Acceptable Use Policy

Version: 1.0 approved
Controlled copy — valid on date of download only

Internal Use

Dispel

Document Control

Item | Details
Version | 1.0
Cadence | Annual
Policy Owner | Chief Information Security Officer
Approved By | Chief Executive Officer
DCF References | DCF-3, DCF-4, DCF-5, DCF-6, DCF-7, DCF-10, DCF-11, DCF-13, DCF-14, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-25, DCF-26, DCF-27, DCF-32, DCF-33, DCF-35, DCF-36, DCF-37, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-45, DCF-46, DCF-47, DCF-48, DCF-49, DCF-53, DCF-54, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-62, DCF-68, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-99, DCF-100, DCF-134

1. PURPOSE AND SCOPE

1.1 Purpose

This policy specifies acceptable use of end-user computing devices and technology. Additionally, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

1.2 Scope

This policy applies to all Dispel workforce members and any user of Dispel-managed computing devices and technology resources.

Background

Dispel is committed to ensuring all workforce members actively address security and compliance in their roles at Dispel. We encourage self-management and reward the right behaviors.

# | Framework / Standard | Relevant Control IDs | Alignment Notes
1 | SOC 2 | CC1.1, CC1.4, CC1.5, CC2.2, CC5.2 | Supports Trust Services Criteria for control environment, communication of expectations, and acceptable use of technology resources.
2 | ISO/IEC 27001 | A.8.1.3, A.11.2.9, A.12.2.1, A.12.6.2 | Supports Annex A controls related to acceptable use, user responsibilities, protection against malware, and operational security.
3 | NIST SP 800-53 | PL-4, PS-6 | Aligns with controls for rules of behavior, personnel screening, and acceptable use expectations.
4 | IEC 62443 | | Supports organizational and personnel security requirements for appropriate use of systems and information.
5 | HIPAA | 164.308(a)(5) | Supports Security Rule awareness and acceptable use expectations.

2. POLICY STATEMENTS

2.1 Management Commitment

Dispel management is committed to enforcing this Acceptable Use Policy, communicating expectations clearly to all workforce members, and allocating sufficient resources to support training, monitoring, and corrective actions where needed.


4. ROLES AND RESPONSIBILITIES

Users of this document are all employees of Dispel.

The owner of this document is the Chief Executive Officer, who must check and, if necessary, update the document at least once every six months.

2.2 General Acceptable Use Requirements

Dispel policy requires all workforce members to accept and comply with the Acceptable Use Policy. Dispel policy requires that:

  • Background verification checks on all employee and contractor candidates should be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.
  • Employees, contractors and third-party users must agree to and sign the terms and conditions of their employment contract, and comply with acceptable use.
  • Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures Dispel has in place. Employees will also have ongoing security awareness training that is audited.
  • Employee offboarding will include reiterating any duties and responsibilities still valid after termination, verifying that access to any Dispel systems has been removed, and ensuring that all company-owned assets are returned.
  • Dispel and its employees will take reasonable measures to ensure no corporate data is transmitted via digital communications such as email or posted on social media outlets.
  • Dispel will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.
  • A fair disciplinary process will be utilized for employees who are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether or not this was a first offense, training, business contracts, etc. Dispel reserves the right to terminate employees in serious cases of misconduct.

5. PROCEDURES

5.1 Acceptable Use Procedures

Dispel requires all workforce members to comply with the following acceptable use requirements and procedures, such that:

  • All workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.
  • Use of Dispel computing systems is subject to monitoring by Dispel IT and/or Security teams.
  • Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including company-provided and BYOD devices, unattended in public.
  • Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.
    • For macOS, this means FileVault 2. For Windows, this means BitLocker. BitLocker uses AES-128 by default at the time of writing, so you may choose to switch it over to AES-256. Instructions here.
  • Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.
  • All data storage devices and media must be managed according to the Dispel Data Classification specifications and Data Handling procedures.
  • Employees may only use photocopiers and other reproduction technology for authorized use.
  • Media containing sensitive/classified information should be removed from printers immediately.
  • The PIN code function will be used on printers with such capability, so that the originators are the only ones who can get their print-outs and only when physically present at the printer.
  • If using a BYOD device, employees should create a separate user account specifically for Dispel if possible. This separates work activities from personal ones, and allows users to keep their personal lives apart from Dispel if the company needs access to the device. Sometimes this may not be possible, for example on iOS.
  • Company information must be backed up regularly to a cloud service such as the Dispel file share, or on local hardware. If local backups are used, they must be encrypted.
  • Computers must require a password immediately after sleep or screen saver begins.
  • Computers must require a password to unlock the device on bootup. (For the avoidance of doubt, we’re not requiring a firmware password.)
  • When using computing devices outside of company premises, they must not be left unattended and, if possible, should be physically locked away.
  • When using computing devices in public places, the owner must take care that data cannot be read by unauthorized persons.
  • All wireless network connections must be encrypted. Users may not accept invalid certificates when connecting to an unknown network.

3.1 Protection Against Malware

Dispel protects against malware through malware detection and repair software, information security awareness, and appropriate system access and change management controls. This includes:

  • Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that may be affected by malware, including workstations, laptops and servers. Regular scans will include:
    • Any files received over networks or via any form of storage medium, for malware before use;
    • Electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
    • Web pages for malware.
  • Restrictions on Software Installation
    • Only legal software with a valid license installed through a pre-approved application store or as decided with reasonable judgement by the employee will be used. Use of personal software for business purposes and vice versa is prohibited.
    • The principle of least privilege will be applied, where only users who have been granted certain privileges may install software.
    • Dispel will identify what types of software installations are permitted or prohibited.
  • Controls that prevent or detect the use of unauthorized software (e.g. application whitelisting)
  • Controls that prevent or detect the use of known or suspected malicious websites (e.g. blacklisting)
  • Vulnerabilities that could be exploited by malware will be reduced, e.g. through technical vulnerability management.
  • Dispel will conduct regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated.
  • Malware detection and repair software will be installed and regularly updated to scan computers and media as a precautionary control, or on a routine basis; the scan carried out will include:
    • Any files received over networks or via any form of storage medium, for malware before use;
    • Electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
    • Web pages for malware.
  • Defining procedures and responsibilities to deal with malware protection on systems, training in their use, reporting and recovering from malware attacks.
  • Preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements.
  • Implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying websites giving information about new malware.
  • Implementing procedures to verify information relating to malware, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malware, are used to differentiate between hoaxes and real malware; all users should be made aware of the problem of hoaxes and what to do on receipt of them.
  • Auto-run feature must be disabled on Windows for removable storage media. Mac OS X doesn’t allow auto-run.
  • Isolating environments where catastrophic impacts may result.

Policy Review

This policy must be reviewed at least annually by the CEO or delegate and updated as needed to reflect changes in technology, risk, and regulatory obligations.


Accessibility

This policy is available to all personnel via the company’s policy management system.


Exceptions

Exceptions to this policy must be formally requested and approved by Executive Management, with compensating controls documented where appropriate.


Enforcement

Violations of this policy may result in disciplinary action up to and including termination, consistent with HR policies and applicable law.


Revision History (Human-Readable)

Version | Date | Editor | Description of Changes
1 | 1/13/22 | Ethan Schmertzler | Initial Creation
2 | 1/13/22 | Ethan Schmertzler | Approve
3 | 1/10/25 | Stefan Kristensen | Approve

Document Provenance

Last Modified | April 3, 2026 at 16:04 -0400
Author | unknown
Signature | Not signed
Commit | 547bdca