Social Workshop Ltd is committed to ensuring all workforce members actively address security and compliance in their roles. We encourage self-management and reward the right behaviours.
The purpose of this Policy is to outline the acceptable use of Social Workshop Ltd information and computing assets in order to protect both workers and Social Workshop Ltd. Inappropriate use of assets could expose Social Workshop Ltd to risks including virus attacks, compromise of network systems and services, and wider legal or regulatory issues.
Roles and Responsibilities
The Compliance Team will facilitate and maintain this policy and ensure all employees have reviewed and read the policy.
Use of Computers
All information system users of desktops, PCs, endpoints, smartphones and tablet devices (collectively referred to from here as endpoint devices) must lock access to their endpoint by using a password-protected screensaver, or log off, when it is not being used.
All user devices must have their default administrator password changed to comply with the password policy. Where the device runs a software firewall as its boundary to untrusted networks, all default passwords must be changed, and firewall rules must be reviewed to ensure they provide suitable protection.
Where users make use of their own device for work purposes (BYOD), this device will be equipped with endpoint management software which allows the Company to secure a portion of the device for work purposes only. This ensures that business data is kept safe whilst, at the same time, preserving a user’s privacy to use their own device however they wish. Our endpoint management solution supports Windows, macOS, iOS and Android devices, provides centralised control over the business portion of any device, and prevents the transfer of data outside the Company.
All devices must have malware protection software installed.
All users of the information systems must save their work regularly to prevent corruption or loss through system or power malfunction.
Social Workshop Ltd workers are not permitted to load non-approved screen savers or software which is not required by the business onto the organisation’s endpoint devices.
All operating systems, firmware and firewall rules are to be checked periodically to ensure that all are up to date and not running any end-of-life software. By default, firewalls will be configured to deny all incoming traffic unless an exception for a business case has been documented in the ISMS review timetable document.
Family and friends are not permitted to use Social Workshop Ltd equipment.
Use of Email
Workers are not permitted to access mailboxes other than their own, without specific approval from the owner of the mailbox, or the Compliance Team.
When a worker leaves Social Workshop Ltd, their Line Manager must ensure that an appropriate Out of Office message is set on the leaver’s email mailbox. The Out of Office message must give an alternative name and email address, and must be tested by the Line Manager.
When a worker leaves Social Workshop Ltd, their mailbox is automatically archived, and the mailbox hidden for a period of 90 days, at which point it is deleted. Access to this hidden mailbox may be granted at the discretion of the Compliance Team.
Personal email use is not exempt from monitoring, disclosure or any of the Social Workshop Ltd Information Security policies.
Users must:
- Change their password if it is disclosed to another party, or if it is suspected someone else knows it;
- Report the receipt of emails containing racial, sexual, religious or otherwise offensive remarks or media immediately to their line manager and Compliance Team who will treat this as an incident;
- Remember that emails which refer to any client must be written in terms which would be acceptable for the client to see;
- Take care to only send email to people who need to see it;
- Be careful when sending mass mailings and / or large messages / attachments to avoid potential network utilisation problems;
- Confirm in writing to their line manager who, if anyone, can access their email accounts in their absence.
Users must not:
- Send unencrypted sensitive and / or confidential email, which includes, but is not limited to, payment card data, financial information and personal or sensitive information;
- Send work related email to personal email addresses, unless this is part of a business requirement;
- Auto-forward email to external addresses;
- Share their password with anyone. Passwords must be changed as soon as the user suspects someone else knows it;
- Open email or attachments if the source is unknown;
- Send emails containing racial, sexual, religious, political or otherwise offensive remarks or media;
- Forward chain letters etc.;
- Use their Social Workshop Ltd email account to post messages on non-business related discussion forums or subscribe to non-business related mailing lists;
- Send emails which contain material which is incriminating, including in relation to admissions of fault or liability, unless expressly authorised by a line manager for the purposes of formal communication to a concerned party;
- Reply to SPAM email or click on web links contained in unsolicited email;
- Use the email account to run or engage in any form of personal or private business for hire or reward;
- Use email excessively for personal use. Reasonable but limited personal use of email may be possible with the prior agreement of your line manager;
- Access non-Social Workshop Ltd email accounts, e.g. Hotmail, Gmail etc., unless approved by their line manager to meet specific business needs;
- Use instant messaging / chat applications, other than those provided by Social Workshop Ltd.
Use of the Internet
Access to the Internet on Social Workshop Ltd provided endpoints must only be through approved network connections, which must have a suitable firewall configuration installed. Where a staff member’s or contractor’s own device is used for work purposes, access to the Internet will be controlled by and routed through Social Workshop Ltd’s endpoint management software.
Use of the Internet includes access to social media sites. Use of these must comply with this policy.
Users must:
- Only use the Internet for business purposes, though occasional personal use is acceptable provided it is reasonable. Any personal use must not interfere with normal business activities, must not involve solicitation, must not be associated with any ‘for-profit’ outside business activity and must not potentially embarrass the company or bring it into disrepute;
- Disconnect immediately from any site accidentally accessed that contains sexually explicit or offensive material, regardless of whether the site had previously been deemed acceptable and notify your line manager if you inadvertently visit an unacceptable site;
- Notify your manager immediately if you receive any inappropriate material;
- Comply with copyright law and all applicable licences that may apply to software, files, graphics, documents, messages and other material you wish to download or copy;
- Use Internet systems with the same integrity as in face-to-face, video-conference or audio-conference business operations.
