P-2 Acceptable Use Practices

Key Details
Practice: 20
Title: Acceptable Use Practices
Last-Modified: 2017-09-29
Author: Sam MacCloud, Greg Elin
Status: Active
Type: Process
Created: 01-Aug-2017
Post-History: 06-Nov-2017
Confidentiality: General public
Read-Time: 10 min

Abstract

This practice describes policy and practices that will be followed when using GovReady PBC’s systems and devices, and when handling GovReady PBC’s information and data. This practice also specifies how GovReady PBC defines misuse, and how GovReady PBC will address misuse. This practice applies to any person who carries out work in any capacity for GovReady PBC and its subsidiaries, and includes all employees, workers, contractors, sub-contractors, volunteers, trainees and apprentices.

Motivation

GovReady PBC's staff, contractors, and all those who have access to GovReady PBC’s systems must uphold acceptable security practices while interacting with GovReady PBC’s systems and while handling GovReady PBC’s information. These practices provide practical guidance designed to ensure that GovReady PBC’s systems and information remain protected while GovReady PBC staff and contractors carry out their responsibilities.

Information Handling

Passwords and Authentication

GovReady PBC uses strong passwords and keeps them safe at all times. Passwords used for work-related accounts, including systems owned by GovReady PBC and those from external providers, must be strong: difficult to guess and computationally expensive to crack.

GovReady PBC uses Two-Factor Authentication for all systems that support it. The use of an authenticator application, such as Google Authenticator or Authy, is recommended over the use of SMS for Two-Factor Authentication.

GovReady PBC requires that SSH keys be protected with passphrases and that the passphrase be either memorized or stored in approved Password Management software.

Practices for Individuals

You are responsible for the management of your account credentials and the quality of your passwords.

Use Two-Factor Authentication for all systems that support it. The use of an authenticator application, such as Google Authenticator or Authy, is recommended over the use of SMS for Two-Factor Authentication.

Create and use SSH keys with passphrases, and either memorize the passphrase or store it in approved Password Management software.

Store your passwords only in an approved Password Manager.

| Approved Password Managers | Website |
| --- | --- |
| LastPass | https://www.lastpass.com |
| Passpack | https://www.passpack.com |
| 1Password | https://1password.com |
| Apple Keychain | https://support.apple.com/en-us/HT204085 |

Pick unique, difficult to guess passwords. Passwords must:

  • Be at least 10 characters long
  • Not be used for any other accounts, including personal accounts
  • Be kept secret
  • Not be written down or stored anywhere except in approved Password Management software

Do not share credentials or passwords with other people, except where individuals require access to the same account for redundancy and the credentials are shared only through an approved Password Manager.

Do not transmit passwords via email, SMS (text message) or instant messaging services, except under special circumstances such as providing credentials for a new account whose password will be changed immediately.

Sensitive Information

GovReady PBC always handles information regarding the internal operation of GovReady PBC and GovReady PBC clients with due care and does not share it with unauthorized parties. This includes emails, Slack communications, details of internal discussions, documents and information relating to our clients.

GovReady PBC staff and contractors only use tools provided by, or identified and approved by, GovReady PBC, for example G Suite and Slack, to share information marked or identified as confidential.

GovReady PBC does not handle, on any of its systems, information identified by the U.S. government as Classified.

GovReady PBC has established controls for handling Controlled Unclassified Information (CUI) in accordance with NIST Special Publication 800-171.

Practices for Individuals

You are a steward of GovReady PBC sensitive information.

  • GovReady PBC sensitive information will only be disclosed to you with prior authorisation.
  • Disclose GovReady PBC sensitive information to others only with prior authorization.
  • Return all GovReady PBC sensitive information you have in your possession upon the conclusion of your business relationship with GovReady PBC, including any notes or paper records that belong to GovReady PBC or GovReady PBC clients.
  • Use tools provided by, or identified and approved by, GovReady PBC, for example G Suite and Slack, to share information marked or identified as confidential.

GovReady PBC does not handle, on any of its systems, information identified by the U.S. government as Classified.

Client Data

GovReady PBC considers client data and data from production systems especially sensitive and handles them with additional care. GovReady PBC always encrypts client data in transit and at rest (for example on an encrypted hard drive). GovReady PBC does not transmit client data via email unless requested explicitly by the client, and instead uses secure file sharing services. GovReady PBC securely archives and/or destroys client information as soon as it is no longer required to provide customer support or to meet legal requirements.

Practices for Individuals

You are a steward of client information.

