Care for Children
IT – Security & Policy
New member of staff
September 2024
Updated 9/9/24
Full-time
- Issued with a new or suitably refurbished Windows PC laptop.
- Allocated a Microsoft 365 license and a careforchildren.com email address.
Part-time (but not Intern)
If the part-time employee is working 14 hours or more per week and is expected to be with the organisation for 12 months or more:
- Issued with a new or suitably refurbished Windows PC laptop.
- Allocated a Microsoft 365 license and a careforchildren.com email address.
If the part-time employee is working less than 14 hours per week or is expected to be with the organisation for less than 12 months:
Contractor
A 'contractor' refers to someone who is not employed by Care for Children but carries out work for the organisation on a regular basis.
- A contractor will be expected to use their own computer.
- A contractor will not be issued with a Microsoft licence or careforchildren.com email address.
Requirements for contractor's computer:
- The contractor will be required to have available and use the Microsoft Teams app.
- They will be added to a suitable Team/Channel and must ensure that all files relating to Care for Children are kept in that Team/Channel rather than elsewhere on their own computer.
- If the contractor has their own licensed copy of Microsoft Office, they can use it to create and read Care for Children Microsoft documents.
- If the contractor does not have their own licensed copy of Microsoft Office
Intern
If the intern is working for one day per week or more for the agreed period:
- Issued with a new or suitably refurbished Windows PC laptop.
- Allocated a Microsoft 365 license and a careforchildren.com email address.
Device Security
All users of CFC-owned computers are required to observe the following regarding the security of their PC:
- Update Software and Devices: Keep your operating system, browsers, and other software up to date to protect against vulnerabilities.
- Be familiar with the Windows Update and Windows Security settings and check them regularly: confirm that the firewall is switched on for every network profile and that the built-in antivirus (or other approved security software) is active with up-to-date definitions, so the device is protected against malware and unauthorised access.
- Run a full system scan on a regular basis (a minimum of every three months).
- Ensure a suitably secure password/code, required to access the computer, is in place.
- Be aware of any changes in behaviour regarding the operation of the computer. This could indicate the presence of malware/virus.
- Be familiar with phishing and similar practices and have a clear understanding of how to spot these types of attack, and what to do when an attempt is detected.
- Do not share or disclose your password.
- Do not download/install unauthorised software, applications or similar.
Device Maintenance
All defects must be reported. A decision will then be made as to whether we attempt to fix the issue in-house or refer the device to an external repairer.
Taking PC for repair
In the event that a CFC device has to be taken to a computer repair service, the user must be aware of the potential risks and ensure that confidential data is protected as per guidelines outlined below. Consideration needs to be given to the security/reliability/suitability of the proposed repairer.
Guidelines:
- Assess the risk, taking into account the content on the device and your knowledge of, and relationship with, the repairer.
- Log out of 365 and Teams.
- Consider unlinking the PC from OneDrive. To do this: make sure all files are in the local OneDrive folder; enable the 'Free up space' option on all files so that no local copies remain on the disk; then choose 'Unlink this PC' in the OneDrive settings. When the PC is returned from repair, sign in to OneDrive again and the files can be re-synced. Note that unlinking only covers files inside the OneDrive folder; anything stored elsewhere on the disk stays on the device and is visible to the repairer.
Letting someone else use your device
Do not allow other users to physically use your CFC device. This includes colleagues as well as family and friends. It is the responsibility of the user to keep the devices safe.
Software usage
All users of CFC-owned computers are required to observe the following regarding software on their PC:
Approved software: Microsoft 365 and Office, Microsoft Teams, Microsoft OneDrive.
Microsoft Outlook is the required email client.
Do not download/install unauthorised software, applications or similar.
Process of a user changing/relinquishing device
If a user finishes with a PC either because they leave CFC or because they are getting a replacement device, the existing files will need to be removed from the old device and if appropriate, be made available to the new device. If OneDrive has been operated correctly, this is a straightforward process.
- Ensure that any CFC files that are not in OneDrive are moved to the local OneDrive folder (the OneDrive folder on the device itself).
- Check that OneDrive syncing is up to date.
- Check to see whether there is any other software apps used on the device that may need to be reinstated on a future device.
When the old device is ready to be reset for the next user, go to Start > Settings > Update & Security > Recovery > Reset this PC > Get started (Windows 10; on Windows 11 the path is Settings > System > Recovery > Reset this PC). Choose 'Remove everything' so that the previous user's account and files are wiped rather than kept.
Install Office on new device and sync email and files.
When the new device is setup and ready to use, the existing email and files will need to be made available on the new device.
This is done through three apps: OneDrive, Teams and Outlook.
- Launch OneDrive on the new machine and sign in using the appropriate CFC email and password.
- Sync the files from the cloud OneDrive to the local OneDrive folder.
- Download and install the 'Teams for Work or School' app and sign in using the appropriate CFC email and password.
If the user's Microsoft 365 licence includes the desktop Office apps, download them from the user's online 365 account:
- Login to 365 online
- Go to https://portal.office.com/account
- Choose 'Install Office'
- The .exe file will download automatically.
- Locate and launch the .exe file. Office will install (this can take 20 minutes or so).
To sync emails, launch Outlook:
- Sign in using the appropriate CFC email and password.
- Emails should start to sync and appear.
Disposal of old devices
When a device comes to its end of life with CFC, it is the responsibility of the Office Manager to ensure that the device is adequately de-commissioned and disposed of securely.
Office Practice
Each CFC office is required to have available a Windows laptop computer in the event that a member of staff doesn't have their normal PC available. This may be, for example, because their computer is not in the office, faulty, or away for repair.
The spare device can be new or used.
It must:
- be free of any personal or private files;
- have Teams installed so that it is ready to use when required;
- have a sign-in password that is readily available and known to the location manager.
External Repairer
Each CFC office location needs to know the location and availability of local PC repair centres and should obtain recommendations where possible, in readiness for use.
IT Security Precautions
These are covered in Induction and ongoing support. The list below is not exhaustive:
- Be aware of and alert to social engineering techniques.
- Be aware of phishing / spoof emails in pa
- Always be prepared to check any email or text instruction independently.
- Assume someone is viewing which websites you visit when using insecure networks such as hotels, cafes etc.
Tips for spotting phishing attacks
- Check the sender address: legitimate organisations send from their own domain (e.g. @google.com for Google), not from public webmail domains such as @gmail.com. The display name can say anything, so look at the actual address behind it.
- Inspect domain spelling: Be wary of misspelled domain names. Scammers often create addresses that closely resemble legitimate ones.
- Review email copy: Poor grammar, misspellings, and bad punctuation are red flags. Legitimate communications are usually well-written.
- Avoid urgent requests: Scammers create urgency to pressure you. Don't rush; verify the email's legitimacy.
- Watch for suspicious links: Hover over links to see where they lead. If they don't match the claimed organization, it's likely a scam.
- Be cautious with attachments: Verify the source before opening attachments. Legitimate emails rarely send unsolicited files.
Tips for spotting smishing attacks
Smishing is a form of phishing that targets users through text messages. Here are some key tips to help you recognise smishing attempts:
- Check the tone: Be cautious if the message creates a sense of urgency or pressure to act immediately. Scammers often use fear tactics to make you click without thinking.
- Verify the sender: if you receive a suspicious text, do not reply to it. Contact the organisation through a number or website you already hold, not one given in the message, before taking any action.
- Avoid clicking links: on a phone you cannot hover over a link to see where it leads, and shortened links hide the destination, so do not tap links in unexpected texts. If you need the organisation's site, type its address yourself or use its official app.
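The checks in the two lists above (phishing and smishing) can be applied mechanically to a message. The Python below is an added example written for this page; it is not part of the Care for Children policy or of any product named on it. It reads one raw email and reports a sender on a public webmail domain, a sender domain that only looks like a trusted one (rnicrosoft vs microsoft), link text that shows one address while the link points to another, links that use plain http, and urgency wording. The PROTECTED and FREEMAIL lists, the confusable-character tables and the two sample messages are constructed for the illustration; registrable() keeps only the last two DNS labels and so mishandles domains such as example.co.uk. For texts, the same link check applies to any address you copy out of the message rather than tap.

```python
"""Added example: automated versions of the phishing / smishing checks above.
Not part of the Care for Children policy. PROTECTED, FREEMAIL, the confusable
tables and the two sample messages are constructed for illustration."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

PROTECTED = {"careforchildren.com", "microsoft.com", "office.com"}   # constructed
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
_PAIRS = (("rn", "m"), ("vv", "w"))


def registrable(host: str) -> str:
    """Last two labels only (assumption: no public-suffix list, so co.uk is mishandled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(domain: str) -> str:
    """Collapse confusable characters so 'rnicr0soft.com' becomes 'microsoft.com'."""
    s = domain.lower().translate(_SINGLE)
    for pair, repl in _PAIRS:
        s = s.replace(pair, repl)
    return s


def lookalike_of(domain: str):
    """The protected domain that `domain` imitates, or None if genuine or unrelated."""
    if domain in PROTECTED:
        return None
    return next((real for real in PROTECTED if skeleton(domain) == skeleton(real)), None)


class _Links(HTMLParser):
    """Collect (href, anchor text) pairs plus all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def _host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_message(raw: bytes) -> list:
    """Run the page's checks over one raw RFC 822 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if registrable(sender) in FREEMAIL:
        findings.append(f"sender uses public mail domain {sender}")
    elif (real := lookalike_of(registrable(sender))):
        findings.append(f"sender domain {sender} resembles {real}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = _Links()
    html.feed(body.get_content() if body else "")
    for href, text in html.links:
        target = _host(href)
        if urlparse(href).scheme == "http":
            findings.append(f"link to {target} uses plain http")
        if (real := lookalike_of(registrable(target))):
            findings.append(f"link domain {target} resembles {real}")
        # Anchor text that looks like a URL but points somewhere else (the 'hover' check).
        if ("://" in text or text.startswith("www.")) and registrable(_host(text)) != registrable(target):
            findings.append(f"link text shows {_host(text)} but points to {target}")
    visible = " ".join(html.text).lower()
    if hits := [w for w in URGENCY if w in visible]:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
PHISH = b"""From: "Microsoft 365 Support" <security@rnicrosoft.com>
To: staff@careforchildren.com
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Your mailbox will be suspended. Verify now:
<a href="http://login-m365.example.net/verify">https://portal.office.com/account</a></p>
"""
GENUINE = b"""From: "Office Manager" <manager@careforchildren.com>
To: staff@careforchildren.com
Subject: Minutes from Monday
Content-Type: text/html; charset=utf-8

<p>Minutes are in Teams: <a href="https://teams.microsoft.com/l/channel/x">the Ops channel</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, check_message(raw) or ["no findings"])
```

Run it as a script and the constructed phishing message yields four findings (lookalike sender, plain-http link, text/href mismatch, urgency wording) while the genuine one yields none. The skeleton() step is the interesting part: it is the same idea a human applies when squinting at an address, and it is why the policy says to inspect the spelling of the domain rather than the display name.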
Request for monies
Any text or email request for money must always be independently verified. The recommended method is to telephone the person who is requesting the payment, or on whose behalf it is requested, using a number you already hold (not one given in the message), to confirm (a) that the request is genuine and (b) that the payee details have been double-checked.
Password Policy
- Never share your password with others.
- Use different passwords for each account.
- Use a password manager.
- Don't log in from public computers.
- Don't log in to any password-protected site when using insecure networks such as those in hotels, cafes etc.
- Check whether your passwords have been compromised. (https://haveibeenpwned.com/)
- Always ensure that any passwords are sufficiently complex as to be considered 'secure'. See how below.
Here are five steps to help you create a secure password:
- Length Matters: aim for at least 12 characters. Longer passwords are better because they are harder to crack, and each extra character multiplies the search space. For instance, a 12-character password drawn from all 95 printable characters (upper and lower case letters, numbers and symbols) has 95^12, roughly 5.4 × 10^23 (540 sextillion), possible combinations.
- Mix It Up: Use a combination of letters, numbers, and symbols. Don't just capitalize the first letter; mix upper and lower case. Break up the sequence with special characters (like punctuation) to enhance security.
- Avoid Personal Data: Refrain from using easily discoverable personal information (such as your name, birthdate, or address) in your password.
- Combine Unrelated Words: When using full words, combine unrelated ones. Avoid using common phrases or dictionary words.
- Steer Clear of Dictionary Words: Don't use words exactly as they appear in the dictionary. Hackers often try common words first.
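The following Python is an added example written for this page, not part of the Care for Children policy. It puts the five steps above and the haveibeenpwned.com check from the Password Policy list into code: it builds a passphrase from unrelated words with a cryptographic random source, works out the search space both for a random string of a given length and alphabet and for a passphrase whose word list the attacker knows, applies the page's rules (length, character mix, dictionary words, personal data) and returns the ones a candidate breaks, and prepares a Have I Been Pwned range query. WORDS, COMMON_WORDS and the sample range response are constructed; in real use the range body comes from a GET to https://api.pwnedpasswords.com/range/<prefix>, and only that five-character prefix ever leaves the machine, which is why the check is safe to run on a live password.

```python
"""Added example for the password guidance on this page. Not part of the Care
for Children policy. WORDS, COMMON_WORDS and SAMPLE_RANGE_5BAA6 are constructed;
real use needs a large word list and a live GET to
https://api.pwnedpasswords.com/range/<prefix>."""
import hashlib
import math
import secrets
import string

WORDS = ["kestrel", "ocean", "granite", "lamp", "velvet", "comet", "harbour",
         "pepper", "tundra", "biscuit", "marble", "zephyr", "lantern", "orchid",
         "saddle", "glacier"]                      # constructed; real lists have 7000+
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}   # tiny sample
SYMBOLS = set(string.punctuation + " ")            # 33 symbols -> 95 printable in all


def generate_passphrase(n_words: int = 4, sep: str = "-") -> str:
    """Combine unrelated words chosen with the CSPRNG in `secrets` (never `random`)."""
    return sep.join(secrets.choice(WORDS).capitalize() for _ in range(n_words))


def _classes(pw: str) -> list:
    """Sizes of the character classes present: lower, upper, digits, symbols."""
    present = []
    if any(c.islower() for c in pw): present.append(26)
    if any(c.isupper() for c in pw): present.append(26)
    if any(c.isdigit() for c in pw): present.append(10)
    if any(c in SYMBOLS for c in pw): present.append(len(SYMBOLS))
    return present


def charset_size(pw: str) -> int:
    return sum(_classes(pw))


def char_entropy_bits(pw: str) -> float:
    """Search space for a *random* string of this length and alphabet, in bits."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def word_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Honest strength of a passphrase when the attacker knows the word list."""
    return n_words * math.log2(wordlist_size)


def policy_failures(pw: str, personal_terms=(), min_len: int = 12) -> list:
    """Return the rules from the page that `pw` breaks; an empty list means it passes."""
    fails, low = [], pw.lower()
    if len(pw) < min_len:
        fails.append(f"shorter than {min_len} characters")
    if len(_classes(pw)) < 3:
        fails.append("fewer than three character classes")
    # 'Password1!' is still a dictionary word once the decoration is stripped.
    if low.strip(string.digits + "".join(SYMBOLS)) in COMMON_WORDS:
        fails.append("dictionary or common word")
    for term in personal_terms:
        if term and term.lower() in low:
            fails.append(f"contains personal data '{term}'")
    return fails


def hibp_split(password: str) -> tuple:
    """k-anonymity: only the first five hex digits of SHA-1(password) are sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def hibp_breach_count(suffix: str, range_body: str) -> int:
    """Scan a /range/<prefix> response ('SUFFIX:COUNT' per line) for our suffix."""
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


# Constructed excerpt of a /range/5BAA6 response; the real one has hundreds of
# lines and different counts. The middle line is the genuine suffix for "password".
SAMPLE_RANGE_5BAA6 = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1F8A3C66B6B3E63D8A9A3C4CBF2D2CBE123:0\r\n"
)

if __name__ == "__main__":
    pp = generate_passphrase()
    print(pp, f"{word_entropy_bits(4, len(WORDS)):.0f} bits (word list known)",
          f"{char_entropy_bits(pp):.0f} bits (brute force)")
    prefix, suffix = hibp_split("password")          # only `prefix` would be sent
    print(prefix, "seen", hibp_breach_count(suffix, SAMPLE_RANGE_5BAA6), "times")
```

Two points worth noticing when you run it. With a 16-word list the passphrase scores only 16 bits against an attacker who knows the list, however long it looks, which is why a real generator uses a list of thousands of words. And the breach check never sends the password or its full hash anywhere: the API receives "5BAA6" and returns every suffix in that range, and the comparison happens locally.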
Multi-factor authentication (MFA)
Using MFA, as opposed to just a username and password, dramatically improves online security. Always opt for MFA where available.
Note: even MFA can be bypassed by attackers IF they already have access to your device or can trick you into handing over the code, so all the other elements of cyber security still need to be followed.
Logging in/out of 365
When accessing 365 online, these procedures are required:
- Login from the cfcglobal.net webpage, using the '365 Home' link.
- You should be asked for a second factor (a code via SMS or an authenticator app). If you are not asked for this second factor (MFA), tell CFC admin.
- When you finish your online session, ensure that you physically logout of 365 by choosing the 'Log out' link.
Mobile phone protection
If you use your personal mobile phone for CFC business, keep the phone's operating system updated and, on Android, ensure that antivirus software is installed and switched on.
Spoof emails can cause the same problems on a phone as on a computer.
Be alert to text messaging scams. These texts can cause the same problems as spoof emails. Psychologically, users may be less aware of the possibility of scam texts (as opposed to spoof emails). Therefore, be aware of this, and be vigilant when viewing/responding to text messages.
Device Location
Ensure that you can locate/secure your device in the event of losing it.
- Windows 10: select Start > Settings > Update & Security > Find my device (Windows 11: Settings > Privacy & security > Find my device).
- Ensure 'Find my device' is ON. This only works if the device is signed in with a Microsoft account and location services are enabled.
Storing personal files on CFC devices and in CFC licenced OneDrive accounts.
Any personal files stored on a CFC device will automatically be synced to Microsoft's cloud storage and copied to the organisation's independent backup system. Personal files stored on a device belonging to the organisation may be deleted from the device and/or the backup.
Therefore, it makes sense not to keep personal files on a device that belongs to the organisation.
Leaving CFC
Mobile phones:
In the event of leaving CFC, all products that use a CFC licence, paid or unpaid, must be removed from your personal phone.
If the Outlook app is not tied to a CFC licence, the CFC account within Outlook must be removed.
Browser usage
When using a CFC-owned device, set your default web browser to Microsoft Edge and use Edge for web browsing. Edge downloads updates automatically but only applies them when the browser is restarted, so quit and restart Edge regularly.
Back Up
Be aware that although OneDrive synchronises data, this only provides a partial backup. If you leave your PC on a bus, you will be able to download your files from your online OneDrive; in that sense it is a backup. But if you delete a file from either the device or the online OneDrive, the sync process removes both copies. In that case the file can be retrieved from the online OneDrive Recycle bin for up to 89 days from the day it was deleted. Files deleted longer ago than that are not recoverable from Microsoft.
To recover files that were accidentally or deliberately deleted beyond the Microsoft cut-off point, contact Admin; it may be possible to retrieve files up to 12 months from the deletion date.
Sharing files
Share links - not attachments
Traditionally, users shared files by emailing them as attachments. Today this should be the exception; instead, be aware of the benefits of sharing links to files and how to do it. Sharing a link is more secure: you choose who can view the file and what they can do with it, you can 'unshare' the file, and you can make it available for a limited period only.
Overall, sharing a link is more secure both from a traditional security point of view and because it avoids having several copies of the same document in circulation, each with different content.
USB devices / external hard disks
Ensure that any USB sticks or external hard disks are password protected, which on Windows means encrypting the drive (for example with BitLocker To Go); a password without encryption does not protect the data if the drive is lost.
Important advice concerning open networks
Using open Wi-Fi networks, such as those found in cafes, airports, and other public places, can expose users to several significant threats. These threats arise mainly because open Wi-Fi networks lack proper encryption and security measures, making it easier for malicious actors to intercept and manipulate data. Here are some realistic threats when using open Wi-Fi:
- Man-in-the-Middle (MitM) Attacks: In a MitM attack, an attacker intercepts the communication between your device and the internet. This allows them to eavesdrop on your activities, capture login credentials, or inject malicious content into your data stream.
- Eavesdropping and Packet Sniffing: Attackers can use packet sniffing tools to capture data being transmitted over the network. This can include sensitive information such as usernames, passwords, and credit card numbers.
- Rogue Hotspots: Attackers can set up rogue Wi-Fi hotspots with names similar to legitimate networks. Unsuspecting users may connect to these rogue hotspots, allowing attackers to monitor their traffic and steal sensitive information.
- Malware Distribution: Open Wi-Fi networks can be used to distribute malware. Attackers can exploit vulnerabilities in your device's software or use techniques like drive-by downloads to install malicious software without your knowledge.
- Session Hijacking: In session hijacking, an attacker steals your session cookies, which can allow them to impersonate you on websites where you are logged in. This can lead to unauthorized access to your accounts.
- Data Theft: Without proper encryption, any data transmitted over an open Wi-Fi network can be easily intercepted and read by attackers. This includes emails, instant messages, and files.
- Unencrypted Connections: some websites still do not use HTTPS, or use it inconsistently. When connected to open Wi-Fi, any unencrypted HTTP traffic can be intercepted and manipulated.
- Privacy Compromise: Even if the data is not outright stolen, your browsing habits, personal preferences, and other private information can be monitored and logged by malicious actors.
How to Protect Yourself on Open Wi-Fi Networks:
- Use a VPN: A Virtual Private Network (VPN) encrypts all the data transmitted between your device and the VPN server, providing a secure tunnel and making it difficult for attackers to intercept your data.
- Enable HTTPS: ensure that the websites you visit use HTTPS. Edge, Chrome and Firefox all have a built-in HTTPS-only setting that upgrades or blocks plain HTTP connections; the HTTPS Everywhere extension that used to do this has been retired.
- Avoid Sensitive Transactions: Refrain from conducting sensitive transactions, such as online banking or shopping, while connected to open Wi-Fi.
- Forget the Network After Use: Configure your device to forget the open Wi-Fi network after you disconnect to prevent automatic reconnection.
- Disable Sharing: turn off file sharing, printer sharing and other network sharing features when connected to public Wi-Fi. On Windows, choosing the 'Public' network profile for the connection does this for you.
By understanding these threats and taking appropriate precautions, you can significantly reduce the risks associated with using open Wi-Fi networks.