1. Purpose
This IT Policy establishes the framework for the responsible use, management, and security of the company’s IT resources. It applies to all employees and aims to increase awareness, streamline IT operations, and ensure robust security across the organization. Employees are required to comply with all relevant laws, regulations, and internal policies regarding IT usage and development.
2. Scope
This policy applies to all technology and electronic information systems used within the organization, including hardware, software, networks, and communication systems. It covers:
IT resource management and usage.
Security protocols for safeguarding company and customer data.
Procedures for handling IT incidents.
3. IT Resource Management and Usage
Information and Equipment
All software must be approved and installed by the Chief Product Officer (CPO) or IT Department.
Employees must ensure all installed software has valid licenses.
Lost or stolen equipment, or any suspicion of unauthorized access, must be reported immediately to the CPO.
Internet Usage
Internet access is a work tool and should align with the company’s objectives.
Employees must not visit offensive, inappropriate, or illegal websites, nor use the Internet for unethical purposes.
Downloading unauthorized files or software is prohibited and may result in disciplinary action.
Good security practices, such as avoiding unauthorized downloads and not accessing suspicious links, must be adhered to.
Email Usage
Employees must manage their company email accounts responsibly, reviewing and organizing them regularly to prevent storage overload.
For extended absences, employees must set up an out-of-office reply redirecting emails to a designated colleague.
In exceptional cases (e.g., suspected misconduct), the company reserves the right to access employee emails, balancing privacy and organizational interests.
4. IT Security
Network and System Security
The network must be protected against unauthorized access and intrusion.
All major IT changes require a pre-implementation risk analysis.
Backups must be securely maintained to protect against data loss or damage.
Suspicious emails or files must not be opened and should be reported to the IT team or CPO.
The CPO is responsible for the operation, maintenance, and regular review of security systems.
Account Security
Employees are assigned unique usernames and must create strong passwords that are confidential and updated regularly.
Two-factor authentication (2FA) is mandatory for applications supporting it and must be enabled wherever available.
5. Monitoring and Compliance
Internet and System Use Monitoring
The organization monitors Internet usage to ensure compliance with this policy, including logging visited pages and conducting random checks.
Certain websites or domains may be blocked without prior notice if deemed non-compliant with company policy.
File Management
The company reserves the right to delete unauthorized files such as music or video content from systems without prior notice.
Abuse and Misuse
Misuse of IT resources may result in inspections of network and computer use.
Violations of this policy may lead to disciplinary actions, ranging from warnings to termination of employment, depending on the severity of the violation.
6. Incident Management
Purpose of Incident Management
The goal of incident management is to prevent recurrence, improve processes, and enhance security. Employees must report incidents promptly and follow established procedures to mitigate risks.
Incident Reporting and Handling
Employees must immediately report security-related incidents to the CPO.
The company will investigate incidents and determine corrective actions, including:
Conducting root cause analysis.
Revising processes to address vulnerabilities.
Implementing necessary protective measures.
Post-Incident Evaluation
Incident outcomes are documented to improve the organization’s ability to prevent, detect, and respond to future incidents.
7. Employee Responsibilities
Employees are responsible for adhering to this policy and safeguarding IT resources.
They must actively participate in training and remain informed about IT security protocols.
8. Roles and Accountability
CPO and IT Department
Oversee IT operations, resource management, and security measures.
Regularly review and update IT policies to address evolving security and business requirements.
CEO
Ultimately accountable for the company’s IT strategy and compliance with this policy.
9. IT Incident Policy
Incident Objectives
The IT Incident Policy outlines actions to prevent, address, and learn from incidents affecting IT resources. Goals include:
Enhancing the company’s information security posture.
Supporting informed decision-making to implement protective measures.
Preventing similar incidents through improved processes.
Key Steps in Incident Management
Support Information Security: Respond promptly to incidents to contain and mitigate risks.
Improve Situational Awareness: Maintain clear visibility of potential threats and vulnerabilities.
Prevent Recurrence: Update processes based on lessons learned from incidents.
10. Review and Updates
This policy is reviewed and updated annually or in response to significant changes in technology, regulatory requirements, or operational needs. Feedback from employees and incident evaluations informs updates to strengthen compliance and security.