Bramble Internal Acceptable Use Policy
SOC 2 Criteria: CC1.1, CC1.4, CC1.5, CC2.2, CC5.2
ISO 27001 Annex A: A.8.1.3, A.11.2.9, A.12.2.1, A.12.6.2
Keywords: Background Checks, Security Awareness Training, Hard Drive Encryption, Anti-Virus Software
Purpose
This policy specifies requirements related to the use of Brmbl.io resources and data assets by Bramble team members so as to protect our customers, team members, contractors, company, and other partners from harm caused by both deliberate and inadvertent misuse. Our intention in publishing this policy is to outline information security guidelines intended to protect Bramble assets, not to impose restrictions.
It is the responsibility of every member of our Community to interact with Brmbl.io resources and data in a secure manner and to that end we provide the following acceptable use standards related to computing resources, company and customer data, mobile and tablet devices, and removable and external media storage devices.
Additionally, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
Roles and Responsibilities
Bramble’s Privacy Officer is responsible for updating, reviewing, and maintaining this policy.
Scope of Acceptable Use Policy
This policy applies to all Bramble team-members, contractors, advisors, and contracted parties interacting with Brmbl.io resources and accessing company or customer data.
Policy
Bramble policy requires all workforce members to accept and comply with the Acceptable Use Policy. Bramble policy requires that:
- Background verification checks on all candidates for employees and contractors should be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.
- Employees, contractors and third party users must agree and sign the terms and conditions of their employment contract, and comply with acceptable use.
- Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures Bramble has in place. Employees will also have ongoing security awareness training that is audited.
- Employee offboarding will include reiterating any duties and responsibilities still valid after terminations, verifying that access to any Bramble systems has been removed, as well as ensuring that all company owned assets are returned.
- Bramble and its employees will take reasonable measures to ensure no corporate data is transmitted via digital communications such as email or posted on social media outlets.
- Bramble will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.
- A fair disciplinary process will be utilized for employees that are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether or not this was a first offense, training, business contracts, etc. Bramble reserves the right to terminate employees in the case of serious cases of misconduct.
Procedures
Bramble requires all workforce members to comply with the following acceptable use requirements and procedures, such that:
- All workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access. Use of Bramble computing systems is subject to monitoring by Bramble IT and/or Security teams.
- Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including company-provided and BYOD devices, unattended in public.
- Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.
- All email messages containing sensitive or confidential data will be encrypted.
- Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.
- All data storage devices and media must be managed according to the Bramble Data Classification specifications and Data Handling procedures.
Acceptable Use and Security Requirements of Computing Resources at Bramble
Bramble-managed assets are provided to conduct Bramble business with consideration given for limited personal use. Our company uses global electronic communications and resources as routine parts of our business activities. It is essential that electronic resources used to perform company business are protected to ensure that these resources are accessible for business purposes and operated in a cost-effective manner, that our company’s reputation is protected, and that we minimize the potential for legal risk.
Those receiving Bramble-provided assets are responsible for exercising good judgment when using Bramble-managed computers and accessing Bramble-managed data.
As per the onboarding issue procedures outlined in our handbook, evidence of device encryption and device serial number must be provided to IT Ops prior to the completion of onboarding period.
Security and Proprietary Information
All Bramble data is categorized and must be handled in accordance with the Data Classification Standard. All computing assets that connect to any part of the Bramble network, or 3rd party services that are used by Bramble, must comply with the applicable standards.
Freeware, Browser Extensions, Add-ons and Plugins
Freeware, browser extensions, add-ons and plugins can pose a risk to Bramble as they may contain viruses, spyware or adware. The use of freeware could result in the loss of Bramble data and the inability to protect the data in accordance with Bramble security and privacy requirements. Not all freeware contains malware, but team members should carefully consider the terms of service and types of data that will be shared before installing anything on your computer.
Security reserves the right to execute security reviews against this software and disallow use if they do not meet Bramble’s security and privacy expectations.
Protection Against Malware
Bramble protects against malware through malware detection and repair software, information security awareness, and appropriate system access and change management controls. This includes:
- Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that may be affected by malware, including workstations, laptops and servers. Regular scans will include:
- Any files received over networks or via any form of storage medium, for malware before use;
- Electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
- Web pages for malware.
- Restrictions on Software Installation
- Only legal, approved software with a valid license installed through a pre-approved application store will be used. Use of personal software for business purposes and vice versa is prohibited.
- The principle of least privilege will be applied, where only users who have been granted certain privileges may install software.
- Bramble will identify what types of software installations are permitted or prohibited.
- Controls that prevent or detect the use of unauthorized software (e.g. application whitelisting)
- Controls that prevent or detect the use of known or suspected malicious websites (e.g. blacklisting)
- Vulnerabilities that could be exploited by malware will be reduced, e.g. through technical vulnerability management.
- Bramble will conduct regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated.
- Malware detection and repair software will be installed and regularly updated to scan computers and media as a precautionary control, or on a routine basis; the scan carried out will include:
- Any files received over networks or via any form of storage medium, for malware before use;
- Electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
- Web pages for malware.
- Defining procedures and responsibilities to deal with malware protection on systems, training in their use, reporting and recovering from malware attacks.
- Preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements.
- Implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying websites giving information about new malware.
- Implementing procedures to verify information relating to malware, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malware, are used to differentiate between hoaxes and real malware; all users should be made aware of the problem of hoaxes and what to do on receipt of them.
- Isolating environments where catastrophic impacts may result.
Unacceptable Use
Team members and contractors may not use Bramble-managed resources for activities that are illegal or prohibited under applicable law, no matter the circumstances.
Unacceptable System and Network Activities
Prohibited system and network activities include, but are not limited to, the following:
- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations.