  • Keep client data encrypted in transit and at rest (for example on an encrypted hard drive). Do not store client data on a computer that does not have an encrypted hard drive.
  • Do not share sensitive or proprietary client data via email.
  • Do not transmit client data via any network unless it is encrypted in transit.
  • Share sensitive or proprietary client data via a secure file sharing service identified by the client or GovReady PBC. This may take a couple of minutes longer, but you will have fewer worries.
  • Securely destroy sensitive or proprietary client data as soon as it is no longer required to provide customer support.
  • Store client data in Google Drive only if the client approves.

Clear Screen

GovReady PBC requires that devices be protected while unattended.

Practices for Individuals

  • Lock computing devices (e.g. computer, mobile phone) when they are unattended.
  • Configure computing devices (e.g. computer, mobile phone) to auto-lock after a few minutes of inactivity.
  • Immediately remove sensitive or classified information from printers.

Computing devices

Ownership

  • All computers and mobile devices issued to staff remain the property of GovReady PBC.
  • GovReady PBC takes no responsibility for personal devices used for work purposes.

Practices for Individuals

  • Remember all computers and mobile devices issued to staff remain the property of GovReady PBC.
  • You are responsible for personal devices that you use for work purposes.
  • Employees, contractors, and other staff must surrender all GovReady PBC computers and mobile devices upon the conclusion of their business relationship with GovReady PBC.

Password Protection

All devices (workstations, laptops and mobile devices) must require a login password.

Practices for Individuals

Configure your GovReady PBC devices to require a login password.

Device Encryption

All devices (workstations, laptops and mobile devices) must have device (disk) encryption enabled.

Practices for Individuals

Encryption of storage devices has become very reliable and nearly invisible to the user.

  • Enable storage/disk encryption on all GovReady PBC devices.
  • Enable storage/disk encryption on all personal devices that may hold GovReady PBC information.
  • Encrypt any personal information about your relationship with GovReady PBC that you store on personal devices.
  • Store any decryption recovery key codes in a secure location separate from where your GovReady PBC devices live.

Patching

All devices (workstations, laptops and mobile devices) must be patched and kept up to date. Applying patches and updates is the responsibility of the operator of the device, and patches must be applied within one week of release. Critical security patches must be applied immediately. It is highly recommended that automatic updates be enabled on workstations, laptops and mobile devices.

Practices for Individuals

You are responsible for applying software patches to GovReady PBC devices in your trust. It is OK to prioritize applying patches over other work deliverables for GovReady PBC.

Information Systems

Email, Slack, Social Media Communications

Communications sent from GovReady PBC’s email, Slack or social media systems affect the reputation of the company. The content of such communications should be professional.

Practices for Individuals

  • Communications sent from GovReady's email, Slack or social media systems affect the reputation of the company. The content of such communications should be professional.
  • Public comments regarding the internal operation of GovReady should not be made without authorisation.

Internet Use

  • Private GovReady PBC information will not be disclosed without prior authorisation.
  • All GovReady PBC computers should be running a local firewall.
  • All devices should be running anti-virus software.

Misuse

GovReady PBC’s systems and devices will not be used to create, share or access any material that is illegal, obscene, lewd, pornographic, defamatory or otherwise inappropriate for the workplace. GovReady PBC does not provide access to any device or system owned by GovReady without authorization. GovReady PBC requires that employees and staff not use personal accounts, or any unauthorised third-party services, to store or process information owned by GovReady PBC.

GovReady PBC investigates and may take disciplinary action for misuse of GovReady PBC’s devices and systems.

Practices for Individuals

  • Do not use GovReady PBC’s systems and devices to create, share or access any material that is illegal, obscene, lewd, pornographic, defamatory or otherwise inappropriate for the workplace.
  • Do not grant access to GovReady PBC's systems without authorisation.
  • Do not use personal accounts, or any unauthorised third-party services, to store or process information owned by GovReady.

Misuse of GovReady PBC’s devices and systems will be investigated and may lead to disciplinary action being taken.

Monitoring

GovReady PBC owns all communications stored in or sent through its systems. The company has the right to access any material in GovReady PBC email or stored in GovReady accounts. Electronic communication, storage and internet access using GovReady PBC’s systems are not considered private, unless the communication is of a type that the law considers private even within a corporation.

Practices for Individuals

GovReady PBC owns all communications stored in or sent through its systems and has the right to access any material in your email or stored in GovReady accounts, as well as your electronic communication, storage and internet access using GovReady’s systems.

Do not consider communications sent or stored in GovReady PBC systems or accounts personally private. Use personal email for private communications.