Users must not:
- Access, display, store or send material which is discriminatory, harassing, obscene, pornographic, libelous, defamatory, breaches any obligations of confidentiality or is otherwise deemed by the company to be inappropriate in the workplace;
- Illegally copy material protected under copyright law or make material available to others for copying;
- Use Social Workshop Ltd computing resources to overload any computer system or network or to circumvent any system intended to protect the privacy or security of another user;
- Use Internet services to obtain unauthorised information or information which is personal or private to another individual or organisation. If such material is accidentally received or obtained its content must not be discussed or disseminated to any other person or organisation, other than the sender;
- Make excessive use of the Internet (as deemed by the company) for personal or non-business purposes;
- Download music or games or play games against opponents over the Internet;
- Download any software, including freeware, shareware or public domain software, without prior authorisation from the Compliance Team. Software with direct business use must be properly licensed and registered in advance;
- Download images or videos unless there is an express business-related use for the material;
- Attempt to circumvent the firewall, or other inherent controls, (for example by amending the browser configuration), without explicit authorisation from the Social Workshop Ltd Compliance Manager;
- Reveal confidential company information, customer data, trade secrets and other material covered by existing company security policies on public forums such as chat rooms and newsgroups;
- Speak or write in the name of the company on any newsgroup or chat room unless explicitly authorised to do so;
- Deliberately post false information to any newsgroup or chat room;
- Commit Social Workshop Ltd to any form of contract through the Internet without prior authorisation;
- Provide links to inappropriate non-business related websites or other resources which access, display, store or send material that is discriminatory, harassing, obscene, pornographic, libelous, defamatory, breaches any obligations of confidentiality or is otherwise deemed by the company to be inappropriate in the workplace.
Social Workshop Ltd personnel are responsible for any activity performed under their user credentials (i.e. login name and password). Inappropriate use of endpoint devices, systems, applications, email, the Internet and other services provided by Social Workshop Ltd may lead to disciplinary action.
When the Company is deciding whether to provide a user with administrative permissions, it will be the decision of the Compliance Team to approve and add the required permissions to devices and applications, following least privilege principles so that only the administrative access required for the role of the specific individual is allowed. The user will be added to the ISMS review timetable under the administrative access section to record that the employee has administrative permissions, and this will be reviewed regularly.
Either every 6 months, or following any changes to employees’ roles, all employees’ roles and permissions, including administrative permissions, will be reviewed by the Compliance Team and amended according to the administrative requirements within the Company at that time.
Social Workshop Ltd reserves the right to utilise software and systems to monitor and record all email and Internet usage. These security systems are capable of recording (for each and every user) each Internet site visit, each chat, or email message, and each file transferred into and out of our networks.
Social Workshop Ltd may use independently supplied software and data to identify inappropriate or sexually explicit Internet sites based on category, and will block access to such sites as necessary.
Computer resources are not unlimited. Network bandwidth and storage capacity have finite limits and all users connected to the network have a responsibility to use these resources wisely.
All email and Internet activity may be reviewed and usage patterns may be analysed.
Social Workshop Ltd will block access to other sites as necessary, where these sites constitute a threat to the normal running of Social Workshop Ltd business, or where there is no valid business reason for access. These include, but are not limited to:
- Criminal activity;
- Illegal drugs;
Social Workshop Ltd reserves the right to inspect any and all files stored on any server or endpoint device which it owns or manages, or which sits on the corporate infrastructure, and including remote users, in order to ensure compliance with this policy. This right may be exercised for the purposes of, for example:
- Record keeping;
- Determining whether communications are relevant to the business;
- Preventing or detecting crime;
- Ensuring the effective operation of the system.
In addition, Social Workshop Ltd reserves the right to monitor communications to determine the existence of facts, to detect unauthorised use of its systems and to ascertain the standards which ought to be achieved by workers using its systems.
Use of any Social Workshop Ltd owned or managed connection to the Internet is inappropriate when that use:
- Compromises the privacy of users and their personal data;
- Damages the integrity of a computer system or the data or programs stored on a computer system;
- Disrupts the intended use of a system or network resource;
- Wastes resources which are needed for business use (including the resources required to resolve issues).
Internet messages must be treated as ‘public’ by all Social Workshop Ltd workers. Anything sent through the Internet passes through a number of different computer systems, all with different levels of security. Unless they are encrypted, messages may be compromised at any point.
All Social Workshop Ltd workers must treat any information obtained via the Internet with caution, as it may be factually incorrect.
All Social Workshop Ltd workers must be aware that downloading items from the Internet could result in unwanted items ‘piggy-backing’ onto the request, potentially causing corruption of your data or the installation of malware, spyware or other viruses. To minimise these dangers, workers must consider carefully the nature and reputation of the website from which information is to be downloaded and report any suspicious activity (such as spurious messages or over-long downloads) immediately to their IT support team.
All acceptable use detailed in this policy document applies to homeworkers.
Data must be backed up on a regular, daily or weekly basis if possible, depending on the risk of not having the data.
Unauthorised software must not be installed on Social Workshop Ltd equipment.
The Homeworker must keep all Social Workshop Ltd owned equipment and data secure when it is not in use.
Use of removable storage is controlled and not permitted on Social Workshop Ltd owned devices without approval from Social Workshop Ltd’s Compliance Team.
Social Workshop Ltd operates a paperless office approach, and so printing sensitive customer data is not allowed unless explicitly authorised by the Compliance Team.
If any printed material is sent to any person working with Social Workshop Ltd, it should be scanned using appropriate software, and stored using Google Drive (using a company supplied Google Workspace login). The original document must be securely destroyed.
|Version|Date|Editor|Description of Changes|
|---|---|---|---|
|V1|August 15th, 2022|Social Workshop Ltd|Initial Creation|
|V1.1|August 30th, 2022|Social Workshop Ltd|Minor tweaks and publication|