IT means all the technology used to communicate, store and process electronic information. All employees have an obligation to comply in all respects with the laws, regulations and government regulations that exist regarding the use and development of IT.
Purpose
This policy applies to employees within the company and aims to create a clear structure for how IT should be handled and used in the company. It will increase knowledge about IT, streamline the flow and use of information, and increase security in the business.
Guidelines
Information and equipment
All programs must be installed by the CPO and be approved by the immediate supervisor. Each computer must have approved software licenses for the programs that are installed. If any equipment is lost or if unauthorized access to equipment is suspected, this must be reported immediately to the CPO.
Internet
Access to the Internet in the workplace should be seen as a work tool. When you use the Internet at your workplace, you represent the company’s organization. In all communication on the Internet, you leave traces on the websites you visit. It is therefore not permitted to visit offensive or otherwise inappropriate places or to use the Internet for illegal, offensive or unethical purposes.
The use of the company’s IT resources must not conflict with the company’s business goals or create badwill. The company assumes that all communication on the Internet within its organization follows good practice.
It is important to keep the security aspects in mind when using the Internet. It is not permitted to download files, software or for that matter copy protected digital material if it is against the law.
All employees have a personal email address, are responsible for it, and must make sure that it is reviewed daily and that email is sorted so that the storage capacity does not fill up.
In the event of a longer absence or leave, there must be a system for handling incoming e-mail. The employee must ensure that an automatic message responds to incoming mail and refers to a colleague who is on site.
In exceptional cases, the employer may receive the employees' e-mails. However, this only applies when there are strong reasons to do so, for example in case of suspicion of disloyalty, serious breaches of the employment contract or criminal conduct. The employer always weighs the interests involved when deciding whether receiving the employees' e-mails is appropriate.
IT security
Information security must have an established structure with clear routines where the level of security is weighed against accessibility and efficiency. The following guidelines apply:
The network must be well protected against intrusion. All software installation must be performed by the CPO.
A risk analysis must be prepared before major changes are implemented.
Information must be protected against damage and loss through a secure backup system.
E-mails where the content is unknown or where files are attached should be handled with care, as they may contain a virus. Suspicious messages must not be opened.
The CPO must be responsible for maintenance and operation and regularly check the security system.
Account security, username and password etc.
In order to be able to identify employees and minimize the risk of data breaches, each employee has their own username and password. The employee is assigned the username but must choose their own password.
In order to protect the business against unauthorized persons, the password of each employee must be kept secret and also changed at regular intervals. Two-step verification must be used on all occasions where it is supported.
For some of the applications the company uses, two-step verification is a requirement.
Control
When using the Internet, the technical system notes which pages you have visited. The organization's Internet use is monitored in order to ensure that the use follows the company’s policy. Thus, there may be random checks on your Internet use. The company reserves the right to block certain Internet addresses or domains that are contrary to IT policy without notice.
The company reserves the right to check and delete music, video (and similar) files from both the network and users' computers without notice.
Abuse
In the event of abuse or suspicion of abuse, checks on the use of computers, networks and the Internet can be carried out. In the long run, the employment of the individual may be questioned in the event of a breach of this policy. If the inspections show that the guidelines have been violated, the matter may be investigated by the human resources manager. The employer will primarily try to bring about correction through remarks or similar procedures. In the case of more serious abuse, disciplinary action may be taken. If there is a suspicion of anything security-related, the CPO must always be contacted.
Responsibility
The company's CEO is ultimately responsible for the company's IT strategy and this IT policy. The IT department or the CPO is responsible for operations and security.
IT Incident Policy
The main purpose of an IT incident is to make events visible to teach us how and what the company needs to change in the processes so that it does not happen again. However, every employee needs to ensure that they can benefit from new or changed processes in development, without creating safety risks for the equipment and the organization. See also “Incident communication”.
This is done by following these points (where applicable):
Support the company's information security
Enable an improved status picture of information security
Create conditions for taking the right protective measures
Develop the company’s ability to prevent, detect and manage any IT incidents