Module 4 - IT Policies

Objectives of Module 4:

By the end of this module, the participant will be able to

  • Understand the IT policies and acceptable use policies at Gainsight

Topics covered:

4 Lessons:

You will now start with Lesson 1: IT Policies.

Lesson 1: IT Policies

Objectives:

By the end of this lesson, you will be able to

  • Understand the IT policies of Gainsight

 

The purpose of this policy is to outline the acceptable use of IT resources at Gainsight. This policy is effective immediately and is in place to protect employees and Gainsight intellectual property.

Inappropriate use exposes the company to risks including malware infection, compromise of network systems and services, loss of intellectual property and legal issues.

Enforcement: Compliance is required and expected of all staff.

 

Acceptable Use

General Use and Ownership

 

  • Caution should be exercised while working with Gainsight source code, documentation, design/functional specifications, customer requirements, images and other files/data which constitute Gainsight Intellectual Property. These should never be transferred to personal equipment (USB sticks, CDs, personal computers etc.) or uploaded to public or personal resources (such as personal internet email or cloud storage).
  • Employees are responsible for exercising good judgment regarding the reasonableness of personal use of IT resources. If there is any uncertainty, employees should consult their manager or IT.
  • Employees must ensure they use only authorized software, and are responsible for all consequences of licence non-compliance on their systems.
  • Use of personal computing devices (laptops/computers) is prohibited.

 

Security and Proprietary Information

  • User login names and passwords must not be revealed to anyone, including colleagues, co-workers and superiors. Where someone genuinely needs access, it is granted through proper delegation and access control lists (ACLs) on a need-to-know basis, never by sharing credentials.
  • Secure all PCs, laptops and workstations by locking them whenever you step away.
  • Do not open email attachments from unknown senders; they may contain viruses, e-mail bombs, malware or Trojan horse code.

 

 

 

Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions in the course of their legitimate job responsibilities.

 

  • Under no circumstances is an employee of Gainsight authorized to engage in any activity that is illegal under local, state, national or international law while using Gainsight-owned resources.

The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

Systems and Network: 

The following activities are strictly prohibited without exception, and non-conformity is liable to disciplinary/legal action, including but not limited to termination:

  • Unauthorized copying of anything that constitutes Gainsight Intellectual Property, including but not limited to Gainsight source code, documentation, design and test specifications, installers, builds etc.
  • Installation of pirated or unauthorized software. [Note: a list of authorized software and a guideline on which licences are permitted may need to be published; not exhaustive, but as a guideline, e.g. GPLv3-licensed software is definitely not wanted in the tech stack.]
  • Downloading and use of port scanners, password crackers and network sniffers, unless required for a legitimate, authorized purpose.
  • Providing information about, or lists of, Gainsight employees to parties outside Gainsight unless explicitly authorized.
  • Online pornography, gambling, trading, hacking and all similar activities which are legally or socially unacceptable.
  • Local administrator passwords and other user/group account information on laptops, desktops and servers must not be altered without prior consultation with, and permission from, IT.

 

Email and Communication:

Employees should not:

 

  • Send unsolicited email messages, including "junk mail" or advertising materials, to individuals who did not specifically request such material. There is a distribution list (DL) named 'Loonies' which you can use for 'light-hearted' material for fun and recreation. Do not send sexually explicit or offensive material, or religiously or politically sensitive content, to the Loonies group.
  • Use email header information without authorization, or forge it.

 

Care of IT Assets

  • Login scripts and other system startup tasks that run automatically should be allowed to complete and never be interrupted.
  • Any problems with antivirus software, the desktop firewall, patch updates etc. should be reported to IT.
  • Patch updates should not be postponed beyond a day (24 hours): attackers routinely exploit newly disclosed vulnerabilities soon after a patch is released, so an unpatched machine is a real risk.
  • Run check disk and disk defragmentation once a fortnight, or as needed, to keep the file system performing well.
  • Any suspected virus/spyware infection should be reported to IT immediately.

