Information Security Code of Conduct

Transcription

1 Information Security Code of Conduct IT s up to us >Passwords > Anti-Virus > Security Locks > & Internet >Software >Aon Information >Data Protection >ID Badges

2 > Contents Aon Information Security Policy...1 Information Security Awareness...2 Eight Steps to Security Passwords...4 Anti-Virus...5 Security Locks...6 Internet & Software...9 Aon Information...10 Data Protection ID Badges...12

3 > Aon Information Security Policy Chief Executive Officer s Introduction Aon relies on its information processing systems to conduct business. In order to ensure that these are adequately protected from unauthorised access or use, all employees, contractors, temporary employees and business partners must abide by these policies, procedures, and guidelines. Failure to do so may result in disciplinary action, including possible termination of employment and legal action. It is every user s responsibility to use Aon Limited and its associated companies computer resources and facilities responsibly, ethically, lawfully, and professionally. >Aon IT Security Policy Robert Brown Chief Executive Officer, Aon Limited It is every user s responsibility to use Aon Limited and its associated companies computer resources and facilities responsibly, ethically, lawfully, and professionally 1

4 >Inormation Security Awareness > Information Security Awareness 1 Always 2 Ensure 3 Laptops 4 Internet 5 Never 6 7 Protect 8 Eight Steps to Security select strong, secure passwords (a mix of alpha and numeric minimum 8 characters). Never share or write down your passwords. that anti-virus protection software is installed, up to date and operational on your PC or laptop. must be securely locked at all times by using security locking cables. Information which is highly confidential to Aon and stored on Aon laptops must be encrypted. and are to be used for business purposes only. Always delete any unsolicited (spam/junk) from unknown recipients. Never open non business-related attachments and don t distribute non business-related to anyone. install unauthorised software on Aon s PCs or laptops. Never attach unauthorised devices to Aon s IT networks, PCs or laptops. Never disclose Aon information without validating the identity of the requester. Ensure you are authorised to disclose the information. Aon s information in all its forms. Classify information. Lock away confidential material. Shred unwanted printed information. Operate a clear desk policy. Always wear your ID badge. Politely challenge those without Aon ID badges who are in Aon offices. Keep Aon premises secure and report any suspicious activity to Premises Security. 2

5 Warning regarding Monitoring of Aon Systems Aon monitors its IT systems. Abuse of Aon IT systems and information assets and failure to comply with company policy is a disciplinary offence which may result in termination of employment and/or legal action against the offender. >Information Security Awareness Storage of Personal Information on Aon IT Systems or Resources Aon s systems are for Aon business use and not for personal, non-business activities. If employees store personal information on Aon IT resources then Aon cannot guarantee that it will remain confidential. Employees are advised not to store this type of personal information on Aon s systems or resources. 3

6 >Eight Steps to Security > Eight Steps to Security Always select strong, secure passwords. Never share or write 1down your passwords. Why? Weak passwords are easy to crack. A weak password means our security can be broken and information disclosed, changed or deleted. You are issued with a personal user-id and password for your exclusive use. Aon s system audit trails makes you personally accountable for the use of your user-id. For this reason, you must never give your password to anyone, including IT staff*. Watch out for password scams when you receive an looking authentic requesting you to disclose your password. These are hoaxes but many Internet banking customers have been caught out by their own gullibility. 4 Make your password easy for you to remember but difficult for others to guess. To create a strong password : It must have at least 8 characters and a mix of alpha and numeric characters eg M0use#12 (using zero not the letter O in Mouse) Mix upper and lower cases Avoid using words in dictionaries or names or things which others may associate with you, eg children s names or dates of birth * Note: If you do have to disclose your pasword for IT support purposes then please change it afterwards to minimise risk of exposure Watch out for password scams when you receive an looking authentic requesting you to disclose your password.

7 Ensure that anti-virus protection software is installed, up to date and 2operational on your PC or laptop. Why? Virus and other malicious code is the most common source of major disruption to IT systems. Prevention is better than cure. Aon invests a lot of money and effort in anti-virus controls. It is imperative that employees help to maintain the effectiveness of these controls by doing the following: >Eight Steps to Security Never tamper with anti-virus software controls. These are normally locked down (ie cannot be edited) but please don t attempt to make changes if this is not the case Laptop users must check their anti-virus definitions are up to date on a regular basis (at least monthly). Visit the IT Intranet for instructions. ( Always read and act upon Information Security Services UK notifications regarding new virus threats Never stop the automatic download of new anti-virus definition files to your PC or laptop. Laptop users are advised to update these files when they are in Aon offices rather than via remote access Virus and other malicious code is the most common source of major disruption to IT systems. 5

8 >Eight Steps to Security Laptops must be securely locked at all times by using security locking cables. Information which is highly confidential to Aon and stored on laptops must be protected using the 3Aon encryption product. Why? Laptops are easy to steal or lose and contain lots of intellectual capital and Aon information, some of which may be confidential to our clients. All of our employees have a duty to protect Aon s information. Laptops must be protected in the following ways: Always lock the device using the locking cable provided. If you do not have a cable then order one immediately via the IT service desk (Extn 199 internal) Lock the laptop away at night in a secure cabinet if it is not required. Out of sight is out of mind Never leave laptops unattended in cars or hotels, while travelling. Secure them or keep them with you All of our employees have a duty to protect Aon s information. Always use PointSec encryption product if you have Aon highly confidential information on the laptop (that is information which could cause significant damage to Aon if it were disclosed (medical records, kidnap/ransom, merger and other Aon stock-related information not in the public domain). PointSec must be purchased from the IT Procurement Catalogue 6

