Introduction
This policy applies to all employees who may use or access novi.digital’s applications or information remotely. ‘Remote working’ applies to any/all instances where novi.digital work is being actioned outside the main offices. This can either be as part of the Working From Home Policy, or as a result of visiting client locations. It applies to information in all formats, including manual records and electronic data.
Purpose
- To ensure that employees are aware of their individual responsibilities around information security when working remotely.
- To ensure employees work in accordance with novi.digital’s information compliance policies.
- To provide policy and guidance for employees on secure remote working and so minimise the risk of unauthorised access to, and loss of, data.
Remote working presents both significant risks and benefits for novi.digital. Employees may have access to information held on cloud-based servers, but without the physical protections available in the main offices and the network protections provided by firewalls and access controls there are much greater risks of unauthorised access to, and loss or destruction of, data. There are also greater risks posed by information ‘in transit’.
The risks posed by remote working with novi.digital’s information can be summarised under three headings:
- reputational: the loss of trust or damage to the business’s relationship with its clients, partners or suppliers;
- personal: unauthorised loss of, or access to, data could expose employees to identity theft, fraud or significant distress;
- monetary: some regulators, whether in the UK or overseas, can impose penalties of up to £500k for breaches of data.
This policy sets out policy and guidance on how staff can work remotely in a secure and low-risk fashion.
Roles and Responsibilities
If employees fail to follow the guidelines set out in this policy, the business will consider this to be a breach of their employment contract and disciplinary action will be enforced.
Any employee working remotely is responsible for ensuring that they work securely and protect both information and novi.digital-owned equipment from loss, damage or unauthorised access.
Management are responsible for supporting their employees’ adherence to this policy wherever possible.
Key Principles
Employees working remotely must ensure that they work in a secure and authorised manner as set out in the following key principles:
- Do not use IT equipment where it can be overlooked by unauthorised persons, and do not leave it unattended in public places.
- Ensure IT equipment is locked when left unattended.
- Avoid saving electronic versions of documents locally and instead take advantage of our secure, cloud-based systems.
- Ensure that the master copy of any document, whether paper or electronic, is not removed from the main novi.digital offices, or from agreed virtual locations such as Dropbox.
- Where possible, IT equipment must be encrypted.
- You should not work remotely if there is a risk to your health or safety, for example: during building work at home or in unsanitary conditions, or if there is not a satisfactory work space for you to use. It is the responsibility of the employee to ensure that the working environment and space is suitable for remote working.
- Access to certain systems and services by those working remotely may be deliberately restricted or may require additional authentication methods. Any attempt to bypass these restrictions may lead to disciplinary action.
- Employees can only work remotely if they have been authorised to do so by the MD.
- An assessment should be conducted using the guidance provided below under ‘Remote Working Risk Assessment’ before the remote working begins. Paperwork does not need to be produced for every instance, but employees must be aware of the factors at play. The risk is borne by the individual.
- Should the business provide IT equipment to employees, it will supply devices which are appropriately configured to ensure that they are as effectively managed as devices in the secure office environment. Unlike personally-owned devices which are managed by their owners, novi.digital devices will be managed by the Technical team. Employees that have been provided with business-owned IT equipment to work remotely must:
  - only use this equipment for legitimate business purposes;
  - not modify it unless authorised by the MD;
  - return the equipment at the end of employment;
  - not allow non-employees (including family and friends) to use the equipment.
- Users who process novi.digital’s information on personally-owned equipment are responsible for the security of the device and must ensure its security matches that of office-based equipment.
- Employees working remotely must adhere to novi.digital’s records retention policy and guidelines.
- Check the licensing provision for dedicated or specialist software to ensure that it covers remote working in the country or region where remote working is to be performed.
- Employees must report any loss or suspected loss, or any unauthorised disclosure or suspected unauthorised disclosure, of any novi.digital-owned IT equipment or data immediately to Management so that appropriate steps may be taken quickly to protect data. Failure to do so immediately may seriously compromise novi.digital’s security and, for staff, may lead to investigation and potentially action under the disciplinary procedures.
Remote Working Risk Assessment
Prior to working remotely, employees must consider the following. Employees are responsible for ensuring that their work environment is suitable for the type of work they are undertaking. The list below is to help you use your judgement on whether or not it is safe or appropriate for you to work in a remote location, and what sort of work can be undertaken.
- the sensitivity of the information to be processed:
  - if remote working is the only option, can you access the information you need via a secure mechanism, e.g. a VPN?
  - can you reduce the amount of data you are using and avoid locally storing any high-risk data?
  - is the information encrypted when stored and in transit? If not, it should be.
- the security of the equipment and system to be used:
  - can the device be encrypted? If so, how are the encryption keys (i.e. passwords) managed?
  - passwords must adhere to strong-password best practice:
    - at least eight characters;
    - one or more of each of the following: a lower-case letter, an upper-case letter, a number, a punctuation mark;
    - lookalike characters, so that a glimpsed password is harder to read; examples are the letter O and the number 0, lower-case l and upper-case I, and the letter S and the $ sign.
  - can the device be configured to “auto-wipe”?
  - can you enable remote lock/erase/locate features?