 

Laptops:

You should:

  • Take reasonable and prudent care to protect laptops from loss, theft or damage, and at a minimum clean and dust the laptop with a dry cloth regularly.
  • When handling laptops at home, take care not to allow access by children, pets, etc.

Lesson 2: Collaboration Tools

Objectives:

By the end of the lesson, you will be able to

  • Understand the details of the Collaboration Tools and work with them

 

Collaboration Tools:

Before learning about the collaboration tools we use at Gainsight, it is good to know some email etiquette:


Email Etiquette:

Love it or hate it, we live in a world of email.  And though we're trying to introduce other tools to complement it, email is a big part of collaborating here, and nearly everywhere.

But email, like any tool, is as much about how you use it as anything else.  Put another way, either email is a tool, or you're a tool.  Just kidding.

To that end, we have the following norms around email:

 
  • FYI: Make it clear that an email requires no action by putting "FYI: " at the beginning of the subject line.

  • Rename Subjects: If you're forwarding a thread that says something generic like "Question" in the subject line, rename it to explain what's in the email.

  • Everything Can't Be A Priority: Whoever invented the high priority flag in email needs to be slapped; use the flag sparingly if it's truly an emergency.

  • Use CC: If someone on a thread just needs to read a note with no action, put them on the CC line.  Don't ever put someone on the CC line if they need to take action.

  • Sneaky BCC Is Evil (Internally): Don't be "that person" that emails someone and secretly BCCs someone else.  Use BCC where it's intended (mass mailing people, taking people off a thread).

  • Summarize Threads: If you're forwarding a long thread to someone, do them a favor and put a summary in bold at the top of the email thread explaining what it's about and what you want from them.

  • Mind the Mindless Reply All: Expand the recipients when others will value the information (CC) and shrink them for more pointed, off-thread side bars. Indicate your changes to the thread at the top of the message so everyone gets a heads-up (e.g., "+ John").

  • TL;DR: On that note, if your note is longer than a page, make the first line a "TL;DR" with a summary and desired action like "TL;DR: This note covers our roadmap for the next few months; let me know if you have any concerns."

Respond

Respond to all emails within 24 hours on weekdays.  It's not good to miss an email.  It's unacceptable to miss an email from a client or prospect.

Call 

If it's urgent, call the person.

Lists 

We are believers in email lists to ensure consistent communication.  We currently have [email protected] (entire company) and [email protected] (leadership team) and will add more.  Use them.

Chatter

We use Chatter to share information broadly so if you have an article, update, FYI, etc. share it through Chatter.

Chat

Many of us are on calls (making our customers successful) all day, so stay online in Google Chat when you're at your computer so people can reach you.  Try to do as much via chat (versus email) as possible.

Calendar

Maintain your calendar in Google Calendar so people can see when you're free/busy.  If you accept a meeting invite, show up and show up on time.

Box

We use Box for file sharing.  It's great because files are available to the right people and are always up-to-date.  When possible, upload a file you want to share to Box and send a link.  For Word-style documents and Excel-style spreadsheets, you can use the embedded Google Docs feature in Box.

Zoom

We use Zoom for internal meetings.  Make sure you have an account if you're hosting meetings.

Clearslide

We use Clearslide for sharing docs and PPTs with clients.  Make sure every client-facing doc is sent via Clearslide. IT will load this on your computer upon request.

GoToMeeting

We use Citrix GoToMeeting for web conferencing with clients and prospects. IT will load this on your computer upon request.

 

https://docs.google.com/document/d/1NtdgjN5v7_ggW2HrP6c80yzbKsQ7Uh3JO2A8g3e5NnU/edit

 

Use of Social Media

Company understands that social media can be a fun and rewarding way to share your life and opinions with family, friends and co-workers around the world. However, use of social media also presents certain risks and carries with it certain responsibilities. To assist you in making responsible decisions about your use of social media, we have established these guidelines for appropriate use of social media.

