Acceptable Use Policy

SOC 2 Criteria: CC1.1, CC1.4, CC1.5, CC2.2, CC5.2

ISO 27001 Annex A: A.8.1.3, A.11.2.9, A.12.2.1, A.12.6.2

Keywords: Background Checks, Security Awareness Training, Hard Drive Encryption, Anti-Virus Software


Background

Userflow is committed to ensuring all workforce members actively address security and compliance in their roles at Userflow. We encourage self-management and reward the right behaviors.

Purpose

This policy specifies acceptable use of end-user computing devices and technology. Training is also required so that workforce members understand current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

Roles and Responsibilities

The acting information security officer and their team will maintain this policy and ensure that all employees have read and reviewed it.

Policy

Userflow policy requires all workforce members to accept and comply with the Acceptable Use Policy. Userflow policy requires that:

  • Background verification checks on all candidates for employment, including contractors, must be carried out in accordance with relevant laws, regulations, and ethics, and be proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.
  • Employees, contractors and third party users must agree and sign the terms and conditions of their employment contract, and comply with acceptable use.
  • Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures Userflow has in place. Employees will also have ongoing security awareness training that is audited.
  • Employee offboarding will include reiterating any duties and responsibilities that remain in force after termination, verifying that access to all Userflow systems has been removed, and ensuring that all company-owned assets are returned.
  • Userflow and its employees will take reasonable measures to ensure that no sensitive corporate data is transmitted through unapproved digital channels such as personal email, or posted on social media.
  • Userflow will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.
  • A fair disciplinary process will be used for employees suspected of committing security breaches. Multiple factors will be considered when deciding the response, such as whether this is a first offense, the training the employee received, and applicable business contracts. Userflow reserves the right to terminate employees in serious cases of misconduct.

Procedures

Userflow requires all workforce members to comply with the following acceptable use requirements and procedures, such that:

  • All workforce members are primarily considered remote users and must therefore follow all system access controls and procedures for remote access.
  • Use of Userflow computing systems is subject to monitoring by Userflow IT and/or Security teams.
  • Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including company-provided and BYOD devices, unattended in public.
  • Device encryption must be enabled on all mobile devices that access company data; laptops must use whole-disk encryption.
  • All email messages containing sensitive or confidential data must be encrypted.
  • Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.
  • All data storage devices and media must be managed according to the Userflow Data Classification specifications and Data Handling procedures.
  • Employees may only use photocopiers and other reproduction technology for authorized use.
  • Printed media containing sensitive or classified information must be removed from printers immediately.
  • The PIN code function will be used on printers with such capability, so that the originators are the only ones who can get their print-outs and only when physically present at the printer.

Protection Against Malware

Userflow protects against malware through malware detection and repair software, information security awareness, and appropriate system access and change management controls. This includes:

  • Anti-malware or equivalent protection and monitoring must be installed, enabled and kept up to date on all endpoint systems that may be affected by malware, including workstations, laptops and servers. Regular scans will include:
    • Any files received over networks or via any form of storage medium, for malware before use;
    • Electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
    • Web pages for malware.
  • Restrictions on Software Installation
    • Only legal, approved software with a valid license installed through a pre-approved application store will be used. Use of personal software for business purposes and vice versa is prohibited.
    • The principle of least privilege will be applied, where only users who have been granted certain privileges may install software.
    • Userflow will identify what types of software installations are permitted or prohibited.
  • Controls that prevent or detect the use of unauthorized software (e.g. application allowlisting, also known as whitelisting).
  • Controls that prevent or detect access to known or suspected malicious websites (e.g. URL or domain blocklisting).
  • Vulnerabilities that could be exploited by malware will be reduced, e.g. through technical vulnerability management.
  • Userflow will conduct regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated.
  • Malware detection and repair software will be regularly updated and will scan computers and media both on a routine schedule and as a precautionary control when an infection is suspected; the scans cover the same files, attachments, downloads and web content listed above.
  • Defining procedures and responsibilities to deal with malware protection on systems, training in their use, reporting and recovering from malware attacks.
  • Preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements.
  • Implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying websites giving information about new malware.
  • Implementing procedures to verify information relating to malware and to ensure that warning bulletins are accurate and informative. Managers should ensure that qualified sources (e.g. reputable journals, reliable Internet sites, or vendors of anti-malware software) are used to differentiate hoaxes from real malware, and all users should be made aware of the problem of hoaxes and what to do on receipt of them.
  • Isolating environments where catastrophic impacts may result.

Revision History

 Version  Date                Editor    Description of Changes
 V1       October 20th, 2021  Userflow  Initial creation