IT Security Policy for Work Equipment and Users

The term “coworker” in this policy refers to an employee or subcontractor working for Regent.

1. Virus Protection & Phishing

  • All computers connected to Regent’s network, or handling any of Regent’s critical information assets, must have updated antivirus software installed.
  • Antivirus definitions must be regularly updated to ensure protection against the latest threats.
  • Scheduled virus scans should be conducted on all systems to detect and remove malware.
  • Browsers must have web filtering plugins installed that prevent the user from visiting unsafe websites where viruses or malware are spread or phishing is conducted.

2. Device Encryption

  • All portable devices (laptops, smartphones, tablets) used for work purposes must have disk encryption enabled.
  • Encryption keys need to be stored securely.
  • Coworkers must ensure that their devices are password-protected and set to lock automatically after a maximum of 15 minutes of inactivity.
  • Lost or stolen devices must be immediately reported to the CISO and/or the nearest supervisor who can assist in taking appropriate action.

3. Password Management

  • Employees must use strong, complex passwords that include a mix of uppercase and lowercase letters, numbers, and special characters (at least 3 of these types, at least 8 characters long).
  • Passwords must not be shared with others.
  • If a password is to be written down or saved, it needs to be done securely, such as in a safe or password manager with strong encryption. If there is suspicion that someone else has gained access to a password, it must be changed immediately and reported as a security incident.
  • Passwords must be unique for each account or system, meaning it is not allowed to use the same password for multiple accounts.
  • SSO through Regent’s Active Directory is the default login method and applies regardless of whether the system in question contains sensitive information assets or not. If SSO cannot be implemented due to economic or technical limitations, multi-factor authentication (MFA) must be activated. If that is also not possible to implement, an evaluation should be carried out to determine whether the system in question can be replaced. As a last resort, strong passwords as described above should be used.
  • All secrets written in source code in any form must be handled securely so that unauthorized individuals do not gain access to them. Among other measures, this includes using .gitignore files to avoid checking in passwords, handling connection strings so that they do not contain passwords in readable format, and managing the various environment files securely.
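The password rule in this section (at least 8 characters, at least 3 of the 4 character types) can be enforced mechanically where Regent builds or configures its own systems. The following validator is an added example written for this page, not Regent's own tooling; the class names and the returned reasons are assumptions chosen for readability.

```python
import string

# The four character types named in the policy: uppercase, lowercase,
# digits and special characters. "special" is taken to mean ASCII
# punctuation; that interpretation is an assumption of this example.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
MIN_LENGTH = 8    # "at least 8 characters long"
MIN_CLASSES = 3   # "at least 3 of these types"


def classes_present(password):
    """Return the set of character-type names that occur in the password."""
    present = set()
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                present.add(name)
    return present


def check_password(password):
    """Check a candidate password against section 3.

    Returns (ok, reasons): ok is True when the password complies,
    reasons lists every rule that was violated so the user can fix all
    of them in one attempt instead of one per round-trip.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    present = classes_present(password)
    if len(present) < MIN_CLASSES:
        missing = sorted(set(CLASSES) - present)
        reasons.append(
            f"only {len(present)} of the required {MIN_CLASSES} character "
            f"types present (missing: {', '.join(missing)})"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample candidates; none of these are real credentials.
    for candidate in ("Abcdef12", "password", "Pa$s1"):
        ok, reasons = check_password(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'rejected: ' + '; '.join(reasons)}")
```

The validator only covers composition and length; it does not cover the uniqueness rule (a password must not be reused across accounts), which has to be checked against a password manager or the other systems involved rather than against the candidate string alone.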

4. Administrative Rights

  • Coworkers are assigned the lowest level of access rights required to perform their job duties.
  • Access rights must be regularly reviewed, and unnecessary privileges must be revoked.
  • For administrative tasks, a separate, secure account should be used and should not be used for regular activities.
  • As a rule, two individuals should have administrative privileges to a system for redundancy in case one of them becomes unavailable. At the same time, no more than this should be administrators, as Regent applies the principle of least privilege.
  • Individuals with administrative rights should use Regent’s password manager to ensure that unique passwords of sufficient complexity are used.

5. Data Protection and Confidentiality

  • Sensitive and confidential data must be encrypted both during transmission and at rest.
  • Sensitive and confidential information must not be sent through unencrypted emails. This also means that documents containing such information must not be attached to emails. Regent’s system tool for document sharing should be used for such purposes.
  • Coworkers must not share sensitive information with unauthorized individuals or external entities.
  • Personal data about coworkers and customers must be handled in accordance with applicable data protection laws and regulations.
  • Sensitive and confidential data should only be processed when necessary to perform job duties.

6. Software and System Updates

  • Operating systems, applications, and software must be regularly updated with the latest security patches and bug fixes from their respective manufacturers.
  • Automatic updates should be enabled where possible. Where automatic updates are not available or feasible, manual updates should be performed promptly, taking operational constraints into account.

7. Security Awareness and Training

  • Unless otherwise communicated in writing, it is mandatory to participate in all competence development regarding information security.

8. Incident Handling

  • Incidents are handled according to the current incident management process.
  • Coworkers must immediately report all security incidents, breaches, or suspected activities to the CISO or the nearest supervisor for assistance in managing the incident.
  • Incidents can also be reported anonymously through Regent’s whistleblower function.

9. Network Security

  • All portable devices (laptops, smartphones, tablets) used for work purposes must have continuous active firewall protection (enabled by default on Windows, macOS, Android, and iOS).
  • Access to the organization’s network resources from external locations should occur through secure VPN connections.

10. Physical Security

  • Physical access to IT infrastructure, servers, and network equipment must be restricted to authorized personnel only.

11. Rules for Working at Regent’s Office

  • Regent applies a clear desk and clear screen policy. This means that at the end of each workday, any notes and other information that have been worked on during the day must be removed.
  • Computers, storage media of various kinds, and other confidential information assets such as notebooks must be locked in the security cabinet when not in use.
  • Physically noted information that is no longer needed must be destroyed in the document shredder if it contains sensitive data.
  • During meetings in the conference room with display windows facing the street, the blinds should be closed if confidential information is displayed on the screen or noted on the whiteboard.

12. Backup

  • Users are encouraged to use the organization’s approved cloud-based storage solution where backups are performed regularly.
  • Users are responsible for ensuring that their work-related data on local devices is regularly backed up to avoid data loss in case of device failure, theft, or other incidents.

13. Device Decommissioning

  • All devices taken out of service, including computers, mobile devices, and storage media, must undergo a secure deletion process to ensure that all data is permanently erased and cannot be restored.
  • Before devices are decommissioned, all data and software must be backed up if there is a need to preserve the information for future use or documentation purposes.
  • Contact the “Office and Admin Manager” for assistance in carrying out this process.

14. Management of Secrets in Source Code

  • All secrets, including API keys, passwords, and certificates, should be classified as confidential information and managed accordingly.
  • Direct entry of secrets into the source code in readable format is not allowed.
  • .gitignore files should be configured to automatically exclude files and folders containing sensitive information from being checked into version control systems.
  • Environment variables should be used to inject secrets into the application at startup. These variables should be managed outside of the source code and protected by appropriate measures in development, testing, and production environments.
  • Secrets should be stored in encrypted form, both at rest and in transit. Strong encryption should be used and keys should be managed securely.
  • Automatic processes should be established to rotate secrets regularly and after each suspected security incident.
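This section and the last bullet of section 3 both require that secrets never appear in source in readable form, that files holding them are excluded via .gitignore, and that secrets reach the application through environment variables at startup. The example below is added for this page and is not Regent's own code. It shows the three pieces together: a fail-closed loader that reads named secrets from the environment, a small scan over source text for readable secrets of the kinds the policy names (hard-coded passwords, passwords inside connection strings, private keys), and a simplified .gitignore coverage check. The variable names, the sample source file and the regular expressions are all constructed for the example; a real pipeline would use a dedicated secret scanner's rule set rather than these three patterns.

```python
import os
import re
from fnmatch import fnmatch

# Constructed detection rules for secrets written in readable form.
# The hard-coded rule accepts an identifier prefix (DB_PASSWORD = "...")
# but requires a quoted literal on the right-hand side, so reading the
# value from the environment does not trigger it. The connection-string
# rule stops at '{' and '$' so templated values such as
# Password=${DB_PASSWORD} are not reported.
SECRET_PATTERNS = {
    "hardcoded password": re.compile(
        r'(?i)\b\w*(password|passwd|pwd)\s*[=:]\s*["\'][^"\']{4,}["\']'),
    "password in connection string": re.compile(
        r'(?i)password=[^;\s"\'{$]+'),
    "private key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}


def scan_source(text):
    """Return (line_number, rule_name) for every readable secret found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def is_ignored(gitignore_lines, path):
    """Simplified .gitignore check: glob match on the full path or basename.

    Negation (!), directory-only and anchored rules are deliberately not
    handled; this only verifies that obvious secret files are listed.
    """
    for raw in gitignore_lines:
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        if fnmatch(path, rule) or fnmatch(os.path.basename(path), rule):
            return True
    return False


def load_secrets(environ, required):
    """Read the named secrets from the environment, failing closed.

    Raising on a missing or empty value is what makes the application
    refuse to start with a blank password instead of silently continuing.
    """
    missing = [name for name in required if not environ.get(name)]
    if missing:
        raise RuntimeError("missing required secrets: " + ", ".join(missing))
    return {name: environ[name] for name in required}


# Constructed sample source file; "hunter2" is a placeholder, not a real secret.
SAMPLE_SOURCE = '''\
import os
# Not allowed by section 14: readable secret in source.
DB_PASSWORD = "hunter2"
CONN = "Host=db.internal;User Id=app;Password=hunter2"
# Allowed: injected from the environment at startup.
API_KEY = os.environ["API_KEY"]
CONN_OK = f"Host=db.internal;User Id=app;Password={os.environ['DB_PASSWORD']}"
'''

# Constructed .gitignore content covering typical secret-bearing files.
SAMPLE_GITIGNORE = [".env", "*.pem", "secrets/"]


if __name__ == "__main__":
    for lineno, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}")
    for path in (".env", "deploy/.env", "secrets/db.pem", "app/config.py"):
        print(f"{path}: {'ignored' if is_ignored(SAMPLE_GITIGNORE, path) else 'TRACKED'}")
    try:
        load_secrets({"API_KEY": "example-only"}, ("API_KEY", "DB_PASSWORD"))
    except RuntimeError as exc:
        print(exc)
```

Run against the sample, the scan reports lines 3 and 4 and leaves lines 6 and 7 alone, which is the distinction the policy draws: the environment lookup is compliant, the literal is not.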

15. AI Tools, Translation Tools, and Other Public Cloud Services

  • Data must be anonymized, for example names and personal identification numbers.
  • Classified information must not be entered, for example passwords, connection strings, or other data sensitive to Regent’s or our customers’ operations.
  • Ensure that Regent’s and our customers’ rules, procedures, and policies regarding the use of these services are followed.
  • Apply the precautionary principle. Do not paste source code or data if you are unsure whether it may pose a security risk.

16. Compliance and Audit

  • Regular security audits and compliance checks will be conducted to ensure that the organization’s IT security policies and procedures are followed.
  • Any compliance deficiencies will be addressed immediately, and corrective actions will be taken.

17. Enforcement

  • Non-compliance with IT security policies may result in disciplinary actions, including but not limited to suspension, termination, legal actions, and financial penalties.

This IT security policy is designed to protect the organization’s digital assets, ensure the confidentiality and integrity of data, and minimize security risks. Coworkers are expected to familiarize themselves with this policy and adhere to its guidelines at all times.

All coworkers must sign to acknowledge that they have read, understood, and will follow the content of this policy. Thereafter, Regent must distribute this policy at least once a year to remind and educate coworkers about the rules that apply and what they have committed to following.