Cyber Security Policy

1         Introduction

 

1.1         The risk of data theft, scams, and security breaches can have a detrimental impact on a company's systems, technology infrastructure, and reputation. As a result, OVACtech has created this policy to help outline the security measures put in place to ensure information remains secure and protected.

 

2         Purpose

 

2.1          The purpose of this policy is to:

 

(a) protect OVACtech data and infrastructure

(b) outline the protocols and guidelines that govern cyber security measures

(c) define the rules for company and personal use, and

(d) list the company's disciplinary process for policy violations.

 

3         Scope

 

3.1         This policy applies to all of OVACtech’s remote workers, permanent, and part-time employees, contractors, volunteers, suppliers, interns, and/or any individuals with access to the company's electronic systems, information, software, and/or hardware.

 

4         Confidential data

 

4.1         OVACtech defines "confidential data" as:

 

  • Unreleased and classified financial information

  • End user organisation, customer, supplier, and shareholder information

  • Customer leads and sales-related data

  • Patents, business processes, and/or new technologies

  • Employees' passwords, assignments, and personal information

  • Company contracts and legal records

5         Device security

 

5.1         Personal devices

 

5.1.1     As OVACtech adopt Bring Your Own Device which allows its employees to use their personal devices for work purposes, all employees are required to:

 

  • keep all devices password-protected following the company’s password policy (minimum of 8 alphanumeric characters).

  • ensure all personal devices used to access company-related systems are password and or PIN protected.

  • install full-featured antivirus software.

  • regularly upgrade antivirus software.

  • lock all devices if left unattended.

  • ensure all devices are protected at all times.

  • always use secure and private networks.

  • avoid the use of public WiFi.

  • avoid sharing your devices with others where possible.

  • not access company systems with a borrowed device.

 

6         Email security

 

6.1         Protecting email systems is a high priority as emails can lead to data theft, scams, and carry malicious software like worms and bugs. Therefore, OVACtech requires all employees to:

 

  • avoid opening attachments or clicking on links from any email not expected without independently verifying the source with the claimed sender.

  • verify the legitimacy of each email, including the email address and sender name.

  • avoid opening suspicious emails, attachments, and clicking on links.

  • look for any significant spelling errors in the email address and body of text.

  • avoid clickbait titles and links.

  • contact the IT department regarding any suspicious emails.

 

7         Transferring data

 

7.1         OVACtech recognises the security risks of transferring confidential data internally and/or externally. To minimise the chances of data theft, we instruct all employees to:

 

  • refrain from transferring classified information to employees and outside parties.

  • only transfer confidential data over OVACtech networks (eg Sermegon workflow).

  • obtain the necessary authorisation from senior management.

  • verify the recipient of the information and ensure they have the appropriate access rights.

  • adhere to OVACtech’s data protection policy.

  • alert the IT department of any near misses, breaches, malicious software, and/or scams.

 

8         Disciplinary action

 

8.1      Violation of this policy can lead to disciplinary action, up to and including termination of employment.  OVACtech’s disciplinary protocols are based on the severity of the violation. Unintentional violations only warrant a verbal warning, frequent violations of the same nature can lead to a written warning, and intentional violations can lead to suspension and/or termination of employment, depending on the case circumstances.

Revision date: 10 June 2023