
HED ENGINEERING operates in a continuously changing sociopolitical and technological environment and must ensure the Confidentiality, Integrity and Availability of its information assets (including information assets belonging to clients) and the efficient provision of its services. For this reason, HED ENGINEERING implements an Information Security Management System (ISMS) that complies with the requirements of ISO/IEC 27001:2013.

Acceptable Use Policy

Table of Contents

1 Introduction
2 Roles and responsibilities
3 Acceptable Use Policy
3.1 Objective
3.2 Scope
3.3 Policy
3.3.1 Information Classification
3.3.2 Use of Devices
3.3.3 Access Control & Passwords
3.3.4 Clear Desk and Clear Screen
3.3.5 Use of Internet & Email
3.3.6 Information Transfer Policy
3.3.7 Bring (use) your own device
3.3.8 Incident report
3.3.9 Monitoring
3.4 User Responsibilities
4 Control of Policy

1 Introduction

This document is the HED ENGINEERING Acceptable Use Policy. It addresses the basic security requirements of the ISO/IEC 27001:2013 standard for such a policy and provides a summary of the main points of all HED ENGINEERING security policies.

2 Roles and responsibilities

The Information Security Officer is responsible for:

  • Developing the Acceptable Use Policy.
  • Developing awareness and training materials.

System Administrators are responsible for:

  • Monitoring systems for misuse.
  • Promptly reporting suspicion or occurrence of any unauthorized activity.

Managers/Supervisors are responsible for:

  • Communicating the policies regarding the acceptable use of information resources to the personnel under their supervision.
  • Ensuring that personnel under their supervision comply with these policies and procedures.

3 Acceptable Use Policy

3.1 Objective

The objective of this policy is to outline the HED ENGINEERING Acceptable Use Policy. These rules are in place to protect the employees and HED ENGINEERING data. Inappropriate use exposes HED ENGINEERING to risks including virus attacks, compromise of systems and services, and legal issues.

It is HED ENGINEERING’s duty to protect the information collected, transmitted and processed by its Information Systems.

All HED ENGINEERING employees must be fully compliant with all HED ENGINEERING Information Security Policies and report any potential or identified breaches of these policies to their supervisor or the Information Security Officer.

This policy provides a summary of the key points of HED ENGINEERING information security policies, and employees must sign it to state that they have read and understood its provisions.

Anyone breaching the HED ENGINEERING information security policies may be subject to disciplinary action. The disciplinary process consists of a first verbal warning, a second written warning, and then dismissal, in the case of a single serious breach or of repeated breaches for which warnings have already been issued.

3.2 Scope

This policy applies to all HED ENGINEERING systems, people and processes, including board members, directors, employees, contractors and other third parties who have access to HED ENGINEERING information systems.

3.3 Policy

3.3.1 Information Classification

Employees should know the classification level of the data/information they are using:

  • UNCLASSIFIED – PUBLIC: publicly available information, such as HED ENGINEERING website areas and newsletters for external transmission
  • INTERNAL: internal information, such as Company business plans, ISMS Policies and Procedures
  • RESTRICTED: restricted information, such as Security Plans, Customer business data and contracts, Non-disclosure agreements with clients/vendors, Staff Personal data, Repair Orders, Cost List, System parameterization data, Network Rules, etc.
  • CONFIDENTIAL: internal information processed by the top management such as salaries and other personnel data, accounting data and internal financial reports, technical drawings, basic measurements, board meetings content, legal data, etc.

Based on the classification level, the following controls should be respected:

  • Restricted and Confidential data should not be exported from a HED ENGINEERING device.
  • Hard copies of Restricted and Confidential information should be destroyed by shredding.
  • E-mails (including attachments) should be encrypted whenever they contain Confidential data.
  • All Confidential data transferred outside of HED ENGINEERING should be encrypted.
  • All removable media, including memory sticks, containing non-public data should be encrypted.

Further details related to the classification requirements are available in the ISMS-PO-02 Information Security Policy (Section 10. Information Asset Classification and Data Protection Policy).

3.3.2 Use of Devices

All company owned devices (workstations / laptops) should be used for business purposes only.

Employees using company owned devices (workstations / laptops) should keep their devices locked when unattended to avoid disclosure of HED ENGINEERING information to unauthorized individuals. In the event of a lost or stolen device employees should report this event to the Information Security Officer immediately.

