Introduction
The Tax Goddess Business PC IT Policy and Procedure Manual provides the policies and procedures for the selection and use of IT within the organization. All employees within the organization must follow these policies and procedures. The manual also includes guidelines that Tax Goddess Business PC will use to administer all the policies within the organization and make sure that the correct procedure is followed.
Tax Goddess Business PC will keep all IT policies current and relevant. Existing sections of the policies and procedures may therefore need to be updated and modified, and new methods added, at specific intervals depending upon the requirement.
All the policies and procedures mentioned in this manual are open for feedback, suggestions, and recommendations.
The policies and procedures mentioned in this manual apply to all employees.
Policy for Getting Software
Purpose of the Policy
This policy provides guidelines for purchasing software for the organization, to make sure that the software used within the organization is relevant, cost-effective, and safe and, where applicable, can integrate with other technology used within the organization. This policy applies to software obtained as part of a hardware package or as pre-loaded software.
Procedures
Request for Software
All software, including non-commercial software (freeware, open-source, etc.), must be authorized by either the Company Owner or the Tech Team before it is downloaded or used within the organization.
Purchase of software
- All software purchases must be as per this policy.
- All the software purchases must be approved by the Tech team.
- All software purchases must be made either directly or from ‘reputable software sellers’.
- All the software purchased must be compatible with the server of the organization along with the other hardware used. Also, all the software purchased must be supported by a guarantee and/or warranty.
- Any of the changes in the above requirements must be authorized by the Tech team.
- All software purchases must adhere to the purchasing policy.
Policy for Use of Software
Purpose of the Policy
This policy will include guidelines to ensure that the software use is appropriate and that it is used efficiently by all the employees within the organization. In accordance with this Policy, all the freeware and the open source software will be used as per the procedures defined for the commercial software.
Procedures
Software Licensing
Every employee within the organization will abide by all the copyrights of the computer software and software license terms and conditions.
If the licensing terms limit the use of the software with respect to the number of users, computer systems, etc., then the Tech team is responsible for ensuring that the software licensing terms and conditions are followed within the organization.
The Tech team is responsible for completing the software license audit to ensure that only the appropriate employees are using the software licenses.
Software Installation
As per the requirement, the supplier should register all the software appropriately.
The registered owner of all the software will be Tax Goddess Business PC.
During the working hours, only the company software/apps will be used by the employees on the organization’s hardware.
It is strictly advised to obtain authorisation from the Tech Team before installing company-used apps on mobile devices.
All software installation is to be carried out by the Tech team.
If a computer system does not have the original copy of the software installed on it, the software upgrade will not be loaded or installed on that system.
Software Usage
During working hours, only the software and apps approved by the Tech Team should run on an employee’s machine.
The employee shall be provided with directions on any software licensing arrangements, including any limitations to use the software, before actually using the software.
All employees should be trained well on all new software. New employees will also be part of the training, as they should be taught to use the existing software. This is the Tech Team’s responsibility.
While working within the organization, employees should not be allowed to use non-org software and apps.
The software cannot be used by any employee for his/her personal work, unless approved by the Owner or VP Operations.
If an employee needs to use software at home, an evaluation should be carried out in the first instance to provide an employee with a portable computer. If the software is found compatible to be used on the personal computer of an employee, then the Owner needs to authorize the purchase of the separate software, if there are copyright restrictions and licensing on the software. If the software is purchased in such circumstances, the organization shall retain the ownership of the software and it shall be registered by the Tech Team in the software register.
Software that is not authorized may not be used within the Organization. This includes software that is owned by an employee of the organization who wants to use it within the Organization.
It is prohibited to purchase or use unauthorized copies of software. Any employee who purchases or uses unauthorized software shall be referred to the owner for further consultation. The Organization shall not condone any unlawful duplication of software or other copyrighted works, and if such an event occurs, disciplinary action shall be taken by the Owner/VP of Operations/Tech Team.
Breach of Policy
If an employee breaches this policy, he/she will be referred to the owner for further consultation.
If an employee inside the organization is aware of a breach of this policy with respect to the use of software, then he/she should inform the Owner/VP of Operations/Tech team immediately for further action. If the Owner/VP of Operations/Tech team determines that an employee who was aware of the breach failed to report it to the management, then that employee shall be referred to the owner for further consultation.
Working On Your Device Policy
Purpose of the Policy
This policy provides guidelines on how employees can use their personal laptops, tablets, smartphones, and smartwatches for organizational purposes. The terms & conditions in this policy apply to all staff and employees who use and access the hardware equipment or services provided by Tax Goddess Business.
Procedures
Current mobile devices are approved to be used for organization purposes.
Personal mobile devices, including desktops, notebooks, smartphones and smartwatches, are approved for use for organizational purposes.
Registration of personal mobile devices for organizational use
Employees who use personal mobile devices for organizational purposes agree to the following:
- The organization or client’s sensitive personal information should not be downloaded or transferred on the personal device.
