Security Assurance at CN Group

As you have probably noticed, we are a very open and informal company. We try to encourage the free exchange of information to support development. However, we do not live in a perfect and safe world, and therefore we cannot forget about security.

This basic course gives you basic information about security assurance in our company and instructs you how to decrease the probability of a security incident. So please take this course, and security assurance as a whole, seriously; it is not fun!

What happened in our company in the past:

Case 1: In 1999, a PC was stolen by a nasty thief from an employee's desk during the lunch break. Unfortunately, the employee did not use his Kensington lock, so he had to pay part of the cost.

Case 2: In 2001, another employee was robbed at a Brussels bus station. It was covered by the insurance company, but the employee had saved lots of data locally, including very sensitive information. Fortunately, no data were revealed.

Case 3: In 2002, a laptop was stolen from the desk of an employee after he left the office. Again, the Kensington key was not used.

Case 4: In 2003, a laptop was stolen from an employee on a train during his journey home from the office.

IT security

Introduction

IT security is the key area of our company; please pay special attention to it. We have some policies and rules (e.g. passwords for Exchange & VPN accounts must be at least 8 characters long and must be changed every 180 days), and we know that they can bother you. But the only reason for having them is to decrease the probability and impact of a security incident.

You must always inform the responsible people in case of

  • an IT security incident (e.g. virus, suspicious e-mail, person in the server room, etc.)

The following people are to be informed of such events:

  • Prague: Ben Rothbauer
  • Zlín: Petr Franta
  • Bratislava: Štefan Majerníček
  • Bucuresti: Daniela Iancu

Software

The rules for using software at CN Group are defined as follows:

  • It is mandatory to create strong passwords for all company systems.
  • It is prohibited to save passwords for any company system on local drives in unencrypted form.
  • It is prohibited to write down passwords for any company system on boards, sheets of paper, desks, tables, etc.
  • Use of hacking and cracking tools is strictly prohibited; if such a tool is needed for education or testing purposes, approval by the project and line manager must be provided.
  • All workstations must be protected against unauthorized use. The easiest way is a password-protected screen-saver.

Please note that the purchase of software licences and the management of their usage are the responsibility of the IT department. You are allowed to use only the software that has been assigned to you. You are allowed to install free software for company business purposes, but read the EULA (End User Licence Agreement) carefully before installation.

Installed software on your workstations is checked regularly. If you violate the licensing rules and do not remove the potential issues within one week, you will be brought to account with your line manager.

Hardware

The rules for using hardware at CN Group are defined as follows:

  • Never manipulate any hardware except your laptop or monitor. 
  • All laptops must be secured against theft by a physical laptop-lock, unless located in locked rooms.

Please note that all computer devices, printers, copiers, projectors, phones, printing paper and other equipment and material owned and/or funded by CN Group must be used for business purposes only. If you wish to use them for private purposes, you must obtain permission from your line manager beforehand.

Mobile devices

The company owns a set of mobile devices for development and testing purposes. Any manipulation of the operating systems of these devices is prohibited. If you want to use any of those devices in your projects, ask the following people:

  • Prague: Jan Černý
  • Zlín: Jan Fleischer
  • Bratislava: Milan Piskla

You are allowed to use your own mobile devices on the public company WiFi spots.

Access to company e-mails using your personal phones is allowed under the following conditions:

  • your mobile device is protected by a fingerprint or at least by a PIN or gesture
  • it is protected by an antivirus system with an anti-theft feature

Contact the above-mentioned responsible people if:

  • your personal mobile with such access has been stolen or lost
  • a company mobile device assigned to you has been stolen or lost
  • the antivirus system in a company mobile device is turned off

What are the conditions for having access to the company e-mail system using a personal mobile device?

  • access through not-easy-to-guess PIN or fingerprint or gesture
  • WiFi disabled
  • antivirus with antitheft system installed
  • having a cover

Can a CN employee install free software for business purposes?

  • Yes, but EULA has to be considered.
  • Yes, but an authorization by IT department has to be provided.
  • No.
  • No.

How should laptops be secured against theft?

  • physical laptop locks (e.g. Kensington key)
  • a protection against unauthorized usage (e.g. password protected screensaver)
  • encryption of hard-drive

Who are the responsible persons to inform in case of an IT security incident?

  • Ben Rothbauer
  • Petr Franta
  • Jiří Šošolík
  • Štefan Majerníček
  • Mireček
  • Daniela Iancu

Office security

Introduction

Office security is a part of general security assurance; kindly do not underestimate it. You must always inform the responsible people in case of

  • an office security incident (e.g. unattended suspicious baggage, suspicious person, etc.)
  • a business visit
  • a personal visit

The following people are to be informed in case of the above-mentioned events:

  • Prague, Smečky 20, Smečky 20a: Sandra Mullerová
  • Prague, Krakovská: Lucie Krobová
  • Zlín: Veronika Bezděková
  • Bratislava: Janka Chlebanová
  • Bucuresti: Daniela Iancu

General office security rules

The following rules for office security are defined:

  • Always follow the security instructions for the use of electrical devices.
  • It is prohibited to leave security items unattended on desks, e.g. sensitive documentation (contracts, proposals, designs), removable media (flash discs, CD/DVDs), access items (keys, cards).
  • Do not let in any external people. Always ask whom they are visiting and call that person.
  • Do not modify premises in any way.
  • When leaving the office
    • Close windows firmly.
    • Switch off the lights, printers, copy machine, kitchen equipment etc.

Security rules specific to PRG Smečky 20 and Smečky 20a

Ve Smečkách 20 is guarded by JABLOTRON Security, phone numbers: 267 267 267, 257 014 154-7, 257 014 100 or mobile: 602 378 783, 602 160 652. In case of a false alarm at Ve Smečkách 20:

  1. First stop the beep sound by entering the usual deactivation code.
  2. Call JABLOTRON Security, tell them the address you are calling from and the password "JIRKA".

REMEMBER: If you do not call JABLOTRON Security after a false alarm, their security patrol will arrive, kick your buttocks and send CN a bill for this service. CN will then bill you.

When a notice "zasah spravce" appears on the alarm box (or call directly the OPTISERVIS dispatching centre at 603 441 743)

  • Keep the backyard and the glass door in the basement closed the whole day.
  • When entering the office
    • Make sure that the alarm is switched off.
  • When leaving the office
    • Lock the door and activate the alarm (only if you are the last on the floor).
    • Lock the backyard, glass door and external door after 18h.
  • Do not tell your door code to anybody else. Do not write this code down anywhere.

Should I report a visit (either personal or business) to a responsible person?

  • Yes.
  • No.

What is the password that should be told to the security agency in case of a false alarm in Prague?

  • Pepa
  • Jirka
  • Vašek

After what time should the external door be locked in Smečky?

  • 16:00
  • 18:00
  • 19:00

Who are the responsible persons to inform in case of any office security incident?

  • Sandra Mullerová
  • Steen Nielsen
  • Jaromír Kohlíček
  • Janka Chlebanová
  • Lucie Krobová
  • Veronika Bezděková
  • Daniela Iancu
  • Josef Chroustal