Employees are responsible for storing all business files only in their corporate workstations and HED ENGINEERING approved systems.

Connecting information systems to the HED ENGINEERING network, and using them, is not permitted unless they have been procured by HED ENGINEERING and approved by the Information Security Officer.

For further details regarding the appropriate rules and controls to be applied when using mobile devices that are owned or provided by HED ENGINEERING please refer to ISMS-PO-02 Information Security Policy (Section 8. Mobile Device and BYOD Policy).

3.3.3 Access Control & Passwords

  • Users are responsible for ensuring that appropriate access to data is maintained in accordance with the ISMS-PO-02 Information Security Policy (Section 2. Access Control Policy) and any other contractual obligations they may have to meet.
  • Security passwords and keys are strictly personal (see the ISMS-PO-02 Information Security Policy, Section 2. Access Control Policy).
  • Password length must be >= 8 characters. New passwords must be different from previous ones. We strongly suggest using a mobile password manager.
  • All access to sensitive information must be restricted to prevent unauthorized individuals from obtaining sensitive data (see the ISMS-PO-02 Information Security Policy, Section 10. Information Asset Classification and Data Protection Policy).
  • Administrators of production resources should use Two-Factor Authentication.
  • Authentication of remote users to cloud resources and data must be protected using Two-Factor Authentication.
  • Physical access to HED ENGINEERING offices is controlled via the HED ENGINEERING remote controller application. Only the CEO can grant access to the company’s premises.

For further details regarding the rules and controls set for managing privileges and authentication rights, as well as the basic rules for creating, distributing and protecting passwords for HED ENGINEERING users, please refer to the ISMS-PO-02 Information Security Policy (Section 2. Access Control Policy).

3.3.4 Clear Desk and Clear Screen

  • HED ENGINEERING’s desktops, laptop computers and mobile devices should be locked if unattended, to avoid disclosure of HED ENGINEERING’s Information to unauthorized individuals.
  • The screen must lock after fifteen (15) minutes of inactivity for laptops and after one (1) minute for mobile phones.
  • Documents containing “INTERNAL” information must be removed from printers and faxes immediately.
  • Documents containing “INTERNAL” information are never disposed of in the general waste bins. These documents should be destroyed before being disposed of.
  • Hard copies should be kept to a minimum to avoid accidental disclosure of sensitive information.
  • When not in use, removable media (such as CDs or DVDs) that contain data should be stored securely.

3.3.5 Use of Internet & Email

  • Employees will use the HED ENGINEERING internet facilities only for business purposes and in accordance with the ISMS-PO-02 Information Security Policy (Section 9. Internet and Email Acceptable Use Policy).
  • The HED ENGINEERING email account is to be used only for HED ENGINEERING business-related purposes. Personal communication is permitted on a limited basis, but non-company-related commercial uses are prohibited.
  • Sending chain letters or joke emails from a HED ENGINEERING email account is prohibited.
  • Every employee is responsible for the proper and safe use of their email account and must use it in a way that does not harm HED ENGINEERING.
  • The HED ENGINEERING email system must not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin.
  • Email messages sent by employees from a HED ENGINEERING email address must contain a disclaimer.
  • HED ENGINEERING may monitor messages without any prior notice beyond that given here.
  • Employees are prohibited from accessing other users’ personal email accounts. If this needs to be done for business purposes, it must be done only with the approval of the email account owner and their supervisor.
  • Employees should not open suspicious email URLs or file attachments, even if they come from known senders. If an unexpected attachment is received, employees should contact the sender (preferably by a method other than email, such as phone) to confirm that the attachment is legitimate.
  • Employees should not provide passwords, PINs, or other access codes in response to emails or unsolicited popup windows.
  • Employees should not respond to any suspicious or unwanted emails (asking to have an email address removed from a malicious party’s mailing list confirms the existence and active use of that email address, potentially leading to additional attack attempts).

3.3.6 Information Transfer Policy

  • Confidentiality, the owner’s approval, and legal and contractual obligations should be taken into consideration before communicating information.
  • Employees must send only the information necessary for the stated purpose; any data not required should be redacted or removed completely (as appropriate) before being transferred.
  • Employees must not use insecure platforms and applications when transferring restricted, confidential and/or sensitive corporate information. Classification policy measures apply.
  • Employees should always be informed whether any data sharing agreements or contracts are in place that cover the transfer of data.
  • The filename or subject line must not reveal the full contents of attachments or disclose any sensitive personal data.
  • Employees should use only SFTP/FTPS or other encrypted protocols for transferring Confidential and Restricted information to customers.

