Security guidelines

This page is intended to help (future) employees as well as subcontractors of the company to comply with Anwert’s security guidelines. Data security in general and IT security in particular are indispensable for corporate success. Corporate data must be protected in the best possible way. This applies both to attempts to spy on this data and to the risk of data loss due to technical failures.

Anwert follows the recommendations of the WKO (Austrian Federal Economic Chamber) published in the IT Security Handbook and the IT Security Handbook for Employees. All measures, as well as the data protection provisions, are summarized in a separate internal document (“Technical and Organizational Measures”).

1. secure handling of personal data

Personal data is all information that relates or can at least be related to a natural person and thus allows conclusions to be drawn about that person’s personality.

Special categories of personal data include information about ethnic and cultural origin, political, religious and philosophical beliefs, health, sexuality and trade union membership. These are particularly worthy of protection.

Above all, data subjects have the right to informational self-determination. The storage and processing of personal data is only permitted with the consent of the data subject.

Please note the following points:

  • Personal data must be kept secret. Only with written consent may this data be disclosed to third parties.
  • When passing on data, care must be taken to ensure a secure communication channel. An unencrypted email does NOT meet this requirement.
  • After leaving the company or changing jobs, you may not pass on personal data that was made available to you in the course of your work or use it for other purposes.

2. social media

Social media such as Facebook, Instagram, Twitter, Snapchat and the like are becoming increasingly popular. Social media brings with it many benefits. You can find out about recipes, or how an electronic device works, and you can talk about it with other people right away. However, social media also has some disadvantages.

Especially for companies, social media are increasingly becoming a security problem. This problem is usually caused unintentionally by employees who quickly post a photo from the workplace, or mention in passing that the entire company is away on a ski trip. In general, keep in mind that ANY information, no matter how unimportant it seems, can be important to someone – this also applies in the private sphere. A photo of your workplace can, for example, show folders on which customer names are visible. The information that the entire company is away on a ski weekend could show an attacker exactly the window of opportunity needed to gain digital access. You should therefore be particularly careful with the information you disclose.

Please consider the following points (unless you have been explicitly instructed otherwise):

  • Do not post photos of your workplace
  • Do not post status information that concerns the company
  • Do not disclose information about the company you work for in any forums or social media
  • Use pseudonyms for absolutely necessary questions in forums or social media that concern the company
  • Do not mention any names. Neither your own nor the name of the company.

3. clear desk policy

The Clear Desk Policy means that employees lock away all confidential documents located at their workplace. Unauthorized persons (cleaning staff, colleagues without authorization, or visitors) must not have access to them.

Please note the following points:

  • When leaving the workplace, all printouts, copies or the like must be stowed away in such a way that these documents are not accessible to third parties (desk, lockable boxes, data media safe).
  • Do not leave any printouts in the printer/copier.
  • Do not keep password notes at your workstation under any circumstances.
  • Lock your computer when you leave your workplace (e.g. under Windows with “Windows key + L”)! Unattended, unlocked computers are a high security risk. Unauthorized persons could thus gain access to confidential data.

4. passwords

Think of a password as a key to your apartment or house. At home, you also want to have a good lock that protects against unauthorized access. Passwords behave in the same way. Passwords protect against unauthorized access.

Please note the following points:

  • Use 1Password as your password manager and only create passwords that are classified as “Fantastic” by 1Password.

5. encrypted communication

Please make sure to use encrypted communication. Your browser, for example, signals this with a padlock icon in the address bar. All transmitted data, including anything you enter into a form on such a website, is then encrypted in transit.

Encrypted communication via e-mail is a bit more difficult, because nobody thought about secure/encrypted communication when e-mail was developed. Please note that a normal e-mail is NOT a secure communication channel.

Nevertheless, to add a layer of security to e-mail, there are extensions that encrypt the message before sending it and automatically decrypt it at the recipient’s end. This technology also allows sensitive data to be sent by e-mail. Common standards are PGP and S/MIME. Please contact the IT department to evaluate this technology.

6. dispose of documents and data carriers correctly

Carelessly discarded documents pose a serious security problem if their data falls into the wrong hands. For this reason, documents and data carriers (USB sticks, hard disks, SD cards, CDs/DVDs …) must be disposed of securely. A document shredder or a service company specializing in secure disposal is suitable for this. The service company will then issue you with a certificate confirming that the material has been disposed of properly.

Please note the following points:

  • Do not throw data media or important documents in the trash under any circumstances! If the content must not be made accessible to outsiders, the data carriers and documents must be disposed of securely. Note that this procedure must also be followed for archive material.
  • Hand over data media you no longer need to the person responsible in your IT department, or to a person specifically designated for this purpose, who is responsible for their secure disposal.

7. handling mobile IT devices

Mobile IT devices (notebooks, smartphones, etc.) pose an increased security risk due to their mobile use. Portable devices are an attractive target for thieves.

