1. Purpose
This policy provides comprehensive guidelines to ensure the security and protection of ManoByte, Inc.'s data, systems, and devices, particularly in a remote work environment. It covers best practices for data encryption, incident reporting, access control, and device management.
2. Scope
This policy applies to all employees, contractors, and third-party vendors who have access to ManoByte’s systems, data, and networks. It covers all digital assets, company-issued devices, and remote work environments.
3. Data Protection Guidelines
- Clean Desk Policy: Employees must ensure that no sensitive company or client data is visible on their workstations when stepping away from their workspace. This applies to both physical and digital documents.
- Computer Lock Policy: Employees are required to lock their computers when stepping away from their workspace, even for short periods. Automatic locking after a specified inactivity period (e.g., 5-10 minutes) must be enabled.
- External Storage Media Security: Employees are prohibited from using unauthorized external storage devices (such as USB drives or external hard drives) without approval. Approved media must be encrypted, and sensitive data stored on it must comply with security protocols.
- Password Management: All corporate-managed devices must follow password security standards, including strong passwords and multi-factor authentication (MFA). Passwords must not be reused across different systems.
4. Remote Work Security
- Secure Wi-Fi: Employees must use secure, password-protected Wi-Fi networks when working remotely. Public or unsecured Wi-Fi must not be used unless a VPN is active.
- Private Work Environment: Employees must ensure they work in a secure, private environment, avoiding public spaces where screens can be seen by unauthorized individuals.
- Device Security: All devices used for remote work must be encrypted, have up-to-date antivirus software, and be regularly updated.
5. Incident Reporting and Response
- Immediate Reporting: Employees must report any suspected security incidents (e.g., unauthorized access, lost devices, phishing attempts) to IT or the VP of Operations immediately.
- Incident Types:
  - Unauthorized access to systems or sensitive data.
  - Loss or theft of company devices.
  - Phishing, malware, or other security threats.
- Response Procedures:
  - IT will initiate containment measures (e.g., disabling accounts or isolating systems) to mitigate risks.
  - The incident will be fully documented, including the response and outcome.
  - Leadership will be notified in cases involving sensitive data or major security threats.
6. Data Encryption
- Google Workspace Encryption: All data stored in Google Workspace, including email, documents, and files, is automatically encrypted both at rest and in transit using industry-standard encryption methods (e.g., AES-256 for data at rest and TLS/SSL for data in transit). This meets ManoByte's encryption requirements for data stored in Google services.
- Other Systems Encryption: For any systems outside of Google Workspace that store or transmit sensitive data (e.g., HubSpot, third-party tools), encryption must be implemented. This includes:
  - Data at Rest: Sensitive data must be encrypted using industry-standard encryption (e.g., AES-256).
  - Data in Transit: Data must be transmitted over secure, encrypted channels such as HTTPS or TLS/SSL.
- Backup Encryption: Backups of sensitive data, even if stored in third-party services, must be encrypted to protect against unauthorized access.
7. Access Control and Permissions
- Role-Based Access Control (RBAC): Access to systems, tools, and data will be based on employee roles and responsibilities. Employees will only be given the minimum level of access necessary to perform their job functions.
- Quarterly Access Review: Access permissions will be reviewed quarterly to ensure they align with employees’ current roles, and unnecessary access will be revoked.
- Multi-Factor Authentication (MFA): MFA must be used for systems containing sensitive or critical information, particularly client data.
8. Device Management
- Encryption: All company-issued devices must be encrypted to protect data in the event of loss or theft.
- Updates: All employees must ensure that security patches are regularly applied.
- Device Return: Employees must return all company-issued devices upon termination of employment or contract. IT will securely wipe the devices before reuse.
9. Compliance and Review
- Quarterly Audits: The VP of Operations or IT will conduct quarterly audits to ensure compliance with this policy, including access control reviews and encryption checks.
- Incident Documentation: All security incidents will be logged and reviewed to identify areas of improvement in security practices.
- Policy Review: This policy will be reviewed and updated annually to ensure compliance with the latest security standards and regulatory requirements.
10. Disciplinary Actions
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment. All employees are expected to report potential security risks and breaches as outlined.