Glucode Handbook

Information Technology

General

Glucode’s IT Policy provides the policies and procedures for the selection and use of IT equipment, systems, software and services within the Company (Glucode), which must be followed by all employees of Glucode. This policy document also provides the guidelines Glucode will use to administer these policies, with the correct procedures to follow.

This policy is supported by a range of security controls documented within operating procedures, technical controls embedded in information systems and other controls that will be advised to employees from time to time by the IT Department through information security standards, procedures and guidelines.

Any suggestions, recommendations and/or feedback on the policies and procedures specified in this document are welcome.

Info

This policy is applicable to all computer systems including, but not limited to, personal computers (“Desktop Computers”), servers, networks, cloud infrastructure, printers, fax machines, mobile telephones, programmes etc.

This policy was created to:

  • protect Glucode’s and its clients’ information by safeguarding its confidentiality, integrity and availability
  • establish safeguards to protect the information resources from theft, abuse, misuse and any form of damage
  • establish responsibility and accountability for Information Security within Glucode
  • encourage you to maintain an appropriate level of awareness, knowledge and skill to allow you to minimise the occurrence and severity of Information Security incidents.

Warning

Security education, training and awareness programmes will be conducted to ensure that you are aware of security threats and concerns and are equipped to apply the security principles at all times.

Recording of Communications

Employees are prohibited from recording conversations, video meetings, and telephone calls without the consent of all participants involved. Additionally, any recorded information cannot be shared with anyone else without obtaining explicit written consent from all parties involved. This is to ensure the confidentiality and integrity of all communications within Glucode.

Hardware

Info

Computer hardware (internal and external) refers to all physical parts of a computer and related tangible devices.

This policy provides guidelines for the usage of hardware for Glucode to ensure that all hardware technology is appropriate and up to date.

All hardware acquired by Glucode shall remain the company’s property at all times.

You are expected to:

  • check out any of Glucode’s hardware through our equipment checkout process
  • keep your equipment in a clean and neat state (including all adapters, cables and/or chargers)
  • enroll all Glucode’s equipment (laptops, test devices etc) on our MDM profiles under the supervision of our IT department
  • report any hardware failures to the IT Department immediately

You are prohibited from

  • setting up and enrolling your equipment yourself; only the IT department may set up and enroll our equipment
  • tampering with your hardware in any way
  • leaving your equipment unattended at your work space (your work desk at home and/or at the office)
  • leaving your equipment unattended in your vehicle
  • connecting personal or unsolicited hardware to the company network
  • connecting any external storage devices such as USB drives, Hard Drives or Solid State Drives to your computer at any time for any reason
  • cleaning your screen with rubbing alcohol; you may only use a damp cloth
  • using any liquids to clean your keyboard
  • adding any stickers and/or vinyls to your equipment

Danger

In the event of loss, damage and/or theft to your equipment, you must report it immediately to your Head of Department.

Any loss, damage and/or theft due to your negligence and/or non-compliance with our IT policy will result in you being held liable to replace the equipment.

Test Devices

Test devices should be used to test features related to the product you are working on. Their primary function is to debug or verify. At times, some features cannot be tested in the simulator and here having actual hardware is vital. In most cases having a test device serves as hardware verification for a feature, bug and/or update.

Info

Test devices are issued out on a needs basis and aligned with project requirements.

When checking out a test device, you accept all responsibility for this device, and all the same rules on usage, confidentiality and storing of your device remain applicable.

You are prohibited from:

  • tampering with your test device in any way
  • leaving your test device unattended at your work space (your work desk at home and/or at the office)
  • leaving your test device unattended in your vehicle
  • connecting or installing any personal, unsolicited or unauthorised software/hardware to the test device
  • using the test device for any and all personal use
  • using the test device for any reason other than executing your duties
  • requesting a test device for any reason other than to test the software

Warning

Any damage to the test device as a result of your negligence, usage outside of executing your duties, personal use, misconduct and/or any prohibited use will result in you being held liable for the repairs or replacement of the device.

Breach

Any existing damage to any company equipment needs to be listed in the checkout form before the device is taken out. In the event of any damage to any company equipment, you need to submit proof along with the equipment checkout form.

In the event where a breach is detected by you due to unauthorised access, intentional or accidental damage or interference, the IT department will be tasked with conducting a thorough investigation and an incident report will be compiled.

Your Head of Department will then take the necessary disciplinary action against you and if found guilty, you will be dismissed. Management may be held accountable for the protection of assets under their authority.

