Commit 4966b771 authored by Gavriel Amira

fix conflict

parents 2ccb70e3 51151861
# Ignore build artefacts
handbook.md
*.html
*.html # rendered markdown
.DS_Store # MacOS desktop data
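Review bot: The two patterns with trailing text, `*.html # rendered markdown` and `.DS_Store # MacOS desktop data`, will not match the files they are meant to ignore. gitignore treats `#` as a comment only at the start of a line, so the whole string including the comment becomes the pattern. Move each comment to its own line above the pattern; the bare `*.html` line already covers the rendered output.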
# 20% project
20% of your time (effectively one day a week) is OlinData time to develop and working on on-going projects in the company & employee development
#### 20% of your time (effectively one day a week) is OlinData time to develop and working on on-going projects in the company & employee development
20% projects will be managed like any other project
#### 20% projects will be managed like any other project
- will have a project manager
It is important to us that you take the maximum advantage of the 20% rule and we are very interested in helping you to achieve this. Before you can get started with your project, we ask that you write up a small proposal on what you aim to work on. Discuss that with your direct lead for approval so we can determine together if and how this would work. We do this using periodic meetings where we discuss your next 20% project or follow up on your current progress. These meetings are used to set short-term goals regarding the 20% project. The meeting frequency is open to personal preference but we advise to have, at least, one each trimester.
- defined goals and sub-goals
- will have a project manager
- defined goals and sub-goals
- Clearly defined time for task and subtask
- Clearly defined time for task and subtask
#### so how to start a project?
......@@ -23,3 +26,8 @@ In this situation and assuming there is a large project that you want to impleme
the project manager job is to give you the freedom and move out the way all the approvals you need (like budget and free time )
(For now we have only one project manager....Gavriel Amira)
# Content production
One of the greatest overall perks of the 20% project is to have a shareable outcome, perhaps in the form of blog content. This content can also be a knowledge sharing session, a mini-project or even internal wiki track about the topic.
>>>>>>> origin
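Review bot: A `>>>>>>> origin` conflict marker is still present as the last line of this hunk, so a commit titled "fix conflict" leaves marker text in the published page. Remove it and check the rest of this file for a matching `<<<<<<< HEAD` or `=======` line.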
SRCS= 20percent.md LICENSE README.md \
benefits.md branding.md \
coc.md companycar.md culture.md \
finance.md first-day.md \
history.md joining.md laptop.md media.md \
onboarding/* recruitment.md \
security-policy.md software-and-saas.md \
time-off.md travel.md \
whoswho.md
all: handbook.md handbook.html
handbook.md: ${SRCS}
cat ${SRCS} > handbook.md
handbook.html: handbook.md
markdown handbook.md > handbook.html
clean:
rm -f handbook.md handbook.html
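Review bot: `SRCS` lists `security-policy.md`, but the README change in this same commit points the security policy link at `security-policy/README.md`. If `security-policy.md` no longer exists, `make` fails because there is no rule to make that target; if it still exists, the handbook is built from the old page and not from the new policy files. List the files under `security-policy/` in `SRCS` in the order they should appear.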
......@@ -15,7 +15,7 @@ This repository contains the OlinData handbook that should explain anything that
* [Recruitment process](recruitment.md)
* [Dealing with the Media](media.md)
* [Software and Saas products we use](software-and-saas.md)
* [OlinData Security Policy](security-policy.md)
* [OlinData Security Policy](security-policy/README.md)
* [Taking time off](time-off.md)
* [A company car](companycar.md)
* [20 percent project](20percent.md)
......
......@@ -8,17 +8,16 @@ the way.
We encourage everyone to share their stories from their work out in
the wild as a post on [OlinData's blog][odblog].
Here are some example topcis that could guide you on telling your
Here are some example topics that could guide you on telling your
next story:
* Making a particular script/playbook/class truly idempotent
* Experiences containerising large software
* How gathering and visualing data finally led to fixing that one
* How gathering and visualising data finally led to fixing that one
thing that was being ignored
* Why changing from tool X to tool Y led to significant decrease in build
times
[odblog]: https://olindata.com/blog
* Why changing from tool X to tool Y led to significant decrease in build times
* Experiences in conferences and relevant events
* Reviews on books, certifications and training material
As a company dedicated to open source software we recognise the
importance of contributing to projects' documentation. We don't want
......@@ -31,5 +30,12 @@ Some topics which are suited to real technical documentation:
* How to install and configure a computing cluster using tool 'X'.
* How to integrate a certain CI system with a certain cloud provider
We try to have one blog post per month. The current maintainer of
olindata.com/blog is oliver at olindata.com.
Articles are put into the queue every second Friday. An article from
the queue is posted every second Tuesday. For the current schedule see this
Google calendar:
<https://calendar.google.com/calendar/embed?src=olindata.com_al1t8ln0iqmolkkd9diqi4jm3c%40group.calendar.google.com>
The current maintainer of olindata.com/blog is oliver at olindata.com.
See [internal/www](https://gitlab.olindata.com/internal/www) for more
tech detail on how articles are posted, formatted etc.
\ No newline at end of file
# OlinData currency
## The flipper
In order to encourage certain behaviours within our company we are using a currency called the Flipper. The Flipper is not directly tied to monetary value but instead can be used for different things which you get to choose over time.
The shorthand sign for the Flipper is Fl.
The origin of the choice for the word flipper is the '80's tv show: https://www.youtube.com/watch?v=azEOeTX1LqM
## Earning Flippers
You can earn Fl for a number of things. Some Fl will be gained by everyone for certain group achievements. You can also donate FL to each other to show appreciation.
| Activity | Reward |
| --- | --- |
| Pull request to a third party open source project | 1 |
| Open an issue that gets accepted in a third party project | 1 |
| Speaking on a (free) community meetup | 10 |
| Speaking at a conference | 50 |
| Publishing a blog post on the OlinData blog | 5 |
| Completing a 20% project | 25 |
| Speaking on our meetup | 15 |
| Tribe project completion | 35 |
## Spending Flippers
From time to time we will publish a list of things you can spend Fl on. These can be experiences, gadgets or other non-monetary things
## All time high
We will not only allow purchases but also keep track of how many flipper someone has gathered over the years so we can provide incentives based on all time goals.
## Keeping track
Score is being tracked here: https://docs.google.com/spreadsheets/d/1kJXCnR19rNgXxP1VJHiCTWXBBJ5wPfSX_4Y2KvtKRfs/edit#gid=0
\ No newline at end of file
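Review bot: The "Keeping track" section links to the score sheet by its `/edit` URL and does not say who maintains it. Since Flippers are spent on rewards, name the owner of the sheet and confirm that edit access is limited to that person, with everyone else view-only. Separately, "Earning Flippers" writes both `Fl` and `FL`; the shorthand defined above is `Fl`.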
# First day checklist
Check that you have a Google account -> alias@olindata.com
## Please make sure that:
Then, check that you can log in to
[services used by OlinData](software-and-saas.md).
Most importantly, check that you can log in to these using your
@olindata.com Google account:
- you have a company Google account -> alias@olindata.com
- you have access to [Slack](https://olindata.slack.com), our collaboration tool -> SSO with Google account alias@olindata.com
- you have access to [BambooHR](https://olindata.bamboohr.co.uk) for requesting time off and other HR related info -> SSO with Google account alias@olindata.com
- you have access to [Trello](https://trello.com/), our project management tool -> SSO with Google account alias@olindata.com
- you create an account on OD's [Gitlab](https://gitlab.olindata.com) using alias@olindata.com -> then request access or fork the needed repo's
- [Slack][slack]
- [BambooHR][bamboo]
- [OD Gitlab][gitlab]
If you encounter issues with any of the above please feel free to contact Walter or Mine.
## Profiles
There's a few places we want to make sure have up-to-date personal information.
## Extra:
### BambooHR
[Sign in][bamboo] and click "My info". Please make sure this
information is as complete as possible; it makes our HR people love
you.
- because we are using Google Calendar for events and meetings, you can [integrate your OD Google Calendar with Slack](https://get.slack.help/hc/en-us/articles/206329808-Connect-Google-Calendar-to-Slack),
for being able to receive personal notifications about your events directly in Slack:
- please make sure to update your BambooHR profile with your latest info (BSN, personal information, etc.)
\ No newline at end of file
### OlinData website
1. [Sign in](https://www.olindata.com/user/login) using your account given and create your own password
1. Click "Edit". You will be directed to a page to fill in your basic information in each column accordingly, upload your photo and write a short biography about yourself.
1. Click “Save” at the bottom left
### Professional Profile
In order to offer your skills to our customers, we need you to create your professional profile. The profile is composed by a model CV we use and a small slides presentation. You can find the templates at OD Google Drive. For more information ask Jonah or Mine
### Contact directory
Update your contact information in our
[Google address book](https://mail.google.com/mail/u/0/#contacts).
## Problems?
If you can get on [Slack][slack], send a message to us in our #general
channel, and any one of us will happily help you out. Otherwise, get
in touch with Walter or Mine.
[slack]: https://olindata.slack.com
[bamboo]: https://olindata.bamboohr.co.uk
[gitlab]: https://gitlab.olindata.com
\ No newline at end of file
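Review bot: The file ends without a newline (`\ No newline at end of file`), directly after the `[gitlab]: https://gitlab.olindata.com` reference definition. The Makefile in this commit builds the handbook with `cat ${SRCS} > handbook.md`, so the first line of the next source file is appended to that line and the `[gitlab]` definition is corrupted in the combined document. End every source file with a newline; the same marker appears on other files in this commit.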
<<<<<<< HEAD
# Introduction
Since most of us are away on engagements, we don’t always get to see each other a lot. We feel that it is important for us as a team to spend time together to bond, learn and inspire each other. If we’re going to spend time together we need to make sure this is done in a meaningful manner because time is a commodity that should be well spent. This page explains a few of the things we’re doing to achieve this.
......@@ -12,9 +13,50 @@ By doing this we hope to create an atmosphere where people can easily collaborat
We are an incredibly diverse and highly experienced team. While on assignment, and during our OD-days we learn, and create amazing things. To inspire and teach each other we will organize a sharing activity every week. We all have something to share! So everyone is required to present something once every cycle.
We will publish a schedule here: <insert link>. In preparation of this event we’d like you to come up with a subject at least a week in advance. If you have any trouble thinking of something, or need help preparing a talk don’t hesitate to ask for help from any of your colleagues.
There aren’t much restrictions to what you can present, but the talk should preferably be at least 15 minutes unless there is good reason not to. A good session should take 30-45 minutes in total, with a maximum of an hour.
=======
Since most of us are away on engagements, we don’t always get to see
each other a lot. We feel that it is important for us as a team to
spend time together to bond, learn and inspire each other. If we’re
going to spend time together we need to make sure this is done in a
meaningful manner because time is a commodity that should be well
spent. This page explains a few of the things we’re doing to achieve
this.
# Doing OD-day work
At OlinData we have the 20% [policy](./20percent.md) , which allows
you discretionary time to spend on things that are valuable to your
professional development, the company or otherwise. Unless the nature
of this work prevents you from doing so, we’d like you to do your
OD-day work at the office. By doing this we hope to create an
atmosphere where people can easily collaborate and ask each other for
help while building a team feeling by being physically in the same
space.
# Knowledge sharing
We are an incredibly diverse and highly experienced team. While on
assignment, and during our OD-days we learn, and create amazing
things. To inspire and teach each other we will organize a sharing
activity every week. We all have something to share! So everyone is
required to present something once every cycle.
The schedule is managed in this shared google calendar:
https://calendar.google.com/calendar/embed?src=olindata.com_al1t8ln0iqmolkkd9diqi4jm3c%40group.calendar.google.com&ctz=Europe%2FAmsterdam
In preparation of this event we'd like you to come up with a subject
at least a week in advance. If you have any trouble thinking of
something, or need help preparing a talk don’t hesitate to ask for
help from any of your colleagues. There aren’t much restrictions to
what you can present, but the talk should preferably be at least 15
minutes unless there is good reason not to. A good session should take
30-45 minutes in total, with a maximum of an hour.
>>>>>>> origin
# Weekly overview
<<<<<<< HEAD
As a company, we are growing there is more- and more going on in the company every month.
While we are at assignments it is hard to keep track of what everyone is working on and what we are achieving as a company.
With so much going on, it is easy to miss out on learning moments and things to celebrate.
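Review bot: `=======`, `>>>>>>> origin` and `<<<<<<< HEAD` are committed as content in this hunk, so both versions of the Introduction and Knowledge sharing text end up in the page. When resolving, note that the HEAD side still carries the placeholder `We will publish a schedule here: <insert link>` while the origin side has the actual calendar link; keep the origin wording and delete the markers.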
......@@ -43,8 +85,71 @@ We should come up with a way to celebrate our victories, let’s come up with so
If we’re in the office together at the same time, we might as well have lunch together.
Groceries are bought on Wednesday, so if you’re not going to be in on Friday, please let us know before then. Otherwise we’re assuming that you’ll be there.
If you have any food allergies or preferences please let us know before than so we can take these into account.
=======
As a company, we are growing there is more- and more going on in the
company every month. While we are at assignments it is hard to keep
track of what everyone is working on and what we are achieving as a
company. With so much going on, it is easy to miss out on learning
moments and things to celebrate. To increase transparency within the
company and create a shared feeling of progress we are having a weekly
company overview.Even though initially this might sound boring, that
is the opposite of what we want to achieve.
## Standup
To ensure that we spend our time effectively we should keep the
conversation short- and to the point. A tool that we could benefit
from greatly is the standup form. By having a standup that is limited
to a maximum of 15 minutes we are forced to focus on what’s important.
During this stand up everyone has a short timespan to talk about what
they’ve achieved since the last time; What they are going to do, and
anything that is hindering them from achieving their goal. This can be
anything:
- Something you’re working on at a client.
- What you’re working on during your OD-day.
- What you’re trying to learn.
- Some internal project.
- Anything you find relevant.
Keep in mind that we have a total of 15 minutes, so asking a question
is fine, but if this goes too far in depth you will be asked to
discuss it after the meeting.
## Celebrating achievements
By beginning the process of talking about what we’re doing and
achieving in- and for the company, we will discover many reasons for
celebration. Be it big- or small! We should come up with a way to
celebrate our victories, let’s come up with something together!
# Shared lunches
> There is little man bonds over more, than having a shared meal
Jonah, 2018
If we’re in the office together at the same time, we might as well
have lunch together. Groceries are bought on Wednesday, so if you’re
not going to be in on Friday, please let us know before then.
Otherwise we’re assuming that you’ll be there. If you have any food
allergies or preferences please let us know before than so we can take
these into account.
>>>>>>> origin
# Being present
<<<<<<< HEAD
We assume everyone to be there on Fridays, but if you can’t make it this is totally fine. We do expect this to be for good reason. We’re all responsible adults, so we trust you to make the right decision.
It is important that you communicate your availability if you’re not coming.
=======
We assume everyone to be there on Fridays, but if you can’t make it
this is totally fine. We do expect this to be for good reason. We’re
all responsible adults, so we trust you to make the right decision. It
is important that you communicate your availability if you’re not
coming.
>>>>>>> origin
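Review bot: The "Being present" section at the end of this hunk is wrapped in `<<<<<<< HEAD` / `=======` / `>>>>>>> origin`, and its two sides differ only in line wrapping, as do the two copies of the Shared lunches paragraph above it. Keep one side of each and remove the markers. While there, both sides read "please let us know before than"; that should be "before then".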
......@@ -15,11 +15,10 @@ If you're moving to the Netherlands as part of joining OlinData, please read onb
When you start with OlinData, we'll assign you a buddy from the existing team. This person will be your first point of contact for the first month so you have a specific person to ask whatever question you have.
### Setup Personal Profile
All employees have to setup their personal profile in BambooHR and OlinData website.
* BambooHR: you'll receive an invite for BambooHR, which is where we keep all HR related information. Please make an effort to fill your information out as complete as possible.
* [OlinData Website](http://www.olindata.com/user/login):
1. Sign in using your account given and create your own password
2. Click on “Edit” button. You will be directed to a page to fill in your basic information in each column accordingly, upload your photo and write a short biography about yourself.
3. Click “Save” at the bottom left after complete.
### First day
On your first day, go through the the [first day checklist](first-day.md).
### Extra:
You can
[integrate your OD Google Calendar with Slack](https://get.slack.help/hc/en-us/articles/206329808-Connect-Google-Calendar-to-Slack),
to receive notifications about your events directly in Slack
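Review bot: The First day line reads "go through the the [first day checklist](first-day.md)"; drop the doubled "the". The sentence under `### Extra:` also ends without a full stop, and the heading's trailing colon is not used by the other headings in this hunk.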
......@@ -18,6 +18,8 @@ The office is a space we will have to share so it is important to be mindful of
- No smoking inside the office
- Make sure you don´t have an overpowering odor (good or bad)
- Be weary with loud or smelly food
- Be careful with playing music loudly. If you want to listen to loud music please use headphones.
- Be careful with the oven. Seriously.
### Etiquette
- Respect co-worker´s and company´s property
......@@ -27,11 +29,9 @@ The office is a space we will have to share so it is important to be mindful of
### Handeling Conflicts
As said before the office is a shared space. We hope no conflicts will arise. If there are any issues that could cause conflicts to arise, please try to resolve the issue in a mindful manner. If this does not work talk to Walter, Jonah or Mine.
## Suggesting changes or improvements
The office is a new environment for all of us. If you have any idea´s to improve the workspace or want to see change in something go and talk to Walter, Mine or Noor.
## Requesting Equipment
We are arranging an IT asset management program in which we can see what assets we have and where you can request or maybe already find the items you need. Until that is arranged go to Walter, Mine or Noor to request equipment.
......
# Security policy
## OD Account and Password policy:
- for your company Google account, and all the other accounts that do not support federated access with Google, please make sure that you use secure, **unique** passwords, and keep them safe
using a password manager software ([LastPass](https://www.lastpass.com/), [Dashlane](https://www.dashlane.com/), [KeepPass](https://keepass.info/), etc.)
- passwords complexity:
- min 10 characters long (need to check with the Gsuite admin if this actually enforced, if not it should be enforced to 10 or better 12)
- contain uppercase characters
- contain lowercase characters
- contain base 10 digits (0 through 9)
- contain nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
- can't begin or end with a whitespace character
- [Google 2-step verification](https://www.google.com/landing/2step/) is enabled
on all OlinData Google accounts by default.
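Review bot: The minimum-length rule still contains an open question in the policy text itself: "(need to check with the Gsuite admin if this actually enforced, if not it should be enforced to 10 or better 12)". Settle the enforced value with the admin and state one number. Also, the password manager list spells the product "KeepPass" while linking to keepass.info; the name is KeePass.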
# Welcome to OlinData's Security Policy
Please keep in mind that we will consistently update this policy to make our practices on par with the most recent security trends and compliance standards.
We are open to listen to your suggestions and you are free to send contributions via merge requests.
All changes should be reviewed before commit.
--
OlinData SecOps Team
# Purpose
The purpose of this policy is to define web application security assessments within OlinData BV. Web application assessments are performed to identify potential or realised weaknesses as a result of inadvertent mis-configuration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of OlinData BV services available both internally and externally as well as satisfy compliance with any relevant policies in place.
# Scope
This policy covers all web application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at OlinData BV.
All web application security assessments will be performed by delegated security personnel either employed or contracted by OlinData BV. All findings are considered confidential and are to be distributed to persons on a “need to know” basis. Distribution of any findings outside of OlinData BV is strictly prohibited unless approved by Marcello, our Internal Security Officer.
Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited. Limitations and subsequent justification will be documented prior to the start of the assessment.
# Policy
1. Web applications are subject to security assessments based on the following criteria:
* New or Major Application Release – will be subject to a full assessment prior to approval of the change control documentation and/or release into the live environment.
* Third Party or Acquired Web Application – will be subject to full assessment after which it will be bound to policy requirements.
* Point Releases – will be subject to an appropriate assessment level based on the risk of the changes in the application functionality and/or architecture.
* Patch Releases – will be subject to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture
* Emergency Releases – An emergency release will be allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out. Emergency releases will be designated as such by the Chief Information Officer or an appropriate manager who has been delegated this authority.
1. All security issues that are discovered during assessments must be mitigated based upon the following risk levels. The Risk Levels are based on the OWASP Risk Rating Methodology. Remediation validation testing will be required to validate fix and/or mitigation strategies for any discovered issues of Medium risk level or greater.
* High – Any high risk issue must be fixed immediately or other mitigation strategies must be put in place to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the live environment.
* Medium – Medium risk issues should be reviewed to determine what is required to mitigate and scheduled accordingly. Applications with medium risk issues may be taken off-line or denied release into the live environment based on the number of issues and if multiple issues increase the risk to an unacceptable level. Issues should be fixed in a patch/point release unless other mitigation strategies will limit exposure.
* Low – Issue should be reviewed to determine what is required to correct the issue and scheduled accordingly.
1. The following security assessment levels shall be established by the InfoSec organisation or other designated organisation that will be performing the assessments.
* Full – A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide. A full assessment will use manual penetration testing techniques to validate discovered vulnerabilities to determine the overall risk of any and all discovered.
* Quick – A quick assessment will consist of a (typically) automated scan of an application for the OWASP Top Ten web application security risks at a minimum.
* Targeted – A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.
1. The current approved web application security assessment tools in use which will be used for testing are:
* Nessus
* OpenVas
* Burp Suite
* OWASP Zap
# Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
1. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
# Revision History
Please check the commit history for this file.
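Review bot: The Emergency Releases item lets a release "carry the assumed risk until such time that a proper assessment can be carried out" with no upper bound, so an emergency release can stay unassessed indefinitely. Add a deadline for the follow-up assessment and require the approval to be recorded. The approving roles are also inconsistent: Scope names "Marcello, our Internal Security Officer", this item names the Chief Information Officer, and item 3 refers to "the InfoSec organisation"; use one role title throughout and avoid a personal name.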
# Purpose
The purpose of this document is to serve as a guideline to all upcoming audits and it should be enforced at every assessment.
# Scope
This policy applies to all OlinData BV employees and affiliates.
# Policy
1. Periodic Audits
Twice a year a full audit will happen under the effort to maintain a sane ISMS and a safe environment. The periodic audits will also be used as an assessment point of the current state of the Business Continuity Plan and, if needed, serve as evidence of changes.
The Periodic Audits will cover the following:
1. State of the current active assets.
This assessment involves:
* Self-assessment and reporting of individual assets provided by OlinData BV or used to fulfil work in behalf of the company.
1. State of hosted applications and infrastructure.
This assessment involves:
* Evaluation of the current applied technology.
* Applied patches and corrections.
* Automated scanning/port-scanning.
* Manual testing.
1. State of vendors technology.
This assessment involves:
* Evaluation of the current vendors regarding recent incidents, breaches and 0-days.
* Evaluate the current environment and check which solutions could/should be removed from the ecosystem.
1. State of guidelines adherence.
This assessment involves:
* Check how compliant the company is to the general guidelines and assess possible improvements.
# Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
1. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
# Revision History
Please check the commit history for this file.
# Purpose
The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.
# Scope
This policy applies to all OlinData BV employees and affiliates.
# Policy
1. Algorithm Requirements
1. Ciphers in use must meet or exceed the set defined as "AES-compatible" or "partially AES-compatible" according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication [FIPS 140-2](https://csrc.nist.gov/publications/detail/fips/140/2/final), or any superseding documents according to the date of implementation. The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.
1. Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.
1. Signature Algorithms
| Algorithm | Key (min) | Additional Comment |
| ------------- |:-------------:| -----:|
| ECDSA | P-256 | Check the compliances involved before |
| RSA | 2048 | Must use the a secure padding |
| LDWM | SHA256 | Check the internal standard of usage |
1. Hash Function Requirements
In general, OlinData BV adheres to the [NIST Policy on Hash Functions](https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions).
1. Key Agreement and Authentication
1. Key exchanges must use one of the following cryptographic protocols: Diffie-Hellman, IKE, or Elliptic curve Diffie-Hellman (ECDH).
1. End points must be authenticated prior to the exchange or derivation of session keys.
1. Public keys used to establish trust must be authenticated prior to use. Examples of authentication include transmission via cryptographically signed message or manual verification of the public key hash.
1. All servers used for authentication must have installed a valid certificate signed by a known trusted provider.
1. All servers and applications using SSL or TLS must have the certificates signed by a known, trusted provider and completely avoid the usage of RC4-based certificates.
1. Key Generation
1. Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.
1. Key generation must be seeded from an industry standard random number generator (RNG). For examples, see NIST Annex C: Approved Random Number Generators for FIPS PUB 140-2. For more information see [cipherli.st][cipherlist]
# Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
1. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
# Revision History
Please check the commit history for this file.
[cipherlist]: https://cipherli.st
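Review bot: The TLS item under Key Agreement and Authentication asks to "completely avoid the usage of RC4-based certificates", but RC4 is a stream cipher negotiated in the cipher suite, not a property of a certificate. Reword it as a ban on RC4 cipher suites, and state a minimum protocol version, since the item currently allows "SSL or TLS" without one. In the signature table the RSA row says "Must use the a secure padding" without naming a scheme (for example RSASSA-PSS), and the key exchange item lists Diffie-Hellman with no minimum group size although the signature table gives minimums.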
# Purpose
The purpose for this policy is to establish the minimum requirements for maintaining a “clean desk” – where sensitive/critical information about our employees, our intellectual property, our customers and our vendors is secure in locked areas and out of sight. A Clean Desk policy is not only ISO 27001/17799 compliant, but it is also part of standard basic privacy controls.
# Scope
This policy applies to all OlinData BV employees and affiliates
# Policy
1. Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.
1. Computer workstations must be locked when workspace is unoccupied.
1. Computer workstations must be restarted at the end of the work day.
1. Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day.
1. File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended.
1. Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.
1. Laptops must be either locked with a locking cable or locked away in a drawer.
1. Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
1. Printouts containing Restricted or Sensitive information should be immediately removed from the printer.
1. Upon disposal Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the lock confidential disposal bins.
1. Whiteboards containing Restricted and/or Sensitive information should be erased.
1. Lock away portable computing devices such as laptops and tablets.
1. Treat mass storage devices such as portable media or USB drives as sensitive and secure them in a locked drawer.
1. All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.
# Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
1. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
# Revision History
Please check the commit history for this file.
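Review bot: The Policy list in the clean desk file repeats itself, which leaves readers unsure which wording is binding. "Laptops must be either locked with a locking cable or locked away in a drawer" overlaps with "Lock away portable computing devices such as laptops and tablets", and the printout item overlaps with the final printers and fax machines item. Merge each pair into one item and use a consistent "must" or "should" across the list, since the printout and whiteboard items are currently only "should". Smaller points: "lock confidential disposal bins" should read "locked"; and the paragraphs under Compliance Measurement, Exceptions and Non-Compliance are not indented under their "1." items, so they will not render as part of the list.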
# Purpose
The purpose of this email policy is to ensure the proper use of OlinData BV email system and make users aware of what OlinData BV deems as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within OlinData BV Network.
# Scope
This policy covers appropriate use of any email sent from a OlinData BV email address and applies to all employees, vendors, and agents operating on behalf of OlinData BV.
# Policy
1. All use of email must be consistent with OlinData BV policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices. 
1. OlinData BV email account should be used primarily for OlinData BV business-related purposes; personal communication is permitted on a limited basis, but non-OlinData BV related commercial uses are prohibited.
1. All OlinData BV data contained within an email message or an attachment must be secured according to the Data Protection Standard.
1. Email should be retained only if it qualifies as a OlinData BV business record. Email is a OlinData BV business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
1. Email that is identified as a OlinData BV business record shall be retained according to OlinData BV Record Retention Schedule.
1. The OlinData BV email system shall not to be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any OlinData BV employee should report the matter to their supervisor immediately.
1. Users are prohibited from automatically forwarding OlinData BV email to a third party email system (noted in 4.8 below). Individual messages which are forwarded by the user must not contain OlinData BV confidential or above information.
1. Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct OlinData BV business, to create or memorialise any binding transactions, or to store or retain email on behalf of OlinData BV.  Such communications and transactions should be conducted through proper channels using OlinData BV-approved documentation. 
1. Using a reasonable amount of OlinData BV resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a OlinData BV email account is prohibited.
1. OlinData BV employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
# Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
1. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
# Revision History
Please check the commit history for this file.
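Review bot: The auto-forwarding item refers to "(noted in 4.8 below)", but this file has no section numbering and every list item is written as "1.", so the reference points nowhere. It appears to mean the following item on third-party email systems; refer to that item by name or drop the parenthetical. The same item relies on "confidential or above information", and other items cite the "Data Protection Standard" and the "Record Retention Schedule", none of which are defined or linked in this file, so add links or a short definition. "shall not to be used" should be "shall not be used". The Compliance Measurement text lists "periodic walk-thrus, video monitoring" exactly as in the clean desk file, which does not fit an email policy well; consider naming checks that apply to mail, such as review of forwarding rules.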
# Purpose
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
# Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any OlinData BV facility, has access to the OlinData BV network, or stores any non- public OlinData BV information.
# Policy
1. Password Creation
All passwords/Passphrases should meet or exceed the following guidelines:
1. Contain at least 12 alphanumeric characters.
1. Contain both upper and lower case letters.
1. Contain at least one number (for example, 0-9).
1. Contain at least one special character.
1. Should not be found in a dictionary, including foreign language, or exist in a language slang, dialect, or jargon.
1. Should not contain personal information such as birthdates, addresses, phone numbers or any other easy-to-find information.
1. Should not contain work-related information such as building names, system commands, sites, companies, hardware or software.
1. Should not contain easy alphanumeric patterns.
1. Should not contain common words spelled backwards, preceded or followed by a number.
1. Passwords/Passphrases Changes
1. Passwords/Passphrases should not be written down or shared under any circumstances. All passwords are to be treated as sensitive, confidential OlinData BV information.
1. Passwords/Passphrases must not be inserted into email messages, Alliance cases or other forms of electronic communication.
1. Passwords/Passphrases must not be revealed over the phone to anyone.
1. Passwords/Passphrases should not be revealed over questionnaires or security forms. Do not reveal a password on questionnaires or security forms.
1. Passwords/Passphrases hints should not be shared.
1. No passwords/passphrases from OlinData BV are meant to be shared internally.
1. Under suspicion of breach/leak, the occurrence should be shared with the Infosec Team and all passwords/passphrases should be changed.
# Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
1. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
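Review bot: The Purpose of the password file promises a standard for "the frequency of change", but the item headed "Passwords/Passphrases Changes" contains only handling and disclosure rules, and the one change requirement (after a suspected breach or leak) gives no interval. Either rename that heading to something like password protection and add an explicit change rule, or drop frequency from the Purpose. In Password Creation, "Contain at least 12 alphanumeric characters" conflicts with "Contain at least one special character"; "at least 12 characters" would be consistent. The sub-items under both headings are not indented, so they render as one flat list at the same level as "Password Creation". The questionnaire item states its rule twice ("Do not reveal a password on questionnaires or security forms."), and "Alliance cases" is not defined anywhere in the visible text.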