The device management systems will provide us with a first line of defence, but all of us still have a collective duty to ensure that we are doing everything we can to protect the data we hold about our clients and others.
Passwords
Passwords are our first line of defence. Anyone attempting to break into our computers/files will start by trying the most common passwords.
Ensure use of long (over 8 characters), complex (include lower case, upper case, numbers and non-alpha characters) passwords (as generated by Bitwarden, for example)
Use long, complex passwords on all laptops, smartphones, tablets and Wi-Fi access points used in connection with Quantico’s business
Two-factor authentication must be enforced on any system where sensitive information is shared, wherever this option is available
Firewall
Use a firewall with threat prevention to protect access to our devices and data
All devices must be secured with security software such as anti-virus, anti-spam and anti-phishing tools
Never plug in unknown USB devices
Encryption
Ensure company owned laptops have pre-boot encryption installed in case of loss or theft
Only use external hard drives and USB drives with encryption built in
Use strong encryption on your office and home wireless networks (WPA2)
Protect our data from eavesdroppers by encrypting wireless communication using a VPN (Virtual Private Network)
Continual Maintenance of Laptops and Systems
Ensure operating systems and browser applications on all devices are regularly updated (e.g. ensure Windows/Mac auto-update is turned on)
Uninstall software that isn’t needed, so that you don’t have to check it for regular updates (e.g. Java)
Turn on automatic updates where available: Windows, Chrome, Firefox, Adobe
Cloud Applications and Storage
We use cloud applications and storage for all our partners, but please note that this data is therefore no longer completely under our control, and remember that not all cloud providers have equal security provisions.
When using cloud services, assume content sent is no longer private
Don’t use the same password across multiple cloud service providers
Here is a non-exhaustive list of the cloud software that we use on a regular basis. Our partners may request that we do not use specific software, on an exceptional basis. When such a restriction is in operation, it will be recorded in the relevant finance wiki and communicated by the FinOps Lead.
Chaser
Coda
Front
Process Street
PayFit
Receipt Bank
Twilio
Zapier
G-Accon
Bitwarden
Clockify
Resource Guru
Webflow
Google Workspace
Asana
Slack
Xero
HelloSign
Pipedrive
Trello
Notion
Administrator Accounts
Administrator accounts should not be used for day-to-day activities; doing so makes it easier for hackers to cause damage if they gain entry to devices or systems
Standard (non-administrator) user accounts should be used on Windows/Mac devices
Change passwords on all administrator accounts and devices at least quarterly
Bring-Your-Own-Device policy
Password locks must be used on employee owned devices
Sensitive information should only be accessed through an encrypted VPN
No sensitive information should be stored on personal devices (e.g. customer data or bank account information)
Social Media
Social media sites are used by criminals to find information and build profiles on people, which they use to improve their success rate for cyber-attacks
Always be cautious when sharing anything on social media, including on your personal accounts
Use the privacy settings on social media carefully to protect your personal data
Training
We have annual training through Leapsome on cybersecurity, data protection and anti-money laundering.
This must be completed each year, or more frequently as required.
Working with partners
Communication between RORA and our partners must take place via approved systems. WhatsApp and text messages must only be used in exceptional circumstances.
When working with partners who have their own security systems in place, we must take reasonable steps to inform ourselves of and comply with their policies. These should be documented and shared to enable new team members to inform themselves quickly.
Policy Enforcement
RORA may monitor devices for violations of this policy
RORA may from time to time update this policy for allowed/disallowed applications, services and websites
RORA does not permit the use of applications such as peer-to-peer file-sharing applications, which are inherently risky and often used to distribute malware