Cybersecurity policy
Introduction
At Cuesoft, protecting our data, systems, and intellectual property is a top priority. Every employee, contractor, and external collaborator has a responsibility to follow cybersecurity best practices to safeguard company resources, client information, and personal data entrusted to us.
TL;DR
- Authentication and Access Control
  - Strong Passwords: All users must create strong passwords with a mix of upper- and lowercase letters, numbers, and special characters. Passwords should be changed regularly and never reused across multiple platforms.
  - Two-Factor Authentication (TFA): TFA is mandatory for all company accounts, including email, project management tools, cloud storage, and financial systems.
  - Access Levels: Access to company systems and data will be granted based on role and necessity (the "least privilege" principle). Team members should only access the data required for their work.
- Data Protection and Storage
  - Secure Storage: Confidential files, client data, and internal documents must only be stored on approved company systems (e.g., company cloud servers, encrypted drives).
  - Prohibited Storage: Storing company data on personal cloud accounts (Google Drive, Dropbox, iCloud, etc.) or personal USB devices is strictly prohibited.
  - Data Encryption: Sensitive files must be encrypted both in storage and in transfer.
- Communication and File Sharing
  - Official Channels: Only company-approved communication platforms (e.g., WhatsApp group, Teams, company email) should be used for business correspondence.
  - Confidentiality: Employees must ensure that sensitive information is not shared outside the company without authorization.
  - Third-Party Tools: Any third-party software or platform must be vetted and approved before use.
- Threat Awareness and Reporting
  - Phishing Awareness: All team members must exercise caution when opening links, attachments, or requests from unknown or suspicious sources.
  - Reporting Incidents: Any suspected phishing attempt, malware, data breach, or unusual activity must be reported immediately to the IT/Security Team via the designated incident reporting channel.
  - No Delay: Prompt reporting ensures that threats can be contained before they cause wider harm.
- Device Security
  - Company Devices: Employees must keep company-issued laptops and devices updated with the latest security patches and antivirus software.
  - Personal Devices (BYOD): If personal devices are used for work, they must comply with company security requirements (password-protected, updated OS, antivirus installed).
  - Lost or Stolen Devices: Any lost or stolen device containing company data must be reported immediately so that access can be revoked.
- Internet and Network Usage
  - Secure Networks: Employees must connect only through secure Wi-Fi networks. Public Wi-Fi should only be used with a company-approved VPN.
  - Prohibited Activities: Downloading unauthorized software, accessing malicious sites, or using company devices for illegal activities is strictly forbidden.