Guidelines

In the rapidly expanding world of electronic communication, social media can mean many things. Social media includes all means of communicating or posting information or content of any sort on the Internet, including to your own or someone else’s web log or blog, journal or diary, personal web site, social networking or affinity web site, web bulletin board or a chat room, whether or not associated or affiliated with Company, as well as any other form of electronic communication.

Ultimately, you are solely responsible for what you post online. Before creating online content, consider some of the risks and rewards that are involved. Keep in mind that any of your conduct that adversely affects your job performance, the performance of your co-workers or otherwise adversely affects others who work on behalf of Company or Company’s legitimate business interests may result in disciplinary action up to and including termination to the extent consistent with applicable law.

Know and follow the rules

You should ensure that you do not violate any Company policies with material that you post online. Inappropriate postings that may include discriminatory or harassing remarks based on protected classes, and threats of violence or similar inappropriate or unlawful conduct will not be tolerated and may subject you to disciplinary action up to and including termination.

Be Professional

Always be fair and courteous to your co-workers and others who work on behalf of Company.  If you decide to post complaints or criticism, do not use statements, photographs, video or audio that reasonably could be viewed as malicious, obscene, threatening, intimidating, or would constitute violation of the Company’s workplace policies against discrimination or harassment based on protected classes. Examples of such conduct might include posts that could contribute to a hostile work environment on the basis of race, sex, disability, religion or any other status protected by law or Company policy.

Be honest and accurate

Make sure you are always honest and accurate when posting information or news, and if you make a mistake, correct it quickly. Be open about any previous posts you have altered. Remember that the Internet archives almost everything; therefore, even deleted postings can be searched. Never post any information or rumors that you know to be false about Company, your co-workers or others working on behalf of Company.

Post only appropriate and respectful content

Maintain the confidentiality of Company trade secrets and private or confidential information. Trade secrets may include information regarding the development of systems, processes, products, know-how and technology. Do not post internal reports, policies, procedures or other internal business-related confidential communications.

Respect financial disclosure laws 

Do not create a link from your blog, website or other social networking site to a Company website without identifying yourself as a Company employee.

Express only your personal opinions

Never represent yourself as a spokesperson for Company. If Company is a subject of the content you are creating, be clear and open about the fact that you are an employee and make it clear that your posts reflect your personal views and opinions, and do not represent those of Company. If you do publish a blog or post online related to the work you do or subjects associated with Company, make it clear that you are not speaking on behalf of Company. 


Using Social Media at Work

Refrain from using social media while on work time or on equipment that Company provides, unless such use is work-related as authorized by your manager. Do not use Company email addresses to register on social networks, blogs or other online tools utilized for personal use.

Other guidelines 

This policy is not intended to interfere with any rights employees may have under applicable laws.  “Protected concerted activity” occurs when two or more employees take action for their mutual aid or protection regarding terms or conditions of their employment.  A single employee may also engage in “protected concerted activity” if he or she is acting on the authority of other employees, bringing group complaints to the employer’s attention, trying to induce group action, or seeking to prepare for group action.  “Protected concerted activity” does not include individual concerns.  Comments made solely by and on behalf of a single employee are not concerted.  For example, expressions of personal anger with an employer made solely on an employee’s own behalf, not involving the sharing of common concerns, would not be “protected concerted activity.”  Reckless or malicious behavior may also cause concerted activity to lose its protection.  

If you have questions or need further guidance, please contact Human Resources.

Lesson 3: Information Security and SOC2

Objectives:

By the end of this lesson, you will be able to

  • Understand about Information Security and SOC2

What is SOC2?

SOC 2 is part of the AICPA Service Organization Control (SOC) reporting framework. In an effort to revamp reporting on service organizations (and to align with the trend toward globally accepted accounting principles), the American Institute of Certified Public Accountants (AICPA) launched the SOC reporting framework, which offers three (3) reporting options: SOC 1, SOC 2 and SOC 3.

A SOC 2 examination was originally conducted under AT Section 101, a little-known attestation standard that came to prominence because SOC 2 reports were required to use it. (Since 2017 the attestation standards have been recodified under SSAE 18, and SOC 2 examinations are performed under AT-C sections 105 and 205.)