3.3.7 Bring (use) your own device

  • Employees may use their personal mobile device (laptop, tablet, wearable, etc.) to access company-owned resources such as email, calendars, contacts, documents, etc. The employee is expected to use these devices in an ethical manner and adhere to the company’s BYOD policy (see the ISMS-PO-02 Information Security Policy, Section 8. Mobile Device and BYOD Protection Policy).
  • Passwords used must be strong and difficult to guess (further details on proper password use are available in the ISMS-PO-02 Information Security Policy, Section 2. Access Control Policy).
  • The screen must lock after fifteen (15) minutes of inactivity for laptops and after one (1) minute for mobile phones.
  • Devices may not be used at any time to store or transmit illegal materials including unlicensed software, or proprietary information belonging to another company.
  • Lost or stolen devices must be reported to the company as soon as the loss is realized so that sessions are invalidated, and devices are prevented from accessing company data.
  • Employees are responsible for notifying their mobile carrier immediately upon loss of a device.
  • At least once a year the Information Security Officer audits the employees’ devices that are used for business purposes. This is performed during working hours only.
  • Further details related to the use of personal devices are available in the ISMS-PO-02 Information Security Policy (Section 8. Mobile Device and BYOD Policy).

3.3.8 Incident report

Employees are responsible for reporting any actual or suspected security incident promptly to the Information Security Officer (see more in ISMS-PR-05 Incident Management Procedure).

3.3.9 Monitoring

HED ENGINEERING reserves the right to audit and monitor employee usage of systems to ascertain regulatory compliance (e.g., review of audit logs), detect unauthorized use, and prevent and/or detect criminal activity, as detailed in the ISMS-PO-02 Information Security Policy (Section 11. Logging and Monitoring Policy).

3.4 User Responsibilities

Please make sure that you read the following summary of the key points of HED ENGINEERING information security policies.

  1. I accept that Information created and stored on company computing devices is the property of HED ENGINEERING and is not considered private to the employee or contractor. HED ENGINEERING retains the right to access this information for business, security, or investigative purposes, or as required by law.
  2. I accept that I am responsible for the use of the security credentials (e.g., password) which are provided to me, and I will not share these security credentials with anyone.
  3. I will not access or try to access any systems to which I have not been given access.
  4. I will not write, develop, compile, copy, publish, perform, or attempt to import code, designed to replicate, destroy, or in some way affect the normal operation of a file, software, or information system (e.g., malware).
  5. I will protect all HED ENGINEERING classified material, including both electronic and paper copies.
  6. I will not send Restricted and Confidential information unless encryption is used to protect from unauthorized access.
  7. I will not take my own unencrypted backups of classified information e.g., to a non-authorized cloud storage provider or personal storage device.
  8. I will ensure that I am not overlooked by unauthorized people when processing classified information and I will not leave my computer unattended.
  9. I will securely store HED ENGINEERING classified printed material and ensure it is correctly destroyed when no longer needed.
  10. I will inform the Information Security Officer immediately if I detect a security incident.
  11. I will not remove equipment or information from my work facilities without the proper approval.
  12. I will not import viruses or other malware into the HED ENGINEERING Information Systems, and I will not deactivate the anti-virus protection on my computer.
  13. I will not install or uninstall any software without prior approval.
  14. I will comply with the legal, regulatory or contractual obligations of my role that HED ENGINEERING has informed me of.
  15. I will report immediately to the IT Department in the event of a lost or stolen corporate device.
  16. Upon leaving HED ENGINEERING, I will return all the classified documents I have in my possession, and I will destroy any copies that are not controlled.
  17. Upon leaving HED ENGINEERING, I will inform my supervisor of any important information held in my account before leaving, and I will return all the equipment and other assets I have been provided with by HED ENGINEERING as part of my work.

4 Control of Policy

The HED ENGINEERING Information Security Officer and/or Internal Auditor carries out audits at regular intervals (at least once a year) to ensure that this policy is fully followed.