General Employee Security Policy

Savvi Technologies, Inc. Updated 2023-01-11

Edit this page at https://github.com/savvi-legal/security-policy/blob/main/general-employee-security-policy.md.

This policy includes information relevant to all Savvi Employees. Programmers, IT staff and other relevant employees should also see the Information Security Policy (ISP).

Philosophy: Audit and Allow

Due to the nature of our business, we need to have a fair number of policies and procedures in place, especially in regard to the security of customer data and legal agreements.

However, we want you to be comfortable at work and feel empowered to get done the things you want to do.

To strike a nice balance between “locked down” and “wide open”, we take the position of “audit and allow”. Whether you need access to systems or tools, budget for equipment or software, or whatever else, all you need to do in most cases is ask and you’ll get it - within some bounds of reason.

We’d much rather have you go through the proper channels and get what you want and need to feel comfortable and productive than have policy and procedure incidents caused by going around the red tape.

Training

Security Awareness training is required for all employees.

See Security Awareness Training.

Background Checks

tags: inf_sec_hr_screening

Due to the sensitive nature of our business and regulatory compliance, all employees shall be subject to identity verification and criminal background checks.

Urgent / Expensive Communication (Phishing) Policy

“Never not be afraid” - Grug, The Croods

“Never not be highly skeptical” - AJ, Savvi Legal

Managers and C-suite execs will not text or email you for tasks outside of your normal duties. The same goes for customers.

Never take action on seemingly urgent (and especially expensive) requests via email or text message - that’s how the Nigerian Princes get you. Always call back via a known-good phone number.

Report suspicious activity to your manager / lead, as it may point to a data breach (e.g. company contacts leaked via internally hacked email, malware app on a phone) or a bug or misconfiguration in one of our services (e.g. misconfigured email filter, ability to place arbitrary text in an outgoing message).

Physical Access & Video Recording

Each employee shall have their own building access code and shall not share it with others.

Video recording is used at the entry to Savvi Offices. The building access codes are not sufficient to Since the building codes

Incident Response: If you need to rotate your door access code for any reason, contact your supervisor and the building manager (Anders).

WiFi & Network Policy

tags: inf_sec_endpoint_visibility, inf_sec_network_segmentation

This policy applies to employee and guest networks.

All network activity shall be monitored by a network security gateway device.

Both broad analytics and device-specific analytics and logs shall be kept, including domain names (taken from TLS SNI and HTTP Host headers, such as example.com), IP addresses and ports (such as 192.168.1.100:8080), location (such as Salt Lake City, US), and app traffic (such as WhatsApp, Netflix, Facebook, etc). This includes encrypted connections.

If you need to use an external proxy or VPN for any reason, just ask your supervisor. This generally shouldn’t be a problem; we just need to know what’s happening on our network and why.

In the case of a security incident, all device traffic (personal, work, or otherwise) may be inspected to help identify possible entry points.

Credential Management

All employees shall use (separate) password managers for personal and work email accounts.

For work accounts we presently use LastPass. Due to recent repeated security incidents we may switch to another provider.

Account Monitoring

All employees shall have their personal and work email accounts and phone numbers monitored for credential disclosure (e.g. password hacks, account breaches).

At the time of this writing and until further notice this includes the use of https://haveibeenpwned.com.

Employees shall not unsubscribe from security notices for any service that is used personally or at work for authentication and identification (primarily email accounts such as Gmail, phone accounts such as AT&T, and specialty identity services such as Authy or Global ID).

Device Policy

tags: inf_sec_malicious_code, inf_sec_governance, inf_sec_encrypt_at_rest

All real and virtual electronic devices and servers must have automatic security updates enabled:

Daily-use devices (e.g. not old phones kept around for Flappy Bird) must be upgraded before reaching end-of-life for security updates (typically 5-6 years). See also:

Computer-like devices shall also have active virus and malware protection.

macOS (https://www.apple.com/macos/security/)

Windows

Linux (Desktop)

All applications should be signed.

Applications that require disabling security features of the OS to run - such as admin access, bypassing signature checks, or installing system-level components - simply need to be reported.

It is recommended NOT to install OS upgrades until a minimum of 3 (and preferably 6) months after release, so that we don’t end up as beta testers for beta software.

BYOD Policy

tags: inf_sec_personal_devices, inf_sec_vendor_management

Employees may use their personal devices at work, and may use work devices remotely so long as they have been audited and adhere to the Device Policy.

However, personal devices may not have direct access to production environments, data, or assets, and may not have indirect access to such (e.g. through a jumpbox) without additional security factors, such as VPN access and passphrase-protected SSH keys.

Browser Policy

Brave is the preferred browser.

Safari and Firefox are viable alternatives.

Edge is right out.

At present Google Chrome should be avoided due to its lack of industry standard security features. Likewise, Microsoft Edge violates industry standard security features in different ways from Chrome.

Brave is a good alternative for sites that “only work in Chrome” (not Safari or Firefox) because it’s essentially a patched version of Chrome that includes industry standard security policies that Google is slow to adopt due to the effect on its advertising revenue and that Microsoft has not yet adopted.

Brave Search and DuckDuckGo are the suggested search engines.
Due to its lax security policy, Google is not recommended (but sometimes you gotta use it).

Teleconferencing / Zoom Policy

Where possible, Jitsi (https://meet.jit.si) shall be used for video conferencing.

Zoom has proven to be irresponsible year after year, exposing multiple high-risk 0-day vulnerabilities.

If possible, do not install Zoom; use the web version instead.

If installed, Zoom must be restarted to allow updates to run before each use.

If Zoom will not be used for more than 14 days, it should be uninstalled.

Be cautious of showing passwords, names, phone numbers, account balances, and other PII when screen sharing.

Be aware that, just like a touch-tone phone, each keypress on a keyboard creates a unique sound. Acoustic forensics can be used by hackers to reverse recorded audio into keypresses, such as passwords, as part of an audio phishing attack.
