Commit 4966b771 authored by Gavriel Amira

fix conflict

parents 2ccb70e3 51151861
# Ignore build artefacts
handbook.md
*.html
*.html # rendered markdown
.DS_Store # MacOS desktop data
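Review bot: the trailing comments on `*.html # rendered markdown` and `.DS_Store # MacOS desktop data` are not comments in .gitignore syntax; `#` only starts a comment at the beginning of a line, so these two lines now match the literal names `*.html # rendered markdown` and `.DS_Store # MacOS desktop data` and no longer ignore the rendered HTML or the .DS_Store files. Put each comment on its own line above the pattern, as `# Ignore build artefacts` already does.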
# 20% project
20% of your time (effectively one day a week) is OlinData time to develop and working on on-going projects in the company & employee development
#### 20% of your time (effectively one day a week) is OlinData time to develop and working on on-going projects in the company & employee development
20% projects will be managed like any other project
#### 20% projects will be managed like any other project
- will have a project manager
It is important to us that you take the maximum advantage of the 20% rule and we are very interested in helping you to achieve this. Before you can get started with your project, we ask that you write up a small proposal on what you aim to work on. Discuss that with your direct lead for approval so we can determine together if and how this would work. We do this using periodic meetings where we discuss your next 20% project or follow up on your current progress. These meetings are used to set short-term goals regarding the 20% project. The meeting frequency is open to personal preference but we advise to have, at least, one each trimester.
- defined goals and sub-goals
- will have a project manager
- defined goals and sub-goals
- Clearly defined time for task and subtask
- Clearly defined time for task and subtask
#### so how to start a project?
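Review bot: the heading level jumps from `# 20% project` straight to `####` on `#### 20% of your time ...` and `#### 20% projects will be managed like any other project`, skipping h2 and h3, and 'to develop and working on on-going projects' does not parse; suggest `##` headings and 'to develop yourself and work on ongoing projects in the company and on employee development'. The bullet list (`- will have a project manager`, `- defined goals and sub-goals`, `- Clearly defined time for task and subtask`) is interrupted by the paragraph 'It is important to us that you take the maximum advantage ...', so it renders as two lists; keep the paragraph above or below the whole list. `#### so how to start a project?` should be capitalised like the other headings.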
......@@ -23,3 +26,8 @@ In this situation and assuming there is a large project that you want to impleme
the project manager job is to give you the freedom and move out the way all the approvals you need (like budget and free time )
(For now we have only one project manager....Gavriel Amira)
# Content production
One of the greatest overall perks of the 20% project is to have a shareable outcome, perhaps in the form of blog content. This content can also be a knowledge sharing session, a mini-project or even internal wiki track about the topic.
>>>>>>> origin
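Review bot: the last line of this hunk, `>>>>>>> origin`, is a leftover merge-conflict marker and will render as a blockquote in the handbook; the commit message says 'fix conflict' but this file is still unresolved. While here, 'give you the freedom and move out the way all the approvals you need (like budget and free time )' should read 'give you the freedom and clear the way for all the approvals you need (like budget and free time)', and the aside '(For now we have only one project manager....Gavriel Amira)' should either be a proper sentence or be dropped, since it will go stale.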
SRCS= 20percent.md LICENSE README.md \
benefits.md branding.md \
coc.md companycar.md culture.md \
finance.md first-day.md \
history.md joining.md laptop.md media.md \
onboarding/* recruitment.md \
security-policy.md software-and-saas.md \
time-off.md travel.md \
whoswho.md
all: handbook.md handbook.html
handbook.md: ${SRCS}
cat ${SRCS} > handbook.md
handbook.html: handbook.md
markdown handbook.md > handbook.html
clean:
rm -f handbook.md handbook.html
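Review bot: the recipe lines `cat ${SRCS} > handbook.md`, `markdown handbook.md > handbook.html` and `rm -f handbook.md handbook.html` must be indented with a tab character; if they are indented with spaces as shown, make stops with a 'missing separator' error. `cat` joins the sources with no separator, and several files in this change end without a trailing newline (see the `\ No newline at end of file` markers), so the last line of one file and the `# ...` heading of the next land on a single line and the heading is lost; add a blank line between files in the recipe or fix the trailing newlines. `all` and `clean` should be declared `.PHONY`, since a file named `clean` would otherwise make the target a no-op.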
......@@ -15,7 +15,7 @@ This repository contains the OlinData handbook that should explain anything that
* [Recruitment process](recruitment.md)
* [Dealing with the Media](media.md)
* [Software and Saas products we use](software-and-saas.md)
* [OlinData Security Policy](security-policy.md)
* [OlinData Security Policy](security-policy/README.md)
* [Taking time off](time-off.md)
* [A company car](companycar.md)
* [20 percent project](20percent.md)
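Review bot: the link target changes from `security-policy.md` to `security-policy/README.md`, but the Makefile in this same commit still lists `security-policy.md` in `SRCS`; if the file moved, `make` fails, and if it was copied, the handbook keeps the old text. Update `SRCS` (and add the other documents under `security-policy/` if that is where the policies in this commit live) so the generated handbook includes the security policy. The link text 'Software and Saas products we use' should be 'SaaS'.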
......@@ -8,17 +8,16 @@ the way.
We encourage everyone to share their stories from their work out in
the wild as a post on [OlinData's blog][odblog].
Here are some example topcis that could guide you on telling your
Here are some example topics that could guide you on telling your
next story:
* Making a particular script/playbook/class truly idempotent
* Experiences containerising large software
* How gathering and visualing data finally led to fixing that one
* How gathering and visualising data finally led to fixing that one
thing that was being ignored
* Why changing from tool X to tool Y led to significant decrease in build
times
[odblog]: https://olindata.com/blog
* Why changing from tool X to tool Y led to significant decrease in build times
* Experiences in conferences and relevant events
* Reviews on books, certifications and training material
As a company dedicated to open source software we recognise the
importance of contributing to projects' documentation. We don't want
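Review bot: the reference definition `[odblog]: https://olindata.com/blog` now sits between the list items `* Why changing from tool X to tool Y led to significant decrease in build times` and `* Experiences in conferences and relevant events`; a non-indented reference definition ends the list, so the last two items can render as a separate list. Move the definition to the end of the file and add 'a' before 'significant decrease'.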
......@@ -31,5 +30,12 @@ Some topics which are suited to real technical documentation:
* How to install and configure a computing cluster using tool 'X'.
* How to integrate a certain CI system with a certain cloud provider
We try to have one blog post per month. The current maintainer of
olindata.com/blog is oliver at olindata.com.
Articles are put into the queue every second Friday. An article from
the queue is posted every second Tuesday. For the current schedule see this
Google calendar:
<https://calendar.google.com/calendar/embed?src=olindata.com_al1t8ln0iqmolkkd9diqi4jm3c%40group.calendar.google.com>
The current maintainer of olindata.com/blog is oliver at olindata.com.
See [internal/www](https://gitlab.olindata.com/internal/www) for more
tech detail on how articles are posted, formatted etc.
\ No newline at end of file
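Review bot: the file ends without a trailing newline (`\ No newline at end of file`), which matters here because the handbook is built by concatenating the sources with `cat`; the next file's `# OlinData currency` heading would be appended to 'tech detail on how articles are posted, formatted etc.' on the same line and lost as a heading. Add the newline. The calendar linked for the article schedule is the same `olindata.com_al1t8ln0iqmolkkd9diqi4jm3c` calendar that culture.md in this commit links for the knowledge-sharing schedule; if one calendar holds both, say so, otherwise link the right one.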
# OlinData currency
## The flipper
In order to encourage certain behaviours within our company we are using a currency called the Flipper. The Flipper is not directly tied to monetary value but instead can be used for different things which you get to choose over time.
The shorthand sign for the Flipper is Fl.
The origin of the choice for the word flipper is the '80's tv show: https://www.youtube.com/watch?v=azEOeTX1LqM
## Earning Flippers
You can earn Fl for a number of things. Some Fl will be gained by everyone for certain group achievements. You can also donate FL to each other to show appreciation.
| Activity | Reward |
| --- | --- |
| Pull request to a third party open source project | 1 |
| Open an issue that gets accepted in a third party project | 1 |
| Speaking on a (free) community meetup | 10 |
| Speaking at a conference | 50 |
| Publishing a blog post on the OlinData blog | 5 |
| Completing a 20% project | 25 |
| Speaking on our meetup | 15 |
| Tribe project completion | 35 |
## Spending Flippers
From time to time we will publish a list of things you can spend Fl on. These can be experiences, gadgets or other non-monetary things
## All time high
We will not only allow purchases but also keep track of how many flipper someone has gathered over the years so we can provide incentives based on all time goals.
## Keeping track
Score is being tracked here: https://docs.google.com/spreadsheets/d/1kJXCnR19rNgXxP1VJHiCTWXBBJ5wPfSX_4Y2KvtKRfs/edit#gid=0
\ No newline at end of file
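Review bot: the currency is written `Fl`, `FL` ('You can also donate FL to each other') and 'flipper' ('how many flipper someone has gathered') in the same file; settle on `Fl` as defined under 'The flipper', and 'flipper' there should be 'Flippers'. The spreadsheet link under 'Keeping track' is an edit URL that will be published into the rendered handbook; link a view-only copy if the handbook is shared outside the company. The file is also missing its trailing newline, which breaks the `cat`-based handbook build.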
# First day checklist
Check that you have a Google account -> alias@olindata.com
## Please make sure that:
Then, check that you can log in to
[services used by OlinData](software-and-saas.md).
Most importantly, check that you can log in to these using your
@olindata.com Google account:
- you have a company Google account -> alias@olindata.com
- you have access to [Slack](https://olindata.slack.com), our collaboration tool -> SSO with Google account alias@olindata.com
- you have access to [BambooHR](https://olindata.bamboohr.co.uk) for requesting time off and other HR related info -> SSO with Google account alias@olindata.com
- you have access to [Trello](https://trello.com/), our project management tool -> SSO with Google account alias@olindata.com
- you create an account on OD's [Gitlab](https://gitlab.olindata.com) using alias@olindata.com -> then request access or fork the needed repo's
- [Slack][slack]
- [BambooHR][bamboo]
- [OD Gitlab][gitlab]
If you encounter issues with any of the above please feel free to contact Walter or Mine.
## Profiles
There's a few places we want to make sure have up-to-date personal information.
## Extra:
### BambooHR
[Sign in][bamboo] and click "My info". Please make sure this
information is as complete as possible; it makes our HR people love
you.
- because we are using Google Calendar for events and meetings, you can [integrate your OD Google Calendar with Slack](https://get.slack.help/hc/en-us/articles/206329808-Connect-Google-Calendar-to-Slack),
for being able to receive personal notifications about your events directly in Slack:
- please make sure to update your BambooHR profile with your latest info (BSN, personal information, etc.)
\ No newline at end of file
### OlinData website
1. [Sign in](https://www.olindata.com/user/login) using your account given and create your own password
1. Click "Edit". You will be directed to a page to fill in your basic information in each column accordingly, upload your photo and write a short biography about yourself.
1. Click “Save” at the bottom left
### Professional Profile
In order to offer your skills to our customers, we need you to create your professional profile. The profile is composed by a model CV we use and a small slides presentation. You can find the templates at OD Google Drive. For more information ask Jonah or Mine
### Contact directory
Update your contact information in our
[Google address book](https://mail.google.com/mail/u/0/#contacts).
## Problems?
If you can get on [Slack][slack], send a message to us in our #general
channel, and any one of us will happily help you out. Otherwise, get
in touch with Walter or Mine.
[slack]: https://olindata.slack.com
[bamboo]: https://olindata.bamboohr.co.uk
[gitlab]: https://gitlab.olindata.com
\ No newline at end of file
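Review bot: this file keeps both sides of the merge without markers: 'Check that you have a Google account -> alias@olindata.com' and '- you have a company Google account -> alias@olindata.com' say the same thing, the `[Slack][slack]`, `[BambooHR][bamboo]`, `[OD Gitlab][gitlab]` list duplicates the `- you have access to ...` list above it, and '## Extra:' with '- please make sure to update your BambooHR profile ...' duplicates '### BambooHR'. Pick one version per section. Note also that Slack, BambooHR and Trello are listed as SSO with the Google account while the GitLab line says to create an account using alias@olindata.com; if that is a separate local password rather than Google SSO, say so explicitly, because the account and password policy in this change treats non-federated accounts differently (unique password kept in a password manager).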
<<<<<<< HEAD
# Introduction
Since most of us are away on engagements, we don’t always get to see each other a lot. We feel that it is important for us as a team to spend time together to bond, learn and inspire each other. If we’re going to spend time together we need to make sure this is done in a meaningful manner because time is a commodity that should be well spent. This page explains a few of the things we’re doing to achieve this.
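Review bot: `<<<<<<< HEAD` on the first line is an unresolved merge-conflict marker; the rest of this file alternates HEAD and origin copies of every section separated by `=======` and `>>>>>>> origin`, and all of it will be rendered into the handbook. Resolve by keeping one version per section (the wrapped origin text is the more complete one; it has the calendar link where HEAD still has an `<insert link>` placeholder) and delete the markers.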
......@@ -12,9 +13,50 @@ By doing this we hope to create an atmosphere where people can easily collaborat
We are an incredibly diverse and highly experienced team. While on assignment, and during our OD-days we learn, and create amazing things. To inspire and teach each other we will organize a sharing activity every week. We all have something to share! So everyone is required to present something once every cycle.
We will publish a schedule here: <insert link>. In preparation of this event we’d like you to come up with a subject at least a week in advance. If you have any trouble thinking of something, or need help preparing a talk don’t hesitate to ask for help from any of your colleagues.
There aren’t much restrictions to what you can present, but the talk should preferably be at least 15 minutes unless there is good reason not to. A good session should take 30-45 minutes in total, with a maximum of an hour.
=======
Since most of us are away on engagements, we don’t always get to see
each other a lot. We feel that it is important for us as a team to
spend time together to bond, learn and inspire each other. If we’re
going to spend time together we need to make sure this is done in a
meaningful manner because time is a commodity that should be well
spent. This page explains a few of the things we’re doing to achieve
this.
# Doing OD-day work
At OlinData we have the 20% [policy](./20percent.md) , which allows
you discretionary time to spend on things that are valuable to your
professional development, the company or otherwise. Unless the nature
of this work prevents you from doing so, we’d like you to do your
OD-day work at the office. By doing this we hope to create an
atmosphere where people can easily collaborate and ask each other for
help while building a team feeling by being physically in the same
space.
# Knowledge sharing
We are an incredibly diverse and highly experienced team. While on
assignment, and during our OD-days we learn, and create amazing
things. To inspire and teach each other we will organize a sharing
activity every week. We all have something to share! So everyone is
required to present something once every cycle.
The schedule is managed in this shared google calendar:
https://calendar.google.com/calendar/embed?src=olindata.com_al1t8ln0iqmolkkd9diqi4jm3c%40group.calendar.google.com&ctz=Europe%2FAmsterdam
In preparation of this event we'd like you to come up with a subject
at least a week in advance. If you have any trouble thinking of
something, or need help preparing a talk don’t hesitate to ask for
help from any of your colleagues. There aren’t much restrictions to
what you can present, but the talk should preferably be at least 15
minutes unless there is good reason not to. A good session should take
30-45 minutes in total, with a maximum of an hour.
>>>>>>> origin
# Weekly overview
<<<<<<< HEAD
As a company, we are growing there is more- and more going on in the company every month.
While we are at assignments it is hard to keep track of what everyone is working on and what we are achieving as a company.
With so much going on, it is easy to miss out on learning moments and things to celebrate.
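Review bot: the HEAD copy of 'Knowledge sharing' still reads 'We will publish a schedule here: <insert link>' while the origin copy below `=======` links the shared Google calendar; keep the origin copy and remove the `=======` / `>>>>>>> origin` markers, which otherwise render as a horizontal rule and a blockquote. In both copies 'There aren't much restrictions' should be 'There aren't many restrictions'. `# Weekly overview` is followed directly by `<<<<<<< HEAD`, so that section has the same unresolved-conflict problem.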
......@@ -43,8 +85,71 @@ We should come up with a way to celebrate our victories, let’s come up with so
If we’re in the office together at the same time, we might as well have lunch together.
Groceries are bought on Wednesday, so if you’re not going to be in on Friday, please let us know before then. Otherwise we’re assuming that you’ll be there.
If you have any food allergies or preferences please let us know before than so we can take these into account.
=======
As a company, we are growing there is more- and more going on in the
company every month. While we are at assignments it is hard to keep
track of what everyone is working on and what we are achieving as a
company. With so much going on, it is easy to miss out on learning
moments and things to celebrate. To increase transparency within the
company and create a shared feeling of progress we are having a weekly
company overview.Even though initially this might sound boring, that
is the opposite of what we want to achieve.
## Standup
To ensure that we spend our time effectively we should keep the
conversation short- and to the point. A tool that we could benefit
from greatly is the standup form. By having a standup that is limited
to a maximum of 15 minutes we are forced to focus on what’s important.
During this stand up everyone has a short timespan to talk about what
they’ve achieved since the last time; What they are going to do, and
anything that is hindering them from achieving their goal. This can be
anything:
- Something you’re working on at a client.
- What you’re working on during your OD-day.
- What you’re trying to learn.
- Some internal project.
- Anything you find relevant.
Keep in mind that we have a total of 15 minutes, so asking a question
is fine, but if this goes too far in depth you will be asked to
discuss it after the meeting.
## Celebrating achievements
By beginning the process of talking about what we’re doing and
achieving in- and for the company, we will discover many reasons for
celebration. Be it big- or small! We should come up with a way to
celebrate our victories, let’s come up with something together!
# Shared lunches
> There is little man bonds over more, than having a shared meal
Jonah, 2018
If we’re in the office together at the same time, we might as well
have lunch together. Groceries are bought on Wednesday, so if you’re
not going to be in on Friday, please let us know before then.
Otherwise we’re assuming that you’ll be there. If you have any food
allergies or preferences please let us know before than so we can take
these into account.
>>>>>>> origin
# Being present
<<<<<<< HEAD
We assume everyone to be there on Fridays, but if you can’t make it this is totally fine. We do expect this to be for good reason. We’re all responsible adults, so we trust you to make the right decision.
It is important that you communicate your availability if you’re not coming.
=======
We assume everyone to be there on Fridays, but if you can’t make it
this is totally fine. We do expect this to be for good reason. We’re
all responsible adults, so we trust you to make the right decision. It
is important that you communicate your availability if you’re not
coming.
>>>>>>> origin
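Review bot: `=======`, `>>>>>>> origin` and `<<<<<<< HEAD` markers remain around 'Weekly overview', 'Shared lunches' and 'Being present'; keep one copy of each section and remove the markers. In the origin copy 'company overview.Even though' is missing a space, and 'let us know before than' should be 'before then' (both copies of the lunch paragraph). The attribution 'Jonah, 2018' sits outside the `>` blockquote, so it renders as a separate paragraph; write it as '> -- Jonah, 2018' inside the quote.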
......@@ -15,11 +15,10 @@ If you're moving to the Netherlands as part of joining OlinData, please read onb
When you start with OlinData, we'll assign you a buddy from the existing team. This person will be your first point of contact for the first month so you have a specific person to ask whatever question you have.
### Setup Personal Profile
All employees have to setup their personal profile in BambooHR and OlinData website.
* BambooHR: you'll receive an invite for BambooHR, which is where we keep all HR related information. Please make an effort to fill your information out as complete as possible.
* [OlinData Website](http://www.olindata.com/user/login):
1. Sign in using your account given and create your own password
2. Click on “Edit” button. You will be directed to a page to fill in your basic information in each column accordingly, upload your photo and write a short biography about yourself.
3. Click “Save” at the bottom left after complete.
### First day
On your first day, go through the the [first day checklist](first-day.md).
### Extra:
You can
[integrate your OD Google Calendar with Slack](https://get.slack.help/hc/en-us/articles/206329808-Connect-Google-Calendar-to-Slack),
to receive notifications about your events directly in Slack
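Review bot: 'go through the the [first day checklist]' has a doubled 'the', and 'to receive notifications about your events directly in Slack' needs a full stop. The 'Setup Personal Profile' steps (BambooHR invite, website sign-in, Edit, Save) appear both in this file and in first-day.md in this commit; keep them in one place and link from the other. The '### Extra:' heading carries a trailing colon that the neighbouring '### First day' does not; drop it.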
......@@ -18,6 +18,8 @@ The office is a space we will have to share so it is important to be mindful of
- No smoking inside the office
- Make sure you don´t have an overpowering odor (good or bad)
- Be weary with loud or smelly food
- Be careful with playing music loudly. If you want to listen to loud music please use headphones.
- Be careful with the oven. Seriously.
### Etiquette
- Respect co-worker´s and company´s property
......@@ -27,11 +29,9 @@ The office is a space we will have to share so it is important to be mindful of
### Handeling Conflicts
As said before the office is a shared space. We hope no conflicts will arise. If there are any issues that could cause conflicts to arise, please try to resolve the issue in a mindful manner. If this does not work talk to Walter, Jonah or Mine.
## Suggesting changes or improvements
The office is a new environment for all of us. If you have any idea´s to improve the workspace or want to see change in something go and talk to Walter, Mine or Noor.
## Requesting Equipment
We are arranging an IT asset management program in which we can see what assets we have and where you can request or maybe already find the items you need. Until that is arranged go to Walter, Mine or Noor to request equipment.
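Review bot: typos in the changed and context lines: 'Be weary with loud or smelly food' should be 'Be wary of loud or smelly food', '### Handeling Conflicts' should be 'Handling Conflicts', and the acute accent in 'don´t', 'co-worker´s', 'company´s' and 'idea´s' should be an apostrophe ('ideas' takes none). 'Requesting Equipment' says an IT asset management program is still being arranged; the audit policy in this commit relies on self-assessment of individual assets, so once the inventory exists, point the audit policy at it as the source of truth.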
# Security policy
## OD Account and Password policy:
- for your company Google account, and all the other accounts that do not support federated access with Google, please make sure that you use secure, **unique** passwords, and keep them safe
using a password manager software ([LastPass](https://www.lastpass.com/), [Dashlane](https://www.dashlane.com/), [KeepPass](https://keepass.info/), etc.)
- passwords complexity:
- min 10 characters long (need to check with the Gsuite admin if this actually enforced, if not it should be enforced to 10 or better 12)
- contain uppercase characters
- contain lowercase characters
- contain base 10 digits (0 through 9)
- contain nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
- can't begin or end with a whitespace character
- [Google 2-step verification](https://www.google.com/landing/2step/) is enabled
on all OlinData Google accounts by default.
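Review bot: 'need to check with the Gsuite admin if this actually enforced, if not it should be enforced to 10 or better 12' is an open to-do inside the published policy; verify the G Suite setting and state the minimum that is actually enforced before merging. 'KeepPass' is 'KeePass'. The character list on the 'contain nonalphanumeric characters' line contains a backtick and `*` / `_` characters that markdown will interpret; wrap the list in inline code. The strongest control in this section is the last bullet (2-step verification on by default); since the complexity bullets apply only to accounts not federated with Google, say which of the tools in first-day.md that covers (GitLab, if it uses a local account).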
# Welcome to OlinData's Security Policy
Please keep in mind that we will consistently update this policy to make our practices on par with the most recent security trends and compliance standards.
We are open to listen to your suggestions and you are free to send contributions via merge requests.
All changes should be reviewed before commit.
--
OlinData SecOps Team
# Purpose
The purpose of this policy is to define web application security assessments within OlinData BV. Web application assessments are performed to identify potential or realised weaknesses as a result of inadvertent mis-configuration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of OlinData BV services available both internally and externally as well as satisfy compliance with any relevant policies in place.
# Scope
This policy covers all web application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at OlinData BV.
All web application security assessments will be performed by delegated security personnel either employed or contracted by OlinData BV. All findings are considered confidential and are to be distributed to persons on a “need to know” basis. Distribution of any findings outside of OlinData BV is strictly prohibited unless approved by Marcello, our Internal Security Officer.
Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited. Limitations and subsequent justification will be documented prior to the start of the assessment.
# Policy
1. Web applications are subject to security assessments based on the following criteria:
* New or Major Application Release – will be subject to a full assessment prior to approval of the change control documentation and/or release into the live environment.
* Third Party or Acquired Web Application – will be subject to full assessment after which it will be bound to policy requirements.
* Point Releases – will be subject to an appropriate assessment level based on the risk of the changes in the application functionality and/or architecture.
* Patch Releases – will be subject to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture
* Emergency Releases – An emergency release will be allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out. Emergency releases will be designated as such by the Chief Information Officer or an appropriate manager who has been delegated this authority.
1. All security issues that are discovered during assessments must be mitigated based upon the following risk levels. The Risk Levels are based on the OWASP Risk Rating Methodology. Remediation validation testing will be required to validate fix and/or mitigation strategies for any discovered issues of Medium risk level or greater.
* High – Any high risk issue must be fixed immediately or other mitigation strategies must be put in place to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the live environment.
* Medium – Medium risk issues should be reviewed to determine what is required to mitigate and scheduled accordingly. Applications with medium risk issues may be taken off-line or denied release into the live environment based on the number of issues and if multiple issues increase the risk to an unacceptable level. Issues should be fixed in a patch/point release unless other mitigation strategies will limit exposure.
* Low – Issue should be reviewed to determine what is required to correct the issue and scheduled accordingly.
1. The following security assessment levels shall be established by the InfoSec organisation or other designated organisation that will be performing the assessments.
* Full – A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide. A full assessment will use manual penetration testing techniques to validate discovered vulnerabilities to determine the overall risk of any and all discovered.
* Quick – A quick assessment will consist of a (typically) automated scan of an application for the OWASP Top Ten web application security risks at a minimum.
* Targeted – A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.
1. The current approved web application security assessment tools in use which will be used for testing are:
* Nessus
* OpenVas
* Burp Suite
* OWASP Zap
# Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
1. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
# Revision History
Please check the commit history for this file.
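Review bot: Medium and Low findings have no remediation deadline ('scheduled accordingly'), and an Emergency Release may 'carry the assumed risk until such time that a proper assessment can be carried out' with no time limit; add a target window per risk level and a deadline for the deferred assessment so the exception cannot become permanent. The approver roles are inconsistent: findings leave the company only with approval from 'Marcello, our Internal Security Officer', but emergency releases are designated by a 'Chief Information Officer', a role not defined anywhere else in this handbook. Remediation validation testing for Medium or greater is required in item 2 while the 'Targeted' level in item 3 is what performs it; link the two. Tool names: 'OpenVas' is OpenVAS and 'OWASP Zap' is OWASP ZAP.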
# Purpose
The purpose of this document is to serve as a guideline to all upcoming audits and it should be enforced at every assessment.
# Scope
This policy applies to all OlinData BV employees and affiliates.
# Policy
1. Periodic Audits
Twice a year a full audit will happen under the effort to maintain a sane ISMS and a safe environment. The periodic audits will also be used as an assessment point of the current state of the Business Continuity Plan and, if needed, serve as evidence of changes.
The Periodic Audits will cover the following:
1. State of the current active assets.
This assessment involves:
* Self-assessment and reporting of individual assets provided by OlinData BV or used to fulfil work in behalf of the company.
1. State of hosted applications and infrastructure.
This assessment involves:
* Evaluation of the current applied technology.
* Applied patches and corrections.
* Automated scanning/port-scanning.
* Manual testing.
1. State of vendors technology.
This assessment involves:
* Evaluation of the current vendors regarding recent incidents, breaches and 0-days.
* Evaluate the current environment and check which solutions could/should be removed from the ecosystem.
1. State of guidelines adherence.
This assessment involves:
* Check how compliant the company is to the general guidelines and assess possible improvements.
# Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
1. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
# Revision History
Please check the commit history for this file.
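Review bot: 'Self-assessment and reporting of individual assets' is the only check on active assets, and with the asset inventory still being arranged (office.md in this commit) there is nothing to reconcile the self-reports against; name the inventory as the source of truth once it exists. 'in behalf of the company' should be 'on behalf of', 'State of vendors technology' needs the possessive 'vendors'', and 'a sane ISMS' is clearer as 'a working ISMS'. The 'Policy Compliance' block (walk-thrus, video monitoring, business tool reports, ...) is copied verbatim into every policy in this commit; keep it once and reference it, so a change to the compliance process is made in one place.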
# Purpose
The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.
# Scope
This policy applies to all OlinData BV employees and affiliates.
# Policy
1. Algorithm Requirements
1. Ciphers in use must meet or exceed the set defined as "AES-compatible" or "partially AES-compatible" according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication [FIPS 140-2](https://csrc.nist.gov/publications/detail/fips/140/2/final), or any superseding documents according to the date of implementation. The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.
1. Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.
1. Signature Algorithms
| Algorithm | Key (min) | Additional Comment |
| ------------- |:-------------:| -----:|
| ECDSA | P-256 | Check the compliances involved before |
| RSA | 2048 | Must use the a secure padding |
| LDWM | SHA256 | Check the internal standard of usage |
1. Hash Function Requirements
In general, OlinData BV adheres to the [NIST Policy on Hash Functions](https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions).
1. Key Agreement and Authentication
1. Key exchanges must use one of the following cryptographic protocols: Diffie-Hellman, IKE, or Elliptic curve Diffie-Hellman (ECDH).
1. End points must be authenticated prior to the exchange or derivation of session keys.
1. Public keys used to establish trust must be authenticated prior to use. Examples of authentication include transmission via cryptographically signed message or manual verification of the public key hash.
1. All servers used for authentication must have installed a valid certificate signed by a known trusted provider.
1. All servers and applications using SSL or TLS must have the certificates signed by a known, trusted provider and completely avoid the usage of RC4-based certificates.
1. Key Generation
1. Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.
1. Key generation must be seeded from an industry standard random number generator (RNG). For examples, see NIST Annex C: Approved Random Number Generators for FIPS PUB 140-2. For more information see [cipherli.st][cipherlist]
# Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
1. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
# Revision History
Please check the commit history for this file.
[cipherlist]: https://cipherli.st
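Review bot: several requirements here cannot be checked as written. 'completely avoid the usage of RC4-based certificates' conflates the certificate with the cipher suite: RC4 is a cipher suite in the server's TLS configuration, not a property of a certificate, so the rule should read 'disable RC4 cipher suites', and SSL, named alongside TLS, should be disabled rather than permitted. In the signature table 'P-256' is a curve name, not a key size; 'Must use the a secure padding' should name the padding (PSS for RSA signatures, PKCS#1 v1.5 only for legacy interoperability); and LDWM is listed with 'SHA256' in the key column, which is a hash, not a key size, and LDWM is a hash-based signature draft that is not in the FIPS 140-2 approved algorithm list the paragraph above cites, so 'Check the internal standard of usage' should link that standard. The key-agreement item names Diffie-Hellman and ECDH but sets no minimum group size or approved curves, while the table sets 2048 for RSA; add the DH equivalent and the curves for ECDH. IKE is a protocol that uses DH rather than a key exchange algorithm itself. The table alignment row `:-------------:` / `-----:` right-aligns the comment column for no reason.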
# Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at OlinData BV. These rules are in place to protect the employee and OlinData BV. Inappropriate use exposes OlinData BV to risks including virus attacks, compromise of network systems and services, and legal issues.
# Scope
This policy applies to the use of information, electronic and computing devices, and network resources to conduct OlinData BV business or interact with internal networks and business systems, whether owned or leased by OlinData BV, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at OlinData BV and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with OlinData BV policies and standards, and local laws and regulation. Exceptions to this policy are documented at the compliance section.
This policy applies to employees, contractors, consultants, temporaries, and other workers at OlinData BV, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by OlinData BV.
# Policy
1. General Use and Ownership
    1. OlinData BV proprietary information stored on electronic and computing devices, whether owned or leased by OlinData BV, the employee or a third party, remains the sole property of OlinData BV. You must ensure through legal or technical means that proprietary information is protected in accordance with the Data Protection Standard.
    1. You have a responsibility to promptly report the theft, loss or unauthorised disclosure of OlinData BV proprietary information.
    1. You may access, use or share OlinData BV proprietary information only to the extent it is authorised and necessary to fulfil your assigned job duties.
    1. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such guidelines, or if there is any uncertainty, employees should consult their supervisor or manager.
    1. For security and network maintenance purposes, authorised individuals within OlinData BV may monitor equipment, systems and network traffic at any time, per Infosec's Audit Policy.
    1. OlinData BV reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
1. Security and Proprietary Information
    1. All mobile and computing devices that connect to the internal network must comply with the Minimum Access Policy.
    1. System level and user level passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure your credentials, is prohibited.
    1. All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 3 minutes or less. You must lock the screen or log off when the device is unattended.
    1. Postings by employees from an OlinData BV email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of OlinData BV, unless the posting is in the course of business duties.
    1. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.
    1. Security patches should be applied as soon as they are made available by the hardware/application vendor. The patching routine will be closely monitored by the Infosec Team.
#### Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of OlinData BV authorised to engage in any activity that is illegal under local, national or international law while utilising OlinData BV-owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
1. System and Network Activities
The following activities are prohibited unless they fall under the job-responsibility exemption described above:
    1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by OlinData BV.
    1. Unauthorised copying of copyrighted material including, but not limited to, digitisation and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which OlinData BV or the end user does not have an active license.
    1. Accessing data, a server or an account for any purpose other than conducting OlinData BV business, even if you have authorised access.
    1. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
    1. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
    1. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
    1. Using an OlinData BV computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
    1. Making fraudulent offers of products, items, or services originating from any OlinData BV account.
    1. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
    1. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorised to access, unless this is within the scope of the employee's regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
    1. Port scanning or security scanning is expressly prohibited unless Infosec has been notified in advance.
    1. Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
    1. Circumventing user authentication or security of any host, network or account.
    1. Introducing honeypots, honey-nets, or similar technology on the OlinData BV network.
    1. Interfering with or denying service to any user other than the employee's host (for example, a denial of service attack).
    1. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
    1. Providing information about, or lists of, OlinData BV employees to parties outside OlinData BV.
1. Email and Communication Activities
When using company resources to access and use the Internet, users must realise they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company". Questions may be addressed to the IT Department.
    1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
    1. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
    1. Unauthorised use, or forging, of email header information.
    1. Solicitation of email for any email address other than that of the poster's account, with the intent to harass or to collect replies.
    1. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
    1. Use of unsolicited email originating from within OlinData BV's networks or other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by OlinData BV or connected via OlinData BV's network.
    1. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
1. Blogging and Social Media
    1. Blogging by employees, whether using OlinData BV’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of OlinData BV’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate OlinData BV’s policy, is not detrimental to OlinData BV’s best interests, and does not interfere with an employee's regular work duties. Blogging from OlinData BV’s systems is also subject to monitoring.
    1. OlinData BV’s Confidential Information policy also applies to blogging. As such, employees are prohibited from revealing any OlinData BV confidential or proprietary information, trade secrets or any other confidential material arising from customer-specific activities when engaged in blogging.
    1. Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of OlinData BV and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by OlinData BV’s Non-Discrimination and Anti-Harassment policy.
    1. Employees may also not attribute personal statements, opinions or beliefs to OlinData BV when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of OlinData BV. Employees assume any and all risk associated with blogging.
    1. Employees may also not use copyrighted material belonging to OlinData BV or any of its affiliates when engaging in personal blogging.
# Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
1. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
# Revision History
Please check the commit history for this file.
# Purpose
The purpose of this policy is to establish the minimum requirements for maintaining a “clean desk” – where sensitive/critical information about our employees, our intellectual property, our customers and our vendors is secure in locked areas and out of sight. A Clean Desk policy is not only a control expected by ISO 27001/27002 (formerly ISO 17799), but it is also part of standard basic privacy controls.
# Scope
This policy applies to all OlinData BV employees and affiliates.
# Policy
1. Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.
1. Computer workstations must be locked when workspace is unoccupied.
1. Computer workstations must be restarted at the end of the work day.
1. Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day.
1. File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended.
1. Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.
1. Laptops must be either locked with a locking cable or locked away in a drawer.
1. Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
1. Printouts containing Restricted or Sensitive information should be immediately removed from the printer.
1. Upon disposal, Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the locked confidential disposal bins.