This policy describes what we expect from you in the area of information security. One of the biggest risks is that an attacker gains access to our systems through the login credentials of one of us: employee, board member, or volunteer. You are therefore an important link in our security. This document explains what you yourself must do and check.
Only log in to company software using devices (laptops, tablets, or phones) that:
- Are from a .
- Run an operating system that is still supported by the manufacturer.
- Have all relevant updates installed promptly and no suspicious software.
- Are secured with a PIN or biometrics (fingerprint/face) to unlock. If using a PIN, always use at least 4 different digits without repetition or a fixed pattern (so no 1111, 1234, or 2468).
- Have automatic screen lock enabled. Your screen should lock automatically within five minutes, and you should lock your device manually any time you finish using it or take a break.
Specifically for computers:
- Install security software (also known as endpoint protection or antivirus) on your computer. This protects you against viruses and malware, ransomware, suspicious program behavior, and dangerous websites. Examples: Microsoft Defender (built into Windows), Malwarebytes, or Bitdefender. On a Mac, macOS offers built-in protection, but a supplementary package such as Malwarebytes or Bitdefender is recommended.
- Ensure disk encryption is always enabled: Device Encryption and/or BitLocker (Windows) or FileVault (Mac).
- When working outside the office, use your home network or a hotspot via your own smartphone. Do not use public Wi-Fi networks (such as on a train or in a coffee shop); these are inherently insecure.
- Do not download large files for non-business use over the office network.
- Use our password manager to store all your passwords.
- Store passwords only in the password manager (not in your browser, on paper, or in emails, for example).
- Need a new password? Don't create one yourself: always let the password manager generate one.
- Use each password only once (never for multiple accounts).
- In principle, do not share passwords for personal accounts with colleagues or third parties. If it is ever exceptionally necessary, share passwords only via the password manager. Keep the access period as short as possible.
- Enable two-factor authentication wherever possible on all your company software accounts. For frequently used company software (such as Google, Slack, Asana, etc.) we enforce this centrally.
- Biometrics (fingerprint/face) may be used as an alternative to a password - the underlying passwords must still comply with the password policy.
- Store company information in the designated cloud storage. Never store company information locally on your device.
- Apply the principle of data minimisation: collect as little personal data as possible (in accordance with GDPR).
- Regularly check whether there are files on your devices that do not belong there. Move or delete them (think of your desktop, downloads folder, and recycle bin).
- Do not use removable storage media (USB drives, external hard drives) for company information. Also do not connect any removable storage media to company devices.
- Never share information marked as 'Internal' or 'Confidential' with external parties.
We know that a security incident will happen at some point. The faster we know about it, the more damage we can limit.
Report immediately to the XXX internal reporting point if you:
- Have clicked on a suspicious link.
- Have accidentally left login credentials somewhere.
- Suspect your account has been taken over.
- Have received a suspicious email.
- Notice your device is behaving strangely, has been stolen, or is lost.
- Are aware of a data breach, hacking attempt, or misuse of intellectual property.
- Have suggestions for improving our information security, or questions about it.
Have you received a phishing email? Also share it with the entire team (XXX which Slack channel), so that everyone stays alert.
By signing this document you declare that you have read the content, understand what is expected of you, and will act accordingly.
After signing, minor changes may be published without requiring a new signature. For major changes, you will be asked to sign the policy again.