Cybersecurity policy

Device management

All company-owned devices are installed with a device management system, , and anti-virus software, .
The device management systems give us a first line of defence, but all of us still have a collective duty to do everything we can to protect the data we hold about our clients and others.

Passwords

Passwords are our first line of defence. Anyone attempting to break into our computers or files will start by trying the most common passwords.
Use long (over 8 characters), complex passwords that include lower case, upper case, numbers and non-alphanumeric characters (symbols), as generated in Bitwarden for example.
Use long, complex passwords on all laptops, smartphones, tablets and Wi-Fi access points used in connection with Quantico’s business.
Two-factor authentication must be enabled on any system where sensitive information is shared, wherever that option is available.

Firewall

Use a firewall with threat prevention to protect access to our devices and data.
All devices must be secured with security software such as anti-virus, anti-spam and anti-phishing tools.
Never plug in unknown USB devices.

Encryption

Ensure company-owned laptops have pre-boot (full-disk) encryption installed in case of loss or theft.
Only use external hard drives and USB drives with encryption built in.
Use strong encryption (WPA2) on your office and home wireless networks.
Protect our data from eavesdroppers by encrypting wireless communication using a VPN (Virtual Private Network).

Continual Maintenance of Laptops and Systems

Ensure operating systems and browser applications on all devices are regularly updated (e.g. Windows/Mac auto-update is turned on).
Uninstall software that isn’t needed so you don’t have to keep checking it for updates (e.g. Java).
Turn on automatic updates where available: Windows, Chrome, Firefox, Adobe.

Cloud Applications and Storage

We use cloud applications and storage for all our partners, but please note that this data is therefore no longer completely under our control, and remember that not all cloud providers have equal security provisions.
When using cloud services, assume that content sent is no longer private.
Don’t use the same password across multiple cloud service providers.
Here is a non-exhaustive list of the cloud software we use on a regular basis. Our partners may request, on an exceptional basis, that we do not use specific software. When such a restriction is in operation it will be recorded in the relevant finance wiki and communicated by the FinOps Lead.
Chaser
Coda
Front
Process Street
PayFit
Receipt Bank
Twilio
Zapier
G-Accon
Bitwarden
Clockify
Resource Guru
Webflow
Google Workspace
Asana
Slack
Xero
Hellosign
Pipedrive
Trello
Notion

Administrator Accounts

Administrator accounts should not be used for day-to-day activities: doing so makes it easier for an attacker who gains entry to a device or system to cause damage.
Standard (non-administrator) user accounts should be used on Windows/Mac devices.
Change the passwords on all administrator accounts and devices at least quarterly.

Bring-Your-Own-Device policy

Password locks must be used on employee-owned devices.
Sensitive information should only be accessed through an encrypted VPN.
No sensitive information (e.g. customer data or bank account information) should be stored on personal devices.

Social Media

Criminals use social media sites to gather information and build profiles of people, which they then use to improve the success rate of their cyber attacks.
Always be cautious when sharing anything on social media, including on your personal accounts.
Use the privacy settings on social media carefully to protect your personal data.

Training

We have annual training through Leapsome on cybersecurity, data protection and anti-money laundering.
This must be completed every year, or more frequently if required.

Working with partners

Communication between RORA and our partners must take place via approved systems. WhatsApp and text messages must only be used in exceptional circumstances.
When working with partners who have their own security systems in place, we must take reasonable steps to inform ourselves of, and comply with, their policies. These should be documented and shared so that new team members can inform themselves quickly.

Policy Enforcement

RORA may monitor devices for violations of this policy.
RORA may from time to time update this policy regarding allowed and disallowed applications, services and websites.
RORA may not use applications such as peer-to-peer file sharing applications, which are inherently risky and often used to distribute malware.