Should you have knowledge of any breach of this policy, and/or fail to disclose information pertaining to the said breach to the relevant IT Department, you will be considered to be complicit in the breach and the necessary disciplinary action will apply to you as well.

Software

Info

Software is a general term for the various kinds of programs used to operate computers and related devices.

This policy provides guidelines for software usage by all within Glucode. This is to ensure that all software use is appropriate.

All software:

  • must be appropriately registered with the supplier where this is a requirement
  • installations may only be carried out by IT
  • may only be downloaded from our Concierge app and/or with written permission by IT
  • downloads and web downloads must be authorised by IT before the app is downloaded and installed

Passwords

You are expected to download and use 1Password to generate and store passwords used to log in to work-related applications.

The selection of passwords, their use and management must be in accordance with best practice guidelines. It is your responsibility to ensure the secrecy and safeguarding of your passwords.

You will be required to use a password that has a minimum length of 14 characters.

This is the only requirement; there is no need for complexity-focused additions like uppercase, digits, etc.

The minimum length adds enough strength for this to be deemed secure and is in line with the latest NIST (National Institute of Standards and Technology) password recommendations.

Danger

Under no circumstances whatsoever may you, for any reason, share your password with any other person, including the internal IT staff and technicians or other employees of any third-party service providers.

Re-using of passwords for multiple services

Reusing the same password with multiple services is typically heavily discouraged, as the compromise of a service with weak security could put all of your accounts into a compromised state at the same time.

In an ideal scenario, we’d protect all three of the accounts listed below with the same set of corporate credentials. Unfortunately, this is not currently possible due to platform and vendor incompatibilities. That being said, we would have no objection to you using the same password / passphrase for these three accounts.

Please note that this DOES NOT extend beyond these three accounts:

  1. Your Mac’s local user account
  2. Your Azure AD account (user@glucode.com)
  3. Your 1Password account

For all other passwords you should be using secure random passwords generated and stored within your 1Password vault.

Passwords vs Pass phrases

A passphrase is a string of unrelated words that you use as a password. Because they’re made of words, passphrases are often easier to remember than conventional passwords. It’s the sheer length of a good passphrase, as well as the randomness of the words in it, that makes it so secure.

Good passphrase examples and passphrase ideas

Good passphrases are easy for you to remember and hard for hackers to guess. And since they’re so long, they’re very difficult for hackers to crack via brute-force attacks.

Here are a few good passphrase ideas created with 1Password:

  • console-shrubbery-bronchial-various-squatter
  • Broadways&Swimmer&Argue7&Pursuant&Dramatize
  • Rickety Output Oxidant Deem Spotless
  • unguarded3 superglue evacuee paddling gloomy shuffling
  • seclusion.roast.chop.unrated9.quarrel.morbidly.planner

Info

Please do not use the above examples as your passwords.

How to remember a passphrase

The best way to remember your passphrase is to create a story that ties all the words together. This story can be as simple or as complex as you like — so long as you can remember it, then it’s done its job.

Let’s consider the first passphrase in the previous section:

console-shrubbery-bronchial-various-squatter

The story here might be that, while playing my video game console, I noticed the shrubbery outside was causing bronchial distress for the various squatters living nearby. If I need to remember my passphrase, I can just look at my video game console, and the rest of the story will fall into place.

Multi-factor/Two-factor Authentication (MFA/2FA)

You must:

  • enable and use Multi-factor Authentication when signing in to applications
  • use the Microsoft Authenticator application to authenticate your log-ins

Danger

If any suspicious activity, such as unexpected or unrequested authenticator requests, is observed, it must be reported to IT immediately.

Internet Usage

Glucode accepts that the use of the Internet is a valuable business tool; however, misuse of this facility can have a negative impact upon your productivity as well as departmental efficiency.

Therefore, the IT Department maintains the right to monitor and log the volume of Internet and network traffic, including but not limited to Internet sites visited, files downloaded by users, etc.

The specific content of any transactions will not be monitored unless there is a suspicion of improper use or policy violation.

Danger

You are responsible, accountable and liable for all your activities while browsing the internet.

Prohibited use

The list below illustrates, but does not limit, what shall be deemed abuse of internet resources under this policy.

You are granted access to internet-connected resources and need to use that access in a way which is consistent with your job function, even when the access is after hours.

