Device management
All company-owned devices have a device management system and anti-virus software installed. The device management system gives us a first line of technical defence, but it is not a substitute for care: all of us have a collective duty to do everything we can to protect the data we hold on behalf of our clients and others.
Passwords
Passwords are our first line of defence. Anyone attempting to break into our computers or files will start by trying the most common passwords, so a password that appears on such lists offers no protection at all.
Use long (over 8 characters), complex passwords that include lower case, upper case, numbers and non-alphabetic characters; a password manager such as Bitwarden will generate and store these for you.
Use long, complex passwords on all laptops, smartphones, tablets and WiFi access points used in connection with Quantico's business.
Two-factor authentication must be enabled on any system where sensitive information is shared, wherever the option is available.

Firewall
Use a firewall with threat prevention to protect access to our devices and data.
All devices must be secured with security software such as anti-virus, anti-spam and anti-phishing tools.
Never plug in unknown USB devices: a drive of unknown origin may carry malware that runs as soon as it is connected.

Encryption
Ensure company-owned laptops have full-disk encryption with pre-boot authentication enabled, so that the data cannot be read if the device is lost or stolen.
Only use external hard drives and USB drives with encryption built in.
Use strong encryption (WPA2 at a minimum) on your office and home wireless networks.
Protect our data from eavesdroppers by sending traffic over a VPN (Virtual Private Network), which encrypts it between your device and the VPN endpoint even when the wireless network itself is untrusted.

Continual Maintenance of Laptops and Systems
Ensure operating systems and browsers on all devices are updated regularly (e.g. Windows/Mac auto-update turned on).
Uninstall software that isn't needed (e.g. Java): it is one less thing to keep patched and one less way in for an attacker.
Turn on automatic updates where available: Windows, Chrome, Firefox, Adobe.

Cloud Applications and Storage
We use cloud applications and storage for all our partners. Note that this data is therefore no longer completely under our control, and not all cloud providers have equal security provisions.
When using cloud services, assume that content sent is no longer private.
Don't reuse the same password across multiple cloud service providers; a breach at one provider would otherwise expose the others.
Here is a non-exhaustive list of the cloud software we use on a regular basis. Our partners may, on an exceptional basis, request that we do not use specific software. When such a restriction is in operation it will be recorded in the relevant finance wiki and communicated by the FinOps Lead.

Administrator Accounts
Administrator accounts should not be used for day-to-day activities: if an attacker gains entry to a device or system while an administrator account is in use, they inherit its privileges and can do far more damage.
Standard (non-administrator) user accounts should be used on Windows/Mac devices for everyday work.
Change the passwords on all administrator accounts and devices at least quarterly.

Bring-Your-Own-Device policy
Password locks must be used on employee-owned devices.
Sensitive information must only be accessed through an encrypted VPN.
No sensitive information (e.g. customer data or bank account information) should be stored on personal devices.

Social Media
Criminals use social media sites to gather information and build profiles of people, which they then use to make their attacks (phishing in particular) more convincing.
Always be cautious about what you share on social media, including on your personal accounts.
Use the privacy settings on social media carefully to protect your personal data.

Training
We have annual training through Leapsome on cybersecurity, data protection and anti-money laundering. This must be completed each year, or more frequently where required.

Working with partners
Communication between RORA and our partners must take place via approved systems. WhatsApp and text messages must only be used in exceptional circumstances.
When working with partners who have their own security systems in place, we must take reasonable steps to familiarise ourselves with their policies and comply with them. These should be documented and shared so that new team members can inform themselves quickly.

Policy Enforcement
RORA may monitor devices for violations of this policy.
RORA may from time to time update this policy to change which applications, services and websites are allowed or disallowed.
Peer-to-peer file sharing applications and similar software must not be used: they are inherently risky and are often used to distribute malware.