Data Usage Policy

This policy supports our I.T. Security Policy. The purpose of this policy is to prevent unauthorised disclosure, modification, removal or destruction of information assets, and disruption to our business activities.

The document forms part of our alignment to the ISO 27001 Information Security Management System standard.

Location

This policy is applicable to all staff and contractors using Convivio systems and those of its clients and suppliers.

Responsibility

It is the responsibility of the CEO and COO to accept and implement this policy and to ensure that the security controls are implemented. All staff have a responsibility to comply with this policy. Failure to comply with this policy may affect our information services and could result in disciplinary action.

Purpose

The purpose of this policy is to prevent unauthorised disclosure, modification, removal or destruction of our information assets, and disruption to any of our business activities.

Except when specifically authorised after a risk assessment of the necessary business case, corporate records/data shall not be stored on local computers, mobile devices including laptops, USB memory sticks, PDA’s, external hard drives or any other mobile device or media such as smart phones, CD or DVD except for agreed backups.

Security Procedures

No real time data should be used for testing purposes, the use of annonymised information should be used outside of live environments. Unless specifically required by the client and the project, the use of anonymised data should be used for testing in staging and live environments.

All pass-phrases or decryption keys used for encryption/decryption purposes must be sufficiently long and complex to prevent the encrypted information from attack. The decryption pass-phrase or key must never be sent with encrypted removable media.

A password manager (1Password) should be used to generate any personal passwords at least 8 characters in length containing alphanumeric and punctuation characters required for hardware and software and stored within the encrypted password facility.

In all cases where data encryption is used, a full auditable record should be maintained of the media and data involved and its intended purposes including dates of encrypted file creation, transmission and destruction.

Audit spot checks will be conducted by the organisation to ensure this policy is complied with. Any compliance issues will be reported to the line managers concerned and may be handled through staff disciplinary processes or contractual arrangements.

All incidents involving encrypted data must be reported to the Management immediately.

Personal Computers including Laptops, Tablet and Handheld Computers Whole Disk Encryption shall be applied. Laptop encryption Mac: default in Lion or later: FileVault 2 uses full disk, XTS-AES 128 encryption to help keep your data secure. Using FileVault 2, you can encrypt the contents of your entire drive.

Phone encryption

iOS

Data protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages attachments, and third-party applications.

Android

Android users must use full disk encryption, please refer to Android documentation for more information.

Removable Media

Removable media such as CD, SD cards DVD or ZIP drives MUST be avoided unless for approved backup purposes and then they must be stored securely.

Any requests to do otherwise must be authorised as per the management.

Email and Document Management

Google's Gmail and Drive apps must be installed on all machines and used to manage email and documents. These services include a scan for viruses, malware and Trojans and will help us prevent the spread of infection.

Because our end users can be considered the weak link, we use Google products for email (Gmail) and document storage (Google Drive) to take advantage of the automatic virus, spyware and trojan scanning. Although our Macs and iPhones are safe from executable files, we need to prevent the spread of infection.

We use Gmail for all email correspondence. Gmail’s anti-virus scanner alerts you if a virus, spyware or trojan is discovered before sending email and gives you the option not to send. When Gmail finds a virus attached to an email that’s been sent, it rejects the message and prevents you from downloading the attachment. This helps us prevent the spread of infection between ourselves and our clients and partners.

We use Google Drive for document storage, access management and sharing. Google Drive scans a file for viruses before the file is downloaded or shared. If a virus is detected, users can't share the file with others, send the infected file via email, or convert it to a Google Doc, Sheet, or Slide, and they'll receive a warning if they attempt these operations. The owner can download the virus-infected file, but only after acknowledging the risk of doing so.

By installing the applications on our local machines we protect ourselves from infections and prevent the spread of infections to our clients and partners.

Last updated