Version 7 - 29 January 2021
UMi Holdings Limited and its subsidiary companies (trading as “UMi”) takes the security of its data and IT systems, and that of its staff and other interested parties very seriously.
As well as ensuring that the appropriate technology and infrastructure is in place in order to meet this need, UMi requires that its staff and all other users of its systems are aware of the rules and behavioural expectations surrounding use of its IT systems and equipment and access to information.
UMi regularly reviews its IT security measures to ensure that they reflect changes in legislation, technology, and relevant risks, and remain in line with best practice recommendations for cyber security.
For the purposes of this policy document, the following terminology is used:
- “IT systems” refers to all equipment, software and data supplied, accessed, or used by UMi and its staff and any other user, including devices authorised for use under its BYOD Policy.
- “User” refers to all UMi staff and any other party granted access to UMi’s IT systems, such as associates, service providers, authorised contractors and temporary or agency workers.
This policy outlines the rules that must be followed when using or otherwise accessing IT systems provided by UMi.
This policy applies to all users who may be granted permission to use or access UMi’s IT systems.
There are no exceptions and breaches of this policy may lead to disciplinary action.
This policy applies to all UMi owned or supplied hardware including computers, laptops, and mobile devices, etc., as well as any devices authorised for use under its BYOD Policy.
5. ACCESS RIGHTS
In line with UMi’s IT Security Administration Policy, all access rights are granted in accordance with business requirements. Access rights are administered by the UMi IT Technology Team, supported by UMi’s service provider ITPS, following set authorisation procedures. Where a system is not managed by the IT Technology Team, e.g. a social media tool, the relevant line manager is responsible for overseeing permissions and access rights.
Authentication is by means of a unique login and password (which must comply with the password rules set out below). Multi-Factor Authentication (MFA) will also be used wherever possible. This will always be the case for accessing Microsoft tools, namely Microsoft 365 (Outlook, Word, PowerPoint, Excel, Teams, OneNote, OneDrive and SharePoint, etc.), Dynamics 365 and Keeper.
MFA is facilitated by using the Microsoft Authenticator application on a mobile device. Where it is not possible to use the Microsoft Authenticator application, MFA should be completed using a one-time passcode (OTP) sent via mobile phone (text or call) or to a different email account from the one linked to the system being accessed. All UMi staff and other interested parties must use MFA to access these tools where the facility is available and installed by the IT Technology Team.
Responsibilities of all users:
- Not attempt to access any systems for which they have not been granted access.
- Be accountable for all usage under their login and password in all systems, and as such must not disclose these details to others.
- Follow the password rules set out below.
- Use MFA where available and installed.
- Keep password details secure at all times. If any user feels that their password may have become known to others, it must be changed immediately, ITPS informed (cc the Chief Technology & Investment Officer) and their line manager notified of the circumstances.
- Lock workstations when leaving a PC or laptop unattended.
- Ensure that UMi equipment (including laptops, tablets, mobile phones) provided for their use is not made available for use by any third party - including family members or friends.
All new users will be initially issued with a unique temporary password which they will be forced to change at first logon.
All passwords used to access UMi’s IT systems must comply with the following rules, even where a third-party system or application has a lower standard that is not enforced:
- Be a minimum of 12 characters in length.
- Differ from your username.
- Be random and complicated.
- Include both alphabetic and numeric characters.
- Include at least one special character (e.g. !, $, %, &, etc.); do not replace alphabetic characters with obvious look-alike characters (e.g. @ for ‘a’).
- Contain no more than two identical characters in a row.
- Not be easily guessed.
- Not be disclosed to others.
- Not have been used previously, i.e. do not reuse passwords on the same or other accounts. Just changing a number, special character or letter to make it different is not acceptable. New passwords must be completely different and new.
- Not be a common password, for example 12345678, password (and variations of it) or qwertyuiop.
- Not include obvious dictionary words (when used on their own), proper nouns, dates, locations, sports teams, brands, etc.
- Contain multiple words that are not obviously related to each other or to you as an individual. When you have to use dictionary words, choose several random words that do not make an obvious phrase, each as long as possible, so that the password is as random and as unpredictable as you can make it. Having chosen this phrase, randomise the spacing between the words using spaces and special characters. Do not use the same password anywhere else, at work or at home.
- Not be written down or stored at any time or anywhere that can easily be accessed, for example in a notebook or diary or on a post-it note, etc.
- Never be stored in files that are not encrypted and password protected, whether on your device or on a network drive (e.g. not in a Word, Excel or Notepad file, etc.). Wherever possible this should be avoided altogether and Keeper used instead.
- Make use of the ‘Keeper’ password vault for creating random passwords, storing them and accessing them.
- The master password required to access the Keeper vault should be twice the complexity of the password strength described above.
- Remember your Keeper password, master question and answer.
After 3 unsuccessful attempts to access the network (Office 365 login), users will be locked out and their password will need to be reset.
Replacement passwords can only be obtained via a service request to ITPS, approved by the relevant line manager. A temporary password will be issued, and the steps above must then be followed to put in place a new password.
In addition, employees may also make use of biometric technologies (fingerprint or face recognition) where these are available.
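The rules above are mechanically checkable, and a self-service check lets a user test a candidate password before the policy's 3-attempt lockout ever comes into play. The following is an added illustration, not UMi's, Keeper's or Microsoft's code: it encodes the length, composition, repeated-character, common-password, look-alike-substitution and "not just a tweak of the old password" rules from this section. The common-password list, the substitution table and the edit-distance threshold are assumptions chosen for the example.

```python
import re

# Constructed deny-list mirroring the examples the policy gives (12345678, password, qwertyuiop).
# Assumption: a real deployment would use a much longer breached-password list.
COMMON_PASSWORDS = ("12345678", "password", "qwertyuiop")

# Obvious symbol/digit-for-letter substitutions the policy says give no extra strength (e.g. "@" for "a").
# Assumption: illustrative table only.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})

MIN_LENGTH = 12          # policy: minimum 12 characters
MAX_RUN = 2              # policy: no more than two identical characters in a row
MIN_CHANGE_DISTANCE = 4  # assumption: fewer edits than this from an old password is a "tweak", not a new password


def normalise(password: str) -> str:
    """Lower-case and undo obvious look-alike substitutions so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(LEET_MAP)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch 'just changed one character' reuse."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(password: str, username: str, previous: tuple = ()) -> list:
    """Return the list of policy rules the candidate password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs both letters and digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    # (.)\1{2,} matches the same character three or more times in a row
    if re.search(r"(.)\1{%d,}" % MAX_RUN, password):
        problems.append("more than %d identical characters in a row" % MAX_RUN)
    core = normalise(password)
    if any(common in core for common in COMMON_PASSWORDS):
        problems.append("contains a common password (leetspeak does not help)")
    # "Differ from your username": also reject the username embedded inside the password
    if username and username.lower() in core:
        problems.append("contains the username")
    for old in previous:
        if edit_distance(normalise(old), core) < MIN_CHANGE_DISTANCE:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; none are real UMi credentials.
    for candidate in ("P@ssw0rd2021!", "Summer2021!", "plinth otter 7 velvet-kayak!"):
        print(repr(candidate), "->", check_password(candidate, "jsmith") or "OK")
    print(check_password("Tr1ck-Brick+Lamp9", "jsmith", previous=("Tr1ck-Brick+Lamp8",)))
```

The check runs entirely on the user's side and never transmits the candidate; the normalised form is only compared, never stored.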
Keeper Password Vault
UMi recognises that there is a requirement to have multiple passwords across multiple systems and as such has provided all staff (and associates as required) with a password vault, Keeper. This enables UMi staff to store their passwords and access them easily via mobile device or web browser in a secure and efficient way. The Keeper solution also has a randomised password generator; this should be used, configured to at least the minimum standards above, whenever passwords are required. Keeper enables password sharing where this is allowed and there is a need for multiple staff to access an account, for instance UMi social media accounts, etc. In these instances, Keeper enables the creation of groups within which common access to such passwords is shared. The password vault requires a master password to access it; this password must be at least 24 characters long and follow the rules set above, for instance it could be a short random phrase or sentence containing spaces, meeting all the other parameters noted above. MFA using the Microsoft Authenticator app on a mobile device should also be used when accessing Keeper.
In line with UMi’s IT Security Administration Policy, only approved software, either downloaded or accessed as a service via a web browser, is permitted for use. No other software, files or folders may be transferred or downloaded onto UMi’s network from external networks, or via any medium such as CD-ROMs, USB sticks or file transfer mechanisms, unless it has been authorised as free of viruses and malware by the IT Technology Team and ITPS.
Responsibilities of all users:
- Not install, access, subscribe to, copy or download software of any sort unless specifically authorised by the Chief Technology & Investment Officer. Only software that is licensed to UMi may be installed on any computer or device, used, or subscribed to and accessed via a web browser. Software requests should be made using the ICT Request form available in SharePoint.
- In the event that a user receives software directly from a vendor, it should be passed to ITPS for installation.
- Not attempt to disable or override any of UMi’s installed software, including anti-malware software, firewalls and automatic updating services.
7. INTERNET, EMAIL AND SOCIAL MEDIA USAGE
There are risks associated with use of the internet, email and social media; therefore the following rules must be followed at all times. Failure to do so may result in disciplinary action, including for gross misconduct and in some cases dismissal.
When using the internet, email, video conferencing and messaging apps (e.g. MS Teams), social media or any other electronic messaging application, whether via mobile device, PC/laptop or tablet, users must not:
- Download or access any unapproved software from the internet; all software downloads and access to software services must be approved by the Chief Technology & Investment Officer.
- Accept any file or folder execution requests while on the internet.
- Open emails from unexpected sources or click on links or attachments from untrusted sources. Do take care to check the email addresses of unexpected emails to see if they look legitimate, and think about the content of emails: the request, type, tone and formality of language used, especially if purporting to come from a UMi colleague.
- Access auction, gaming, or gambling websites; these sites will be blocked.
- Access, download, send, or circulate any indecent, obscene, pornographic, sexist, racist, defamatory, discriminatory or other inappropriate materials. This is a dismissible offence with potential criminal liabilities.
- Use the internet, email or social media for personal gain or profit.
- Post or download messages that contain political views.
- Post or download messages that contain inappropriate, obscene, inflammatory, intimidatory, harassing, defamatory, discriminatory, disruptive, or otherwise offensive language and anything that will reflect poorly on UMi and professional reputation.
- Make inappropriate comments in relation to UMi in social media.
- Advertise or otherwise support unauthorised or illegal activities.
- Represent themselves as someone else.
- Provide lists or information about UMi’s employees or stakeholders to others and/or to send classified information without approval.
- Spend unreasonable or unwarranted time on the Internet, email or social media for personal use. Reasonable personal use is permitted, provided it does not interfere with the performance of duties.
- Share their network login and password with others. All users are responsible for illicit use of their login where they have not followed this policy, for example by sharing their password or writing it down in an easily accessible place; disciplinary action could result.
When using the internet, email, video conferencing and messaging apps (e.g. MS Teams), social media or any other electronic messaging application, whether via mobile device, PC/laptop or tablet, all users must represent UMi in a professional manner at all times.
When sending emails all users must:
- Include their UMi email signature on external emails; this includes various legal requirements with regards to sending company emails.
- Take time to check that the content is appropriate and professional and in no way defamatory or likely to bring UMi into disrepute; emails can have a wider audience than originally intended, which can have serious consequences.
- Pay due care and attention to email content and addresses they are sending to.
- Be aware that emails can be accessible under Data Protection Legislation. Take care when sending commercially sensitive or confidential information, if in doubt seek advice from a manager.
- Wherever possible send files as links to OneDrive or SharePoint. If this is not possible, send the file as an email attachment, read only or in PDF format, and password protected if the data content warrants it.
- Ensure that any links to UMi SharePoint or OneDrive files or folders have the appropriate access restrictions set, to reduce the possibility of data breaches associated with inappropriate sharing.
- Always use bcc when sending bulk emails to lists of recipients.
- Be aware that attachments to emails, or email threads/discussions, may be confidential or belong to others, so sending or receiving them without permission may have copyright implications or constitute a data breach, particularly considering the ease with which files can be downloaded from the internet or content cut and pasted.
- Be aware that in certain circumstances an email message may legally bind UMi without the proper authority being obtained internally.
- Inform their manager immediately if they receive any offensive, unpleasant, harassing, or intimidating messages via email or other means. It is important that such messages are traced as quickly as possible.
Users must not enter into paid or unpaid subscriptions or other contracts on behalf of UMi without express authority. Only those managers with delegated authority are permitted to enter into agreements for paid subscriptions or any other binding commitment on UMi’s behalf via email or the internet. If the subscription relates to software or software services, then the Chief Technology & Investment Officer must approve it, as described above.
UMi will monitor internet usage at a user level and reserves the right to review, audit, intercept, access and disclose all messages created, received, or sent over the electronic mail system for any purpose.
8. MALICIOUS CODE
In line with the IT Security Administration Policy, UMi will take all necessary steps to protect the integrity of its software and information against the introduction of malicious code (malware), including spyware, Trojans, worms and viruses, which may arise from downloading or accessing unauthorised software or mobile code, spam, email, messaging applications, websites, web applications, software, notebook computers, PDAs, mobile phones, portable memory media, or other means.
In addition to these measures, it is important that all users are vigilant and comply with the following:
- Never knowingly introduce a computer virus into UMi’s computer systems.
- CDs, diskettes, memory sticks, software and files from cloud storage or file transfer services of unknown origin must not be loaded on to computers.
- Where any incoming CDs/diskettes/memory sticks are from trusted sources (including from home) they must be scanned for viruses by the IT Technology Team / ITPS before they are read.
- Emails from unknown or untrusted sources must not be opened, and all users must be wary of all emails, even from colleagues and known sources, as many viruses use UMi’s address books to propagate themselves. If in doubt, do not open the email and do not click on any links contained within it.
- Emails that are suspected as malicious or phishing must not be opened; they should be attached (not forwarded) to an email and sent to the IT Service Desk (firstname.lastname@example.org). You are also able to block the email address by using Outlook.
- In the event that it is suspected that a virus has infected a PC, ITPS and the Chief Technology and Investment Officer should be informed immediately. ITPS will tell you what to do. This could include removing all network connections going into the PC and turning off your PC. This is to stop the suspected virus from spreading onto other PCs using the network and any servers that may be linked with that PC. The PC will then need to be kept switched off until an engineer has cleared the PC of anything suspected or has given an OK.
- If you receive any warning regarding viruses on your device (hoax or not), you must take a screenshot of the message and report it to the ITPS help desk straight away. The help desk will then be able to advise on any further actions to be taken.
It is UMi’s policy to protect all computer hardware, software, data and documentation from misuse, theft, unauthorised access, and environmental hazards. As well as the technical measures employed by the Business, it is expected that all users will also take responsibility for security.
All users must:
- Protect their PCs, laptops, printers and other devices from spillages (e.g. food and drink) and all equipment should be cleaned at regular intervals. Cleaning materials are available from Facilities on request.
- Take any laptops (where issued), associated power cables and peripherals needed to perform their jobs away with them every evening for resilience purposes.
- Where portable equipment is not taken away overnight, ensure that it is locked to the desk or locked away outside of office hours where there is no specific access control to the premises, or where the premises are used by people who are not UMi employees, associates or authorised contractors.
- Ensure that equipment is not left unattended in public areas; if necessary, equipment must be locked out of sight in the boot of a vehicle if it is unattended, for short periods only and never overnight.
- In normal working hours, all users must always attempt to locate equipment in areas of the office that are always clearly visible to at least one member of staff. Users working out of 3rd party premises in particular must be extremely vigilant as access controls may not be as robust as those at UMi premises.
- Prevent equipment from being moved or removed without seeking proper authorisation from the IT Technology Team.
- Always log out of systems in the correct manner and shut down machines when they are to be left unattended, including powering off any peripherals (monitor, keyboard, mouse, etc.). If workstations/laptops/PCs are being left unattended for any period of time, then they must be locked using Ctrl+Alt+Del or Windows key + L. Simply turning off the monitor is not acceptable.
- Ensure their data files are stored on OneDrive or SharePoint (directly or via MS Teams) or network drives (for historic data) that are automatically backed up by ITPS. You must never store data on PC/Laptop hard disk drives (desktops) or memory sticks unless it has been agreed in advance.
- Email is not the only mechanism for sharing data, files, documents, etc. internally and/or externally. In fact, it is often less secure than sharing a link to a OneDrive or SharePoint folder. Sharing a link should be used where data is confidential, sensitive or secure. See Annex 1 for more detailed guidance on using MS OneDrive and SharePoint for file storage and document sharing.
- In exceptional circumstances only, (e.g. if network access is not achievable) then memory sticks and hard drives may be used as a short-term workaround until the network is accessible. At this point the locally stored files must be copied to the network and removed from the temporary storage medium. It is emphasised this is by exception as the data stored in this way is not backed up and could be easily lost.
- In the unlikely event there are laptop users who spend significant time away from the office without network access they should consult the IT Technology Team as to alternative backup methods.
Users must not:
- In any circumstances remove UMi data and use for personal gain. All UMi data is the property of the company. Unauthorised removal of UMi data can result in legal action as it is considered theft, and if any personal data is involved then the activity is also illegal under data protection laws.
- Use personal devices (unless authorised under the UMi BYOD Policy) and non-company owned devices to store company data.
Mobile Device Management (MDM) software is on all UMi issued and bring your own device (BYOD) mobile phones. This enables the business to secure the device, control access to the data it owns on the device, set passwords, disable UMi devices and remotely delete data on UMi devices and bring your own devices if they are lost, transferred, or stolen.
- Ensure that any mobile device, UMi owned or BYOD, used to access UMi data, emails, messages, etc. has the MDM installed.
- The devices must at all times be password protected, with a minimum eight-digit password. Where available biometric id security features, e.g. fingerprint or face recognition can, and ideally, should be used.
- Do not disable the MDM.
- For UMi owned devices, only download applications from the approved Google or Apple app store or those listed in the MDM app catalogue.
- For BYOD devices, only access UMi data, emails, messages, etc. via applications installed on the device from the MDM catalogue.
- Accept and install all operating system (Android and iOS) and application updates.
- If for whatever reason you need to hard reset your device back to factory settings, then you must inform ITPS straight away so they can reinstall the MDM and connect it back to the server.
10. LOSS OR THEFT OF EQUIPMENT
The loss or theft of mobile devices presents the risk of unauthorised network access and data being compromised or stolen. It is imperative that in the event of such an incident swift action is taken in order to block the equipment and reduce the risk of any data breach.
All UMi laptops are encrypted with BitLocker, so can only be accessed with the correct username and password. In the event of loss or theft, UMi can also take steps to remove its access privileges.
Report the loss or theft of:
- Any UMi mobile devices (including mobile phones, tablets, iPads, laptops etc.).
- BYOD devices.
- Personal mobile devices where these are used to access company data e.g. email.
As soon as it is possible to do so, including out of hours:
- Contact Simon Goon on 07769 295161, or if unavailable Nicki Clark on 07710 476907.
- Contact the ITPS 24-hour helpline for laptop loss (0800 9531123).
- Provide the exact details of the incident, including:
- nature and time of the incident/loss.
- make and model of device.
- mobile number (if applicable).
- details of the type of information accessed via / stored on the device, e.g. emails, Office 365 applications, any other.
11. AUTHORITY, RESPONSIBILITY & DECISION MAKING LEVELS
All users are responsible for following the detailed procedures specified in this Policy document. The Chief Technology and Investment Officer is responsible for:
- Determining that rules are suitable, thorough, and effective in relation to changing threats and environments.
- Maintaining approved software lists.
- Monitoring internet and email usage.
- Ensuring all users are aware of how to identify viruses and the steps to follow.
- Incident management (including viruses and loss/theft of equipment).
Systems Administrators (the IT Technology Team, supported by ITPS) are responsible for implementing the necessary configurations and processes to support the above, including:
- Access control / user administration.
- Installation and maintenance of selected anti-malware software, patches, and updates.
- Checking that portable media are free from viruses before authorising for use.
All users are responsible for adhering to this policy at all times; non-compliance may result in disciplinary action.
This policy will be reviewed annually, or in line with changes in legislation, technology or risks that dictate a change to procedures. Any changes to the policy will be communicated to all users.
Annex 1 Guidance on Using OneDrive and SharePoint
Please note, where an associate is asked to use a folder within SharePoint, they will be given instructions on how to access the folder. They can save documents into that folder but must never share the document with any other person outside of UMi.