- Do not use the registered mobile device as the sole repository for information from Tax Goddess Business PC. Back up all the client and organization information that is stored on the mobile devices.
- Make all the required efforts to ensure that information from Tax Goddess Business PC is not compromised when the registered mobile devices are used in public places. Unauthorized people must not be allowed to view screens displaying sensitive or critical information, and password protection should be applied on all registered devices.
- To keep the registered mobile devices safe and secure by installing Avast Antivirus or any similar antivirus that has been approved by the Tech team.
- The registered mobile devices should not be shared with other individuals to ensure that nobody else is able to access the organization’s data through the device.
- To follow all the internet policies set by Tax Goddess Business, to ensure safe and proper use and access to websites, webpages, etc.
- To immediately inform Tax Goddess Business PC if the registered mobile device is lost or has been stolen.
- Do not plug any USB memory stick that has been taken from an unknown or untrusted source into Tax Goddess Business PC hardware or equipment.
- Antivirus software must be installed on the employee workstation (Desktop/Laptop). The Tech Team is responsible for the installation and maintenance of the anti-virus software on all the technologies used by the organization.
Keeping mobile devices secure
While handling the mobile computing devices including Notebooks and iPads, the following points must be noted:
- Never leave mobile computing devices unattended in a public place. Do not leave the device unattended in an unlocked/locked house, or in an unlocked/locked vehicle, either.
- The mobile computing devices should always be kept close to the person or should securely be locked away.
- When using laptops and computers in public places, for instance at seminars and conferences, cable locking devices should also be considered, even when the laptops and computers are attended.
- When traveling by flight or aircraft, mobile devices should be kept in hand bags and not in check-in luggage.
- Mobile devices should be carried as hand luggage when traveling by aircraft.
Exemptions
Unless an exemption is granted by the Owner, it is mandatory to follow this policy. If an exemption is requested from any of these directives, the request should be referred straightaway to the VP Operations/Tech team.
Breach of this policy
The Owner/Tech Team shall review and identify adequate consequences, including termination of employment, in the event of any breach of this policy.
Information Technology Administration Policy
Purpose of the Policy
This policy includes guidelines for the management of IT assets and resources within the organization.
The Tech team is responsible for maintaining and managing all organizational technology service agreements. Any service requirements must first be approved by the owner.
The Tech team shall carry out an annual staff workstation audit to ensure that all IT policies are followed within the organization.
The Tech team should be informed about any of the unspecified technology management requirements.
Website Policy
Purpose of the Policy
The guidelines for maintaining all relevant technical issues associated with the organization’s website are included in this policy.
Procedures
Website Register
To register a website, the following details must be recorded:
- List of all the domain names that are registered to the organization
- Domain names renewal dates
- List of all the hosting service providers
- Hosting expiry dates
The Webmaster will be responsible for keeping the master sheet up to date.
It will be the responsibility of the webmaster to renew the items listed in the register.
Websites to Share Documents
- It will be the responsibility of the webmaster to secure the access to the information stored on the site.
- It will be the responsibility of the webmaster to grant the necessary permissions when needed.
The Webmaster will be responsible to appoint a representative who will control the site in contingencies, and allocate the required permissions at the time when the former is not available.
Website Content
It will be the responsibility of the Tech Team to ensure that the content available on the organization’s website is accurate, appropriate, and up to date.
Emergency Management of Information Technology
Purpose of the Policy
This policy provides guidelines for all emergency management of information technology within the Organization.
Procedures
IT Hardware Failure
If any of the hardware inside the organization fails, then the concern should be immediately reported to the Owner/Tech Team.
- In the event of the IT hardware failure, Owner/Tech team will be responsible to take the relevant actions.
- Tech Team will be responsible to regularly undertake tests on planned emergency procedures to make sure that all the procedures are accurate and appropriate. Tech Team will also be responsible to minimize disruption to the operations of the organization.
Virus or other security breaches
The actions listed below must be taken immediately if the information technology of the organization is breached in any case:
- If the information technology of the organization is compromised by any of the possible security breaches including software viruses, then such breaches should be reported immediately to the Owner/Tech Team.
- It is the responsibility of the Tech Team to deal with any sort of security breach within 2 hrs to minimize disruption to the operations of the organization.
- Tax Goddess Business Services PC has the right to remotely wipe phones, emails, smartwatches, and other electronic data.
Data protection policy
Purpose of the Policy
The data protection policy of our company represents our commitment to handle our clients’, employees’ and stakeholders’ information with the utmost confidentiality and care.
We ensure by using this policy that we are transparent and fair in collecting, storing and handling information with respect to the individual rights.
Scope
This policy will be applicable to all the job candidates, employees, vendors, clients, etc. who provide information to us.
Who is covered under the Data Protection Policy?
This policy must be followed by the employees of our organization. The entities covered under this policy also include consultants, partners, contractors, and all other external entities. Generally, our policy refers to any person with whom we collaborate, or who acts for us, and who may need occasional data access.
