Electronic Devices and Passwords Policy
At Handcrafted, we are dedicated to supporting our staff and service users in line with our Christian ethos and values. We recognise that safe and responsible use of electronic devices is essential to protecting both personal data and organisational integrity.
This policy sets out how electronic devices and passwords should be used to protect Handcrafted Projects' systems and data, including guidance for personal and organisational devices, password creation and protection, and offboarding procedures.
This policy will be reviewed as required and at least annually by the group or individual responsible for review and authorised by the Trustees as below:
| Group or individual responsible for review | The Support Systems Officer |
|---|---|
| Last review and approval | 26/03/2025 |
Handcrafted Projects: Electronic Devices and Passwords Policy
This policy is intended to protect the security and integrity of Handcrafted Projects' data, including the personal data of trainees, in accordance with the General Data Protection Regulation (GDPR). It applies to mobile phones, tablets, laptops and any other device used to access or store Handcrafted Projects' data, as well as any cloud services and accounts used on those devices to access organisational data.
Acceptable Use
Employees may use electronic devices to access the following company-owned resources: email, calendars, contacts, documents and cloud services used by the organisation such as Google Workspace and Airtable.
Handcrafted has a zero-tolerance policy for texting or emailing while driving and only hands-free talking while driving is permitted.
Keeping Devices Secure
In order to prevent unauthorised access, devices must be password or pass-code protected using the features of the device and in accordance with the Passwords section of this policy.
Employees should lock devices if leaving them unattended for any amount of time.
Contact details of trainees stored on a device must not identify the trainee, e.g. use first names only, nicknames or initials.
Laptops/computers/desktops should have antivirus and firewall installed and switched on at all times.
Devices must run on operating systems/software supported by the manufacturer.
All day-to-day work on laptops should be done using standard user accounts, with administrator accounts and passwords only being used for tasks where this is strictly necessary.
Employees should make sure that any organisation-owned devices they use only have necessary apps and software installed on them and uninstall any software or apps they are not using. Unnecessary apps will be uninstalled during initial set up.
Employees should avoid the use of USB drives.
Employees should make sure that AutoPlay/AutoRun settings are turned off on their devices, so that inserted media and connected drives cannot launch software automatically.
Employees should keep automatic device updates switched on, and install any updates as soon as is practicable, and within 14 days of their release.
Employees should remain aware of their surroundings and be cautious when accessing sensitive data when in public places.
Handcrafted currently uses the Active Protect/Cybersmart app to monitor secure configuration on all electronic devices accessing organisational data. Before using any electronic device to access organisational data, employees should make sure that this app has been installed on the device.
Employees should make any other reasonable updates to maintain device security, as directed to do so by the organisation.
Keeping Accounts, Apps and Software Secure
Cloud services such as Airtable, Google Workspace and MS 365 must have MFA/2FA enabled. This will be enforced via the service's admin settings where possible. Staff should use an authenticator app such as Google Authenticator for the second factor rather than SMS.
Employees should only use software that is supported by the manufacturer. Downloading apps only from official sources such as device app stores helps to ensure this, as unsupported or tampered-with versions are less likely to be distributed there.
Employees should ensure that they install any app updates made available by the app provider as soon as is practicable, and within 14 days. Auto updates for software should be enabled where possible.
Administrator access on any account or cloud service must be approved in advance by the Support Systems Officer, and should only be granted where it is strictly necessary for the user's role.
Account access will be reviewed whenever an employee’s job role changes, to ensure that account access is appropriate to the user’s role.
Phone apps should only be downloaded from official apps stores (e.g. Play Store on Android devices and App Store on Apple devices).
Bring Your Own Devices (BYOD)/Use of Personal Devices
Handcrafted provides employees with the electronic devices they require to carry out their day-to-day work, and maintains an inventory of devices to ensure that these are repaired and replaced in a timely manner. However, any employee wishing to use their own device for work purposes should do the following:
- Seek prior approval for use of the device with the Support Systems Officer
- Ensure the device fully complies with the Keeping Devices Secure and Passwords sections of this policy (including installation of the Cybersmart app to monitor secure device configuration)
- Access organisational data via cloud services where possible, and make sure that any files that do need to be downloaded to the device are deleted after use.
- Stop using the device for work purposes when the OS is no longer supported by the manufacturer.
- Stop using the device for work purposes if directed to do so by Handcrafted.
Passwords
Employees at Handcrafted Projects must access a variety of IT resources, including computers and other hardware devices, data storage systems, and other accounts. Passwords are an important part of our strategy to make sure only authorised people can access those resources and data.
An individual who has access to any of those resources is responsible for choosing strong passwords and protecting his or her login information from unauthorised use.
The purpose of this policy is to make sure all Handcrafted Projects' resources and data receive adequate password protection. It covers all employees who are responsible for one or more accounts or have access to any resource that requires a password.
Password creation
Passwords should be reasonably complex and difficult for unauthorised people to guess.
Passwords must be at least twelve characters long and contain a combination of upper-case letters, lower-case letters and digits.
Employees should use common sense when choosing passwords and avoid combinations that are easy to crack, such as common passwords and their predictable variants (e.g. "password", "1password" and "Pa$$w0rd"; replacing letters with look-alike digits or symbols does not make a common password safe). Further guidance on avoiding common passwords is available in the Further Resources section at the end of the policy.
It is recommended that employees use methods to create strong passwords such as:
- Pick a phrase, take its initials, replace some of those letters with numbers and other characters, and mix up the capitalisation. For example, the phrase "This may be one way to remember" can become "TmB0WTr!"; in practice choose a longer phrase so that the result meets the twelve-character minimum above.
- Combining three random words and a number (e.g. ‘HeartTorchBrick538’)
Employees must choose unique passwords for all Handcrafted accounts and may not use a password that they are already using for a personal account.
Default passwords — such as those created for new employees when they start or those that protect new systems when they’re initially set up — must be changed as quickly as possible.
These requirements will be enforced with software where possible.
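The following is an added example, not part of the original policy and not the Cybersmart or Google Workspace enforcement it refers to. It shows what "enforced with software" looks like for the rules above: a checker that applies the length and character-class rules, undoes the usual letter-to-symbol substitutions so that "Pa$$w0rd" is judged as "password", and a generator for the three-random-words-plus-number method. The deny list and word list are small constructed samples for illustration; a real deployment would load a published list of breached passwords and a proper diceware-style word list.

```python
import re
import secrets

# Constructed sample deny list (assumption for this example). In practice load
# a published breached/common-password list, as the policy's Further Resources
# section suggests.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "handcrafted"}

# Undo the usual look-alike substitutions so that "Pa$$w0rd" and "P4ssword"
# are compared as "password" against the deny list.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "!": "i",
})


def normalise(password):
    """Lower-case the password and map digits/symbols back to the letters they mimic."""
    return password.lower().translate(LEET_MAP)


def check_password(password, blocked=COMMON_WORDS):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Substring match on the normalised form catches "1password" and
    # "Pa$$w0rd2025" as well as the bare word.
    norm = normalise(password)
    if any(word in norm for word in blocked):
        problems.append("contains a common password after undoing character substitutions")
    return problems


# Constructed sample word list (assumption); all words are at least four letters
# so that three words plus three digits always clears the twelve-character rule.
WORDLIST = ["heart", "torch", "brick", "river", "cloud", "maple",
            "stone", "lantern", "garden", "copper", "harbour", "violet"]


def generate_three_words(words=WORDLIST):
    """Three capitalised random words followed by a three-digit number, e.g. HeartTorchBrick538."""
    picked = [secrets.choice(words).capitalize() for _ in range(3)]
    number = str(secrets.randbelow(1000)).zfill(3)
    return "".join(picked) + number


if __name__ == "__main__":
    for candidate in ["HeartTorchBrick538", "TmB0WTr!", "Pa$$w0rd2025xyz", "1password"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    suggestion = generate_three_words()
    print(f"generated {suggestion!r}: {check_password(suggestion) or 'OK'}")
```

Note that the capitalisation of each word supplies the upper- and lower-case requirement and the trailing number supplies the digit requirement, so every generated password passes the checker; the eight-character "TmB0WTr!" from the initials method fails on length alone, which is why that method needs a longer starting phrase.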
Protecting passwords
Employees may never share their passwords with anyone else in the charity, including co-workers, managers or administrative assistants. Everyone who needs access to a system must create his or her own unique password.
Employees may never share their passwords with any outside parties, including those claiming to be representatives of an organisation with a legitimate need to access a system.
Employees should take steps to avoid phishing scams and other attempts by hackers to steal passwords and other sensitive information. All employees will receive guidance on how to recognize these attacks.
Employees must refrain from writing passwords down and keeping them at their workstations. See above for advice on creating memorable but secure passwords.
Shared accounts should be avoided where possible. If a shared email account is needed, this should be set up by the Support Systems Officer using Gmail’s delegated access function, so that the login credentials can still be owned by a single employee and not shared.
If the security of a password is in doubt, for example if it appears that an unauthorised person has logged in to the account, the password must be changed immediately.
Compromised Devices and Accounts
Employees should be vigilant for any possible compromise of their devices or accounts. This could take the form of a variety of different situations, including:
- A device that accesses organisational data has been lost or stolen
- Emails not being sent or received correctly
- A staff member gets notifications that someone has attempted to change one of their passwords
- An account or device appears to have been hacked
- A device has a virus or malware
- Any other suspicious activity
Employees should report any possible device/account compromise to the Support Systems Officer and their line manager immediately upon noticing an issue, by phone where possible. The Support Systems Officer will help the employee to assess the cause of the issue and advise on any next steps.
Offboarding
Employees must surrender any Handcrafted-owned devices and account access to the organisation when they stop working for Handcrafted.
The Support Systems Officer will ensure that access to all accounts (e.g. Airtable, Gmail) has been revoked on the employee’s leaving date, and then delete accounts in a timely manner. Employees should make sure that they have copies of important documents such as payslips before their leaving date, and that they have set up email forwarding where appropriate.
Routers
Routers should have firewall turned on at all times.
Router admin passwords must be changed from the default password immediately upon setup.
Procurement/Setup
Purchase of new organisational devices should be approved via the normal finance process, with the model approved beforehand by the Support Systems Officer to make sure it is in line with any requirements for the job role for which it will be used.
The Support Systems Officer should log any new devices purchased in the IT inventory so that the organisation is able to keep track of devices.
The Support Systems Officer is responsible for initial setup and configuration of the device before it is used, and ensuring that setup is done in a timely manner.
Risks/Liabilities/Disclaimers
Employees must report lost or stolen devices to their line manager and the Social Impact and Support Systems Officer immediately, and in any case within 24 hours. Employees are responsible for notifying their mobile carrier immediately upon loss of a device.
The employee is expected to use his or her devices in an ethical manner at all times and adhere to the company’s acceptable use policy as outlined above.
The employee is personally liable for all costs associated with any personal device he or she uses for work.
The employee assumes full liability for risks to a personal device used for work, including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, other software or hardware failures, or programming errors that render the device unusable.
Handcrafted Projects reserves the right to take appropriate disciplinary action up to and including termination for noncompliance with this policy.