Vertic's IT Policy

Purpose 

The purpose of this document is to provide clarity to all employees on Vertic’s expectations around how Information, Communication and Devices (“ICD”) should be appropriately used in the workplace.  Employees are defined as anyone working as a Vertic representative for any duration.

Employees should recognise that this is an evolving area and as such, this policy will be updated from time to time.  It is an employee’s responsibility to make themselves aware of Vertic’s policies and procedures, and where unsure to ask for assistance. 

Introduction

Vertic recognises that devices, data, e-mail usage and access to the internet are valuable in business which, when used wisely, can provide significant benefits to Vertic. However, it is important to note that there are legal, ethical, security and productivity issues involved when accessing applications, the internet and in using e-mail.

For these reasons, all ICD (including by telephone, facsimile and computer facilities) should reflect the standard of professional conduct and ethics that the person would otherwise maintain as a member of Vertic.

Vertic POLICY – IT CONTROLS  

Vertic has developed this IT policy and procedure document under the standard IT protocols to manage the risk associated with ICD. Our goal is to fundamentally protect and deter incidents from occurring, but to also instigate appropriate actions to detect, respond and recover should an incident occur.

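| Risk Area | Protect | Deter | Detect | Respond | Recover |
|---|---|---|---|---|---|
| Secure offices | X | | | | |
| Physical assets | X | | | | |
| Client security & Confidential Data | X | X | X | | |
| Client Access | X | | | | |
| Monitoring | | X | X | | |
| System Audits | | X | X | | |
| Incident Management & Reporting | | | | X | X |
| Disciplinary Action | X | X | | | |
| Procedures | X | | | | |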

Secure Offices /Work areas

When working in Vertic offices, employees must maintain physical protection of IT equipment and premises, so as to avoid unauthorised access and loss or damage.  Employees should ensure:

  • Offices/Homes are locked at all times when employees are not present

  • Assets are not placed within sight of external-facing doors or windows

  • Any physical assets (e.g. laptops) that are not required in day-to-day activities are locked up

  • Air-conditioning/heating is switched off at the conclusion of the day’s work

  • Use of power adaptors that could cause power surges or overloads is minimised

  • Whiteboards are cleared down of any client confidential information

When working from non-Vertic offices, including your home, the same care should be applied where practical.

Supporting Utilities

All of Vertic’s employees use laptops and mobiles that charge independently in case of power outages; this ensures that we have continued service. All of Vertic’s online services, like Salesforce and Atlassian, have their own data centres (and/or rely on Amazon AWS); this means that we are protected by multiple safeguards against utility and power failures.

Privileged Utility Programs

In cases where specialist supporting utilities are required to be managed, only the following authorised employees are able to do so:

  • Jan Tenenberg

  • Stephen Kent

  • Matt Romeo

This might include virus scanning software, specialist source code scanning software among others.

Accepting Deliveries (Physical)

When accepting physical deliveries, all Vertic employees must exercise care not to expose their working environment, must accept the delivery once it is deemed appropriate, and must store it securely inside the home/office in accordance with the physical security policies within this document.

Equipment Siting and Protection

All equipment issued by Vertic to its employees must be handled with care and a focus on protecting information. These actions include, but are not limited to, the following:

  • When working in public spaces, ensure a non-transparent wall is behind the employee

  • Ensure that any person walking past can be seen and therefore the environment managed

  • When equipment is unattended or an employee leaves their workstation, they must do one of the following:

    • Enter the lock screen function on their laptop

    • Have an active screensaver which will activate in no more than 3 minutes to lock the screen

    • Close the lid of the laptop to place the equipment in Sleep Mode

Physical Assets and Cable Management

Employees should take care to ensure that Vertic physical assets are in appropriate working order to avoid the risk of any OH&S issue.

All employees are provided a Vertic laptop as part of their employment and are expected to take appropriate means to safeguard this asset at all times, both in and outside working hours. All physical assets are recorded in Vertic’s Asset Register.  

When working from home, the following must be in place:

  • Lockable Doors

  • Lockable Windows

  • Blinds or Curtains to shut off external visibility

We recognise that any cables coming into the home office environment (like Telstra Internet) are not within the control of Vertic employees, but as soon as the cables enter the home, the following care must be taken:

  • Ensure cables are secure and not damaged

  • Ensure that cables can’t be damaged, for example by dogs, young kids, etc

  • Ensure the cable is only as long as it reasonably needs to be to accommodate the need

VIRUS PROTECTION  

Viruses have the potential to disrupt Vertic business and access sensitive Vertic and client data.  Controls are required to prevent, detect and correct the effects of malicious code.

All Vertic laptops should have the latest corporate virus protection running on them.  Employees are responsible for ensuring that this is active on their PC at all times.

AUTHORISED SOFTWARE   

Employees are only to download authorised software to Vertic computers.  This will usually be provided by IT on a self-service basis, in the form of a hyperlink.

TIME CLOCK MANAGEMENT

Vertic uses several mechanisms to manage a synchronised clock which ensure all Vertic employees work within the parameters, including the following mechanisms:

DATA STORAGE

All Vertic employees have been assigned an Office 365 account and as such have access to the Vertic SharePoint site. All work related material must be stored within this environment. If you are not sure where specifically to store data within this environment, please consult your LOB Manager.

Client Security & Confidential Data

By virtue of the nature of our work, we have access to highly confidential information of both our clients and Vertic with respect to performance, processes, clients etc.  This data must be kept confidential at all times during and after your employment (as per your employment agreement).    

Vertic employees are responsible for understanding any client or prospect’s specific IT policy and protocols and must adhere to those at all times.


SHARING DATA/PUBLIC DOMAIN

Only data that is “public domain” data ie that has been released via formal channels by Vertic/Client can be shared. If you are unsure about whether data is public domain, you must consult your LOB Manager or Regional Director for clarification before accessing or transmitting that data.

Any data that is not public domain is typically only authorised to be shared to other authorised Vertic employees on that project.


DATA STORAGE

All employees have been assigned an Office 365 account and as such have access to the Vertic SharePoint site. All work related material must be stored within this environment. If you are not sure where to store data within this environment, please consult your LOB Manager.

 

DATA TRANSMISSION

Client data should never be taken off a client site without written permission from the client in advance.  You must advise what the data is, the purpose for taking it offsite, how it will be managed and stored, how long it will be in our possession and how it will be subsequently removed from Vertic systems. 

Client data should never be emailed or saved to hard drives, personal computers, shared boxes (eg Dropbox) outside of the authorised client protocols.

Employees need to understand that this requirement extends beyond Vertic policy, and could be deemed a criminal offence under Sovereignty legislation.  

 

Access to Client Systems

At all times Vertic employees are responsible for appropriate access to systems they are working on at clients’ sites. Vertic can only access systems in a manner prescribed by the client and using their own login and passwords.  Employees are never to share logins unless written authorisation is provided in advance by the client to the Vertic Directors (e.g. for a group login on a development environment).

TOKENS

LOB Managers/Regional Directors are responsible for organising appropriate security ids/tokens for clients.  Employees are to take due care of such client items in their possession.  At the conclusion of projects employees are to hand back any items, and advise Vertic management that they have done so.

PASSWORDS

Employees are to use care in selecting appropriate passwords.  Consideration should be given to choosing passwords that are:

  • Reasonably complex and difficult to guess

  • Not name related

  • At least 8 characters long

  • A combination of alpha and numeric characters

  • A combination of upper and lower case

  • Changed regularly  

Employees are not to disclose password details to anyone else.

E-mail and Internet Usage

BUSINESS RELATED

E-mail and Internet activities are to be confined to Vertic business related activities.  The Internet and e-mail system is Company property and therefore all messages sent or received on the e-mail system are and remain Company property. They are not the private property of any employee/representative.

EMAIL ACCOUNTS  

When communicating with clients or business partners via email, employees /representatives must use their assigned Vertic email account and not a personal account.


CONFIDENTIAL DATA 

Employees must be aware of security issues in their email communications, and must ensure that they do not disclose any confidential or Company material to any unauthorised person/s – to do so would breach their Confidentiality Agreement and / or their Contract of Employment with Vertic. Employees are not to transmit sensitive or confidential client materials via the Internet or e-mail, or take client data offsite, unless authorised to do so.

INAPPROPRIATE USE /CONTENT

When communicating with clients or business partners, employees /representatives must ensure that correspondence does not contain information that would damage Vertic’s reputation or its relationships with clients, business partners, or the general public.

Vertic will not tolerate E-mail usage or Internet access for inappropriate or illegal purposes. Inappropriate e-mail messages may place employees in an embarrassing or even legally compromising position. All Vertic employees/representatives should understand that internal and external E-mail messages are records of Vertic that may be required for business or legal reasons. Moreover, transactions using e-mail or the Internet reflect the person's identification with Vertic.

E-mail and Internet communication originating from Vertic employees or representatives must never contain inflammatory, harassing or defamatory language, and must not be disruptive to the operations, or convey any material which would reflect poorly on Vertic’s reputation or its general public image.

ACCESS TO OTHER PEOPLE’S PCS/EMAIL

Employees must not use another person’s personal computer (PC) or access code / password to access the Internet, on-line services, client data and/or networks. Employees must not retrieve or read any E-mail messages that are not sent to them without prior authorisation.

MOBILE ASSETS

It is now common practice for employees to access email and applications via mobile devices.  Care should be taken in securing these devices both physically and electronically, e.g. with password access.

Prohibited Behaviours

For avoidance of doubt, the following list provides examples of behaviours that are prohibited. Note that prohibited behaviours are not limited to those listed below. Vertic employees, or other representatives authorised to use Company-supplied computing and communications facilities, must not use the Company hardware or software to:

  • Access client systems and/or distribute client data in an unauthorised manner

  • Generate, transmit or store potentially offensive material

  • Access or download material or send messages or material, which would breach Vertic company policy. This could include material, which is pornographic or sexually explicit, contains comments or innuendo (including jokes) of a discriminatory, sexual or racist nature, or makes inferences about a person’s sexual preference. In addition, other offensive material includes content or messages that are fraudulent, defamatory, embarrassing, obscene, harassing, abusive, intimidating, derogatory and/or other unlawful material

  • Originate or distribute chain letters, junk E-mail, broadcast mailings or other electronic material which is for political (e.g. elections for private or other organisations) or other non-work related purpose

  • Solicit money, personal gain, or operate a personal business, or any other use that results in personal profit

  • Gain unauthorised access to any other computer system of the Company or any other organisation or engage in deliberate attempts to impair the integrity of Vertic computing and communication networks in any way

  • Breach any Company policy or any law or regulation governing data transmission and copyright. Employees are not to duplicate copyrighted or licensed software unless they have prior written approval from the company secretary

Monitoring of Vertic’s Communication Networks

Employee use of Vertic’s computers, information technology resources (including computer related software) and computer network may be monitored, either in real time or through the collection and storage of data and information on the individual computers and/or the network. This includes all internet and email usage. Most commonly, this data and information is recorded through normal computer operations (including the storage of temporary files, cache memory and usage logs) but may also include other forms of software installed by Vertic (or on Vertic’s behalf) from time to time.

When using a Vertic computer, information technology resources and the computer network, all employees should at all times assume that usage is being monitored and/or recorded and that such data and information may be reviewed by Vertic.

Vertic, in its sole discretion, will determine what constitutes acceptable use of its computer and communication networks. Vertic reserves the right to block or limit access to any service or activity that affects or diminishes the effectiveness of its networks by whatever means necessary.

System Audits

Periodically IT will conduct system audits on access and security levels of applications to ensure only necessary access.

Incident Management

Where an employee is aware of an actual or perceived potential incident breaching Vertic ICD policy and procedure, they must immediately:

  • Report the incident verbally to their LOB Manager

  • Email their LOB Manager and Regional Director (NSW/NZ) with details of:

    • Nature of the incident

    • Client details (where client related)

    • Parties involved

  • Regional Director should email IT and Directors

  • Regional Director/LOB Manager should investigate:

    • Nature of the incident

    • Emergency actions

    • Client communications

    • Follow up procedures

  • Regional Director/LOB Manager should update IT and Directors on:

    • Outcome including any disciplinary actions

    • Recommended action/s in respect of prevention

Disciplinary Action for Breaches of Policy

If a complaint is made about or material discovered reflecting inappropriate use of computer and communication facilities, it will be investigated.

Depending on the nature of the inappropriate use of Vertic ICD, non-compliance with this Policy may constitute:

  1. A breach of employment obligations;

  2. Serious misconduct;

  3. A criminal offence;

  4. A threat to the security of the company’s ICD;

  5. An infringement of the privacy of employees and other persons; and/or

  6. Exposure to legal liability.

Non-compliance with this Policy will be regarded as a serious matter and appropriate action will be taken.

Where there is a reasonable belief that illegal activity may have occurred the company will report the suspected illegal activity to the police.

TERM OF EMPLOYMENT 

Employees are provided with relevant information and a copy of this policy as a Term in their Employment Agreement.

POLICY STORAGE /UPDATES

Current employees who already have system access will also be given a copy of this policy. Any future updates to this policy document will be re-distributed when they become available, but the latest copy will be on SharePoint in the Employees directory for access at any time by employees.


TERMINATION OF EMPLOYMENT 

Upon termination of employment, employees are to return all physical assets, tokens and ids.   Line of Business Managers and/or Regional Directors must notify clients to remove access to any client systems and Vertic IT to remove Vertic systems access on their final day.