Security Policy (Internal)
Because of the industry we work in, we frequently come into direct contact with sensitive and confidential information, and it is everyone's responsibility to take the relevant steps to keep that data secure. All staff must review the software on all their devices (laptops, tablets and phones) at least every six months and uninstall software/apps that are no longer required; besides reducing the attack surface, this also helps keep the devices fast.
Remember, security is a process, not a destination, and it is important for everyone from the outset.
User access levels
By default, all employees will be granted the lowest level of access that enables them to perform their jobs, in order to minimise security risks.
Administrator-level permissions on local devices and cloud services should only be granted to team members in senior positions who require this access in order to perform the function of their roles within the company. This will be kept to the minimum number of people and defined in the ARCI chart for each role.
Only a company Director is authorised to grant administrator permissions to an employee. This will be defined as part of the ARCI process when the job spec is created or updated. If an employee requires admin access to a system and does not have this permission, they must request it in writing to a company director, stating why they need it and the timeframe for which they need it. If approved, access will be granted for the defined timeframe only. Alternatively, a person with approved admin access will be assigned to perform the necessary tasks.
Equipment
Device encryption
- You should make sure your Laptop / MacBook / Mobile Phone is set up with encryption enabled; this is important for keeping client work as secure as possible. There are many horror stories about lost unencrypted computers and media, so please do not become one of them.
- Before enabling encryption on your current device, make sure that your data is backed up.
- Store any encryption or recovery keys securely, as you would passwords.
- OSX FileVault: https://support.apple.com/en-us/HT204837
- iOS: http://www.zdnet.com/article/how-to-turn-on-iphone-ipad-encryption-in-one-minute/
- iOS (iTunes Backups): https://support.apple.com/en-us/HT205220
- Windows: https://support.microsoft.com/en-us/help/4028713/windows-10-turn-on-device-encryption
- Android: https://source.android.com/security/encryption/full-disk
- Ubuntu: https://www.maketecheasier.com/encrypt-hard-disk-in-ubuntu/ (It is also possible to encrypt an existing installation without reinstalling, but this is for advanced users only and is not advised.)
- All backups you take should also be encrypted.
On your company mobile devices, you must never install apps that do not come from the official Android (Google Play) or Apple App Store unless you have written permission from a relevant manager for a specific use case. Ideally you should only install apps from the approved list below, but you may install other apps if they are necessary for performing your role.
Approved apps
- G Suite apps
- Harvest/Forecast
- Default Android and iOS apps
- Slack
- Receipt Bank
- CamScanner
- LastPass and other relevant password managers
- Keyy and other relevant 2FA apps
- Adobe creative cloud
- BatchImageResizer
- BetterSnapTool
- Cyberduck
- Dropbox
- FontPlop
- GitKraken
- ImageOptim
- Redbooth
- Sequel Pro
- Skype
- Source Tree
- The Unarchiver
- VirtualBox
- Zoom
- Spotify
- iTerm2
- Photoshop / Sketch / Figma
- MAMP / Local by Flywheel
- Visual Studio Code / Sublime text
- all kinds of browsers used for testing/development (including Chrome, Chrome Canary, Firefox, Firefox Developer Edition, Safari)
- CrossBrowserTesting.com local
- NodeJS
- npm
- Repost
Staff are NOT permitted to root or jailbreak company devices.
Password protect
- Your Laptop / MacBook / Mobile Phone should always be password protected. Require a password after no more than 5 minutes of inactivity; the shorter the better.
- OSX: https://support.apple.com/en-us/HT204379
- iOS: https://support.apple.com/en-us/HT204060
- Windows: http://www.thewindowsclub.com/lock-computer-inactivity-windows-10
- Android: Set the screen lock to engage 5 seconds after the display sleeps, enable “Power button instantly locks” and set the display to sleep after 1 minute.
- Ubuntu: https://help.ubuntu.com/stable/ubuntu-help/privacy-screen-lock.html and https://help.ubuntu.com/stable/ubuntu-help/shell-exit.html#lock-screen
- Make sure that your Laptop / MacBook / Mobile Phone / Tablet is set to require a password to wake from sleep, e.g. when you close the lid it should automatically ask for your password when you re-open it.
- For websites containing sensitive information (assume all of them), login pages MUST lock the account out after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes.
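The login-attempt rule above is easy to state but easy to get subtly wrong (a fixed counter that never expires, or a window that resets on every attempt). The following is an added example, not code from this policy or from any of the tools it names: a sliding-window limiter that counts only failures within the last five minutes, locks the identity after ten of them, and keeps refusing even a correct password while the lockout lasts. The class and function names, the 15-minute lockout duration and the sample usage are assumptions.

```python
# Added example (not part of the original policy): sliding-window login limiter
# implementing "lock out after ten failures, counting only the last five minutes".
# The 15-minute lockout duration and all names here are assumptions.
from collections import defaultdict, deque
import time


class LoginLimiter:
    """Track failed logins per identity (e.g. username) and lock out after too many."""

    def __init__(self, max_failures=10, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._clock = clock                  # injectable so tests can control time
        self._failures = defaultdict(deque)  # identity -> timestamps of recent failures
        self._locked_until = {}              # identity -> time the lockout expires

    def _prune(self, identity, now):
        """Drop failures that have fallen out of the sliding window."""
        q = self._failures[identity]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()

    def allow(self, identity):
        """Return True if a login attempt may proceed for this identity right now."""
        now = self._clock()
        until = self._locked_until.get(identity)
        if until is not None:
            if now < until:
                return False
            # Lockout has expired: forget it, and the failures that caused it.
            del self._locked_until[identity]
            self._failures[identity].clear()
        return True

    def record_failure(self, identity):
        """Record a failed attempt; return True if this one triggered a lockout."""
        now = self._clock()
        self._prune(identity, now)
        q = self._failures[identity]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[identity] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, identity):
        """A successful login resets the failure history for the identity."""
        self._failures.pop(identity, None)
        self._locked_until.pop(identity, None)

    def failures_in_window(self, identity):
        """How many failures currently count against this identity."""
        self._prune(identity, self._clock())
        return len(self._failures[identity])


def attempt_login(limiter, identity, credentials_valid):
    """Wire the limiter around a credential check and return a status string.
    `credentials_valid` stands in for the real password verification (assumption)."""
    if not limiter.allow(identity):
        return "locked"          # refused before the password is even checked
    if credentials_valid:
        limiter.record_success(identity)
        return "ok"
    limiter.record_failure(identity)
    return "denied"


if __name__ == "__main__":
    lim = LoginLimiter()
    for _ in range(10):
        print(attempt_login(lim, "alice", False))   # ten 'denied' results
    print(attempt_login(lim, "alice", True))        # 'locked': even the right password is refused
```

Two practical points: the lockout check runs before the password is verified, so an attacker gains nothing by continuing to guess during the lockout; and keying purely on the username means an attacker can deliberately lock a legitimate user out, so real deployments usually also key on source address and add a CAPTCHA or notification rather than a bare refusal.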
Updates
- You must ensure that your laptop and company phone are set to auto-update the operating system and all applications where possible. You must NOT ‘postpone’ software updates for more than 1 week. Your device may be checked after the release of a new software update to ensure that it was installed within 14 days.
- You should always have the latest security patches installed on your system; this includes all operating systems and devices. Ideally, automatic security updates should be turned on. You can find more information at the links below:
- OSX: https://support.apple.com/en-us/HT201541
- Windows: http://www.update.microsoft.com
- iOS: https://support.apple.com/en-us/HT204204
- Android: https://support.google.com/nexus/answer/4457705?hl=en
- Ubuntu (See Desktop method): https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo#Desktop_method_-_default
Location tracking
- You should enable device tracking on your Laptop/MacBook/Mobile Phone/Tablet so that, in the worst case where you lose your device, you can locate it as soon as possible.
- OSX/iOS: https://support.apple.com/explore/find-my-iphone-ipad-mac-watch
- Android: https://www.google.com/android/devicemanager
- Windows: https://support.microsoft.com/en-us/help/11579/microsoft-account-find-and-lock-lost-windows-device
- If you would prefer an open-source alternative, look into Prey: https://www.preyproject.com. Prey offers multiple pricing options; the free version should be sufficient if you are using disk encryption correctly, but the $5 per month version adds remote wiping for added security.
- Ubuntu: use Prey and install the Ubuntu version.
Firewall
- Please enable your firewalls.
- OSX: https://support.apple.com/en-us/HT201642
- Windows: https://support.microsoft.com/en-us/help/4028544/windows-turn-windows-firewall-on-or-off
- Ubuntu: https://www.linuxbabe.com/desktop-linux/getting-started-gufw-ubuntu-16-04
Anti Virus & Malware
- Please make sure you have anti-virus software installed on every operating system, and ensure that it is set to update daily and to scan files automatically on access (this is usually the default). It must also be set to scan the web pages you visit and warn you about malicious ones. It is a common myth that Apple products are immune to viruses; Windows malware can also sit on macOS without symptoms and cause issues when you transfer files to a Windows user.
All machines must run approved anti-virus software as follows:
- Mac: Kaspersky
- Windows: Kaspersky, Malwarebytes or Windows Defender
- Ubuntu: possibly not needed, read: https://wiki.ubuntu.com/BasicSecurity#Linux_Vulnerabilities – However, if you want one, see: https://www.maketecheasier.com/ubuntu-antivirus-programs/
- Emails: always run a full virus and malware scan on all attachments you are sent. Google Apps has an automatic virus scanner, which is great, but files sent via Dropbox or downloaded directly from a server (e.g. via FTP or BlogVault) must be scanned.
General
- You should never leave your devices unattended, even if password protected. This includes mobile phones, laptops, MacBooks, tablets and any removable storage.
Device Backups
Ideally, follow a 3-2-1 backup strategy: 3 copies of your data in total, 2 on-site (your actual device and an external hard drive) and 1 offsite. Priority should be given to a secure offsite backup.
On-site backups
- OSX (Time Machine): https://support.apple.com/en-us/HT201250
- Windows (File History): https://support.microsoft.com/en-us/windows/backup-and-restore-in-windows-352091d2-bb9d-3ea3-ed18-52ef2b88cbef
- Ubuntu (Déjà Dup): https://www.lifewire.com/backup-ubuntu-4126286 – Make sure you back up to an external hard drive, not just to your home folder.
Offsite backups
- OSX / Windows / Ubuntu: Tresorit is a great solution and is GDPR compliant: https://tresorit.com
- OSX / Windows: Backblaze is widely used within the industry, they should be becoming GDPR compliant but we need to monitor this: https://www.backblaze.com
- iOS (iCloud): https://support.apple.com/en-us/HT203977
- Android (Google Drive): https://support.google.com/nexus/answer/2819582?hl=en
- Dropbox is a good solution for individual files but does not meet the criteria for this section so please do not solely rely on this.
Passwords
- Always use a Password Manager (e.g. LastPass); never write passwords down and never store or send them anywhere in plain text.
- If for some unfortunate reason you receive a password in plain text, immediately save it to a Password Manager and then destroy the email/message you received it in.
- Avoid sharing accounts where possible and instead set up individual user accounts.
- Passwords should always be generated by a Password Manager; never use generic passwords.
- Use strong passwords that are 16+ characters in length including letters, numbers, and symbols.
- You must not use the same password for multiple accounts.
- You must ensure that the password on your home router is NOT the one that came with the router, and likewise for any other devices. Reset the password following the manufacturer’s instructions and confirm in writing that this has been completed and that the new password is a strong one generated by LastPass.
- A fun video of Edward Snowden on Passwords: https://www.youtube.com/watch?v=yzGzB-yYKcc
- https://www.lastpass.com
- https://1password.com
- https://keepass.info
2-Factor Authentication
- Wherever possible you should use 2-Factor Authentication. If given the choice, use Google Authenticator or another app such as Authy rather than SMS; however, SMS is certainly better than nothing. E.g.:
- Slack
- Redbooth
- Google Apps
- Dropbox
- Charlie HR
- LastPass
Sharing Secure Credentials and Granting Access
- Secure credentials (passwords, sFTP, FTP and SSH details, and anything else that can be deemed sensitive) must never be shared over Email or Slack, and must not be stored in a plain-text document of any kind or unencrypted in cloud storage such as Dropbox or Google Cloud. Instead, you should primarily use LastPass; alternatively, you can use the Signal app. You can install Signal on your phone (Android or iOS) and then link it to your desktop using the desktop app for Mac/Windows.
- https://signal.org
- If you need to sign a client up to an online service, it is better to talk them through doing it themselves over the phone or via email than to do it for them; this way you do not have to share credentials or make sure they change the password afterwards, and you can talk them through setting up 2FA. In the rare cases where you do need to do it for them, set up the account under their email address using a secure password, then use the “Forgotten Password” option, which should send them an email to reset the password themselves, and then talk them through setting up 2FA.
- User accounts must be issued by management only on the basis of need. This is primarily driven by job role responsibilities. If access is required that does not fit a specific responsibility defined in the job role, it will be reviewed by a line manager and documented for the specific use case, including a timescale for review. If access is no longer required, it must be revoked.
- Administrator accounts for devices, software and websites must only be used to perform functions that require administrator access. User accounts with non-administrator privileges must be used for day to day use such as checking emails, browsing the web and publishing blog articles.
- We must keep an up-to-date log of all administrator accounts for software, devices, and web applications.
Wireless Networks (Wi-Fi)
Public networks
- Public Wi-Fi should be avoided where possible; however, due to the nature of remote work you are likely to encounter various public Wi-Fi networks. Public Wi-Fi networks are potential targets for sniffing and hijacking, so you should never connect to them directly and should only connect when using a VPN.
- https://www.bestvpn.com/best-uk-vpn/
- ProtonVPN offer a free starter (slower connection) https://protonvpn.com/pricing and paid versions (faster connections).
- You should stay away from insecure networks.
Home network
- The wireless network must be protected with WPA2 as a minimum; never use WEP.
- The wireless password must be changed at a minimum of every 3 months.
- You should regularly check for and apply security firmware updates.
- Keep a constant check for unauthorised users and remove any accounts not in use.
- The router should be setup to keep a log of all network intrusion attempts.
- In the event that you identify that a non-authorised person may have access to your home network, you must reset your router to a new password. You are accountable for ensuring that your home network is secure, and in the event of a possible breach you must inform a line manager and confirm in writing that you have reset the password.
Removable Media
- Removable media such as external hard drives, USB sticks, SD cards, CDs, DVDs etc. must be strictly avoided unless used for a secure home backup solution such as Apple’s Time Machine, Windows File History or Ubuntu’s Déjà Dup.
- When using an external hard drive for secure backups, make sure it is encrypted and stored in a secure location.
- Ensure ‘auto-play’ for DVD drives (if anyone still has one) and memory sticks is disabled on your laptop.
Phishing
- You should never send any sensitive information via email when asked (please see Sharing Secure Credentials).
- You should be wary of links you click in emails and never click on links sent from an unknown source.
- Never open an attachment from an unknown sender.
Data Breaches
- This document sets out to avoid data breaches; however, in the event one does happen we need to be prepared under the rules of GDPR.
- A data breach is a breach of security that leads to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.
- A data breach must be reported to the Managing Director as soon as you become aware of it, without fear of reprisal, so that the severity can be determined and a decision made on whether the ICO needs to be notified. Data breaches must be reported to the ICO within 72 hours of discovery if they are likely to result in a risk to people’s rights and freedoms.
- If a device has been compromised we will take the appropriate action which can include:
- Remove the device’s SSH keys from GitLab, GitHub and any server they are used on as soon as the breach has been reported.
- Sign out of all active sessions from any service being used, e.g. Google Apps, Google Mail, Google Calendar, Dropbox etc.
- Change of password for all online services.
- Use location tracking in event of a lost/stolen device.
- Remote wiping in event of lost/stolen device.
- Notify any additional affected parties ASAP.
Staff Departures
- In the event that a staff member leaves the company, all company devices must be handed back securely, with their data intact.
- Access to all company used online services will be removed.
- Where required any passwords to client websites will need to be reset.