IT security is hard. As Futurice has grown, we have had our (very small) share of security-related incidents. Shifting financial responsibility with contracts is easy, but that does not help with lost trust and reputation. For our own employees, we have extensive multi-day onboarding, which includes security training. Also, all laptops are installed and configured by the IT team, including disk encryption, backups and antivirus.
However, when we employ subcontractors, they usually use their own laptops and phones, and they don’t participate in our onboarding sessions. We tell our clients when we have subcontractors in the project, but we also carry full responsibility for our subcontractors’ actions. If a subcontractor messes something up, from our client’s perspective it’s the same as if it had been a Futurice employee – we will do our best to fix the damage, and take the financial and reputational hit. Obviously, we have formal contracts and NDAs with subcontractors, and afterwards we can figure out damages and compensation with them.
Even if Futurice didn’t take any financial hit, being trustworthy is important. Just writing a solid contract and having good insurance does not compensate for lost time, confidence and confidentiality.
Formal contracts tend to be hard to follow and relatively abstract, so we created more informal IT security 101 and intellectual property rights (IPR) 101 agreements, which detail practical rules and guidelines in human-readable form. Below are our current IT security 101 guidelines. And to reiterate, the point with these is to push people towards good practices, and not to be legally binding – which is why we didn’t include anything about damages or other legal details.
- Use reasonably strong passwords. Do not write down your passwords (but using a password safe such as OS X Keychain, 1Password or LastPass is a good idea).
- Think before using unknown networks (for example, use VPN when you’re in a coffee shop) or USB sticks. (Found one on the ground right next to office door? Never plug it in.)
- Use encryption everywhere, whenever possible. Do not use FTP or telnet. Use sftp and ssh instead. Run everything over HTTPS, whenever possible. Ask help from IT for certificates, if needed.
Handling data (backups)
- Always back up all project-related files (source code, graphics, plans etc.) to a place provided by Futurice (or the customer). This is often GitHub for source code, and Confluence or Google Drive for documents. Ask your project lead or Futurice IT.
- Never create any unencrypted backups of project files anywhere. This includes personal USB disks, USB sticks, home server, unencrypted backups in the cloud etc.
- Never upload project files to your personal Dropbox/Google Drive/etc.
- You must delete all project-related files/resources from your devices when the project or your contract ends, whichever comes first. You may not keep a personal copy of the code/graphics/plans/…
- You are not allowed to share your laptop with others, especially when unattended. Do not let your children, friends or anyone else install anything on your laptop.
- Do not install any software from untrusted sources.
- Do not install any pirated software.
- Use full-disk encryption on your laptop. If in doubt, ask Futurice IT for help.
- Screen lock for your laptop. When you leave your laptop (or put it to standby), it needs to lock itself and require a password to unlock.
- Up-to-date OS. You need to regularly run security updates for your OS, web browser etc.
- Your laptop must have a firewall and antivirus running.
- Do not allow remote management of your devices (except when configured by the IT department).
I hereby declare that I’ve understood and will follow what is stated above:
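As an added example (not part of the Futurice guidelines or their tooling), the script below is a self-audit a subcontractor could run on a macOS laptop to verify the full-disk encryption, screen lock, firewall and remote-management items above. It assumes macOS with `fdesetup`, `socketfilterfw`, `sysadminctl` and `systemsetup` available, and that their output contains the phrases quoted in the comments; the 300-second lock delay threshold is an assumed value, not one the guidelines state. The parsing functions take command output as an argument, so they can be tried with constructed sample strings on any system, while `run_audit` wires them to the live commands.

```shell
#!/bin/sh
# Added example: self-audit of a macOS laptop against the IT security 101 device rules.
# Assumptions: macOS command names and output phrases as noted per check; MAX_LOCK_DELAY
# is an assumed threshold, not a value from the guidelines.

# FileVault: `fdesetup status` prints "FileVault is On." when the disk is encrypted.
check_filevault() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Application firewall: `socketfilterfw --getglobalstate` prints
# "Firewall is enabled. (State = 1)"; State = 2 means enabled plus "block all incoming".
check_firewall() {
  case "$1" in
    *"State = 1"*|*"State = 2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Screen lock: `sysadminctl -screenLock status` prints "screenLock delay is immediate",
# "screenLock delay is N seconds" or "screenLock is off". Anything slower than
# MAX_LOCK_DELAY seconds (assumed threshold) fails.
MAX_LOCK_DELAY=300
check_screenlock() {
  case "$1" in
    *"screenLock delay is immediate"*) return 0 ;;
    *"screenLock delay is "*)
      delay=$(printf '%s\n' "$1" | sed -n 's/.*screenLock delay is \([0-9][0-9]*\) seconds.*/\1/p')
      [ -n "$delay" ] && [ "$delay" -le "$MAX_LOCK_DELAY" ] ;;
    *) return 1 ;;
  esac
}

# Remote management: `systemsetup -getremotelogin` prints "Remote Login: Off" when SSH
# remote login is disabled (the command needs root to read the setting).
check_remote_login() {
  case "$1" in
    *"Remote Login: Off"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print PASS/FAIL for one named check and return its status.
report() {
  name=$1; shift
  if "$@"; then echo "PASS  $name"; return 0; else echo "FAIL  $name"; return 1; fi
}

# Run every check against the live system; exit status is the number of failed checks.
run_audit() {
  failed=0
  report "Full-disk encryption (FileVault)" check_filevault "$(fdesetup status 2>/dev/null)" || failed=$((failed+1))
  report "Application firewall" check_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)" || failed=$((failed+1))
  report "Screen lock (<= ${MAX_LOCK_DELAY}s)" check_screenlock "$(sysadminctl -screenLock status 2>&1)" || failed=$((failed+1))
  report "Remote login disabled" check_remote_login "$(systemsetup -getremotelogin 2>/dev/null)" || failed=$((failed+1))
  echo "$failed check(s) failed"
  return "$failed"
}

# Only run the live audit on macOS; the check_* functions themselves work anywhere.
if [ "$(uname)" = "Darwin" ]; then
  run_audit
fi
```

Antivirus and OS update status are deliberately left out: the vendor-specific commands vary too much to check portably, so those two items remain a manual confirmation.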