Policy elements
We must obtain and process information as part of our operations. This information includes any information that makes a person identifiable, offline or online, such as names, addresses, usernames and passwords, digital footprints, pictures, numbers for social security, financial data, etc.
This information is collected by our organization in a transparent manner and only in full collaboration with and knowledge of stakeholders. The following rules apply once this information is available to us.
Our data will be:
- Up-to-date and accurate.
- Collected in a fair way for lawful purposes only.
- Processed by us within the moral and legal boundaries of the organization.
- Protected by internal or external parties from any unauthorized or illegal access.
Our data will not be:
- Informally communicated.
- Transferred to organizations, countries or states with insufficient data protection policies.
- Distributed to any other party than the parties to which the data owner has agreed.
The company has direct obligations towards the data owners in addition to the methods of handling the data. Specifically, we must:
- Let people know which of their data is collected.
- Let people know how we will actually process their data.
- Let people know who has complete access to their data.
- Let people know that we erase, reduce, modify or correct the incorrect data present in our databases.
Actions
In order to provide data protection we’re committed to the following:
- We monitor and restrict the access to the confidential and the sensitive data.
- We develop and follow transparent data collection procedures within the organization.
- We train our employees in all the online privacy and security measures.
- We protect our online data from cyberattacks by creating and developing secure networks.
- We establish clear procedures for reporting privacy violations or data misuse.
Disciplinary Consequences
All guidelines outlined in this policy must be followed strictly. A breach of the data protection guidelines will result in disciplinary and possibly judicial action.
Website Disruption
If the website of the organization is interrupted, the following measures must be taken immediately:
- Notify the webmaster immediately about the situation.
- The Webmaster should check the configuration with the web hosting company. If any issues are found, the provider should be contacted immediately.
- The Webmaster should contact SiteLock.
Securing databases (Server)
Purpose of the Policy
This policy provides guidelines on the security of sensitive or limited data storage within the organization.
- The owner is responsible for the security of the physical machine hosting the database to ensure that it is locked, and monitored to prevent theft, access and unauthorized entry. To ensure utmost security, metal protection screens, guard dogs, alarm system, etc. will be used.
- It is the responsibility of the Tech Team to ensure that all the unnecessary/unused functions and services of the database are either removed or turned off.
- It is the responsibility of the Tech Team to ensure that all database software is patched to include all current security patches. The Tech Team will also be responsible for ensuring that all the security patch levels are maintained in a timely fashion.
- It is the responsibility of the Tech Team to document tools and applications that are required to access the database.
Securing Remote Desktop
The Remote Desktop session of the organization runs on an encrypted channel. The following actions and measures are the responsibility of the Tech Team:
- Using strong passwords on the accounts that are accessible via Remote Desktop.
- To ensure that the client and server software running on the remote desktop is of the latest version.
Password Policy
Purpose of the Policy
Passwords are the most important aspect when it comes to computer security. A poorly selected password could end up compromising the entire network of Tax Goddess Business PC. As a consequence, all staff of Tax Goddess Business PC (including contractors and suppliers with access to Tax Goddess Business PC systems) are responsible for selecting and securing their passwords, using the appropriate steps as described below.
This policy is designed to set the standard for strong password generation, password protection and frequency of change. Below are the guidelines:
Guidelines
- Passwords should not be inserted into electronic communications of any form including email messages. Everything must be shared only through LastPass.
- Passwords that are no longer needed must be deleted or disabled immediately.
- In addition to deleting or disabling passwords that are no longer needed, the reporting manager should be notified about it.
Penalties
Any employee found breaching the policy will be subject to disciplinary action, up to and including termination of employment.
Employee and Vendor Recruitment and Selection Policy
This policy describes how we can attract and choose external employees or vendors. At every selection stage, we commit ourselves to our equality policy. Recruitment teams should be committed to an advanced hiring process without discrimination.
Scope
This recruitment and selection policy shall apply to all employees and vendors that are a part of the recruitment process of our company. The policy refers to all potential job candidates and vendors.
The recruitment and selection process:
- Identify the need for an opening.
- Decide whether to hire externally or internally.
- Review the job description and compose a job ad.
- Select appropriate sources (external or internal) for posting the opening.
- Decide on the selection stages and possible timeframe.
- Review resumes in the company database.
- Source passive candidates.
- Shortlist applications.
- Proceed through all selection stages.
- Run background checks.
- Select the most suitable candidate.
- Signed NDA.
- Signed Overseas Disclosures.
- Credit Report
- Address Proof
- Police Verification
- BYOD Between Vendor & New hire
- Vendor TechDocs policy
- Make an official offer.
Revoked offers
- If the candidate or the vendor cannot work legally on a specific site for our company.
- If the candidate or the vendor has falsified or lied regarding a serious concern.
- If the candidate or the vendor breaks any of the terms and conditions mentioned in the NDA or the Disclosure.