You are prohibited from:

  • playing online games unless permission is given
  • downloading of copyrighted material including videos, music, software and/or any intellectual property
  • accessing web sites and material that may be offensive to other employees. This includes, but is not limited to, pornography and hate speech web sites
  • using the internet to conduct criminal or fraudulent activities
  • using the internet to illegally monitor, gather information about any individual, entity or organization
  • using the internet to conduct any personal business operations at the expense of the department’s bandwidth and resources
  • using the internet such that it interferes with your productivity, this includes WIFI
  • sharing of usernames and passwords used to access the internet with other people including employees
  • distributing of passwords or any sensitive user account information through the internet
  • impersonating, misrepresenting or suppressing a user’s identity when accessing the internet
  • using profanity, obscenities or derogatory, sexist, racist, highly sensitive, offensive or defamatory remarks while using the internet
  • using the internet to access malicious sites and download illegal material
  • sharing Glucode’s Wi-Fi password with anyone outside the company without written approval from the IT department.

Breach

In the event where a breach is detected, the IT department will be tasked with conducting a thorough investigation and an incident report will be compiled.

Attempting to undermine or sabotage network security, to impair the functionality of the network, or to bypass restrictions set by IT, or assisting others in violating these rules, is unacceptable behaviour.

Contravention of the above shall constitute a case of misconduct in terms of this policy and disciplinary action shall be instituted against the person concerned.

The relevant manager of such an employee will then take the necessary disciplinary action against such mentioned employee and if found guilty the employee will be dismissed.

The procedures to be issued by the manager responsible for information technology management in relation to this policy shall make specific provision for the registration or deregistration of any changes to the details of registered users.

Should you have knowledge of any breach of this policy, and/or fail to disclose information pertaining to the said breach to the IT Department, you will be considered to be complicit in the breach and the necessary disciplinary action will apply to you as well.

Email

Glucode makes email available to you where relevant and useful for your work. Glucode also recognises that email is a key communication tool with our clients.

When used inappropriately, email can be a source of security problems for the company.

You must not:

  • open email attachments from unknown sources, in case they contain a virus, Trojan, spyware or other malware.
  • disable security and/or email scanning software. These tools are essential to protect Glucode from security threats.
  • access another employee’s company email account. If you require access to a specific message in another employee’s inbox (for instance, while the employee is off sick or on leave), the IT department should be approached for assistance.

Email is the most frequently-used method for transmitting computer viruses. Files and documents containing viruses can be transmitted via e-mail. These files and documents, which may be attached to e-mail messages, must always be checked for viruses before they are accessed, executed, or distributed to other users. Unsolicited email must be treated with caution, not responded to and computer files received from unknown senders deleted without being opened and reported immediately to IT.

Warning

Report all unsolicited emails to phishing@glucode.com immediately.

You need to use emails in a way which is consistent with your job function, even when the access is after-hours.

Email etiquette

You need to be aware that each email communication sent from our domain affects Glucode’s image and reputation. The rules below shall apply as good email etiquette.

You must:

  • always use a meaningful subject line rather than leaving the subject line blank or using a single word like ‘hello’
  • only use the ‘important message’ setting sparingly, for messages that are of importance
  • avoid unnecessary use of ALL CAPITAL LETTERS in messages or subject lines which can be perceived as rude and impolite
  • be sparing with group messages, only adding recipients who will find the message genuinely relevant and useful
  • ensure the correct recipients have been added to the email
  • use the ‘CC’ (carbon copy) field sparingly. Should there be need for an employee to receive a message, they should be included in the ‘To’ field.
  • use the ‘BCC’ (blind carbon copy) field to send group messages where appropriate. It stops an email recipient from seeing the other email recipients on the email.

You must not:

  • forward chain emails or ‘humorous’ messages. These unnecessarily clog up inboxes
  • forward and/or share any personal information which is not encrypted and password protected
  • write or send emails that might be defamatory or incur liability for the company
  • create or distribute any inappropriate content or material via email
  • use email for any illegal or criminal activities
  • transmit threatening, offensive or harassing information (messages or images) which contains derogatory, defamatory, abusive, obscene, pornographic, profane, sexually oriented, threatening, racially offensive, or otherwise biased, discriminatory, or illegal material
  • send messages or material that could damage Glucode’s image or reputation
  • use our email for private and/or personal profit activities, which includes the use of email services for private purposes such as marketing or business transactions, private advertising of products or services, and any activity meant for personal gain and/or of a personal nature.

Inappropriate email content and use

Glucode’s email system must not be used to send or store inappropriate content or materials.

Viewing or distributing inappropriate content via email is not acceptable under any circumstances.

Inappropriate content includes:

  • pornography, racial or religious slurs
  • gender-specific comments
  • information encouraging criminal skills or terrorism
  • materials relating to cults
  • gambling and illegal drugs
  • any text, images or other media that could reasonably offend someone on the basis of race, age, sex, religious or political beliefs, national origin, disability, sexual orientation, or any other characteristic protected by law.