- Unauthorized copying, distribution, or use of copyrighted material.
- Exporting software, technical information, encryption software, or technology in violation of international or national export control laws.
- Intentional introduction of malicious programs into Bramble networks or any Bramble-managed computing device.
- Intentional misuse of any Bramble-managed computing device or Bramble networks (e.g. for cryptocurrency mining, botnet control, etc.).
- Sharing your credentials for any Bramble-managed computer or 3rd party service that Bramble uses with others, or allowing use of your account or a Bramble-managed computer by others. This prohibition does not apply to single-sign-on or similar technologies, the use of which is approved.
- Using a Brmbl.io asset to procure or transmit material that is in violation of sexual harassment policies or that creates a hostile workplace.
- Making fraudulent offers of products, items, or services originating from any Bramble account.
- Intentionally accessing data or logging into a computer or account that the team member or contractor is not authorized to access, or disrupting network communication, computer processing, or access.
- Executing any form of network monitoring that intercepts data not intended for the team member’s or contractor’s computer, except when troubleshooting networking issues for the benefit of Bramble.
- Circumventing user authentication or security of any computer host, network, or account used by Bramble.
- Tunneling between network segments or security zones (e.g.,
live
,non-live
,ops
,ci
), except when troubleshooting issues for the benefit of Bramble. - Given the potential sensitivity of the data contained in screenshot images, the use of tools that capture and share screenshots to hosted sites online is prohibited without the explicit approval of the Security and Legal Departments.
- Screenshots should be stored locally or within Google drive folders associated with your Brmbl.io account.
- Access to these drives and files should be managed in accordance with our Access Control policy, and
- handled according to our Data Classification Policy.
- Tools such as Lightshot, where upload functionality cannot be disabled and could result in inadvertant uploads, should not be used.
Unacceptable Email and Communications Activities
Forwarding of confidential business emails or documents to personal external email addresses is prohibited.
Note: Bramble may retrieve messages from archives and servers without prior notice if Bramble has sufficient reason to do so. If deemed necessary, this investigation will be conducted with the knowledge and approval of the Security, People Business Partners, and Legal Departments.
In addition to following the Social Media Guidelines, when utilizing social media think about the effects of statements that you make. Keep in mind that these transmissions are permanent and easily transferable, and can affect our company’s reputation and relationships with team members and customers. When using social media tools like blogs, Facebook, Twitter or wikis, ensure that you do not make comments on behalf of Bramble without proper authorization. Also, you must not disclose our company’s confidential or proprietary information about our business, our suppliers, or our customers.
Return of Bramble-Owned Assets
All Bramble-owned computing resources must be returned upon separation from the company.
Bring-Your-Own-Device (BYOD)
As a general rule, non-company devices are not permitted to access company assets. While there are some exceptions listed below, access to RED classified data is, as defined by the Bramble Data Classification Policy, still prohibited.
The exceptions are as follows:
Personal Mobile Phone and Tablet Usage
All personal mobile computing devices used to access Bramble-managed data, including but not limited to email and GitLab.com, must be passcode-enabled. 2FA will be enforced by the Security team for all employee and contractor GitLab.com and Google Workspace accounts. Mobile computing best practices dictate that these devices should be running the latest version of the operating system available, and all new patches applied. For assistance with determining the suitability of your mobile device, please contact the Security Team.
Unable to Use Company Laptop
For new employees who have not received a company laptop, there are exception processes for using non-company devices.
The same exception processes apply in the case of a corporate laptop being unavailable due to loss, theft or disrepair. See lost or stolen procedures for additional information. While the exception processes are considered a temporary solution, you still need to make sure the non-company system meets basic configuration standards, and a Microsoft Windows system is still not allowed access under any circumstances.
Mobile Messaging
All Bramble-related conversations need to take place in Slack. It is strongly recommended that the official Slack application, or Slack web application, are used for mobile messaging. Downloads are available for iOS and Android. While it may be more convenient to use an integrated chat application that puts all of your conversations in one place, the use of these applications can unintentionally lead to work-related conversations crossing platforms, or being sent to external contacts. The use of Slack for all work communications assists with our security and compliance efforts. For example, in the case of an incident response issue, it may be necessary to review a conversation to understand the order in which events occurred, or to provide evidence that the chain of custody has been maintained for forensic evidence during a handoff.
For video calls, and as a back-up to Slack, we prefer Zoom. Zoom chats are an acceptable alternative to Slack when in a video call. If the conversation is interesting to others or may be needed for a retrospective, consider recording the call.
Use of External Media on Company Assets
The use of removable and external storage devices such as USB flash drives and external backup drives on company-managed devices is not officially sanctioned. If there is a business need for the use of an external storage device, such as a flash drive or an external hard drive on company devices, please contact the Security Team to determine the most suitable encryption-enabled device. All external and removable storage devices must be encrypted and protected by a passcode.
Lost or Stolen Procedures
Bramble provides a panic@brmbl.io
email address and a lost or stolen
procedure for team members to use in
situations that require an immediate security response. Should a team member
lose a device such as a thumb drive, Yubikey, mobile phone, tablet, laptop, etc.
that contains their credentials or other Bramble-sensitive data, they should
send an email to panic@brmbl.io
right away. When the production and security
teams receive an email sent to this address it will be handled immediately.
Using this address provides an excellent way to limit the damage caused by a
loss of one of these devices.
Policy Compliance
Compliance with this policy will be verified through various methods, including but not limited to, automated reporting, audits, and feedback to the policy owner.
Any team member or contractor found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment, or contractual agreement.
Exceptions to this policy must be approved by Security, Legal and PeopleOps Departments.
Consultations
To consult with the Security Team, use the appropriate contact:
security@brmbl.io
, or create an issue in the Security Compliance
tracker.