Omega 365 IT Security Policy

Type: Policy / Best Practice 25. Apr 24 | Jan Christian Brataas

Purpose

This policy exists to keep IT security in focus, both in Omega 365's offices and when working remotely.

Scope

This policy applies to the use of electronic and computing devices, Omega 365 software and information, and network resources. All employees, contractors, consultants, temporary staff and other workers at Omega 365 and our subsidiaries are responsible for exercising good judgement regarding the appropriate use of information, computing devices and network resources when accessing Omega 365 systems, software or any other systems.

Cyber Security Awareness training course

Our Cyber Security Awareness training course is available for all employees and can be found on the Omega 365 Academy portal.

All employees are required to complete the Cyber Security Awareness training annually. 

General use and ownership

A client's proprietary information stored on electronic computing devices, whether owned or leased by Omega 365, remains the sole property of the client.

Omega 365's proprietary information stored on any electronic computing device remains the sole property of Omega 365.

All Omega 365 employees have a responsibility to promptly report the theft, loss or unauthorized disclosure of information, regardless of whether the information in question is Omega 365's or the client's.

Omega 365 employees shall not access, use or share any client's proprietary information unless the client has authorized it, and then only to the extent necessary to fulfil their work duties.

Unacceptable use

The following list presents activities that are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities.

Under no circumstances is an employee of Omega 365 authorized to engage in any activity that is illegal under local, state, federal or international law while accessing Omega 365 software or clients' resources.

The following activities are strictly prohibited, with no exceptions:

  • Accessing data, a server or an account for any purpose other than conducting Omega 365 business, even if the employee has authorized access.
  • Violating the rights of any person or company protected by copyright, trade secret, patent or other intellectual property laws or regulations.
  • Viewing or distributing pornography or other adult content on Omega 365 or clients' electronic/computing devices.
  • The introduction of malicious programs into the network or server (e.g. viruses, worms, Trojan horses, etc.).
  • Providing access to another individual, either deliberately or through failure to secure access, unless explicit permission is provided; this must be documented.
  • Revealing any account password to others, or allowing others to use your account. This includes family and other household members when work is being performed from home.
  • Effecting security breaches or disruptions to network communication. Security breaches include, but are not limited to, accessing data where the employee is not the intended recipient or logging on to a server or account that the employee is not expressly authorized to access, unless these actions are within the scope of regular work duties.
  • Providing information about a client's services to parties outside Omega 365.
  • Copying a client's data out of the environment where it is stored without the client's written approval.

Clean desk

No removable media or physical records (papers, reports, notes, USB memory sticks, etc.) that may contain sensitive information should be left on your desk when you are not present.

Laptop/Workstation security

  • To prevent unwanted access to Omega 365's systems, lock your workstation whenever you leave it.
  • Computers must utilize their operating system's built-in storage encryption features, such as BitLocker for Windows and FileVault for macOS, to ensure that data stored on the device is securely encrypted.
  • Always keep software on your workstation or laptop up to date.

Portable/mobile devices

  • Portable devices must be password protected. No hint about the password may be attached to, or written anywhere on, the device.
  • The device should be secured with a PIN code and/or lock pattern.
  • Do not download confidential information or access unsecured networks with the device unless you have written approval from the client.
  • Do not install security software that is not from a reputable vendor, or any software known to be malicious, on the device.
  • Where possible, the device shall be protected with anti-malware software.

Antivirus/spam

  • All Omega 365 workstations and laptops must have anti-virus software installed.
  • If the antivirus software detects that there is a virus or malware on the device, contact the IT department immediately.
  • This also applies if it appears that there is an error with the software, or other problems that prevent the software from protecting the workstation.

Credential Security

The Omega 365 user account policy is defined as:

  Enforce password history:                    5 passwords remembered
  Maximum password age:                        0 days (does not expire)
  Minimum password age:                        0 days
  Minimum password length:                     14 characters
  Password must meet complexity requirements:  Enabled
  Store passwords using reversible encryption: Disabled
  Account lockout duration:                    30 minutes
  Account lockout threshold:                   5 invalid logon attempts
  Reset account lockout counter after:         30 minutes

  • Multi-factor authentication enabled where possible. 
  • Omega 365 Azure Active Directory user accounts require multi-factor authentication.
  • Credentials are not stored in an unencrypted format. Reversible encryption is not used to encrypt credentials.
  • Account sharing is strictly forbidden. All employees shall have and use their own user account only, and shall not share their credentials with anyone. 
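The account policy above is enforced by Windows/Active Directory, but the same rules are often needed in application code (for example a self-service password change in an Omega 365-hosted application). The following is an added example, not code from Omega 365 or from this policy: it checks a candidate password against the stated values (14-character minimum, five-password history, complexity enabled) using the Windows "Password must meet complexity requirements" rule as Microsoft documents it (three of five character classes; no account name or display-name token of three or more characters). The account name, display name and passwords are constructed test data; the PBKDF2-based history store is an assumption about how history would be kept, not a description of how Windows stores it.

```python
"""Check candidate passwords against the account policy defined above."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 14        # "Minimum password length: 14 characters"
HISTORY_DEPTH = 5      # "Enforce password history: 5 passwords remembered"
# Delimiters the Windows complexity rule uses to split the display name.
_DELIMS = re.compile(r"[,.\-_ #\t]")


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 for the history store (assumed design, not Windows' own).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def remember(password: str, history: list) -> list:
    """Add a salted hash to the history and keep only the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))
    del history[:-HISTORY_DEPTH]
    return history


def in_history(password: str, history) -> bool:
    """True if the password matches any remembered entry (constant-time compare)."""
    return any(hmac.compare_digest(_hash(password, s), h) for s, h in history)


def character_classes(password: str) -> set:
    """Classify characters into the five classes the Windows rule counts."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif "0" <= ch <= "9":           # base-10 digits only
            classes.add("digit")
        elif ch.isalpha():               # alphabetic but neither upper nor lower (e.g. CJK)
            classes.add("other_alpha")
        else:
            classes.add("special")
    return classes


def contains_name(password: str, sam_account_name: str, display_name: str) -> bool:
    """Reject passwords containing the account name or any display-name token.

    As in Windows: case-insensitive, account names shorter than 3 characters
    are skipped, and display-name tokens shorter than 3 characters are ignored.
    """
    pw = password.casefold()
    if len(sam_account_name) >= 3 and sam_account_name.casefold() in pw:
        return True
    return any(len(t) >= 3 and t.casefold() in pw for t in _DELIMS.split(display_name))


def check_password(password: str, sam_account_name: str, display_name: str,
                   history=()) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < 3:
        problems.append("fewer than 3 character classes")
    if contains_name(password, sam_account_name, display_name):
        problems.append("contains account name or a display-name token")
    if in_history(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample account, not a real user.
    user, name = "jdoe", "Jane Doe-Smith"
    for candidate in ("Correct-Horse-Battery-42", "Short1!",
                      "alllowercaseletters", "Jane-Loves-Coffee-2024!"):
        print(f"{candidate!r}: {check_password(candidate, user, name) or 'OK'}")
```

Note that the complexity rule alone still accepts weak but "compliant" strings such as `Password123456!`; the policy's multi-factor requirement below is what limits the damage from a guessed password, and a lockout threshold of 5 attempts with a 30-minute window is what blunts online guessing.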

Social engineering

  • Be alert to third parties you do not know trying to obtain confidential work-related information from you. Be aware that this can also happen in informal settings outside office hours.
  • Always get confirmation from an Omega 365 manager who can verify any action an unknown party asks you to take.

Phishing mail/phone calls

  • Avoid opening attachments and clicking on links when the content is not adequately explained (e.g. “watch this video, it’s amazing”).
  • Be suspicious of click-bait titles (e.g. offering prizes, advice).
  • Check the sender address and display name on received messages to ensure they are legitimate; a familiar name over an unfamiliar address is a warning sign.
  • Look for inconsistencies or giveaways (e.g. grammar mistakes, odd capitalization, an excessive number of exclamation marks, urgency or pressure to act immediately).
  • If you are unsure, contact the sender using a phone number you already know (not one given in the message), or contact your IT support/security center or your manager.

Confidential data

Confidential data is secret and valuable. Common examples are:

  • Unpublished financial information.
  • Data of clients/partners/vendors.
  • Client lists (existing and prospective).

All employees are obliged to protect this data.

Transfer of confidential information

Before transferring confidential information, it is your responsibility to assess whether the transfer is lawful and necessary, to ensure that the associated risks are understood and covered, and to make sure the transfer is properly authorized.

Public Wi-Fi/Remote/Home network

Always use the VPN when on public or remote networks (cafés, airports, clients' offices or other public spaces). If you do not have VPN access, or are not sure whether the network you are connected to is sufficiently secured, use your phone's hotspot instead. When working from home, ensure that your network is protected by a firewall and that the Wi-Fi uses a strong password with WPA2 or WPA3 encryption.

VPN connection

If you connect to the Omega 365 VPN from a workstation outside Omega 365's network, you are responsible for ensuring that the workstation has antivirus and anti-malware enabled and is not infected. If you are in doubt about this, or need help resetting 2FA, contact the IT department, who will guide you through the procedure.

Theft of Omega 365 equipment

  • Any theft of Omega 365 equipment shall be reported to the employee's manager, who will coordinate with the IT department.
  • The theft of a mobile phone must also be reported to the IT department, who will remotely wipe the phone's contents as soon as it comes online.

Use of a PC in a meeting room

  • When using a meeting room PC, remember that other users of that PC may be able to access your downloads, passwords saved in the browser and any other sensitive information you leave on the device.
  • Don't accept any software's request to save user account information, including passwords.
  • Ensure that you log out of all open sessions (browser, applications, etc.) after you are done using the meeting room.
  • Delete any files downloaded.

Non-compliance

  • Use of systems that conflict with established routines, as well as security breaches, will be treated as non-conformities.
  • Non-conformities must be documented in Omega 365's Incident Register.

If the non-conformity has led to the unauthorized disclosure of confidential data, the Omega 365 IT Department and your manager will be notified.
An employee who is found to have violated this policy may be subject to disciplinary action, up to and including the termination of their employment.

Report events

  • Any suspect e-mail, SMS or call should be reported to phishing@omega365.com
  • Any suspect user activity within our systems should be reported to hosting@omega365.com
  • Any other information security related event should be reported to hosting@omega365.com