9 Internet and are to be used for 4business purposes only. Why? is the preferred method for business and personal communications. However, all messages sent from Aon s systems carry the Aon name. Inappropriate damages Aon s reputation. For this reason Aon s system is for business use. Personal use is tolerated if in moderation and does not contain any inappropriate comment or material. The following rules apply: Do not send which contains inappropriate content or causes harassment (eg obscene or defamatory messages) If you receive inappropriate then delete the message preferably without opening it Only act upon information security warnings issued by Aon IT. There are many hoax warnings never forward these to anyone in Aon or externally. >Eight Steps to Security Never open non business-related file attachments. These could be new virus-infected files. Delete them immediately Do not forward jokes or chain letter s. These can cause significant waste of employee time and harassment to the recipients Only act upon Information Security warnings issued by Aon IT. Beware of hoax warnings. Never forward these to anyone in Aon or externally 7

10 >Eight Steps to Security Similarly, the Internet is a key business resource tool. The Internet must be used for business purposes and personal use must be kept to a minimum. The following rules apply: Never use the Internet in a way that may be offensive, disruptive or harmful to Aon s reputation. Personal surfing is only permitted if used in moderation, if appropriate sites only are accessed, and outside of core business hours (lunch break, before or after 18.00) Never attempt to access any offensive sites. Attempts to access inappropriate non business-related Internet sites are logged and you may have to explain your actions to your line manager Never use the Internet in a way that may be offensive, disruptive or harmful to Aon s reputation Never download any software including games and music files. This may be an infringement of copyright laws. Business tools and other applications need to be authorised by Aon IT before they may be used within Aon s environment Access to web mail/internet accounts such as hotmail and yahoo mail is prohibited. Webmail providers are considered high risk as they are often the source of virus infections 8

11 Never install unauthorised software or attach unauthorised devices to Aon IT 5resources or networks. Why? The use of unlicensed software on a computer is a criminal offence. It is easy to download software from the Internet or load personal software and not realise that the law is being broken. All software programs have terms and conditions, as set out by the software publisher or owner of the copyright and these must be adhered to and managed by Aon. Unauthorised devices may disrupt Aon s networks especially if they are infected with viruses or malicious code. >Eight Steps to Security The following rules apply: Never install any unauthorised software (including Freeware and Shareware) onto any of Aon s devices Games, music and non business related pictures must not be installed on any computer Never attach any unauthorised devices including mobile phones, PDAs (eg Palm or IPAQ) and other IT equipment. Contact your IT Helpdesk for further information Never install any unauthorised software onto any of Aon s devices. When storing data on USB hard drives you must ensure the data is secured (encrypted) to avoid exposure of company or client data eg use Winzip to encrypt data. Before connecting any USB hard drive to the Aon network ensure it is scanned for viruses Contact your IT Helpdesk for further information on how to do this or visit All software must be ordered and installed following Aon IT processes and procedures 9

12 >Eight Steps to Security Never disclose Aon information without validating the identity of the requester. Ensure it is appropriate to disclose the 6information. Why? Disclosing information to the wrong people can cause major damage to Aon. It can also be a breach of the Data Protection legislation. Please consult the Data Protection Policy on the Knowledge Exchange for further information. Disclosing information to the wrong people can cause major damage to Aon. The following rules apply: Verify the identity of the person requesting the information Ensure they have a valid reason and are authorised to obtain the information Trust your instincts. If you are suspicious, refer the request to your line manager 10

13 Protect Aon s information in all its forms. Classify information, lock away confidential material and shred unwanted information. Operate a clear 7desk policy. Why? Information comes in many forms (eg written, spoken and electronic media ) and it needs protecting as it is created, stored, utilised, communicated and finally deleted. This is the information life cycle. There is no point having expensive IT security controls to protect confidential information if our employees leave information unprotected on their desks, or throw material away without placing it in the Confidential Shredding sacks. The following rules apply: Classify information when it is created (Aon Internal, Aon Confidential, Aon Highly Confidential). Please refer to the Information Classification Matrix within the IT Security Policy ( home/info_security/policies/default.jsp) Store information appropriately. Lock away confidential material. >Eight Steps to Security Use footers to label documents, presentations and files with the Aon classifications. This helps others to know how to protect the information Operate a clear desk policy everyday Store information appropriately. Lock away confidential material Use confidential shredding facilities (bags or shredding machines). Always take personal responsibility for shredding Aon Highly Confidential information 11

14 >Eight Steps to Security Always wear your ID badge. Politely challenge those in Aon offices without Aon ID badges. Keep Aon premises secure and 8report suspicious activity. Why? Aon cannot protect your workplace if strangers are allowed into our offices without being challenged. Some Aon locations do not have ID badges but don t be afraid to ask politely who strangers are and if you can help them to verify that they are in the right place. The following rules apply: Don t let strangers in if they don t have a badge direct them to reception. If you work in a site where Aon ID badges are issued to all staff, you must wear your badge at all times. Don t let strangers in if they don t have a badge direct them to reception Report suspicious activity to Premises Security in London For the 55 Bishopsgate office call

15 It is every user s responsibility to use Aon Limited and its associated companies computer resources and facilities responsibly, ethically, lawfully, and professionally >IT Security Basics Guide For further information regarding Aon s information security controls, policies and procedures, please refer to Aon s Intranet Knowledge Exchange at:

16 Aon Limited 8 Devonshire Square London EC2M 4PL United Kingdom tel: +44 (0) fax: +44 (0) Published by Aon Limited. Registered office 8 Devonshire Square, London EC2M 4PL. Copyright Aon Limited All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any way or by any means, including photocopying or recording, without the written permission of the copyright holder, application for which should be addressed to the copyright holder. Aon Limited is authorised and regulated by the Financial Services Authority in respect of insurance mediation activities only. BC This document has been produced using a minimum of 50% recycled material from a sustainable forest.