Danger

If you receive an internal email that you consider to be inappropriate, you must report it immediately.

Monitoring and enforcement

Glucode’s email system and software are provided for legitimate business use.

We reserve the right to monitor your use of email; such monitoring will only be carried out by authorised staff.

This policy covers not only the use of Glucode-provided e-mail systems, but also the acts of sending and receiving electronic mail via the Internet.

Additionally, all emails sent or received through the company’s email system are part of official Glucode records.

We can be legally compelled to present email communications information to law enforcement agencies or other parties. Therefore, you should always ensure that the business information sent via email is accurate, appropriate, ethical, and legal.

Personal and Mobile Devices

Glucode acknowledges the importance of mobile technologies in improving business communication and productivity.

In addition to the increased use of mobile devices, you have the option of connecting your own mobile devices to our Wi-Fi network as well as having your work emails on your personal mobile devices.

If you use your mobile device for work purposes, you agree to

  • abide by our internet policy for appropriate use and access of internet sites etc
  • make every reasonable effort to ensure that our data is not compromised through the use of mobile equipment in a public place. Screens displaying sensitive or critical information should not be seen by unauthorised persons and all registered devices should be password protected
  • notify our IT department IMMEDIATELY in the event of loss or theft of any Glucode device(s) and/or any personal devices with company information on it.

You may not

  • share the device with other individuals, so as to protect the company’s data from being accessed through the device
  • connect external hard drives and USB memory sticks from an untrusted or unknown source to laptops or computers
  • download or transfer business or personal sensitive information to the device. Sensitive information includes Glucode’s intellectual property, employee details etc

Keeping devices secure

The following must be observed when handling mobile computing devices (such as notebooks, Tablets and iPads):

  • Mobile computer devices must never be left unattended in a public place, or in an unlocked house, or in a motor vehicle, even if it is locked. Wherever possible they should be kept on you or securely locked away
  • Cable locking devices should also be considered for use with laptop computers in public places, e.g. in a seminar or conference, even when the laptop is attended.
  • Mobile devices should be carried as hand luggage when travelling by aircraft.
  • Always screen lock mobile devices when stepping away from them, even for a few minutes.

Danger

This policy is mandatory unless the Glucode IO and CTO grant an exemption in writing. Any requests for exemptions from any of these directives should be made in writing to the IT Department via email.

Compliance

All employees and other individuals acting as volunteers and representatives on behalf of the Company must familiarise themselves with this policy.

You are required to adhere to the highest standards of excellence and morality in all your activities.

This policy is an important guideline to maintain high ethical standards in all academic activities at the Company.

All breaches of this policy may be regarded as misconduct and may result in disciplinary action up to and including dismissal as per the Company’s Disciplinary Code and Procedure.

Warning

Glucode has a zero-tolerance approach to ensure diligent compliance.

Surveillance

The company may take disciplinary action against you, amongst others, for conduct which contravenes the codes of good practice of the company, such as excessive use of the internet by surfing pornographic or ‘undesirable’ sites and social media platforms during working hours, as well as excessive use of the e-mail facility in sending excessive or inappropriate personal e-mails from work during working hours, or making excessive or unauthorised calls.

You are reminded that company resources, computers, and any company-issued communication devices belong to the company. You must use them strictly for work-related purposes.

The company reserves the right to track you via the internet, email and phone use and may use this right to do random checks.

The company further reserves the right and is entitled to protect its property and can install security cameras in the workplace within designated work areas and meeting rooms.

You should be aware that you do not have a legitimate expectation of privacy when using the company’s email system to communicate with friends and family and most importantly to competitors or other companies alike.

  • The Constitution gives individuals the right not to have their communications infringed, however, Section 36 of the Constitution says that if there is a law of general application, a law that applies to all citizens and not to a specific group of people, that general law may limit any rights of a citizen that is contained in the Bill of Rights.
  • The Regulation of Interception of Communications and Provision of Communication-Related Information Act No 48 of 2008 is such a law and provides that it is not unlawful to intercept communications.
  • Lastly, the Electronic Communications and Transactions Act of 2002 states that an employer may intercept the communications of its employees where it is a party to such communications, where the employees have given their prior written consent to interception, or if the communication happens in the course of carrying on the business of the employer.

Disclosing or sharing information with third parties which is against the company’s business interests will be considered as gross misconduct which may lead to irreparable damage to the continued working relationship. If the trust relationship has been broken, either during or after working hours, the misconduct can become the basis of disciplinary action and justify an immediate dismissal.