The Simulanis IT and Data Security Policy aims to:
Safeguard sensitive information and digital assets.
Ensure the confidentiality, integrity, and availability of data.
Mitigate cybersecurity risks and threats.
Define roles and responsibilities for data security.
Foster a culture of cybersecurity awareness and best practices.
This policy applies to all employees, interns, contractors, and third-party vendors who access, use, or handle our organization's IT resources and data. It encompasses data protection, access controls, incident response, and compliance with relevant laws and regulations. Additionally, it covers the secure usage of company-provided devices, remote work, and third-party data sharing. This policy ensures a comprehensive approach to IT and data security across our organization.
Use company-provided computer systems and devices solely for work-related tasks.
Keep system passwords confidential, sharing them only with authorized managers or IT personnel when necessary.
Exercise caution and skepticism when receiving emails with suspicious links or requests for personal information.
Report any suspected phishing emails or security incidents promptly to the IT department or designated authorities.
Adhere to data classification guidelines and handle sensitive information with care, employing encryption as needed.
Maintain up-to-date software on your devices, including regular installation of security patches.
Secure company devices and access badges, ensuring they are not left unattended in public areas.
Follow remote work security protocols, including the use of secure Wi-Fi connections and VPNs.
Lock your computer when not in use and avoid leaving devices unattended in public spaces.
Regularly back up essential data and files to prevent data loss.
Familiarize yourself with and comply with data protection laws and company policies.
Participate in cybersecurity awareness and training programs provided by the company to enhance your knowledge and skills in data and IT security.
Using office computers or servers for personal businesses or gaming is not allowed. This includes running personal websites or game servers. Such activities create security risks and expose company resources to compromise.
Employees are strictly prohibited from using personal hard drives or any other external storage devices for data storage or transfer on company systems or networks.
Authorized Usage: Company-provided computer systems, software, and email accounts are to be used exclusively for work-related tasks and in accordance with your job responsibilities.
Email Etiquette: Use professional language and tone when sending and receiving emails. Avoid personal or offensive content in company emails.
Data Protection: Do not send sensitive or confidential company information through personal email accounts. Use company-approved and secure methods for data sharing.
Phishing Awareness: Be cautious of emails with suspicious links or requests for personal information. Do not click on unfamiliar links or download attachments from unknown sources.
Attachments: Scan email attachments for malware before opening them. Do not open attachments from unknown or unverified sources.
Data Classification: Apply data classification guidelines to email correspondence. Encrypt sensitive data when sending it via email.
Reply to All: Use the "Reply to All" function sparingly. Only include recipients who need to be informed or involved in the conversation.
Personal Use: Keep personal use of email to a minimum during work hours. Personal email accounts should not be used for company-related correspondence.
Password Protection: Secure your email account with a strong, unique password. Do not share your email password with anyone, including colleagues.
Primary Storage: All company data, regardless of classification, must be stored on designated network drives or servers provided by the organization.
Backup: Maintain a backup copy of critical data on a secure Network-Attached Storage (NAS) device within the company premises. Additionally, back up this data to a secure cloud storage solution approved by the organization.
Access Control: Implement strict access controls on all data storage locations, ensuring that only authorized personnel can access, modify, or delete data.
Data Classification: Categorize data based on its sensitivity and ensure that access controls are aligned with its classification level.
Encryption: Encrypt all data stored on network drives, servers, NAS, and in the cloud to protect it from unauthorized access.
Regular Backup: Establish a regular backup schedule, and verify the completeness and accuracy of backups periodically.
Data Retention: Adhere to data retention policies that define how long data should be retained on primary storage and backups.
Cloud Storage: When using cloud storage, ensure that data is encrypted, and access is controlled following the same principles as on-premises storage.
Monitoring: Implement continuous monitoring of data storage locations to detect and respond to any unauthorized access or unusual activities.
File Deletion: Accidental file deletion can cause major issues. Employees must be careful while deleting files and should immediately notify the IT department in case of accidental deletion. Regular backups are maintained to retrieve lost files if needed.
Client Confidentiality: Treat all client information as confidential and sensitive. Do not disclose or discuss client data with unauthorized individuals.
Access Control: Implement strict access controls to ensure that only authorized personnel can access client data. Use role-based access if possible.
Data Encryption: Encrypt client data both in transit and at rest to protect it from unauthorized access or interception.
Data Classification: Categorize client data based on its sensitivity and importance. Apply security measures accordingly.
Secure Communication: Use secure channels for communication when sharing client information, such as encrypted email or secure file transfer protocols.
Authorization for Data Sharing: Obtain explicit consent or authorization from clients before sharing their data with third parties or other departments within the organization.
Data Retention: Retain client data only for the duration necessary to fulfill the intended purpose. Dispose of it securely when no longer needed.
Training: Provide employees with training on handling client data securely and in compliance with data protection laws and industry regulations.
Incident Response: Establish a clear protocol for reporting and responding to data security incidents involving client information. Notify clients of any breaches promptly and in accordance with legal requirements.
Third-party Vendors: If third-party vendors are involved in handling client data, ensure they adhere to the same high data security standards as the organization. Perform due diligence on their security practices.
Compliance: Strictly adhere to data protection laws, industry-specific regulations, and contractual agreements related to client data.
Regular Auditing: Conduct regular audits and assessments to ensure compliance with data security guidelines and to identify and address potential vulnerabilities.