Employee Handbook

View the Project on GitHub cuesoftinc/employee-handbook

Cybersecurity policy

Introduction

At Cuesoft, protecting our data, systems, and intellectual property is a top priority. Every employee, contractor, and external collaborator has a responsibility to follow cybersecurity best practices to safeguard company resources, client information, and personal data entrusted to us.

TL;DR

  1. Authentication and Access Control
    • Strong Passwords: All users must create strong, unique passwords with a mix of upper and lowercase letters, numbers, and special characters. Passwords must be changed regularly and never reused across multiple platforms or accounts.
    • Two-Factor Authentication (2FA): 2FA is mandatory for all company accounts, including email, project management tools, cloud storage, and financial systems.
    • Access Levels: Access to company systems and data will be granted based on role and necessity (“least privilege” principle). Team members should only access data required for their work.
  2. Data Protection and Storage
    • Secure Storage: Confidential files, client data, and internal documents must only be stored on approved company systems (e.g., company cloud servers, encrypted drives).
    • Prohibited Storage: Storing company data on personal cloud accounts (Google Drive, Dropbox, iCloud, etc.) or personal USB devices is strictly prohibited.
    • Data Encryption: Sensitive files must be encrypted during storage and transfer.
  3. Communication and File Sharing
    • Official Channels: Only company-approved communication platforms (e.g., the company WhatsApp group, Teams, company email) may be used for business correspondence.
    • Confidentiality: Employees must ensure that sensitive information is not shared outside the company without authorization.
    • Third-Party Tools: Any third-party software or platform must be vetted and approved before use.
  4. Threat Awareness and Reporting
    • Phishing Awareness: All team members must exercise caution when opening links, attachments, or requests from unknown or suspicious sources.
    • Reporting Incidents: Any suspected phishing attempt, malware, data breach, or unusual activity must be reported immediately to the IT/Security Team via the designated incident reporting channel.
    • No Delay: Prompt reporting ensures that threats can be contained before causing wider harm.
  5. Device Security
    • Company Devices: Employees must keep company-issued laptops and devices updated with the latest security patches and antivirus software.
    • Personal Devices (BYOD): If personal devices are used for work, they must comply with company security requirements (password-protected, updated OS, antivirus installed).
    • Lost or Stolen Devices: Any lost or stolen device containing company data must be reported immediately so access can be revoked.
  6. Internet and Network Usage
    • Secure Networks: Employees must connect only through secure Wi-Fi networks. Public Wi-Fi should only be used with a company-approved VPN.
    • Prohibited Activities: Downloading unauthorized software, accessing malicious sites, or using company devices for illegal activities is strictly forbidden.