Field Quick Guide
Use this one‑pager for everyday decisions. For definitions, exceptions, and full RACI, open the full policy sections via the links below.
Essentials
- Scope: Company-wide (employees, contractors, third-parties).
- Mandatory compliance: All users must follow applicable policies at all times.
- Review cadence: Annual review or as needed based on business/risks.
Do & Don’t
Do
- Use strong, unique passwords and the approved password manager (Password Policy).
- Apply patches and updates promptly (Patch Management).
- Encrypt sensitive data and follow classification labels (Cryptography, Data Classification).
- Grant least-privilege access and review regularly (Access Control).
- Install software from authorized sources only (License Compliance).
Don’t
- Don’t share passwords or MFA tokens (y: Password Management Policy).
- Don’t disable antivirus or firewall (Antivirus, Firewall).
- Don’t store company data on unapproved apps/devices (IT Assets, Information Exchange).
- Don’t bypass change procedures for production systems (Change Management).
- Don’t ignore suspicious emails or activities—report immediately (Incidents).
Security Incidents – What to Do
- Report immediately: Escalate via the official channel per Incident Management.
- Preserve evidence: Don’t delete emails/files; disconnect compromised device from network if instructed.
- Follow guidance: Cooperate with IT investigation; change credentials if requested (y: Password Management Policy).
- Document: Note time, systems impacted, symptoms; attach screenshots/logs where possible.
Access Control & Accounts
- Provisioning/de-provisioning must follow approvals & HR triggers (n: Logical Access Control Policy).
- Use MFA where available; review privileged access regularly.
- Shared accounts are prohibited unless explicitly approved and controlled.
Data Protection
- Handle personal and confidential data per Data Privacy & Protection and Data Classification.
- Encrypt data at rest/in transit and manage keys per Cryptographic Controls.
- Follow secure exchange rules for external sharing (Information Exchange).
Devices, Software & Updates
- Register and protect company devices; report loss/theft immediately (IT Asset Management).
- Install approved, licensed software only (Software License Compliance).
- Keep AV, firewall, and patches current (Antivirus, Firewall, Patch Management).
- Maintain backups and verify restores (Backup & Recovery).
Vendors & Third Parties
- Due diligence and contractual controls per Third-Party Management.
- Right-to-audit and data protection obligations (e: Data Privacy and Data Protection Policy; x: Information Exchange Policy).
Continuity & Resilience
- Follow Business Continuity & DR for RTO/RPO and testing cadence.
- Backup, recovery, and alternate procedures per h) Backup Management and Recovery Policy.
Passwords & Authentication
- Comply with Password Management and MFA requirements.
- Rotate secrets as required; don’t reuse across systems.
Linked Outline (Searchable)
- a) IT Governance Policy
- b) Business Continuity and Disaster Recovery Policy
- c) Information Security Policy
- d) IT Asset Management Policy
- e) Data Privacy and Data Protection Policy
- f) Information Security Event and Incident Management Policy
- g) Database Management Policy
- h) Backup Management and Recovery Policy
- i) Acceptable Usage Policy
- j) E-Mail & Communication Policy
- k) Usage of Cryptographic Controls Policy
- l) Third-Party Management Policy
- m) Software License Compliance Policy
- n) Logical Access Control Policy
- o) Physical and Environmental Security Policy
- p) Patch Management Policy
- q) System Development and Acquisition Policy
- r) Antivirus Management Policy
- s) Change Management Policy
- t) Firewall Management Policy
- u) Data Classification Policy
- v) Clear Screen and Clear Desk Policy
- w) Disciplinary Action Policy
- x) Information Exchange Policy
- y) Password Management Policy
- z) Cyber Security Policy