  - has the security of the device been undermined (e.g. by “jail breaking” or “rooting” a smartphone)?
  - can you configure your device not to connect automatically to unknown networks?
- the suitability of the location for remote working:
  - what is the risk of theft?
  - can devices be left unattended and still be secure?
  - can you protect yourself against “shoulder surfing”?
  - are you using an open/unsecured wireless network?
  - if a personally owned device needs to be repaired, is the company you use subject to a contractual agreement which guarantees the secure handling of any data stored on the device?
  - are external doors lockable?
  - are your windows lockable while at the same time appropriate in terms of fire safety?
  - can your device or hard-copy high-risk information be locked away when not in use?
  - have you checked with your insurer that your policy covers you for working at home?
  - does the location enable you to work in the most secure way for the context, e.g. via a VPN?
  - have you done a DSE (or equivalent) assessment and ensured that you can work without risk to your health from poor ergonomics? Please note that novi.digital is not responsible for your remote working environment or desk and screen equipment.
Do not work remotely if:
- you are on a device without adequate protection (antivirus, encryption, etc.);
- you are in an area that has not been risk-assessed;
- you are in a public area (train or café);
- you are on public/unsecured Wi-Fi;
- you do not have Management authorisation;
- the work/data being processed fits into a highly sensitive category, i.e. it contains financial information, confidential business information about novi or its clients, etc.
Take caution if you are working remotely:
- using personally-owned devices (tablet, smartphone, etc.);
- using any Wi-Fi connection;
- outside novi.digital’s main offices;
- in an area that has been identified as having issues.
It is OK to work remotely (providing the conditions of this policy and any referenced are met) if:
- you are working in novi.digital premises using novi.digital equipment;
- the device is directly connected to a secure Internet connection;
- the device and/or data are encrypted;
- the key principles set out in this policy are observed.
In choosing to work in a remote location, the employee agrees that they have taken the above into consideration and, using their best judgement, believe it to be a suitably safe and secure environment, and that the tools they are using are appropriate for the work.
Working From Home
In order to combat instances of absence and its impact on the business, employees will be permitted to work from home (WFH) under certain circumstances. As this requires working off-site, it falls under the same requirements as Remote Working.
WFH is primarily applicable to employees with chronic/recurrent illness, or dependents that require infrequent assistance.
Who is eligible?
Certain criteria must be met in order for an employee to be eligible for WFH:
- The employee must agree in advance of any absence with the MD that they are eligible to WFH. This cannot be agreed after the fact. I.e., an employee cannot call in sick, and when returning to work declare that they were working.
- There are no strict limits to what constitutes a “valid” WFH day. Physical and mental health causes are equally as valid, as is care of dependents.
- The MD will judge eligibility consistently and fairly. In order to uphold employee confidentiality, the MD and individual employees are not required to divulge what criteria they have submitted, and employees are asked to respect the privacy of colleagues.
- Employees who are eligible to WFH must be treated equally in accordance with novi.digital’s Equality and Diversity statement.
- The opportunity to WFH may be extended by the MD to employees who find themselves on long-term sick. For example: in the case of unexpected illness that might result in an operation and require recovery time.
Please note: Employees who have pre-existing commitments such as external meetings cannot take a WFH day instead of a sick day/Other day. By not attending the meeting they are not fulfilling their responsibilities.
Requirements
Equipment
The employee must have access to any/all tools necessary for working from home. This includes, but is not limited to:
- A PC or laptop
- Microsoft Office
- An adequate Internet connection
- A working telephone that will enable them to make and receive calls
- Secure access to Slack, Teamwork, Dropbox, and other tools/systems used by novi.digital.
The business is not responsible for providing any of the above and is not financially liable to compensate the employee for any tools used or costs generated in fulfilling their role whilst WFH. Should any of the above become unusable for the employee in such a way that they are unable to fulfil their responsibilities, their day will be marked as standard sick leave/Other.
The location in which the employee works must be safe and secure as outlined in the Remote Working policy.
Data Protection
WFH raises potential data security issues. Employees that WFH must acknowledge our Remote Working policy declaring that they will undertake all necessary steps to ensure that information pertaining to novi.digital and its clients, partners, suppliers, and other contacts will be protected and that any/all measures stated by novi.digital to protect that data are followed. This also extends to novi.digital’s services, processes, structure, and other intellectual/operational property.
Logging Work
Use of Teamwork to log work is essential. It is expected that employees working from home will produce the same quantity and quality of work as they would within the office. If an employee is unable to provide this, the day will be marked as sick leave or Other.
When can WFH rights be invoked?
If an employee is eligible to WFH, it is not mandatory that they do so. Management will not encourage employees to WFH if they are unwell and employees should understand that if they choose to WFH rather than use the time for recuperation, it is their choice alone. In the first instance, having an employee work standard hours within the office is preferable and if WFH will affect the employee’s return to health, then it is actively discouraged.
WFH should only be taken if it will not harm the employee and if the quality of their work is not impacted by their sickness (i.e. if they might do more harm than good to the business by attempting to work).
Employees who are eligible to WFH are permitted a maximum of 2 days WFH a month. Any additional days must be taken as sick.