Electronic Devices and Passwords Policy: Difference between revisions

From Handcrafted Policy
Updated entire policy to most recent version
update approval date
Line 10: Line 10:
|-
|-
|'''Last review and approval'''
|'''Last review and approval'''
|26/03/2025
|31/12/2025
|}
|}
----
----
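Review bot: Only the approval date changes in this hunk (26/03/2025 to 31/12/2025), while the edit summary says the entire policy was updated to its most recent version; if other sections changed in this revision, the summary should say which, otherwise narrow it to "update approval date" so the history stays accurate.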

Revision as of 11:02, 6 January 2026

At Handcrafted, we are dedicated to supporting our staff and trainees in line with our Christian ethos and values. We recognise that safe and responsible use of electronic devices is essential to protecting both personal data and organisational integrity.

This policy sets out how electronic devices and passwords should be used to protect Handcrafted Projects' systems and data, including guidance for personal and organisational devices, password creation and protection, and offboarding procedures.

This policy will be reviewed as required and at least annually by the group or individual responsible for review and authorised by the Trustees as below:

Group or individual responsible for review: The Support Systems Officer
Last review and approval: 31/12/2025

1. Purpose

This policy is intended to protect the security and integrity of Handcrafted Projects’ data, including the personal data of trainees, in accordance with the General Data Protection Regulation (GDPR).

It applies to mobile phones, tablets, laptops and any device that is used to access or store Handcrafted Projects' data, as well as any cloud services and accounts used on those devices which access organisational data.

2. Scope

This policy applies to:

  • All paid workers, volunteers and trustees.
  • All information held by the charity, whether:
    • Digital or paper
    • Stored, processed, or shared internally or externally
  • All devices used for charity work (including personal devices where permitted)

3. Information Classification

Information must be handled according to its sensitivity:

3.1 Public

Information intended for public release (e.g. website content).

3.2 Internal

Operational information not intended for the public (e.g. internal procedures).

3.3 Confidential

Information that could cause harm if disclosed, for example:

  • Trainee records containing sensitive information such as health and offending history
  • Contact notes
  • Safeguarding records

Confidential information requires the highest level of protection.

4. Roles and Responsibilities

4.1 Trustees and Senior Management

  • Ensure appropriate measures are in place to mitigate security risks

4.2 CEO

  • Approve changes to this policy

4.3 All Paid Workers and Volunteers

  • Follow this policy at all times
  • Complete required data protection and security training
  • Report security incidents immediately

4.4 Support Systems Officer

  • Oversee information security and data protection compliance
  • Act as the point of contact for incidents and advice
  • Review this policy at least annually

5. Acceptable Use

5.1 Internet Safety

Users are expected to:

  • Act respectfully and ethically in all online activities.
  • Use the internet primarily for approved professional and organisational purposes.
  • Comply with all applicable laws and regulations.
  • Protect login credentials and not share passwords with others.

Users must not:

  • Access, create, download or distribute inappropriate, offensive or illegal content.
  • Engage in cyberbullying, harassment, hate speech or threats.
  • Attempt to bypass security controls and monitoring systems.
  • Share confidential, personal, or sensitive information without authorisation.
  • Engage in activities that could compromise network security, including malware distribution or hacking.

5.2 Electronic Devices

  • Paid workers and volunteers may use electronic devices to access the following company-owned resources: email, calendars, contacts, documents and cloud services used by the organisation such as Google Workspace and Airtable.
  • Handcrafted has a zero-tolerance policy for texting or emailing while driving; only hands-free calls are permitted while driving.

6. IT Security

6.1 Electronic Devices

  • In order to prevent unauthorised access, devices must be password or pass-code protected using the features of the device and in accordance with the Passwords section of this policy.
  • Users should lock devices if leaving them unattended for any amount of time.
  • Contact details of trainees stored on a device must not identify the trainee (e.g. use first names only, nicknames or initials).
  • Laptops/computers/desktops should have antivirus and firewall installed and switched on at all times.
  • Devices must run on operating systems/software supported by the manufacturer.
  • All day-to-day work on laptops should be done using standard user accounts, with administrator accounts and passwords only being used for tasks where this is strictly necessary.
  • Users should make sure that any organisation-owned devices only have necessary apps and software installed on them and uninstall any software or apps they are not using. Unnecessary apps will be uninstalled during initial set up.
  • The use of USB drives should be avoided.
  • Users should make sure that autoplay settings are turned off for their devices.
  • Users should keep automatic device updates switched on, and install any updates as soon as is practicable, and within 14 days of their release.
  • Users should remain aware of their surroundings and be cautious when accessing sensitive data when in public places.
  • Handcrafted currently uses the Active Protect/Cybersmart app to monitor secure configuration on all electronic devices accessing organisational data. Before using any electronic device to access organisational data, users should make sure that this app has been installed on the device.
  • Users should make any other reasonable updates to maintain device security, as directed to do so by the organisation.

6.2 Accounts, Apps and Software

  • Cloud services such as Airtable, Google Workspace and MS 365 should have MFA/2FA set up. This will be enforced via the service’s admin settings where possible. Users should install an authenticator app such as Google Authenticator for logging in rather than relying on SMS codes, which can be intercepted or redirected (for example through SIM-swap fraud).
  • Users should only install software that is supported by the manufacturer. This can usually be ensured by only downloading apps from official sources like device app stores.
  • Users should ensure that they install any app updates made available by the app provider as soon as is practicable, and within 14 days. Auto updates for software should be enabled where possible.
  • Administrative users for all accounts including cloud services should be approved first by contacting the Support Systems Officer. Administrative users should only be set up for users where this is strictly necessary.
  • Account access will be reviewed whenever a user’s job role changes, to ensure that account access is appropriate to the user’s role.
  • Phone apps should only be downloaded from official apps stores (e.g. Play Store on Android devices and App Store on Apple devices).

6.3 Routers

  • Routers should have firewall turned on at all times.
  • Router admin passwords must be changed from the default password immediately upon setup.
  • The Support Systems Officer has responsibility for ensuring Handcrafted’s routers are compliant with this policy.

6.4 Bring Your Own Devices (BYOD)/Use of Personal Devices

Handcrafted provides electronic devices to paid workers and volunteers to carry out their day-to-day work, and maintains an inventory of devices to ensure that these are repaired and replaced in a timely manner. However, any paid workers and volunteers wishing to use their own devices for work purposes should do the following:

  • Seek prior approval for use of the device with the Support Systems Officer
  • Ensure the device fully complies with sections 6.1 (Electronic Devices) and 8 (Passwords) of this policy, including installation of the Cybersmart app to monitor secure device configuration
  • Access organisational data via cloud services where possible, and make sure that any files that do need to be downloaded to the device are deleted after use.
  • Stop using the device for work purposes when the OS is no longer supported by the manufacturer.
  • Stop using the device for work purposes if directed to do so by Handcrafted.

6.5 Procurement and Setup of Devices

  • Purchase of new organisational devices should be approved via the normal finance process, with the model approved beforehand by the Support Systems Officer to make sure it is in line with any requirements for the job role for which it will be used.
  • The Support Systems Officer should log any new devices purchased in the IT inventory so that the organisation is able to keep track of devices.
  • The Support Systems Officer is responsible for initial setup and configuration of the device before it is used, and ensuring that setup is done in a timely manner.

6.6 Patch Management/Antivirus Procedures

  • Handcrafted uses the Cybersmart/Active Protect app installed on all user devices to monitor device security.
  • The Support Systems Officer should monitor software security using Active Protect to alert users to any software patches and updates that need to be installed. Users must install updates within 14 days of release, in line with this policy.
  • The Support Systems Officer should ensure all devices have antivirus software installed as part of device setup and onboarding.
  • The Support Systems Officer should monitor antivirus software using Active Protect to alert users to any updates that need to be installed. Users must install updates within 14 days of release, in line with this policy.
  • Noncompliance with the policy will result in device access to organisational data being revoked, or may result in disciplinary action for the user.

7. Email and Communication

  • Personal and sensitive information must only be shared when necessary
  • Email recipients must be checked carefully before sending
  • Personal email accounts should not be used for handling confidential information.

8. Passwords

Users must access a variety of IT resources, including computers and other hardware devices, data storage systems, and other accounts. Passwords are an important part of our strategy to make sure only authorised people can access those resources and data.

An individual who has access to any of those resources is responsible for choosing strong passwords and protecting his or her login information from unauthorised use.

8.1 Password creation

  • Passwords should be reasonably complex and difficult for unauthorised people to guess.
  • Passwords should be at least twelve characters long and contain a combination of upper- and lower-case letters, and numbers.
  • Users should use common sense when choosing passwords to avoid using basic combinations that are easy to crack, such as passwords which use common phrases (e.g. “password,” “1password” and “Pa$$w0rd”). Further guidance on avoiding common passwords is available in the Further Resources section at the end of the policy.
  • It is recommended that users use methods to create strong passwords such as:
    • Pick a phrase, take its initials, replace some of those letters with numbers and other characters, and mix up the capitalisation. For example, the phrase “This may be one way to remember” can become “TmB0WTr!”. Note that this example is only eight characters long, so a longer phrase is needed to meet the twelve-character minimum above.
    • Combining three random words and a number (e.g. ‘HeartTorchBrick538’)
  • Users must choose unique passwords for all Handcrafted accounts and may not use a password that they are already using for a personal account.
  • Default passwords — such as those created for new users when they start or those that protect new systems when they’re initially set up — must be changed as quickly as possible.
  • These requirements will be enforced with software where possible.
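As an added example (not part of the policy and not Handcrafted's own tooling), the following Python script encodes the creation rules above as a checker and shows the two recommended generation methods. The common-password denylist and the word list are constructed for illustration only; a real deployment would load a full breached-password list and a dictionary of several thousand words. It also shows why the phrase-initials method needs a long phrase: the policy's own "TmB0WTr!" example fails the twelve-character rule.

```python
import re
import secrets

MIN_LENGTH = 12  # policy minimum

# Constructed denylist for illustration; load a full breached-password list in practice.
COMMON_PASSWORDS = {"password", "1password", "pa$$w0rd", "letmein", "qwerty", "welcome"}

# Undo the usual digit/symbol substitutions so "Pa$$w0rd" is compared as "password".
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(pw: str) -> str:
    """Lower-case, strip a trailing number ("Password123" -> "password"), then undo leet."""
    return re.sub(r"\d+$", "", pw.lower()).translate(LEET)


# Compare against both the raw entries and their normalised forms.
NORMALISED_COMMON = COMMON_PASSWORDS | {normalise(p) for p in COMMON_PASSWORDS}


def check_password(pw: str) -> list[str]:
    """Return the list of policy rules the password breaks; an empty list means compliant."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        failures.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        failures.append("no upper-case letter")
    if not re.search(r"[0-9]", pw):
        failures.append("no digit")
    if pw.lower() in NORMALISED_COMMON or normalise(pw) in NORMALISED_COMMON:
        failures.append("matches a common password after undoing case and symbol substitutions")
    return failures


# Constructed word list for illustration; a real list would be much larger.
WORDS = ["heart", "torch", "brick", "river", "candle", "meadow",
         "anchor", "pebble", "lantern", "willow", "copper", "harbour"]


def three_random_words(words: list[str] = WORDS) -> str:
    """'Three random words and a number', drawn with the CSPRNG in the secrets module."""
    chosen = [secrets.choice(words).capitalize() for _ in range(3)]
    return "".join(chosen) + str(secrets.randbelow(1000))


def phrase_initials(phrase: str) -> str:
    """The initials step of the phrase method; substitutions and capitalisation are manual."""
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    for candidate in ["TmB0WTr!", "HeartTorchBrick538", "Pa$$w0rd1234", three_random_words()]:
        problems = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
    print("initials of the policy phrase:", phrase_initials("This may be one way to remember"))
```

Run it and the policy's own phrase example is reported as too short, "HeartTorchBrick538" passes, and "Pa$$w0rd1234" is rejected because it normalises to "password" even though it satisfies the length and character-class rules; this is why the denylist check matters alongside composition rules.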

8.2 Protecting passwords

  • Users may never share their passwords with anyone else in the charity, including co-workers, managers or administrative assistants. Everyone who needs access to a system must create his or her own unique password.
  • Users may never share their passwords with any outside parties, including those claiming to be representatives of an organisation with a legitimate need to access a system.
  • Users should take steps to avoid phishing scams and other attempts by attackers to steal passwords and other sensitive information. All users will receive guidance on how to recognise these attacks.
  • Users must refrain from writing passwords down and keeping them at their workstations. See above for advice on creating memorable but secure passwords.
  • Shared accounts should be avoided where possible. If a shared email account is needed, this should be set up by the Support Systems Officer using Gmail’s delegated access function, so that the login credentials can still be owned by a single user and not shared.
  • If the security of a password is in doubt – for example, if it appears that an unauthorised person has logged in to the account – the password must be changed immediately.

9. Paper Records

Paper records containing confidential information must be:

  • Stored securely (e.g. in locked filing cabinets)
  • Accessed only by authorised individuals
  • Never left unattended in public or shared spaces
  • Shredded securely when disposed of as confidential waste

10. Incident Management

Users should be vigilant for any possible compromise of their devices or accounts. This could include:

  • Loss or theft of a device that accesses organisational data, or of files
  • Emails not being sent or received correctly
  • A staff member receiving notifications that someone has attempted to change one of their passwords
  • An account or device that appears to have been hacked
  • A device that has a virus or malware
  • Suspected cyber attacks or phishing
  • Any other suspicious activity

All incidents must be reported immediately to the Support Systems Officer.

Incidents will be:

  • Logged in the internal IT Incidents Log
  • Managed in line with safeguarding and data protection obligations
  • Reported to the ICO where legally required

11. Offboarding

Users must surrender any Handcrafted-owned devices and account access to the organisation when they stop working for Handcrafted.

The Support Systems Officer will ensure that access to all accounts (e.g. Airtable, Gmail) has been revoked on the user’s leaving date, and then delete accounts in a timely manner. Users should make sure that they have copies of important documents such as payslips before their leaving date, and that they have set up email forwarding where appropriate.

12. Training and Awareness

All users must receive:

  • Information security training
  • Data protection and safeguarding awareness

Refresher training should take place regularly.

13. Risks and Liabilities

Handcrafted Projects provides work devices (e.g. laptops, phones, tablets) to users for business use. Users are expected to:

  • Use work devices responsibly and only for appropriate, work-related purposes;
  • Take reasonable care to prevent loss, theft, or damage;
  • Immediately report any loss, theft, malfunction, or suspected security breach to their line manager and the Support Systems Officer.

Devices remain the property of Handcrafted Projects at all times and must be returned upon termination of employment or volunteering, or on request.

Users will not be held personally liable for accidental damage or loss incurred in the normal course of work, provided they have complied with this policy and have not acted negligently or recklessly.

Where there is evidence of negligence, wilful damage, or failure to follow security protocols (e.g. leaving devices unattended in an unsecured vehicle), the organisation reserves the right to investigate and may seek to recover the cost of repair or replacement. Disciplinary action may also be taken in line with the organisation’s disciplinary procedures.

14. Compliance and Breaches

Failure to follow this policy may result in:

  • Disciplinary action
  • Termination of volunteer or staff roles