Understand the differences between SOC 1, SOC 2 and SOC 3.

SOC 1 (originally SSAE 16, now SSAE 18) is tailored for service organizations whose services have a credible nexus with their customers' Internal Control over Financial Reporting (ICFR). SOC 2 is designed for the growing number of technology and cloud computing entities that make up today's service organizations. SOC 3, much like SOC 2, uses the five (5) Trust Services Principles (TSP, renamed the Trust Services Criteria in 2017) as the framework for the engagement (the SysTrust and WebTrust engagements). While a SOC 2 report may cover any number of the TSPs, SOC 3 requires that all five (5) be included. The practical difference is that a SOC 2 report is a restricted-use document containing the auditor's detailed description of controls and tests, whereas a SOC 3 report is a short general-use summary that can be published freely.

The five (5) TSPs are the following:

•    Security: The system is protected, both logically and physically, against unauthorized access.

•    Availability: The system is available for operation and use as committed or agreed to. 

•    Processing Integrity:  System processing is complete, accurate, timely, and authorized. 

•    Confidentiality:  Information that is designated “confidential” is protected as committed or agreed. 

•    Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

Note that SOC 2 is not itself a management-system standard: the often-quoted objective of "establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System" is the stated purpose of ISO/IEC 27001, which companies offering cloud software and services frequently pursue alongside SOC 2. What a SOC 2 report gives such a company is an independent auditor's opinion on whether its controls are suitably designed (Type I) and operating effectively over a review period (Type II) against the trust services criteria it has chosen.

 

What is Information?

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

Information exists in many forms:

  • Printed or written on paper
  • Stored electronically
  • Transmitted by post or electronic means (email)
  • Visual, e.g. videos, diagrams
  • Published on the Web
  • Verbal/aural, e.g. conversations, phone calls, gossip!
  • Intangible, e.g. knowledge, experience, expertise, ideas

Whatever form the information takes, and whatever means by which it is shared or stored, it should always be appropriately protected.

Information security is what keeps valuable information ‘free of danger’ (protected, safe from harm).

It is not something you buy, it is something you do. It is a process, not a product.

It is achieved using a combination of suitable strategies and approaches:

 

  • Determining the risks to information and treating them accordingly (proactive risk management)
  • Protecting CIA (Confidentiality, Integrity and Availability)
  • Avoiding, preventing, detecting and recovering from incidents
  • Securing people, processes and technology … not just IT!

It involves:

  • People (staff and management)
  • Processes (business activities)
  • Technology (IT, network)

People:

People who use or have an interest in our information security include:

  • Shareholders / owners
  • Management & staff
  • Customers / clients, suppliers & business partners
  • Service providers, contractors, consultants & advisors
  • Authorities, regulators & judges

Our biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers) and from the bugs and flaws they introduce, yet our biggest asset is also our people (e.g. security-aware employees who spot trouble early).

Process:

Processes are work practices or workflows, the steps or activities needed to accomplish business objectives. 

  • Processes are described in procedures.
  • Virtually all business processes involve and/or depend on information making information a critical business asset.

Information security policies and procedures define how we secure information appropriately and repeatedly.

Technology:

Information technologies

  • Cabling, data/voice networks and equipment, Internet
  • Telecommunications services (PABX, VoIP, ISDN, videoconferencing)
  • Phones, cellphones, PDAs
  • Computer servers, desktops and associated data storage devices (disks, tapes)
  • Operating system and application software
  • Paperwork, files
  • Pens, ink

Security technologies 

  • Locks, barriers, card-access systems, CCTV


State whether the following statement is either True or False. "Caution should be exercised while working with Gainsight source code, documentation, and design/functional specifications, which constitute Gainsight Intellectual Property."

  • True
  • False

Which of the following is correct when using social media at the office?

  • Be Professional
  • Post all pictures from your mobile
  • Disclose financial details

State whether the following statement is either True or False: "The 5 Trust Service Principles are Security, Availability, Processing Integrity, Confidentiality and Privacy."

  • False
  • True