Policies & Procedures
Security Staff Policy
The security staff policy provides guidelines to the security personnel of AGBI to prevent unauthorized people from getting inside the office.
Visitor’s Policy
The Visitor’s Policy contains proper guidelines on how to deal with visitors of AGBI, such as what the visitor must provide to the guard, what they are not allowed to do, and the protocol they must follow at all times.
Sleeping Quarter’s Policy
Sleeping Quarter’s Policy provides details on the proper usage of AGBI’s sleeping quarters.
Office Policy
The Office Policy provides guidelines on what an employee or client must and must not do inside the office. The Office Policy was established to ensure the confidentiality and privacy of data being processed in the office.
Clean as You Go (CLAYGO) Policy
The Clean as You Go or CLAYGO Policy instructs employees and clients to maintain the cleanliness and hygiene of the workplace at the highest standards.
E-waste Policy
The E-waste Policy is implemented in order to provide clear guidelines on how to handle e-waste and to reduce the organization’s production of it. The Policy includes the Collection and Awareness Plan to educate employees on handling e-waste.
Appropriate IT Use Policy
Preserving the access to information resources is a system-wide effort that requires each department to act responsibly and guard against abuses. Therefore, the AGBI and its users have an obligation to abide by the following standards of appropriate and ethical use:
- Use only those IT resources for which you have authorization
- Protect the access and integrity of IT resources
- Abide by applicable local, federal laws, company policies and respect the copyrights and intellectual property rights of others, including the legal use of copyrighted material
- Use IT resources only for their intended purpose
- Respect the privacy and personal rights of others
- Zero tolerance to piracy
- Do no harm
Failure to comply with the appropriate use of these resources threatens the atmosphere for the sharing of information, the free exchange of ideas, and the secure environment for creating and maintaining information property, and subjects one to discipline. Any user of any AGBI system found using IT resources for unethical and/or inappropriate practices has violated this policy and is subject to disciplinary proceedings including suspension of system privileges, termination of employment and/or legal action as may be appropriate. Although all members of the AGBI have an expectation of privacy, if a user is suspected of violating this policy, his or her right to privacy may be superseded by the AGBI’s requirement to protect the integrity of IT resources, the rights of all users, and the property of the AGBI.
AGBI reserves the right to examine material stored on or transmitted through its resources if there is cause to believe that the standards for appropriate use are being violated by a participant organization, user, or a trespasser onto its systems or networks.
Computing Devices Hardware and Software Guidelines
- All computing devices will run Company-approved antivirus software and its auto updating agent, if available.
- Every computing device will run an official operating system that is updated at the regular defined cycle, unless there is reason not to upgrade to the latest patches. This will be Windows 7 for all operations and Windows 10 for newly deployed workstations and laptops.
- It is unacceptable to run unlicensed copies of software on any Company machine. Non-compliance will lead to disciplinary action.
- Because not everyone is technically knowledgeable to ensure that computers are properly maintained, automatic processes and/or designated personnel may be dispatched to perform these updates.
- Every computer will be protected by an operating system password, and password protected computer lock that activates after 3 minutes of inactivity. Passwords must be changed every 45 days.
- Computer workstations and network resources shall be used only for work-related activities. Non-work-related usage of the computing device is prohibited. Websites and Social media sites may be blocked by management if deemed unnecessary for work.
Operating system and anti-virus updates must be automated so they require minimal input from the end user.
All machines that are compromised must have their disks reformatted and the operating system and other programs reinstalled from scratch. When the machine is rebuilt, it must not be deployed until all software patches have been applied. Rebuilding computers from scratch is the only way to guarantee that all hacker-written software is removed.
The Company employs various measures to protect the security of its computing resources and its users’ accounts. Users should be aware, however, that the Company cannot guarantee the absolute security and privacy of data stored on Company computing facilities. Users should therefore engage in safe computing practices including, but not limited to, establishing appropriate access restrictions to their accounts and not leaving their account logged on after they leave their station.
Users should not share any login information nor write it down on any medium. The confidentiality of passwords will be preserved. Users will change their password regularly and make sure the passwords used are strong. They will also encrypt and back up critical files when appropriate.
When disposing of computers, servers or other hardware, AGBI will totally wipe all data on these devices. As much as possible, a complete reformat is to be executed. If there are no major financial drawbacks, the data carriers should be physically destroyed.
Removable media, portable storage devices
Unauthorized USB drives, portable storage devices are not allowed inside the production area. Authorized USB drives and other storage devices (CD/DVD) are only allowed to be handled by IT personnel. Non-IT personnel shall request the assistance of IT personnel when they require the use of portable storage devices.
When no longer required, USB drives will be formatted, and CDs, DVDs, disposable media shall be destroyed.
Use of AGBI IT resources is granted based on acceptance of the following specific responsibilities:
Use only those computing and IT resources for which you have authorization. For example, it is a violation:
- To use resources you have not been specifically authorized to use
- To use someone else’s account and password or share your account and password with someone else
- To access files, data, or processes without authorization
- To purposely look for or exploit security flaws to gain system or data access
Protect the access and integrity of computing and IT resources. For example, it is a violation:
- To use excessive bandwidth
- To release a virus or a worm that damages or harms a system or network
- To prevent others from accessing an authorized service
- To send email that may cause problems and disrupt service for other users
- To attempt to deliberately degrade performance or deny service
- To corrupt or misuse information
- To alter or destroy information without authorization
Abide by applicable laws and AGBI policies and respect the copyrights and intellectual property rights of others, including the legal use of copyrighted software. For example, it is a violation:
- To download, use or distribute copyrighted materials, including pirated software or music or videos or games
- To make more copies of licensed software than the license allows
- To operate and participate in pyramid schemes
- To upload, download, distribute, or possess pornography
Use computing and IT resources only for the intended purposes. For example, it is a violation:
- To use computing or network resources for advertising or other commercial purposes
- To distribute copyrighted materials without express permission of the copyright holder
- To send forged email
- To misuse communications software to allow users to hide their identity, or to interfere with other systems or users
- To send terrorist threats or “hoax messages”
- To send chain letters
- To intercept or monitor any network communications not intended for you
- To attempt to circumvent security mechanisms
- To use privileged access for other than official duties
- To use former privileges after transfer or termination, except as stipulated by the AGBI Policies and Procedures
Respect the privacy and personal rights of others. For example, it is a violation:
- To use electronic resources for harassment or stalking other individuals
- To tap a phone line or run a network sniffer or vulnerability scanner without authorization
- To access or attempt to access other individuals’ passwords or data without explicit authorization
- To access or copy another user’s electronic mail, data, programs, or other files without permission
- To disclose information about employees in violation of AGBI Guidelines
System and Network Administrator Responsibilities
System Administrators and providers of AGBI computing and IT resources have the additional responsibility of ensuring the confidentiality, integrity, and availability of the resources they are managing. Persons in these positions are granted significant trust to use their privileges appropriately for their intended purpose and only when required to maintain the system. Any private information seen in carrying out these duties must be treated in the strictest confidence, unless it relates to a violation or the security of the system.
Be aware that although computing and IT providers throughout the AGBI are tasked with preserving the integrity and security of resources, security sometimes can be breached through actions beyond their control. Users are therefore urged to take appropriate precautions such as:
- Safeguarding their account and password
- Taking full advantage of file security mechanisms
- Backing up critical data on a regular basis
- Promptly reporting any misuse or violations of the policy
- Using virus scanning software with current updates
- Using personal firewall protection
- Installing security patches in a timely manner
Every user of AGBI IT resources has an obligation to report suspected violations of the above guidelines or of the Appropriate Use Policy for Computing and IT Resources. Reports should be directed to IT Management.
Bring Your Own Device Policy
Personal-owned devices are not allowed unless approval has been granted by the AGBI management. This policy establishes the standards and procedures for end users who are connecting personally-owned devices to AGBI network for business purposes.
The purpose of this standard is to prevent AGBI data from being deliberately or inadvertently stored insecurely on a device or carried over an insecure network where it could potentially be accessed by unauthorized parties. Therefore, all users employing a personally-owned device connected to an AGBI network, and/or capable of backing up, storing, or otherwise accessing AGBI data of any type, must adhere to AGBI-defined policies, standards, and processes.
This standard applies to all AGBI employees. Such access to these data is a privilege, not a right, and forms the basis of a trust the AGBI has built with its clients, vendor partners and other constituents. Consequently, AGBI employment does not automatically guarantee the initial or ongoing ability to use these devices to gain access to AGBI networks and information. This standard applies to any hardware and related software that is not owned or supplied by AGBI, but could be used to access AGBI resources. This includes devices that employees have acquired for personal use, but also wish to use in the business environment. It includes any personally-owned device capable of inputting, processing, storing and outputting AGBI data.
Employees using personally-owned devices, software, and/or related components to access AGBI data will ensure such devices employ some sort of device access protection such as, but not limited to, passcode, facial recognition, card swipe, etc. This approval should be granted by the IT Management with sign off from the General Operations Manager and acknowledgement from the employee’s direct supervisor. This will require furnishing of the BYOD Employee Declaration Form.
- Employees using prior-approved personally-owned devices and related software shall make every attempt to keep these devices and related software protected.
- Passwords and/or other sensitive data will not be stored unencrypted on devices.
- Employees acknowledge and confirm to have all AGBI-sensitive data permanently erased from their personally-owned devices once their use is no longer required.
- Employees agree to and accept that their access to AGBI networks may be monitored to identify unusual usage patterns or other suspicious activity. This monitoring is necessary to identify accounts/computers that may have been compromised by external parties.
- Employees will immediately report to their managers any incident or suspected incidents of unauthorized data access, data or device loss, and/or disclosure of system or participant organization resources as it relates to personally-owned devices.
- Managers will immediately report such incidents to the IT Helpdesk Team for incident management.
Device and Application Support
- Personally-owned devices and software are not eligible for support from AGBI departments.
- Employees will make no modifications to personally-owned hardware or software that circumvents established AGBI security protocols in a significant way; e.g., replacing or overriding the operating system or “jail-breaking.”
Mobile Device Policy
Personal mobile devices are not allowed in the operations area.
Company mobile devices are required to be secured with at least a 4-digit pin code or more advanced locking mechanism.
Also, refer to the Appropriate IT Use Policy.
The following should be observed when an employee is working and/or accessing company data outside the office premises:
- All computing devices should have the basic standard build as stated in the IT Standard Build Document.
- Users are required to sign an asset accountability form for devices that they will be bringing out of the office premises.
- It is the user’s responsibility to maintain confidentiality of information contained within his/her device. Printing, copying, sharing of company data to unauthorized personnel will result in disciplinary action.
- Upon request and approval, authorized users and devices may connect to the company network using a VPN client.
- Computing devices are not to be left unattended in public places.
- A software firewall (such as Sophos or Windows Firewall) should be turned on and configured for the minimal access necessary to perform normal work.
- Public Wi-Fi hotspots should be avoided if possible. Great caution should be used when connecting to non-AGBI operated networks.
- Refer to Appropriate IT Use Policy.
- Non-company owned devices are not allowed to connect to the organization’s network unless requested and approved by management.
System Configuration Policy
Standardized configuration settings allow information systems and information system components to be consistently deployed in an efficient and secure manner. Without standardized configuration settings the potential exists that information systems may be deployed that fail to meet the security requirements of AGBI, or that compromise the security requirements of other information systems with which they interconnect.
This Systems Configuration Policy applies to all information systems and information system components of AGBI. Specifically, it includes desktops, laptops and other devices that provide distributed computing capabilities.
- A standardized configuration, or baseline, will be established and maintained for all information systems. These baselines will indicate the specifications of information system components (hardware, firmware, software), their relationship, and their ownership. See Standard Build Document.
- An asset inventory of information system components will be maintained. The inventory will be updated whenever a new information system or information system component is implemented, or when an old one is retired. See Asset Management section.
Access Control Policy
Access to systems and information is controlled using Active Directory with group policy management. Additional network, shared folder, and system access is controlled using security permissions, is managed manually by the IT team, and requires management approval before access is granted.
Employee’s access permissions will be configured based on the information that IT receives in the RIRO process. This information will include access and restrictions to systems, information, and physical access to office areas.
User Access Cleanup Policy
The user access cleanup policy increases the likelihood that only authorized personnel can access the appropriate systems. This policy applies to all IT systems with access rights. The IT Department shall, on a quarterly basis, retrieve from HR an updated list of employees and their authorized access rights.
The IT Department shall cross-check this list with the current Active Directory accounts and make sure that the updated list is followed. In addition, accounts that are found to have been inactive for 14 days or more will also be deactivated.
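The quarterly cross-check described above, as an added example (not AGBI's own tooling): it takes the HR list of authorized groups and a constructed snapshot of directory accounts, flags enabled accounts that are missing from the HR list or idle for 14 days or more, and lists the group memberships that must be removed or added so the directory matches HR. The user IDs, group names and dates are constructed sample data.

```python
from datetime import date, timedelta

# Added example (not AGBI's own code): a quarterly access-review check.
INACTIVITY_LIMIT = timedelta(days=14)   # "inactive for 14 days or more"

# Authorized access rights as retrieved from HR: user ID -> groups allowed.
# Constructed sample data.
HR_LIST = {
    "johnr":  {"Domain Users", "Finance-Share"},
    "mariac": {"Domain Users"},
    "jreyes": {"Domain Users", "Client-Portal"},
}
# Snapshot exported from the directory: user ID -> current state.
# Constructed sample data.
AD_ACCOUNTS = {
    "johnr":    {"groups": {"Domain Users", "Finance-Share", "Domain Admins"},
                 "last_logon": date(2024, 1, 30), "enabled": True},
    "mariac":   {"groups": {"Domain Users"},
                 "last_logon": date(2024, 1, 10), "enabled": True},
    "jreyes":   {"groups": {"Domain Users"},
                 "last_logon": date(2024, 1, 29), "enabled": True},
    "exstaff":  {"groups": {"Domain Users"},
                 "last_logon": date(2024, 1, 29), "enabled": True},
    "archived": {"groups": set(),
                 "last_logon": date(2023, 6, 1), "enabled": False},
}
TODAY = date(2024, 1, 31)   # constructed review date


def reconcile(hr_list, ad_accounts, today):
    """Return (to_disable, to_fix).
    to_disable: enabled accounts absent from the HR list or idle for
                INACTIVITY_LIMIT or longer.
    to_fix: user ID -> (groups to remove, groups to add) so that the
            directory matches the HR-authorized rights."""
    to_disable, to_fix = set(), {}
    for uid, acct in ad_accounts.items():
        if not acct["enabled"]:
            continue                      # already deactivated, nothing to do
        if uid not in hr_list:
            to_disable.add(uid)           # no authorized rights on record
            continue
        if today - acct["last_logon"] >= INACTIVITY_LIMIT:
            to_disable.add(uid)           # 14-day inactivity rule
        extra = acct["groups"] - hr_list[uid]
        missing = hr_list[uid] - acct["groups"]
        if extra or missing:
            to_fix[uid] = (extra, missing)
    return to_disable, to_fix


def audit():
    """Run the check on the constructed sample data."""
    return reconcile(HR_LIST, AD_ACCOUNTS, TODAY)


if __name__ == "__main__":
    disable, fix = audit()
    print("disable:", sorted(disable))
    for uid, (extra, missing) in sorted(fix.items()):
        print(f"{uid}: remove {sorted(extra)}, add {sorted(missing)}")
```

On the sample data, "johnr" is flagged for an unauthorized "Domain Admins" membership, "jreyes" for a missing "Client-Portal" group, and "mariac" (idle 21 days) and "exstaff" (not on the HR list) are marked for deactivation.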
User ID and Password Policy
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. This policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any AGBI facility, has access to the AGBI network, or stores any non-public AGBI information.
- User IDs are designed to allow the quick identification of the account holder. The user ID of AGBI employees consists of the account holder’s first name and last name initial. All characters in the user ID are lowercase. As an example, a person named “John Reyes” would have the user ID “johnr”.
- The user ID of AGBI client employees consists of the account holder’s first name initial and last name. All characters in the user ID are lowercase. As an example, a person named “John Reyes” would have the user ID “jreyes”.
- For instances wherein two or more people would end up having the same user ID, a small modification of the User Name portion of the ID is made.
- User IDs are created for every user in AGBI. IDs should never be shared among users for any reason. To do so will result in an inability to determine with certainty who was responsible for any action in the system, whether it be modifying a file or accessing the Internet.
- All passwords shall be treated as sensitive, confidential information and shall not be shared with anyone including, but not limited to, administrative assistants, system administrators and helpdesk personnel.
- Passwords shall not be stored in clear text.
- Users shall not write passwords down or store them anywhere in their office or publicly. They shall not store passwords in a file on any computer system, including smart devices, without encryption.
- Administrative-level passwords shall be changed every ninety (90) days.
- User-level passwords shall be changed every forty-five (45) days.
- System-level (system-to-system or non-interactive service account) passwords shall be changed after a significant event (e.g., administrator departure, or a suspected or actual compromise).
- User accounts that have system-level privileges granted through group memberships or programs shall have a unique password from other accounts held by that user.
- Passwords shall not be inserted into email messages or other forms of electronic communication unless encrypted.
- If an account or password is suspected of being compromised, the incident must be reported to the appropriate authorities in accordance with local incident response procedures.
- Temporary or “first use” passwords (e.g., new accounts or guests) must be changed the first time the authorized user accesses the system, and have a limited life of inactivity before being disabled.
- Access to all AGBI information systems and applications used to process, store, or transfer data with a security categorization of CONFIDENTIAL or higher shall require the use of strong passwords or other strong authentication mechanisms.
Strong passwords shall be constructed with the following characteristics:
- The password contains at least eight characters
- Must contain characters from at least two of the following four types of characters:
- English upper case (A-Z)
- English lower case (a-z)
- Numbers (0-9)
- Non-alphanumeric special characters ($, !, %, ^, …)
- Must not contain the user’s name or part of the user’s name
- Must not contain easily accessible or obvious personal information about the user or user’s family, such as birthdays, children’s names, addresses, etc.
- The password is not a common usage word such as:
- Names of family, pets, friends, co-workers, fantasy characters, etc.
- Computer terms and names, commands, sites, companies, hardware, software.
- The words “Anderson”, “group”, “login”, “manila” or any derivation
- Birthdays and other personal information such as addresses and phone numbers.
- Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Any of the above spelled backwards.
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Password history must be enabled and configured so that a password cannot be reused within the last four (4) change cycles. Users and administrators must not be allowed to use the same password that has been used in the past four (4) changes. Users and administrators who have changed their user password or system password must not be allowed to change passwords again immediately. This prevents users and administrators from changing their passwords several times in succession to get back to their old passwords.
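The user ID scheme and the strong-password rules above, implemented as an added example (not AGBI's own code). It derives employee and client user IDs, and checks a candidate password for length, character classes, the banned words the policy lists, the user's own name and supplied personal details (forwards, backwards, and with a digit before or after), and repeat, keyboard-row and sequence patterns. The policy does not say what the "small modification" on a user ID collision is; appending the lowest free number is this example's assumption.

```python
import re
from typing import Iterable

# Added example (not AGBI's own code). Words the policy lists as never
# allowed; the user's own name and personal details are added per call.
BANNED_WORDS = {"anderson", "group", "login", "manila"}
CHAR_CLASSES = (re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
                re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))
# Sequences and keyboard rows, with the run length that counts as a pattern
# (3 for digits, 4 for letters to avoid flagging ordinary words).
SEQUENCES = (("0123456789", 3), ("abcdefghijklmnopqrstuvwxyz", 4),
             ("qwertyuiop", 4), ("asdfghjkl", 4), ("zxcvbnm", 4))


def make_user_id(first: str, last: str, is_client: bool, taken: set) -> str:
    """Employees: first name + last-name initial ("johnr"); client employees:
    first-name initial + last name ("jreyes"); always lowercase.
    Collision handling (append the lowest free number) is an assumption."""
    first, last = first.strip().lower(), last.strip().lower()
    base = first[0] + last if is_client else first + last[0]
    candidate, n = base, 2
    while candidate in taken:
        candidate = f"{base}{n}"
        n += 1
    taken.add(candidate)
    return candidate


def has_pattern(s: str) -> bool:
    """Detect patterns such as aaabbb, qwerty, zyxwvuts, 123321: a character
    repeated three times in a row, or a run along a sequence or keyboard row
    in either direction."""
    s = s.lower()
    if re.search(r"(.)\1\1", s):
        return True
    for row, width in SEQUENCES:
        for i in range(len(s) - width + 1):
            chunk = s[i:i + width]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def check_password(pw: str, first: str, last: str,
                   personal: Iterable[str] = ()) -> list:
    """Return the policy rules the password violates (empty = acceptable).
    'personal' carries details such as birthdays or children's names."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if sum(1 for cls in CHAR_CLASSES if cls.search(pw)) < 2:
        problems.append("fewer than two character classes")
    low = pw.lower()
    forbidden = {first.lower(), last.lower()} | BANNED_WORDS
    forbidden |= {w.lower() for w in personal}
    # A substring match also covers "secret1"/"1secret" (digit before or
    # after the word) and the word spelled backwards.
    for word in sorted(forbidden):
        if len(word) >= 3 and (word in low or word[::-1] in low):
            problems.append(f"contains forbidden word {word!r} or its reverse")
    if has_pattern(low):
        problems.append("contains a repeat, keyboard-row or sequence pattern")
    return problems


if __name__ == "__main__":
    taken = set()
    print(make_user_id("John", "Reyes", False, taken))   # johnr
    print(make_user_id("John", "Reyes", True, taken))    # jreyes
    print(make_user_id("John", "Rivera", False, taken))  # johnr2 (collision)
    print(check_password("johnr123", "John", "Reyes"))   # name + "123" pattern
    print(check_password("Tr0ub4dor&3", "John", "Reyes"))  # []
```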
Internet Usage Policy
As part of AGBI’s commitment to the utilization of new technologies, all our employees have access to the internet. To ensure compliance with copyright law and protect us from viruses or attacks on our servers, the following is observed:
- It is AGBI’s policy to limit internet access to official business. Employees are authorized to access the internet for personal business after-hours at minimal intervals of less than an hour via the internet kiosks provided in the pantry, in strict compliance with the other terms of this policy. The introduction of viruses, or malicious tampering with any computer system, is expressly prohibited. Any such activity will result in immediate termination of employment.
- Employees using AGBI accounts are acting as representatives of AGBI. As such, employees should act accordingly to avoid damaging the reputation of the organization.
- Files that are downloaded from the Internet must be scanned with Sophos before installation or execution. All appropriate precautions should be taken to detect a virus and, if necessary, to prevent it from spreading.
- The truth or accuracy of information on the Internet and in e-mail should be considered suspect until confirmed by a separate reliable source.
- Employees shall not place company material (copyrighted software, internal correspondence, etc.) on any publicly accessible internet computer without proper permission.
- Alternate Internet Service Provider connections to AGBI’s internal network are not permitted unless expressly authorized and properly protected by a firewall or other appropriate security devices.
- The internet does not guarantee the privacy and confidentiality of information. Sensitive material transferred over the internet may be at risk of interception by a third party. Employees must exercise caution and care when transferring such material in any form.
- Unless otherwise noted, all software on the Internet should be considered copyrighted work. Therefore, employees are prohibited from downloading software and/or modifying any such files without permission from the copyright holder.
- Any infringing activity by an employee may be the responsibility of the organization. Therefore, this organization may choose to hold the employee liable for the employee’s actions.
- AGBI reserves the right to inspect an employee’s computer system for violations of this policy.
Security Awareness and Training Policy
IT security controls are a vital part of our information security framework but are not in themselves sufficient to secure all our information assets. Effective information security also requires the awareness and proactive support of all workers, supplementing and making full use of the technical security controls. This is obvious in the case of social engineering attacks, security breaches and fraud, for example, which specifically target vulnerable humans rather than IT and network systems.
Lacking adequate information security awareness, workers are less likely to recognize or react appropriately to information security threats and incidents, and are more likely to place information assets in danger through ignorance and carelessness.
Whereas ‘awareness’ implies a basic level of understanding about a broad range of information security matters, ‘training’ implies more narrowly-focused and detailed attention to one or more specific topics. Training tends to be delivered through classroom or online courses, while awareness tends to be delivered by multiple communications methods such as seminars, case studies, written briefing and reference materials (for self-motivated study), posters and conversations. Awareness provides the foundation level of knowledge and understanding for training to build upon. In other words, security awareness and training are complementary approaches.
In order to protect information assets, all workers must be informed about relevant, current information security matters, and motivated to fulfill their information security obligations.
RFID Issuance Policy
Only selected employees will be issued RFID access. Most employees shall use their fingerprint for access.