.
- Company confidential. Such as contracts, source code, business plans, passwords for critical IT systems, client contact records, accounts etc.
- Client-confidential. This includes personally identifiable information such as name or address, passwords to client systems, client business plans, new product information, market-sensitive information etc.
The deliberate or accidental disclosure of any confidential information has the potential to harm the business. This policy is designed to minimise that risk. We do not protectively mark documents and systems. Therefore, you should assume information is confidential unless you are sure that it is not, and act accordingly.
Using AI with company information
Staff may only use AI tools with company information that has explicitly been marked as Unclassified.
Exceptions have been made for the tools listed below. These may be used with any classification of data.
Approved AI tools
- Figma
- Notion
- Github Copilot
- TL;DV
Internally, as far as possible, we operate on a ‘need to share’ rather than a ‘need to know’ basis with respect to company confidential information. This means that our bias and intention is to share information to help people do their jobs rather than raise barriers to access needlessly.
As for client information, we operate in compliance with the GDPR ‘Right to Access’. This is the right of data subjects to obtain confirmation as to whether we are processing their data, where we are processing it and for what purpose. Further, we shall provide, upon request, a copy of their personal data, free of charge in an electronic format.
We also allow data subjects to transmit their data to another controller. However, in general, to protect confidential information we implement strong access controls, to the maximum that our service providers allow.
In addition, admin privileges to systems will be restricted to specific, authorised individuals for the proper performance of their duties.
When a new employee joins the company, we will add them to the systems that are needed for their responsibilities. Access levels will be granted based on their needs, but by default, employees will have the lowest level of access available.
We will provide training to new staff and support for existing staff to implement this policy. This includes:
- An initial introduction to IT security, covering the risks, basic security measures, company policies and where to get help
- Training on how to use company systems and security software properly
- On request, a security health check on their computer, tablet or phone
When employees leave the company, we will promptly revoke their access to company systems.
Effective security is a team effort requiring the participation and support of every employee and associate. It is every staff member's responsibility to know and follow these guidelines.
Staff are personally responsible for the secure handling of confidential information that is entrusted to them.
Staff may access, use or share confidential information only to the extent it is authorised and necessary for the proper performance of their duties.
Staff must promptly report any theft, loss or unauthorised disclosure of protected information or any breach of this policy to the persons listed under Responsibility.
Protecting your own devices
It is also every staff member's responsibility to use their devices (computer, phone, tablet etc.) in a secure way. However, we will provide training, software, and support to enable them to do so (see below). At a minimum:
- Remove software that you do not use or need from your computer
- Update your operating system and applications regularly
- Keep your computer firewall switched on
- Install our antivirus software
- Store files in official company storage locations so that they are backed up properly and available in an emergency
- Switch on whole disk encryption
- Understand the privacy and security settings on your phone and social media accounts
- Keep your work computer separate from any family or shared computers
- Make sure your computer and phone log out automatically after 15 minutes and require a password to log back in
Many of the above settings will be automatically applied by our MDM platform, but if a staff member is unsure, they should ask the persons listed in the Responsibility section.
Password Policy
Staff must change default passwords and PINs on computers, phones and all network devices, as soon as they receive them.
Staff must not share their password with other people or disclose it to anyone else, inside or outside of Etch.
Staff must not write down PINs or passwords outside of our password management software.
Staff must use our password management software to store and manage their passwords.
Staff must use our password management software to generate strong passwords. These must:
- Contain at least three of the five following character classes:
  - Lower case characters
  - Upper case characters
  - Numbers
  - Punctuation
  - “Special” characters (e.g. @#$%^&*()_+|~-=`[]:";'<>/)
- Be at least 15 characters long
Staff must not use the same password for multiple accounts.
When using a PIN to protect a mobile device, it must be at least six digits long.
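The password and PIN rules above can be checked mechanically. The following validator is an added example written for this page; it is not Etch's own tooling and the function names are my own. One assumption is spelled out in the code: the policy does not say where "Punctuation" ends and "Special" characters begin, so the script treats the common sentence-punctuation marks as one class and the remaining symbols from the policy's example list as the other.

```python
import string

MIN_PASSWORD_LENGTH = 15   # "Be at least 15 characters long"
MIN_CLASSES = 3            # "at least three of the five following character classes"
MIN_PIN_DIGITS = 6         # "at least six digits long"

# Assumption: the policy lists "Punctuation" and "Special" characters as
# separate classes without defining the boundary. Sentence punctuation goes
# in one set; the rest of the policy's example symbols go in the other.
PUNCTUATION = set(".,;:!?'\"-")
SPECIAL = set("@#$%^&*()_+|~=`[]<>/\\{}")


def character_classes(password: str) -> dict[str, bool]:
    """Report which of the policy's five character classes are present."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "punctuation": any(c in PUNCTUATION for c in password),
        "special": any(c in SPECIAL for c in password),
    }


def password_problems(password: str) -> list[str]:
    """Return every way the password falls short of the policy (empty list = compliant)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    present = sum(character_classes(password).values())
    if present < MIN_CLASSES:
        problems.append(f"only {present} of 5 character classes (need {MIN_CLASSES})")
    return problems


def password_is_acceptable(password: str) -> bool:
    return not password_problems(password)


def pin_is_acceptable(pin: str) -> bool:
    """A device PIN must be digits only and at least six of them."""
    return len(pin) >= MIN_PIN_DIGITS and all(c in string.digits for c in pin)


def find_reused_passwords(vault: dict[str, str]) -> list[list[str]]:
    """Given account -> password (e.g. exported from a password manager),
    return groups of accounts that share a password. Only account names are
    returned, so the output can be shown without exposing any secret."""
    by_password: dict[str, list[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return sorted(sorted(accounts) for accounts in by_password.values() if len(accounts) > 1)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["correct horse battery", "Tr0ub4dor&3xyzAB", "Abc1"]:
        print(repr(candidate), password_problems(candidate) or "ok")
    print("PIN 123456:", pin_is_acceptable("123456"), "PIN 12ab56:", pin_is_acceptable("12ab56"))
    print("reused:", find_reused_passwords({"github": "x", "aws": "x", "slack": "y"}))
```

Note that a long passphrase of lower-case words fails this policy as written, because it only contains one character class; the script reports exactly that rather than silently accepting it.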
As a rule, we do not enforce password rotation, because it encourages bad practices (such as reusing passwords, creating easy-to-remember passwords, and writing passwords down). We will only require password resets when there is an operational need to do so.
Two-Factor Authentication
Two-factor authentication, or 2FA, is a vital part of securing our accounts.
Staff members must enable 2FA on any account that offers the functionality, even if it is not enforced by the application provider.
If the provider offers the use of TOTP authentication, then this must be the 2FA option used.
Our password management software must be used for TOTP creation and storage.
If the service supplies recovery codes, these must be stored in our password management software.
Destruction of sensitive data and information
Printed Media
Documents that are classified as Employee confidential, Company confidential, or Client confidential should only be printed where required by law or client contract.
All printed media that is classified as Employee confidential, Company confidential, or Client confidential should be securely stored until it is no longer required, at which point it must be shredded or incinerated.
Digital Media
All digital media that contains Etch data classified as Employee confidential, Company confidential, or Client confidential must be rendered unreadable once it has reached the end of its life.
Staff are reminded that hammers, angle grinders, and large magnets are all suitable tools, but that thermite is always a safe bet.
Be alert to other security risks
While technology can prevent many security incidents, staff members’ actions and habits are also important. With this in mind:
- Take time to learn about IT security and stay informed. Get Safe Online is a good source for general awareness.
- Use extreme caution when opening email attachments from unknown senders or unexpected attachments from any sender.
- Staff must be on guard against social engineering such as attempts by outsiders to persuade them to disclose confidential information, including employee, client or company confidential information. Fraudsters and hackers can be extremely persuasive and manipulative.
- Be wary of fake websites and phishing emails. Don’t click on links in emails or social media. Staff should not disclose passwords or other confidential information unless they are sure they are on a legitimate website.
- Use social media, including personal blogs, in a professional and responsible way, without violating company policies or disclosing confidential information.
- Staff must take particular care of their computer and mobile devices when they are away from home.
- Staff must return any company property, transfer any company work-related files back to the company and delete all confidential information from their own systems as soon as is practicable, if they leave the company.
The following activities are, in general, prohibited on company systems and while carrying out duties for the company and may result in disciplinary action:
- Anything that contradicts our equality and diversity policy, including harassment.
- Circumventing user authentication or security of any system, network or account.
- Downloading or installing pirated software.
- Disclosure of confidential information at any time.
The above list is non-exhaustive. If you are unsure if an activity is appropriate, please consult with the persons listed under the Responsibility section.
The primary objectives of this policy are to:
- Protect sensitive information by implementing robust encryption measures.
- Ensure compliance with relevant UK data protection laws, such as the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
- Minimize the risk of unauthorized access, data breaches, or data leakage.
- Align encryption practices with the NIST Cybersecurity Framework’s best practices.
Data Encryption at Rest
- All sensitive and confidential data stored on company devices, servers, databases, and other storage systems must be encrypted using approved encryption algorithms and methods.
- Encryption should be applied to data backups, archives, and any data residing in cloud services.
- Staff are responsible for verifying that encryption mechanisms are in place before storing sensitive data on any device or storage system.
Data Encryption in Transit
- All forms of communication, including emails, file transfers, remote access sessions, and transmissions over public networks, must use encryption protocols like TLS (Transport Layer Security) or equivalent secure methods.
- Remote access to company-managed networks or systems must be carried out over the VPN. This must be enforced via firewalls and security policies.
Key Management
- Encryption keys used for data encryption must be securely stored and managed separately from the encrypted data.
- Regularly review and update encryption keys to maintain security integrity.
- Access to encryption keys must be limited to authorized staff only.
This is how we back up our business-critical systems.
- Laptops are backed up continuously
- Servers are backed up nightly and mirrored across multiple regions for redundancy.
- Databases are backed up by the SaaS provider that hosts them, using the most high-fidelity option available.
This is how we will respond to potential interruptions to our business:
- Loss of internet and/or phone connection - Email, call or send a Slack message to one of the team.
- Loss or theft of systems - As soon as safe, email [email protected] with details of the loss or theft.
We will test these contingency plans at least once a year.
This is how we will respond to IT security issues:
- Malware infection detected by scanners - Immediately isolate the device from critical systems by removing it from the network. Email [email protected] for further remediation and resolution.
- Ransomware - Immediately isolate the device from critical systems by removing it from the network. Email [email protected] for further remediation and resolution.
- Critical system failure - Critical systems are fully monitored and alerts are automatically sent via Slack and email. A response from the team will depend on the type of security issue and can vary from isolating a compromised system, to proactively responding to an attack.
- Attempted social engineering - Tell the rest of the team in Slack so we can have a giggle.
In this policy, the following terms are defined as follows:
- Us/We/Etch: Etch Software Limited
- GDPR: The General Data Protection Regulation
Although this policy explicitly covers the responsibilities of staff, it does not cover the matter exclusively. Other Etch policies, standards, and procedures define additional responsibilities. All users are required to read, understand and comply with those policies, standards, and procedures. If any staff member does not fully understand anything in these documents, they should consult with the persons listed under Responsibility. Those persons shall resolve any conflicts arising from this policy.
Thanks for reading this policy
Please feel free to use it as a template for your own document.
This policy is licensed under CC BY 4.0
Policies
We have shared our other policy docs publicly too.
Feedback
If you have any questions or feedback please contact us.
[email protected]