Cyber Security Policy
Last Updated
01 November, 2024
Purpose
The Cyber Security Policy defines the guidelines and measures to protect the security of Business Intelli Solutions’ data and technology infrastructure. As our reliance on technology grows, so do the risks associated with security breaches. Potential threats such as human error, hacker attacks, and system malfunctions can result in significant financial damage and harm the company’s reputation. To mitigate these risks, we have established security protocols and provided instructions for all employees to follow.
Scope
This policy applies to all employees, contractors, volunteers, and anyone with permanent or temporary access to the company’s systems and hardware.
Key Policy Elements
Confidential Data Protection
Confidential data is sensitive and valuable to the company. Examples include:
- i ) Unpublished financial information
- ii ) Customer, partner, or vendor data
- iii ) Patents, formulas, or new technologies
- iv ) Current and prospective customer lists
All employees are responsible for safeguarding this information. Specific guidelines for preventing security breaches are outlined in this policy.
Device Security
Employees must ensure the security of both personal and company-issued devices that are used to access company emails, accounts, or systems. To maintain device security:
- i ) Use password protection on all devices
- ii ) Install and regularly update antivirus software
- iii ) Avoid leaving devices unattended or unsecured
- iv ) Install browser and system security updates as soon as they are available
- v ) Access company systems only through secure, private networks
Avoid using public or unsecured devices to access company systems, and do not lend company devices to others.
New hires will receive company-issued equipment with instructions for setting up disk encryption, password management tools, and antivirus software. Employees must follow these instructions and contact the [Security Team] with any questions.
Email Safety
Emails can be a source of scams and malware. To prevent data breaches, employees should:
- i ) Contact the [IT Department] if an email seems suspicious
- ii ) Avoid opening attachments or clicking on links from unknown sources
- iii ) Be wary of suspicious or clickbait email titles
- iv ) Verify the legitimacy of emails by checking the sender’s details
- v ) Look for inconsistencies in emails, such as poor grammar or unusual language
Password Management
Weak or leaked passwords pose a serious threat to company security. Employees are required to:
- i ) Use passwords with at least eight characters, including uppercase and lowercase letters, numbers, and symbols
- ii ) Avoid using easily guessed information (e.g., birthdates)
- iii ) Keep passwords confidential and avoid writing them down
- iv ) Change passwords every two months
- v ) Use the company-provided password management tool for generating and storing passwords securely
If credentials must be shared, prefer in-person exchange or phone calls over email, and verify the recipient’s identity.
Secure Data Transfer
Data transfers carry security risks, particularly when involving sensitive information like customer data or employee records. Employees must:
- i ) Only transfer sensitive data when absolutely necessary
- ii ) Use the company network for data transfers, avoiding public or unsecured connections
- iii ) Ensure data is shared only with authorized recipients who have proper security protocols
For mass data transfers, employees should seek assistance from the [Security Team].
Reporting Security Threats
Employees should report any suspected phishing attempts, malware, or security breaches to the [IT Department] immediately. The IT team will investigate and take necessary action, including issuing company-wide alerts if needed. The [Security Team] is also responsible for educating employees on how to detect suspicious activities.
Additional Security Measures
To further reduce security risks, employees must:
- i ) Lock their devices and screens when stepping away from their desks
- ii ) Report stolen or damaged devices to the [HR/IT Department] promptly
- iii ) Change all account passwords if a device is stolen
- iv ) Avoid downloading unauthorized or suspicious software
- v ) Report any potential security vulnerabilities in company systems
In cases of suspected abuse of sick leave or deliberate tardiness, managers should notify HR and initiate a progressive discipline process.
Responsibilities of Security Team
The [Security Specialists/Network Administrators] are responsible for:
- i ) Installing firewalls, anti-malware software, and access authentication systems
- ii ) Conducting regular security training for employees
- iii ) Notifying employees of emerging security threats or new scams
- iv ) Investigating security breaches and ensuring compliance with this policy
Unexcused or unreported absences are not considered working hours and will not be compensated.
Remote Employees
Remote employees must adhere to all security protocols, ensuring the same level of protection for company data when accessing systems from remote locations. They are required to follow data encryption guidelines and use secure networks. Any concerns or questions should be directed to the [Security Team].
Disciplinary Actions
Failure to comply with this policy may result in disciplinary action, depending on the severity of the breach:
- i ) For minor, unintentional first-time breaches, a verbal warning and security training may be issued
- ii ) For repeated, intentional, or severe breaches that cause significant damage, more serious consequences may include termination
Each incident will be reviewed on a case-by-case basis. Progressive discipline will apply even when no security breach has occurred, if there is evidence of negligence or non-compliance with security measures.
Commitment to Security
It is everyone’s responsibility, from employees to partners, to protect company data. By adhering to this policy and maintaining vigilance, we can safeguard our systems and earn the trust of our customers, employees, and stakeholders.
Disclaimer
This policy is meant to provide general guidelines and does not account for all applicable laws. Business Intelli Solutions Inc. assumes no legal responsibility arising from the use of this policy.