Please note the following points:

  • Do not leave the device unattended.
  • Do not lend the device to other people.
  • When entering your password on the device, make sure you are protected from view – similar to an ATM.
  • Do not use your private cloud storage for corporate data.
  • Only install applications that you know to be trustworthy and secure and that have been approved by your IT department.
  • Report any theft or loss immediately.
  • Pay attention to any data and call package volumes to avoid additional costs for the company.

8. internet usage

Even when surfing the Internet normally, dangers lurk that are not immediately recognized as such. It is your own responsibility to recognize such threats and respond accordingly.

Please note the following points:

  • Use your common sense! If you do not have a cell phone contract with A1 or T-Mobile, for example, the e-mails you receive from A1 or T-Mobile are usually fraudulent.
  • Do not transmit personal data, especially if the connection is not marked as secure (HTTPS).
  • Websites that lure users with downloads of free additional software or dubious sweepstakes should always be distrusted.
  • Downloading files – apart from the risk of introducing malware – can also lead to licensing and copyright problems. This also applies to software that has not been installed or executed and is only stored on the office computer.
  • Do not access websites with pornographic content, content that glorifies violence, or content that is questionable under criminal law. This can cause serious legal problems – also for your company.

9. logging

It should be noted that all data traffic with the company’s systems is subject to logging and evaluation in order to be able to detect and prevent any data breaches or malicious code propagation at an early stage. The evaluation is only carried out in conjunction with the management and in compliance with data protection.

10. e-mail usage

E-mail is almost standard equipment in a workplace. This makes it worthwhile for criminals to exploit this form of communication, which means that spam or phishing e-mails and messages contaminated with malware end up in your inbox. Such unsolicited messages – with more or less dangerous content – account for about two-thirds of the world’s e-mail traffic.

Please note the following points:

  • Do not open any e-mails if the sender or subject line seems suspicious.
  • Never open file attachments that seem suspicious to you. Even with supposedly known and trustworthy senders, check: Does the text of the e-mail match the sender (English text from German-speaking sender, nonsensical text, missing reference to current events, etc.)? Are you expecting the enclosed files and do they match the sender, or are they completely unexpected?
  • Do not open e-mails containing joke programs (games, animations and the like), as these may contain malware.
  • So-called phishing e-mails that request the transmission of personal online banking data or passwords (e.g. PIN or TAN) must be deleted. Under no circumstances may you pass on the confidential information requested.
  • Often, a link can be clicked in an email to go to a web page. Be careful: in fraudulent e-mails, these links often have a completely different Internet address than the one shown in the e-mail.
  • Do not reply to spam mails! Replying only confirms to the spammer that your e-mail address is valid, thereby increasing your risk of receiving further mailings. Unsubscribing from e-mails only makes sense with reputable senders.
  • Also notify your colleagues about suspicious mailings. Discuss the current emails that you have recognized as phishing attempts or virus emails in order to get to know the typical characteristics together. You can train and improve your recognition skills very quickly this way.
  • When you go on vacation or are absent, remember to use the out-of-office assistant to inform the sender of your absence.

11. social engineering

Social engineering is the manipulation of people to gain unauthorized access to confidential information or IT systems. Predominantly, this attack is carried out by phone or e-mail. A current example is the attack on the FACC company. Several million euros were stolen by means of a fake e-mail address. To date, the attacker has not been caught.

Social engineers like to pose as employees. They may also claim to represent a public authority or an important client company, or to be part of your IT department. Their victims are deceived by internal company knowledge or special technical terms that the attacker has previously acquired through phone calls or conversations with other colleagues. During the attack, they then appeal to your willingness to help as a “stressed colleague” or threaten the loss of an order as a “customer”. If a social engineer does not reach the target with one employee, the attack is repeated with the next contact person – until it succeeds.

Please note the following points:

  • Be skeptical of phone calls or e-mails, especially if the colleague’s request or assignment is unusual.
  • If possible, discuss the matter with your colleague in person.
  • Keep in mind that social engineering is used very often, but most often goes undetected for a long time.
  • Do not share confidential information by phone or email.

12. removable media

All external data carriers such as USB sticks, SD cards, external hard disks, CDs, DVDs and smartphones connected via USB are considered removable media. Their use poses a major security risk, especially if the data carriers come from an external source. Malware can hide on such removable media and paralyze the entire company network. In general, the use of removable media is prohibited.

13. expiration of a contractual relationship

In the event of resignation from the company or the expiry of a contractual relationship, the employer reserves the right to continue using e-mail addresses so as not to disrupt the company’s operations. Furthermore, the employee undertakes to make all documents, IT equipment and records available to the company without being asked to do so upon leaving. In an employment relationship, the employer is usually the owner of the intellectual property generated. Especially with regard to documents, calculations or the like, this is an essential point.
