Security Policy (Internal)

Due to the nature of the industry we work in, we frequently come into direct contact with a lot of sensitive and confidential information, and it is the responsibility of all of us to take the relevant steps to make sure all sensitive data and information are kept secure. All staff must carry out at least a six-monthly review of the software on all devices (laptops, tablets, and phones) and uninstall software/apps that are no longer required; in addition to improving security, this will also help to keep the devices performing quickly.

Remember, security is a process, not a destination and is important for everyone from the outset.

User access levels

By default, all employees will be granted the lowest level of access that enables them to perform their jobs, in order to minimise security risks. 

Administrator level permissions to local devices and cloud services should only be granted to team members in senior positions who require this access in order to perform the function of their roles within the company. This will be kept to the minimum number of people and defined in the ARCI chart for each role.

Only a company Director is authorised to grant administrator permissions to an employee. This will be defined as part of the ARCI process when the job spec is created or updated. If an employee requires admin access to a system and does not have this permission, they must request it in writing to a company director, stating why they need it and the timeframe for which they need it. If approved, access will be granted for the defined timeframe only. Alternatively, a person with approved admin access will be assigned to perform the necessary tasks.

Equipment

Device encryption

On your company mobile devices, you must never install apps that do not come from the official Android or Apple app stores unless you are given permission in writing from a relevant manager for a specific use case. Ideally, you should only install apps from the list of approved apps, but you may install other apps if they are necessary for the performance of your role.

Approved apps

  • G Suite apps
  • Harvest/Forecast
  • Default Android and iOS apps
  • WhatsApp
  • Slack
  • Receipt Bank
  • CamScanner
  • LastPass and other relevant password managers
  • Keyy and other relevant 2FA apps
  • Adobe creative cloud
  • BatchImageResizer
  • BetterSnapTool
  • Cyberduck
  • Dropbox
  • FontPlop
  • GitKraken
  • ImageOptim
  • Redbooth
  • Sequel Pro
  • Skype
  • Source Tree
  • The Unarchiver
  • VirtualBox
  • Zoom
  • Spotify
  • iTerm2
  • Photoshop / Sketch / Figma
  • MAMP / Local by Flywheel
  • Visual Studio Code / Sublime text
  • All kinds of browsers used for testing/development (including Chrome, Chrome Canary, FF, FF Developer Edition, Safari)
  • CrossBrowserTesting.com local
  • NodeJS
  • npm
  • Instagram
  • Repost
  • Twitter

Staff are NOT permitted to root or jailbreak their company devices.

Password protect

Updates

Location tracking

Firewall

Anti Virus & Malware

  • Please make sure you have antivirus software installed on every operating system, and ensure that it is set to update daily and to scan files automatically on access (this is usually the default setting). It must also be set to scan the web pages you visit and warn you about malicious web pages. It is a common myth that Apple products are immune to viruses; Windows viruses can also live on OSX and end up causing issues when you transfer files to a Windows user.

  • All machines must run approved antivirus software as follows:
  • Mac: Kaspersky
  • Windows: Kaspersky, Malwarebytes or Windows Defender
  • Ubuntu: Potentially not needed, read: https://wiki.ubuntu.com/BasicSecurity#Linux_Vulnerabilities – However, if you want one you can check out this: https://www.maketecheasier.com/ubuntu-antivirus-programs/
  • Emails: Please always run a full virus and malware scan on any and all attachments you are sent. Google Apps has an automatic virus scanner, which is great, but files sent via Dropbox or downloaded directly from a server (e.g. via FTP, BlogVault) should be scanned.

General

  • You should never leave your devices unattended, even if password protected. This includes mobile phones, laptops, MacBooks, tablets and any removable storage.

Device Backups

Ideally, a 3-2-1 backup strategy is recommended. This means 3 total copies of your data: 2 on-site (1 being your actual device and 1 being an external hard drive) and 1 offsite. Priority should be given to a secure offsite backup.

On-site backups

Offsite backups

Passwords

  • Always use a Password Manager (e.g. LastPass), never write the passwords down and never store or send them anywhere in plain text.
  • If for some unfortunate reason you receive a password in plain text then you should immediately save it to a Password Manager and then destroy the email/message you received it in.
  • Avoid sharing accounts where possible and instead set up individual user accounts.
  • Passwords should always be generated using a Password Manager, never use generic passwords.
  • Use strong passwords that are 16+ characters in length including letters, numbers, and symbols.
  • You must not use the same password for multiple accounts.
  • You must ensure that the password on your home router is NOT the one that came with the router, and similarly for any other devices. You should reset the password following the manufacturer’s instructions and confirm in writing that this has been completed and that the new password is a strong password generated by LastPass.
  • A fun video of Edward Snowden on Passwords: https://www.youtube.com/watch?v=yzGzB-yYKcc
  • https://www.lastpass.com
  • https://1password.com
  • https://keepass.info

2-Factor Authentication

  • Wherever possible you should be using 2-Factor Authentication. If given the choice you should use Google Authenticator or another app such as Authy instead of SMS; however, SMS is certainly better than nothing. E.g.:
  • Slack
  • Redbooth
  • Google Apps
  • Dropbox
  • Charlie HR
  • LastPass

Sharing Secure Credentials and Granting Access

  • Secure credentials (such as passwords, sFTP, FTP, SSH details, and anything else that can be deemed sensitive information) should never be shared over Email or Slack and should not be stored in a plain text document of any kind or unencrypted in cloud storage such as Dropbox or Google Cloud. Instead, you should primarily use LastPass; alternatively, you can use the Signal App. You can install Signal App on your phone (Android or iOS) and then connect it to your desktop using the desktop app for Mac/Win.
  • https://signal.org
  • If you need to sign a client up to an online service, it is better to talk them through how to do it over the phone or via email rather than doing it for them; this way you do not have to worry about sharing credentials or making sure they change the password, and you can talk them through how to set up 2FA. In the rare cases where you do need to do it for them, set up the account using a secure password under their email address, then reset their password using the “Forgotten Password” option, which should send them an email to reset their password themselves, and then talk them through setting up 2FA.
  • User accounts must be issued by management only on the basis of need. This is primarily driven by job role responsibilities. If access is required that does not fit a specific responsibility defined in the job role, it will be reviewed by a line manager and documented for the specific use case, including a timescale for review. If access is no longer required then it must be revoked.
  • Administrator accounts for devices, software and websites must only be used to perform functions that require administrator access.  User accounts with non-administrator privileges must be used for day to day use such as checking emails, browsing the web and publishing blog articles.
  • We must keep an up-to-date log of all administrator accounts for software, devices, and web applications.

Wireless Networks (Wi-Fi)

Public networks

  • Public Wi-Fi should be avoided where possible; however, due to the nature of remote work you are likely to come into contact with various public Wi-Fi networks. Public Wi-Fi networks are potential targets for sniffing and hijacking, therefore you should never connect directly to these and should only connect if you are using a VPN.
  • https://www.bestvpn.com/best-uk-vpn/
  • ProtonVPN offer a free starter (slower connection) https://protonvpn.com/pricing and paid versions (faster connections).
  • You should stay away from insecure networks.

Home network

  • The wireless network must be WPA2 protected as a minimum and must not use WEP.
  • The wireless password must be changed at a minimum of every 3 months.
  • You should regularly check for and apply security firmware updates.
  • Keep a constant check for unauthorised users and remove any accounts not in use.
  • The router should be set up to keep a log of all network intrusion attempts.
  • In the event that you identify that a non-authorised person may have access to your home network, you must reset your router to a new password. You are accountable for ensuring that your home network is secure, and in the event of a possible breach you must inform a line manager and confirm in writing that you have reset the password.

Removable Media

  • Media such as External Hard Drives, USB Sticks, SD cards, CDs, DVDs etc. should be strictly avoided unless for the purpose of a secure home backup solution such as Apple’s Time Machine, Windows File History or Ubuntu’s Déjà Dup.
  • When using an External Hard Drive for secure backups you should make sure it is encrypted and stored in a secure location.
  • Ensure ‘auto-play’ for DVD drives (if anyone still has one) and memory sticks is disabled on your laptop.

Phishing

  • You should never send any sensitive information via email when asked (please see Sharing Secure Credentials).
  • You should be wary of links you click in emails and never click on links sent from an unknown source.
  • Never open an attachment from an unknown sender.

Data Breaches

  • This document sets out to avoid any data breaches, however in the event it does happen we need to be prepared under the new rules of GDPR.
  • A data breach refers to a breach of security that can lead to the destruction, loss, alteration and unauthorised disclosure of, or access to, personal data.
  • A data breach must be reported as soon as you have become aware of it to the Managing Director without fear of reprisal, where the severity can be determined and whether or not ICO needs to be notified – data breaches must be reported to ICO within 72 hours of discovery if it’s likely to result in a risk to people’s rights and freedoms.
  • If a device has been compromised, we will take the appropriate action, which can include:
  • Remove SSH keys from GitLab, GitHub and any servers they are used on as soon as the breach has been reported.
  • Sign out of all active sessions from any service being used, e.g. Google Apps, Google Mail, Google Calendar, Dropbox etc.
  • Change of password for all online services.
  • Use location tracking in event of a lost/stolen device.
  • Remote wiping in event of lost/stolen device.
  • Notify any additional affected parties ASAP.
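The first step in the checklist above, removing a compromised SSH key from a server, depends on identifying the right key among several in a user's authorized_keys file. The following added example (not part of this policy document or any of the tools it names) computes OpenSSH-style SHA256 fingerprints for each entry, so the fingerprint reported for the lost device's key can be matched and only that entry removed. The authorized_keys content and the key bytes are constructed sample data, not real keys.

```python
"""Revoke a compromised SSH public key from authorized_keys by fingerprint.

Added example, not part of the policy document. Fingerprints are computed the
way OpenSSH does it (SHA256 over the decoded key blob, base64 without padding),
so a fingerprint taken from the compromised key can be matched here.
"""
import base64
import binascii
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(key_bytes: bytes, comment: str) -> str:
    """Build an authorized_keys line for a constructed (not real) ed25519 key.

    Only the wire format matters for fingerprinting, so the 32 key bytes are
    arbitrary constructed data rather than a real key pair.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of one authorized_keys entry."""
    fields = line.split()
    # Skip a leading options field (e.g. 'no-pty' or 'from="10.0.0.0/8"'):
    # the key type is the first field starting with 'ssh-' or 'ecdsa-'.
    # (Options containing spaces inside quotes are not handled here.)
    while fields and not fields[0].startswith(("ssh-", "ecdsa-")):
        fields.pop(0)
    if len(fields) < 2:
        raise ValueError("not an authorized_keys entry")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def revoke_key(authorized_keys: str, compromised_fp: str) -> tuple[str, int]:
    """Remove every entry whose fingerprint matches; return (new text, removed count)."""
    kept, removed = [], 0
    for line in authorized_keys.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)  # keep blank lines and comments untouched
            continue
        try:
            fp = fingerprint(stripped)
        except (ValueError, binascii.Error):
            kept.append(line)  # unparsable line: leave it for a human to review
            continue
        if fp == compromised_fp:
            removed += 1  # drop the compromised entry
        else:
            kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


# Constructed sample authorized_keys content (not real keys).
COMPROMISED = make_ed25519_pubkey_line(b"\x01" * 32, "dev-laptop (reported stolen)")
TRUSTED = make_ed25519_pubkey_line(b"\x02" * 32, "deploy@ci")
SAMPLE_AUTHORIZED_KEYS = (
    "# keys for the deploy user\n"
    + COMPROMISED + "\n"
    + 'from="10.0.0.0/8" ' + TRUSTED + "\n"
)


def demo() -> tuple[str, int, str]:
    """Fingerprint the lost device's key and strip it from the sample file."""
    fp = fingerprint(COMPROMISED)  # the value ssh-keygen -lf would report for it
    new_text, removed = revoke_key(SAMPLE_AUTHORIZED_KEYS, fp)
    return fp, removed, new_text


if __name__ == "__main__":
    fp, removed, new_text = demo()
    print(f"revoking {fp}: removed {removed} entry")
    print(new_text)
```

In practice the fingerprint comes from the breach report (for example from `ssh-keygen -lf` run on the public key file, or from the key listing in GitHub or GitLab), and the rewritten file is only written back after a human has checked the kept entries; the revocation in the hosted services is done separately through their own key settings.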

Staff Departures

  • In the event that a staff member leaves the company, all company devices must be handed back securely, together with their data.
  • Access to all company used online services will be removed.
  • Where required any passwords to client websites will need to be reset.