Security Policy

1. Introduction

This IT Security Policy is designed to protect company, client, and personal data, reduce the risk of IT problems, and ensure compliance with the General Data Protection Regulation (GDPR) and other relevant laws. By following this policy, we aim to prevent security issues before they arise, minimize potential disruptions, and safeguard critical information related to our operations.

Prevention is key: adhering to this policy will help us avoid IT problems and maintain smooth business operations.

2. Responsibilities

Lukasz Wiatrak, as the sole operator and Data Administrator, is responsible for the day-to-day implementation of this security policy. He ensures that appropriate measures are in place to protect company and client data, as well as comply with legal and regulatory requirements.

All individuals involved in the business must adhere to this policy and take personal responsibility for the secure handling of any data they interact with. Lukasz Wiatrak also remains responsible for addressing and resolving any reported security incidents or breaches.

3. Information Classification

All data processed is categorized to ensure appropriate security measures are applied. The classification system includes:

Public: Information available to the general public with no legal restrictions. Public data may be accessed by anyone, both within and outside the business.

Internal: Data that must be protected due to privacy or proprietary concerns but does not fall under specific legal restrictions. Internal data is accessible only to those who have legitimate reasons for access.

Confidential: Sensitive data with restricted access, requiring explicit authorization from the Data Administrator. Confidential data is only shared on a strict need-to-know basis due to legal, contractual, or privacy obligations.

Regulatory: Data governed by regulatory bodies and legal statutes. Access to regulatory data is strictly limited, and it requires specific handling and reporting in case of incidents.

4. Security Software and Tools

To protect all data and systems, the following security measures and tools are in place:

  • Anti-Malware: Laptop and desktop systems are protected by Malwarebytes.
  • Anti-Virus: Windows Defender is used for continuous protection against viruses and other threats on laptops and desktops.

These tools are regularly updated and monitored to ensure the security of all devices used for business purposes.

5. Device Security and User Responsibilities

All users are responsible for the secure handling of any device they use for work, including laptops, phones, and tablets. To ensure device security:

  • Software Updates: Regularly update your operating system and applications to ensure protection from vulnerabilities.
  • Firewall: Keep your computer’s firewall switched on.
  • Anti-Malware: Ensure anti-malware software is installed and up to date (e.g., Windows Defender or Malwarebytes).
  • Account Security: Use separate user accounts for different users (e.g., family members) on shared devices. Avoid using an administrator account for everyday use.
  • Automatic Logout: Set devices to log out automatically after 15 minutes of inactivity and require a password to log back in.

If your devices are lost, stolen, or compromised, report this immediately to Lukasz Wiatrak.

6. Password Guidelines

To ensure strong protection for user accounts and sensitive data:

  • Change Default Passwords: Always change default passwords and PINs on computers, phones, and network devices.
  • Enable Two-Factor Authentication (2FA): Use 2FA on all services you access, such as Office 365, GitHub, Atlassian, and Gmail.
  • Use Strong, Unique Passwords: Ensure passwords are complex and avoid using the same password for multiple critical systems.
  • Password Management Software: Consider using password management tools to securely store and manage your passwords.
  • Do Not Share Passwords: Never share your passwords or disclose them to others. If you need to collaborate, use secure access methods like role-based permissions.
  • Avoid Written Passwords: Don’t write passwords down, especially near computers or phones.

By following these guidelines, you help protect sensitive data and reduce the risk of unauthorized access.

7. Be Alert to Other Security Risks

While technology provides protection, personal habits and actions also play a key role in maintaining security. Follow these practices to stay vigilant:

  • Stay Informed: Regularly educate yourself about potential security threats. Resources like Get Safe Online offer helpful guidance on general IT security awareness.
  • Exercise Caution with Emails: Be careful when opening email attachments from unknown senders, and treat unexpected attachments with caution even when they come from known contacts.
  • Report Suspicious Activity: If you suspect any phishing attempts, malware, or other security threats, report them immediately to Lukasz Wiatrak.
  • Use Secure Internet Practices: Avoid accessing sensitive company information over unsecured public networks. Use VPNs or encrypted connections when necessary.

Being proactive and informed significantly reduces the risk of IT security incidents.


Sub-Processors