Policies

Tuxis is ISO27001:2022 certified. But there are a lot of certifications and standardization policies, like ISO 27001, ISO 9001, SAS 70 (ISAE 3402), NEN 7510 (healthcare) and PCI DSS (payment). Some of these certifications prove that the company has policies in place and that it complies with these policies. But what are these policies? Are they complete? Do they make sense?

Most customers assume that the certification itself is proof of high quality. Most certifications do not expect a high level of quality; they mainly expect the certified company to comply with its policies. Your supplier may connect his entire network through a single E-tech SOHO router and still have all the certificates you can think of, as long as that is what they have written in their policies.

So we believe that you should not ask for the stamp on unknown policies, but for the policies themselves. So here they are. We want to be transparent about how we feel about security, privacy and general ‘good practice’.

If you need any clarification regarding our policies, don’t hesitate to contact us.

Acceptable Use Policy

VERSION 2014-01-01

Through this document Tuxis Internet Engineering (hereinafter Tuxis) means to point out the responsibilities accompanying Tuxis’s services to clients and users of Tuxis’s services (hereinafter user[s]). When provisions of this Acceptable Use Policy are violated, Tuxis can take measures, as defined in the Abuse Policy, to counter the continuation or repetition of the offence.

Purpose
The objectives of the Acceptable Use Policy include:

  • offering users safe and reliable internet services.
  • contributing to the open nature of the internet and the value of the internet as a platform for freedom of speech.
  • promoting the responsible use of the internet and counteracting practices that negatively affect the value of the internet.
  • protecting the rights, privacy and (internet) security of individuals and organisations.
  • indicating the rights and obligations, in addition to statutory rights and obligations, Tuxis provides users with.

Rules of Conduct

  • The starting point is that users behave as proper and careful internet users and do not cause any inconvenience to the other users and/or networks on the internet.
  • The user shall follow reasonably formulated instructions from Tuxis regarding the offered internet services.
  • The user shall refrain from transmitting any material through or posting any material, of any form, on the internet, which can be regarded as illegal, unlawful, threatening, discriminatory, libellous, encouraging or triggering conducts that can be considered criminal, which could give civil liability to, or could otherwise result in a conflict with the Dutch law or international laws and regulations.
  • The user will do everything reasonably possible to prevent a computer virus or other malicious program from being posted on or transmitted through the internet or Tuxis’s infrastructure.
  • The user will do everything reasonably possible to only connect systems with adequate security to the internet.
  • Tuxis is extremely careful with its users’ confidential information (including passwords) and expects the same degree of care from its users.
  • The users will inform Tuxis as soon as possible if any confidential data from or provided by Tuxis has come into the hands of unauthorised parties, or in case of suspicion thereof.
  • The user will inform Tuxis as soon as possible when unauthorised parties have had access to the services, or in case of suspicion thereof.

Abuse
The user shall refrain from any attempt, in any way whatsoever, to:

  • invade third party systems or use third party accounts without authorisation.
  • gain access to data not intended for the user.
  • carry out any denial of service attacks.
  • intercept or manipulate third party network traffic without consent.
  • send spam.
  • manipulate electronic messages (including email headers).

Revision
Tuxis reserves the right to revise this Acceptable Use Policy unilaterally in accordance with social and technological developments.

 

Abuse Policy

VERSION 2014-01-01

Through this document Tuxis B.V. (hereinafter Tuxis) wants to point out the consequences of violating the Acceptable Use Policy (AUP) to clients and users of Tuxis’s services (hereinafter user[s]). This document also describes how internet users can report a breach of the AUP at Tuxis.

For reports of AUP violations regarding unlawful and/or illegal content on the internet, Tuxis uses a separate Notice and Take Down (NTD) procedure, as described below. Below that, the procedure applicable to other types of AUP violations is stipulated.

Notice and Take Down
Tuxis uses a specific Notice and Take Down (NTD) procedure for reporting violations of the Acceptable Use Policy regarding unlawful and/or illegal content on the internet. This procedure is based on, and thus endorses, the 2008 NTD code of conduct. We distinguish between reports by companies and individuals on the one hand, and actions, interventions and request from/by (government) authorities on the other. We use the NTD procedure described here to handle reports. In case of actions and requests of authorities, we act solely on the basis of a strong, legal underpinning such as a judgment or order.

Submitting reports
o The detector should first contact the content provider to come to an agreement.
o A report to Tuxis must contain the following information for it to be taken into consideration:

  • an indication that the report concerns an NTD request, and the detector’s contact information
  • description of the failed attempt to come to an agreement with the content provider
  • the data Tuxis needs to assess the content, including at least the location of the illegal and/or criminal content (URL)
  • a description of why the content is illegal and/or criminal according to the detector
  • an explanation as to why Tuxis is approached as the most suitable agent to act
  • an explicit indemnity against claims by the content provider as a result of taking measures for dealing with the report
  • the report should be mailed to abuse@tuxis.nl
  • the detector is responsible for a correct and complete notification

Handling reports
After Tuxis has received the NTD report, Tuxis will respond substantively within two working days of the notification and indicate which of the following options applies. Tuxis may decide to ask a third party to evaluate the content of the report in cases where exposure to the content is suspected to be harmful to Tuxis or the assessing employee. The personal data of the detector and content provider will not be provided to the third party in these cases. When providing information to the detector and/or content provider, the personal data of the detector or content provider will not be shared without permission. If either Tuxis or the third party finds that the report is:
•    unmistakably illegal and/or undoubtedly punishable and Tuxis knows of an investigation for which it is important that the content remains accessible, Tuxis will not proceed to make the content inaccessible. Tuxis will inform the detector of this.
•    unmistakably illegal and/or undoubtedly punishable and there is an emergency that warrants no further delay, Tuxis will immediately proceed to disabling the access to the content when proportionally possible. Tuxis will inform the content provider and detector of this.
•    unmistakably illegal and/or undoubtedly punishable, Tuxis will inform the content provider about the report and request to have the content made inaccessible within two working days. Tuxis will inform the detector of this. If the content provider:

o has made the content inaccessible within two working days, Tuxis will inform the detector of this.
o has not made the content inaccessible within two working days and informs Tuxis of an investigation requiring the content to remain accessible, Tuxis will not proceed to make the content inaccessible. Tuxis will inform the detector of this.
o has not made the content inaccessible within two working days, Tuxis will do that when proportionally possible. Tuxis will inform the content provider and detector of this.

•    not unmistakably illegal and/or undoubtedly punishable, Tuxis will inform the content provider of the report. Tuxis will inform the detector of this.

Other Abuse
Violations of the AUP other than unlawful and/or illegal content on the internet are subject to the following procedure.

Abuse with complaint

Submitting abuse complaints
A complaint is expected to contain the following information to be taken into consideration by Tuxis:

•    an indication that the report is an abuse complaint
•    the contact information of the detector
•    a description of the abuse
•    the data Tuxis requires to confirm the abuse, such as IP addresses, logs, etcetera

The abuse complaint should be emailed to abuse@tuxis.nl

Handling complaints
After Tuxis has received the abuse complaint, Tuxis will respond substantively within two working days. Tuxis gives as much cooperation as possible from the complaining party to be able to investigate the complaint as best as possible. No confidential information will be provided. If a complaint proves to be justified, Tuxis may decide to suspend a service to the causing party, until consultations between the affected user and a Tuxis employee have been concluded. In case this consultation does not result in a satisfactory solution for Tuxis, Tuxis may decide to discontinue the service to the user and terminate the contract with immediate effect.

Abuse without complaint
When Tuxis registers conduct in conflict with the AUP, Tuxis may decide to suspend a service to the causing party, until consultations between the affected user and a Tuxis employee have been concluded. In case this consultation does not result in a satisfactory solution for Tuxis, Tuxis may decide to discontinue the service to the user and terminate the contract with immediate effect.

Revision
Tuxis reserves the right to revise this Abuse Policy unilaterally in accordance with social and technological developments.

Peering Policy

We will peer with anyone who wants us.
Peering on multiple locations and with all available routers is preferred.
Tuxis does not require MNDAs or written peering agreements, but if your company does, we will be happy to sign them (if we agree to the content).
Tuxis prefers to set up peerings on both IPv4 and IPv6.

For more information: http://www.peeringdb.com/view.php?asn=197731


Version 28-11-20241

Operating Policies

Introduction

Below are the procedures and policies that result in the practical application of our information security policies. It is a practical document that, combined with work instructions, ensures that they can quickly find how Tuxis wants things implemented and used so that information security is not compromised.

Responsibility

The ISMS Manager is responsible for all aspects of the implementation and management of the content of this document, unless noted otherwise.

Managers and supervisors are responsible for the implementation of policies from this document, within the scope of their responsibilities, and must ensure that all staff under their control understand and undertake their responsibilities accordingly.

User Responsibilities

All users of information and ICT systems for which Tuxis is responsible must agree to, and abide by these Operating Policies and all other requirements as set out in our information security management system (ISMS).

Breaches of policy

Where a failure to apply Tuxis’ policies is due to deliberate misconduct by an employee or supplier, this will be dealt with in accordance with our Disciplinary procedure for information security breach.

Terms and definitions

  • Mobile device: A portable computing or telecommunications device that can execute programs or store digital data. Examples: PC, laptop, tablet, PDA, smart phone, smart watch and other wearable computers, digital camera, CD, DVD, external/removable hard drive, USB memory stick or flash drive.
  • ISMS: Information Security Management System, is a systematic approach to managing sensitive company information to ensure its confidentiality, integrity, and availability. It encompasses policies, procedures, and controls that help organizations identify, manage, and reduce information security risks.
  • Policy: a formal statement or guideline that outlines an organization’s principles, rules, and procedures regarding specific issues or areas of operation. It serves as a framework for decision-making and establishes expectations for behavior and actions within the organization.
  • Password manager: The approved password manager.
  • Git: Our GIT environment.
  • Portal: Our customer portal that can be found at https://portal.tuxis.cloud.
  • File Management System: We use Filesonline.eu for storing files and documents that are not ISMS related.
  • Legal Request: A formal request from a data subject for access to, rectification of, erasure of, or restriction of processing of their personal data, as described in the GDPR.
  • cloud computing, services or storage or software as a service (and variants thereof): The use of third party remote servers and software that allows centralised data storage and online access to computer services or resources, or information technology hosting of any type that is not controlled by, or associated with Tuxis.
  • CVE: Common Vulnerabilities and Exposures

Password Policy

General

To ensure the continuing security and integrity of all Tuxis’s system/access logon accounts the following procedures and practices must be followed:

  • Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential information.
  • Passwords may never be written down.
  • Passwords may not be re-used.
  • Passwords may not be stored, sent or shared in a readable format.
  • The “Remember Password” feature of applications may not be used.
  • Any user suspecting that his/her password may have been compromised must report the incident and change all compromised passwords.
  • Automatically generated temporary passwords should be changed at the earliest opportunity.
  • Default passwords should be changed at the earliest opportunity.
  • All user-level and system-level passwords must conform to the Password Construction Guidelines.

All ICT systems should:

  • Support individual user authentication.
  • Prevent the storing of passwords in clear text or in any easily reversible form.
  • Provide for management of specific roles and functions within a system enabling delegation of tasks to individuals.
  • Not contain or utilise embedded (hard-coded) passwords.

Exceptions for the rules above

  • If an appliance or software does not accommodate multiple users, a password may only be shared through the Tuxis password manager by the manager of the applicable department.
  • If an application requires a password stored in a config file, access to that file should be restricted as much as possible.

Password requirements

Passwords must be generated by the password manager. Users must make sure that the generator creates passwords that comply with the requirements below. If that password is too complex for the application or manual entry of the password is inevitable, a fitting password must be made up. Such a password must meet the following requirements:

  • Minimum password length 10 characters
  • Passwords must contain at least one type of the following elements:
    • Contain both upper and lower case letters
    • Contain at least one number (for example, 0-9)
    • Contain at least one special character (for example, !$%^&*()_+|~-=`{}[]:”;’?,/).
  • Cannot be found in a dictionary when less than 20 characters are used, including foreign language, or exist in a language slang, dialect, or jargon.
  • Must not contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
  • Must not contain work-related information such as building names, system commands, sites, companies, hardware, or software
  • Must not contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321
  • Must not contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1 or 1secret)
  • May not be some version of “Welcome123” “Password123” “Changeme123”
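The requirements above expressed as a checker, as an added example that is not Tuxis's own tooling. The word list is a constructed stand-in, `context_terms` (personal or work-related strings) and `min_classes` are assumed parameters, and `min_classes=1` follows the literal wording "at least one type".

```python
import re
import string

MIN_LENGTH = 10          # "Minimum password length 10 characters"
DICT_EXEMPT_LENGTH = 20  # the dictionary rule applies below 20 characters

# Constructed stand-in; a real check would load a full dictionary.
SAMPLE_WORDS = {"secret", "welcome", "password", "changeme", "dragon"}
# Alphabet, digits and keyboard rows, matched forwards and backwards.
SEQUENCES = (string.ascii_lowercase, string.digits,
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Common character substitutions, undone before the word lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def character_classes(pw):
    """Return which of the three listed element types are present."""
    classes = set()
    if any(c.islower() for c in pw) and any(c.isupper() for c in pw):
        classes.add("mixed-case")
    if any(c.isdigit() for c in pw):
        classes.add("digit")
    if any(not c.isalnum() for c in pw):
        classes.add("special")
    return classes


def has_pattern(pw, run=4):
    """Detect aaabbb / qwerty / zyxwvuts / 123321 style patterns."""
    low = pw.lower()
    if re.search(r"(.)\1\1", low):          # same character three times
        return True
    for seq in SEQUENCES:                   # keyboard or alphabet runs
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    # Three characters followed by their mirror image, e.g. 123321.
    return any(low[i:i + 3] == low[i + 3:i + 6][::-1]
               for i in range(len(low) - 5))


def check_password(pw, words=SAMPLE_WORDS, context_terms=(), min_classes=1):
    """Return a list of violation codes; an empty list means compliant."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("too-short")
    if len(character_classes(pw)) < min_classes:
        violations.append("no-required-class")

    low = pw.lower()
    # Drop digits/punctuation attached front and back, undo substitutions.
    core = low.strip(string.digits + string.punctuation).translate(LEET)
    if low in words:
        if len(pw) < DICT_EXEMPT_LENGTH:
            violations.append("dictionary-word")
    elif core in words or core[::-1] in words:
        # Backward words, secret1 / 1secret, "some version of Welcome123".
        violations.append("word-variant")

    if has_pattern(pw):
        violations.append("pattern")
    # Personal and work-related information must be supplied by the caller.
    if any(len(t) >= 3 and t.lower() in low for t in context_terms):
        violations.append("context-term")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("Welcome123", "terces", "qwerty12345", "v7#Kq2!mZx9wTp"):
        print(candidate, check_password(candidate))
```
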

Examples of password misuse

  • Share business passwords with anyone, including administrative assistants or secretaries
  • Reveal a password over the phone to anyone
  • Write passwords down and store them anywhere in your office
  • Reveal a password in an email message
  • Reveal a password to your line manager
  • Talk about a password in front of others
  • Hint at the format of a password (e.g., “my family name”)
  • Reveal a password on questionnaires or security forms
  • Share a password with family members
  • Reveal a password to co-workers while on holiday
  • Reveal a password to someone who demands it – refer them to this document
  • Use the “Remember Password” feature

Password Storage and Handling

The storage of passwords within Tuxis is ONLY done in the password manager.

The following applies when storing passwords in the password manager:

  • A password may only be shared when personal passwords can’t be used. Examples are vendor websites and webshops that do not support multiple users.
  • Passwords may only be shared via the password sharing function in the password manager
  • Username, password and URL must be submitted when storing a password
  • When possible, prevent copying and pasting of passwords. Use the autofill option when possible.
  • If 2FA is available, store the 2FA key in the password manager.

Providing customers with login information

Since Tuxis delivers services to customers, a customer might need credentials supplied by Tuxis. The following applies in order of preferred method:

  1. Use the password vault in Portal
  2. Mail the username and supply the password through another medium than e-mail. This might be an SMS or Signal message.
  3. Mail the username and password but force a password change by the application on first login.
  4. Email the login name and password and mention that the password must be changed before commissioning.

By default, credentials for customers are not stored by Tuxis longer than 30 days. If permanent storage is needed, for support reasons, the password storage must meet the Password Storage and Handling policy.

Compromised passwords

If an account or password is suspected to have been compromised, report the incident as soon as possible to the IT Service Desk and immediately change any/all passwords which may have been compromised.

End User Encryption Key Protection Policy

This policy outlines the requirements for protecting encryption keys that are under the control of end users. These requirements are designed to prevent unauthorized disclosure and subsequent fraudulent use. The protection methods outlined will include operational and technical controls, such as key backup procedures, encryption under a separate key and use of tamper-resistant hardware.

This policy applies to any encryption keys listed below and to the person responsible for any encryption key listed below. The encryption keys covered by this policy are:

  • Encryption keys issued by Tuxis.
  • Encryption keys used for Tuxis business.
  • Encryption keys used to protect data owned by Tuxis.

The public keys contained in digital certificates are specifically exempted from this policy.

General

Encryption key management, if not done properly, can lead to compromise and disclosure of private keys used to secure sensitive data and hence, compromise of the data. While users may understand it’s important to encrypt certain documents and electronic communications, they may not be familiar with minimum standards for protecting encryption keys.

All encryption keys covered by this policy must be protected to prevent their unauthorized disclosure and subsequent fraudulent use.

Secret Key Encryption Keys

Keys used for secret key encryption, also called symmetric cryptography, must be protected as they are distributed to all parties that will use them. During distribution, the symmetric encryption keys must be encrypted using a stronger algorithm with a key of the longest key length for that algorithm authorized in Tuxis’s Acceptable Encryption Policy. Symmetric encryption keys, when at rest, must be protected with security measures at least as stringent as the measures used for distribution of that key.

Public Key Encryption Keys

Public key cryptography, or asymmetric cryptography, uses public-private key pairs. The public key is passed to the certificate authority to be included in the digital certificate issued to the end user. The digital certificate is available to everyone once it is issued. The private key should only be available to the end user to whom the corresponding digital certificate is issued.

Tuxis’s Public Key Infrastructure (PKI) Keys

The public-private key pairs used by Tuxis’s public key infrastructure (PKI) are generated by the IT Servicedesk for each user. The private key associated with an end user’s identity must have a password that complies with the Password Policy. The user is responsible for storing their private key in a safe place that complies with our Information handling procedure.

Commercial or Outside Organization Public Key Infrastructure (PKI) Keys

In working with business partners, the relationship may require the end users to use public-private key pairs that have to be sent to this partner. Use the supplied tools, like the portal from Tuxis, that generate keys. If that is not possible, make sure that you:

  • Use secure storage
  • Set a password on the private key if possible
  • Store that password in the password manager
  • Make sure you do not lose the key

PGP Key Pairs

If the business partner requires the use of PGP, the public-private key pairs can be stored in the user’s key ring files on the computer hard drive or on a hardware token, for example, a USB drive or a smart card. Since the protection of the private keys is the passphrase on the secret key ring, it is preferable that the public-private keys are stored on a hardware token. PGP will be configured to require entering the passphrase for every use of the private keys in the secret key ring.

Hardware Token Storage

Hardware tokens storing encryption keys will be treated as sensitive company equipment, as described in Tuxis’s User Endpoint Devices Policy, when outside company offices. In addition, all hardware tokens, smart cards, USB tokens, etc., will not be stored or left connected to any end user’s computer when not in use. For end users travelling with hardware tokens, they will not be stored or carried in the same container or bag as any computer.

Personal Identification Numbers (PINs), Passwords and Passphrases

All PINs, passwords or passphrases used to protect encryption keys must meet complexity and length requirements described in Tuxis’s Password Policy.

Loss and Theft

The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately to the Infosec Team. Infosec personnel will direct the end user in any actions that will be required regarding revocation of certificates or public-private key pairs.

Information handling procedure

We ensure the proper handling of all information included in the information asset inventory by handling it in accordance with the classification of the information and the nature of the transaction being conducted. You can read in the chapter Classification of Information what information has what classification.

Rules for information handling

In general, the following applies:

  • All documents should be created and stored electronically whenever possible.
  • Documents should be stored in our secure central document management system.
  • Documents must be stored in the correct folders.
  • All documents must be appropriately labelled and versioned.
  • All documents should be dated and updated as necessary.
  • Access to documents should be restricted to those who need them.
  • Working copies of documents should be kept to a minimum.
  • Access to documents should be tracked to ensure compliance.
  • All documents must be disposed of properly.
  • Hard copies should be printed only when absolutely necessary.
  • All hard copies must be stored securely when not in use.
  • In case of loss or theft of hardcopy, report it to your manager/supervisor and the owner of the information resource as soon as possible.
  • In case of loss or theft of digital documents: report as soon as possible to the IT Service Desk, your manager/supervisor and the owner of the information asset.
  • Check the recipient’s name and address before sending.

What do you want to do with the information?

I want to carry electronic information out of the office or datacenter on a server, laptop, tablet, smart phone, memory stick or similar

  • Classification Low – Very Low:
    • Only use your own device or a Tuxis Provided device
    • Do not let unauthorized people use your device.
    • When using in a public place be aware of being overlooked.
    • If lost or stolen, report as soon as possible to your supervisor/manager, IT Service Desk and information asset owner.
  • Classification High – Medium:
    • Only use Tuxis’s provided device.
    • Do not let unauthorized people use your device.
    • When using in a public place be aware of being overlooked.
    • If lost or stolen, report as soon as possible to your supervisor/manager, IT Service Desk and information asset owner.
  • Classification Very high:
    • Don’t do it.
    • If you must, obtain authorization from the information owner and follow the strict requirements set out in our Mobile Device Policy.
    • If lost or stolen, report as soon as possible to your supervisor/manager, IT Service Desk and information asset owner.

I want to share or send hardcopy information to a Tuxis’s colleague

  • Classification Low – Very Low:
    • No additional security measures required.
  • Classification Medium – High:
    • Wherever possible, avoid sending hardcopy. Alternatively, scan the document and upload it to our document management system in the appropriate folder.
    • Use the postal system.
    • If lost or stolen hardcopy, report as soon as possible to your manager/supervisor.
    • If lost or stolen digital, report as soon as possible to the IT Service Desk.
    • If lost or stolen, report as soon as possible to the IT Service Desk.
  • Classification Confidential:
    • Don’t do it.
    • If you must, obtain authorization from the information owner. The information owner may decide to send it by Registered mail.

I want to share or send hardcopy information to someone inside or outside of Tuxis

  • Classification Low – Very Low:
    • No additional security measures required
  • Classification Medium – High:
    • Wherever possible, avoid sending hardcopy. Alternatively, scan the document and upload it to our document management system in the appropriate folder.
    • Use the postal system
    • If lost or stolen hardcopy, report as soon as possible to your manager/supervisor
    • If lost or stolen digital, report as soon as possible to the IT Service Desk
    • If lost or stolen, report as soon as possible to the IT Service Desk
  • Classification Very High:
    • Don’t do it.
    • If you must, obtain authorization from the information owner. The information owner may decide to send it by Registered mail.

I want to share or send electronic information to someone outside of Tuxis

  • Classification Very Low:
    • No additional security measures required
  • Classification Low – Medium:
    • Never send the document but use our document management system to create a share link.
    • Email to external recipient only where there is an approved business need or other justification.
    • Ensure that the external recipient is aware that the information must only be used for the declared purpose and forwarded only with the approval of the originator/information asset owner.
  • Classification High – Very High:
    • Don’t!
    • If you must, obtain authorization from the information owner. The information owner may decide to send it via a secure link from our File Management System.

I want to post information on a social networking or collaboration website

  • Classification Very Low:
    • This is allowed after approval by the senior management team.
  • All other classifications:
    • This is not allowed under any circumstance.

I want to discuss with someone (face to face / phone call)

  • Classification Very Low:
    • No additional security measures required
  • Classification Medium – Low:
    • Ensure the conversation cannot be overheard by non-Tuxis staff.
  • Classification High – Very High:
    • Ensure the conversation cannot be overheard by those with no ‘need to know’.
    • Do not leave confidential information on voicemail systems.

I want to dispose of hardcopy

  • Classification Very Low:
    • No additional security measures required.
  • Classification Low – Medium – High – Very High:
    • Check to confirm that the information does not require to be retained.
    • Use the shredder supplied by Tuxis to dispose of the hardcopy.

Backup and Restore Policy

This policy sets out Tuxis’s requirements for the backup and timely recovery of our electronic and physical information and data.

Requirements

When working with, creating or configuring backups, the following applies:

  • Where backup arrangements are automated, these automated solutions shall be adequately tested before implementation.
  • Where confidentiality is important, backups shall be secured, if supported, by encryption and all encryption keys shall be kept secure at all times with clear procedures to ensure that backup media can be immediately decrypted if necessary.
  • Copies of backup media should be removed from devices as soon as possible when a backup or restore is completed.
  • Backup media kept on site before being sent to a remote location for storage should be stored securely at a sufficient distance from the original data to ensure that both the original data and the backups are not compromised.
  • Access to the stored backup media should be restricted to authorised personnel.
  • When backups fail, the owners of the data and systems should be notified and the actions taken recorded.
  • Backup data and media that are no longer needed should be clearly marked and recorded for safe and environmentally friendly disposal.
  • Backup retention for data that is used for our services should be the same or better than mentioned in our Sensible Use Policy.
  • If no backup retention is set, given or known, use the following retention: keep last 3, 7 daily, 2 weekly, 3 monthly.
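An added example (not Tuxis's own tooling) showing which backups the default retention in the last bullet keeps for a constructed schedule. It assumes each rule keeps the newest backup in each of its most recent periods and that the rules are combined as a union; the policy does not define these semantics, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# "keep last 3, 7 daily, 2 weekly, 3 monthly"
RETENTION = {"last": 3, "daily": 7, "weekly": 2, "monthly": 3}


def bucket(ts, rule):
    """Map a timestamp to the period it belongs to for a given rule."""
    if rule == "daily":
        return ts.date()
    if rule == "weekly":
        iso = ts.isocalendar()          # ISO year and week number
        return (iso[0], iso[1])
    if rule == "monthly":
        return (ts.year, ts.month)
    raise ValueError(f"unknown rule: {rule}")


def select_backups(timestamps, retention=RETENTION):
    """Return (keep, prune): keep maps timestamp -> rules that retain it."""
    ordered = sorted(set(timestamps), reverse=True)   # newest first
    keep = {}

    # keep-last: the N most recent backups regardless of their period.
    for ts in ordered[:retention.get("last", 0)]:
        keep.setdefault(ts, []).append("last")

    # Period rules: newest backup in each of the N most recent periods
    # that actually contain a backup (assumed semantics).
    for rule in ("daily", "weekly", "monthly"):
        seen = set()
        for ts in ordered:
            period = bucket(ts, rule)
            if period in seen:
                continue                 # an older backup in a covered period
            if len(seen) >= retention.get(rule, 0):
                break                    # quota for this rule is used up
            seen.add(period)
            keep.setdefault(ts, []).append(rule)

    prune = [ts for ts in ordered if ts not in keep]
    return keep, prune


def sample_backups():
    """Constructed schedule: one backup at 02:00 for 100 days, plus one
    extra backup at 14:00 on the final day (2024-11-28)."""
    end = datetime(2024, 11, 28, 2, 0)
    nightly = [end - timedelta(days=i) for i in range(100)]
    return nightly + [datetime(2024, 11, 28, 14, 0)]


if __name__ == "__main__":
    keep, prune = select_backups(sample_backups())
    for ts in sorted(keep, reverse=True):
        print(ts.isoformat(sep=" "), ", ".join(keep[ts]))
    print(f"kept {len(keep)}, pruned {len(prune)}")
    print("oldest restore point:", min(keep).date())
```

With nightly backups the oldest restore point under this retention is the last backup of the third-most-recent month, which is the number to compare against any recovery requirement for the data.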

Staff Responsibilities

  • Staff must ensure that data is securely maintained and is available for backup. When using the supplied equipment, a user will never have to make a backup. If a staff member thinks that his device does not back up data, he must contact the IT Servicedesk immediately.
  • Staff must store any data/files that require backup on their allocated network storage area, not on their local hard drives / non-volatile memory

Engineering Responsibilities

The situation may arise that the regular backup systems no longer work but a backup is necessary. In that case, the engineer should consider the following:

  • If the allocated storage area becomes unavailable, an engineer may temporarily save the data locally on their hard drive / non-volatile memory or on a USB data stick and, once the allocated storage area becomes available, promptly transfer such locally stored data to the allocated storage area. This device may not be used as a workstation from then on. Connection to a network or other device may only be done to transfer the data from the device.
  • Where sensitive data has been stored locally and then transferred to allocated network storage later, the user must ensure that the local copy is deleted after transfer

Data Restores

Data (file) restores are only to be made by the IT Servicedesk:

  • Staff must request data restoral by contacting the IT Service Desk
  • The IT Service Desk must verify that the user has permission or authorisation to view or obtain restored data prior to restore
  • The IT Service Desk will require various information from the user to facilitate the restore, including:
    • the reason for the restore
    • the names of files or folders to be restored
    • the original location of files or folders
    • the user’s best estimation of the date and time when the user noticed the deletion/corruption
    • the user’s best estimation of the date and time when the user recalls the files or folders being accessible and intact
  • Requests from third party software/hardware vendors for file or system restores for the purpose of system support, maintenance, testing or other unforeseen circumstance should be made to the IT Service Desk
  • Staff accessing backup media for the purpose of a restore must ensure that any media used is returned to a secure location when no longer required
  • A log must be maintained to record the use of backup media whenever it has been requested and/or removed from secure storage

Email Policy

The purpose of this email policy is to ensure the proper use of the Tuxis email system and make users aware of what Tuxis deems as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within the Tuxis network.

You must not use the email system in any way that is offensive or involves deliberately viewing, copying or circulating any material that:

  • Is sexually explicit or obscene.
  • Is racist, sexist, homophobic, harassing or in any other way discriminatory or offensive.
  • Contains material the possession of which would constitute a criminal offence.
  • Promotes any form of criminal activity.
  • Contains unwelcome propositions.
  • Contains images, cartoons or jokes that will cause offence.
  • Appears to be a chain letter.

Furthermore, the following applies:

  • Your personal Tuxis email account should be used primarily for communicating with other employees of Tuxis. Customer-related communication must be done via the Tuxis Ticketing System.
  • Personal communication is permitted on a limited basis, but non-Tuxis related commercial uses are prohibited.
  • All sensitive data contained within an email message or an attachment must be secured according to the Data Protection Policy.
  • Users are prohibited from automatically forwarding Tuxis email to a third party email system.
  • Individual messages which are forwarded by the user must not contain information classified as Tuxis confidential or above.
  • Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct Tuxis business, to create or memorialize any binding transactions, or to store or retain email on behalf of Tuxis.
  • Tuxis employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
  • Tuxis may monitor messages without prior notice. Tuxis is not obliged to monitor email messages. Note that we routinely produce monitoring information which summarises email use and may lead to further investigation where appropriate.

Intellectual Property Rights Policy

All staff and all third parties under contract to us are required to:

  • Comply with laws on intellectual property rights and legal use of software and information products
  • Acquire software only through known and reputable sources
  • Maintain appropriate asset registers, and identify all assets with requirements to protect intellectual property rights
  • Maintain evidence of ownership of licenses, master copies etc.
  • Implement controls to ensure that, where a maximum number of users (or simultaneous users) is permitted, that limit is not exceeded
  • Monitor that only authorised software and licensed products are installed
  • Maintain appropriate license conditions
  • Control the disposal or transfer of software to others in accordance with legal and contractual requirements
  • Comply with terms and conditions for software and information obtained from public networks
  • Do not duplicate, convert to another format or extract from commercial recordings and images other than permitted by copyright law
  • Do not copy in full, or in part, books, articles, reports or other documents, other than permitted by copyright law

BYOD policy

General

Tuxis remains committed to enabling staff to do their jobs as efficiently as possible through the use of technology. This policy sets out requirements for the use of personally-owned smart phones and/or tablets by staff to access Tuxis’s information, resources and/or services.

We respect the privacy of your personal device and will only request access to the device by technicians to implement security controls or to respond to legitimate discovery requests arising out of administrative, civil, or criminal proceedings. This differs from our policy for the equipment and/or services that we provide, where staff do not have the right, nor should they have the expectation, of privacy while using our equipment and/or services.

This policy is intended to protect the security and integrity of our data and technology infrastructure. Limited exceptions to the policy may be authorised by the IT Manager due to variations in devices and platforms.

Policy

All staff who use personal mobile devices to access company information and / or systems must first have them approved and registered in accordance with our BYOD policy.

BYOD personal devices are subject to all of our information security related policies and procedures.

Approval, registration and support of devices

Devices that are EOL (End Of Life) are never allowed. The following devices are supported:

  • All Apple mobile products.
  • All Android mobile products.
  • All Windows mobile products.
  • Connectivity issues are supported by the IT Servicedesk – employees should contact the device manufacturer or their carrier for operating system or hardware-related issues
  • Devices must be presented to the IT Service Desk for the proper configuration of standard apps, such as browsers, office productivity software and security tools, and to be formally approved before they can access our ICT systems

Acceptable use personal devices

  • Acceptable business uses are those activities that directly or indirectly support our business.
  • Acceptable personal use during the working day is limited to reasonable personal communication or recreation.
  • Staff may be blocked from accessing certain websites during work hours/while connected to the corporate network at our discretion.
  • Devices’ camera and/or video capabilities are/are not disabled while on-site.
  • Only apps from the official appstore of the Operating system may be used.
  • Devices must not be used at any time to:
    • Store or transmit illicit materials.
    • Store or transmit proprietary information.
    • Harass others.
  • Staff may use their mobile device to access and store our assets, such as:
    • email
    • calendars
    • Contacts
  • Staff may use their mobile device to access, but not store, our assets, such as:
    • Documents
    • Web applications

Security

  • In order to prevent unauthorised access, personal devices must be password protected in accordance with our Password Policy.
  • The registered device must lock itself with a password, face recognition, fingerprint or PIN if it’s idle for five minutes.
  • After ten failed attempts to enter a password the device will be automatically locked.
  • Rooted (Android) or jailbroken (iOS) devices are strictly forbidden.
  • Smartphones and tablets that are not on the company’s list of supported devices are not permitted to connect to our ICT systems.
  • Staff access to our information is automatically limited as set out in our Access Control Policy.
  • Staff must take all reasonable steps to prevent the theft or loss of personal devices.
  • Staff are expected to maintain the registered device themselves and to ensure that its systems are regularly updated and patched.
  • Staff are expected to be aware of, and comply with, any regulatory or other requirements regarding the handling of personal data.
  • Lost or stolen devices must be reported to the IT Servicedesk as soon as is practicable and in every case within 24 hours.

Staff are responsible for notifying their mobile carrier immediately upon loss of a registered device.

A registered device may be remotely wiped if:

  • The device is lost or stolen.
  • The person ceases to be a member of staff.
  • IT Servicedesk detects a data or policy breach.
  • IT Servicedesk detects a virus or similar threat to the security of our information or technology infrastructure.

Risks, Liabilities and Disclaimers

  • While the IT Servicedesk will take every precaution to prevent any personal data from being lost in the event that a registered device must be remotely wiped, all staff are responsible for taking additional precautions, such as backing up their own data such as email, contacts, etc.
  • We reserve the right to disconnect personal devices or disable services without notification.
  • Staff are expected to use their personal devices in an ethical manner at all times and to adhere to our Device and Resource Acceptable Use Policy.
  • Staff are personally liable for all costs associated with their personal devices.
  • The Security Officer may check your device for a correct configuration.

Workstation Use Policy

All workstation and registered mobile device users must ensure that:

  • They only access the computers they have been authorised to use, using the username and password provided by the IT Servicedesk.
  • Sensitive and personal data is not saved to unencrypted hard drives / non-volatile memory.
  • Data and information are never transferred to a portable storage device unless that data is publicly available or has a very low classification.
  • Desktop computers are not moved from their location without managerial approval.
  • Screens/computers are locked when they are away from the computer.
  • An automatic screen lock with a maximum of 10 minutes timeout period is enabled to ensure that workstations that were left unsecured will be protected.
  • Unauthorized or non-standard equipment is not attached to the computer or network.
  • While mobile computing devices such as digital cameras and digital dictation devices are not generally treated as data storage devices, their contents may be classed as data and such data should be transferred to our network as soon as is practicable.
  • Software is only installed on computer equipment by staff with the appropriate administrative access and authority.
  • Software is only installed on computer equipment if it is approved by the IT Manager.
  • Tuxis’s computer equipment is not used to store personal data such as photos, music, personal documents etc.
  • Any suspicious or unknown equipment or persons near or around desktop computers / laptops is reported to the IT Servicedesk
  • Computers are logged off and shut down when not in use for extended periods and monitors are powered off. Running applications must be exited and documents saved and closed.
  • Computers are not mishandled or tampered with in any way.

Internet Use

  • You may use the internet for personal purposes before you start work, during your lunchtime, or after work but not during normal working hours.
  • You must not use Tuxis’s internet or email systems for trading or personal business purposes.
  • If you use the internet to buy personal goods or services, goods must not be delivered to our business address and we will not accept liability for payment or for security of any personal information that you provide.
  • Downloading of illegal video, music files, games, software files and other computer programs for non-work related purposes is strictly prohibited.

No internet sites that contain “unacceptable” content are blocked by our systems. You should not deliberately view, copy or circulate any material that:

  • Is sexually explicit or obscene.
  • Is racist, sexist, homophobic, harassing or in any other way discriminatory or offensive.
  • Contains material the possession of which would constitute a criminal offence
  • Promotes any form of criminal activity.
  • Contains images, cartoons or jokes that will cause offence.

Note that we may record the details of all internet traffic to protect Tuxis and our staff from security breaches, including hacking, and to ensure that ‘unacceptable’ sites are not being visited.

Security

Our computer systems are under continuous threat from hackers, virus/malware infections, data and equipment theft. You must remain vigilant at all times in order to safeguard information and data and to protect the security and integrity of our ICT systems.

All users must ensure that our computers and devices:

  • Are not given to any unauthorized persons for safe keeping.
  • Are not left discarded or unattended in public places or vehicles.
  • Are adequately protected from physical damage.
  • Are not hired or lent to others without authorization from the IT Servicedesk.
  • Which are no longer required or which have reached the end of useful life are returned to the IT Servicedesk for disposal.

Additional security requirements for BYOD registered devices are set out in our Bring Your Own Device (BYOD) Policy.

Antivirus/Malware

For desktops

Desktop users

Whenever you see any on-screen warnings regarding threats from viruses/malware, you should stop what you are doing and report the details to the IT Servicedesk immediately.

The following rules apply for workstations:

  • Do not install unauthorised software. Get authorisation from the ICT department.
  • Make sure your browser is securely configured and ask the IT department for assistance while configuring it.
  • Keep the Social Engineering and Scam Awareness Policy in mind.

Servers

On servers that can only be reached via SSH, anti-virus software is not part of the default installation. Therefore you should act on strange behaviour of servers or services.

Strange behavior includes:

  • A server gives random overload notifications
  • A server is no longer accessible
  • A server does much more data traffic than usual
  • A server is slow

Our controls against malicious code include:

  • A strict ban on the use of unauthorised software
  • Make sure installed software is clean by using the proper download channels
  • Only log in when necessary

User Endpoint Devices Policy

This policy sets out Tuxis’s requirements to ensure the security of mobile devices and applies equally to information stored on or accessed via home PCs or (mobile) devices.

(Mobile) Devices

General

We do not require staff to store or access confidential information using computing devices that we do not own or manage. Should we require a member of staff to use a mobile or home computing device to store or access confidential information, then we will provide, and maintain, a suitably configured device.

To protect against loss or unauthorised access, the removal of our information assets offsite, on laptops or other mobile devices, or to home computers, must be formally authorised by the IT-manager or Security Officer.

That authorisation will only be provided on the basis of a formal ISMS Information Handling Risk Assessment, taking into account the sensitivity/criticality of the information and the identification of appropriate risk management measures.

Working offsite

The physical, logical and technological controls that are available within our premises may not be automatically available when working outside of that environment. There is an increased risk of information being subject to loss or unauthorised access. Mobile device users must take special measures to protect sensitive/critical information in these circumstances.

When using mobile devices you must do the following:

  • Ensure that sensitive/critical information is not compromised when using mobile device and communication facilities, e.g. notebooks, palmtops, laptops, smart cards, and mobile phones.
  • Ensure that data is not solely on the device. Use the provided tools to access data.
  • Ensure that special protection is deployed to avoid the unauthorised access to, or disclosure of, the information stored and processed by these facilities, e.g. using cryptographic techniques or a VPN.
  • Avoid the risk of being overlooked by unauthorised persons in public places.
  • Ensure that equipment carrying sensitive/critical information is not left unattended and, where possible, is physically locked away, or that special locks are used to secure the equipment.
  • Use passwords or other authentication tokens according to the Password Policy.
  • When working with other organisations make sure that you also comply with their guidelines relating to mobile devices.
  • Follow the guidelines of the Remote Working Policy.

Networks not under our control

Information owners and mobile device users must take account of the risks associated with using wireless networks and any other networks not under our control.

Sensitive/critical information may only be transferred across networks when the confidentiality of the information can be assured throughout the transfer, in particular:

  • Wireless networks and public networks are less secure than our private, wired networks.
  • Email is an inherently unsecure way of transferring sensitive/critical information and should be used with caution.

Where there is no alternative to transferring/accessing sensitive/critical information across unsecure networks or by email, advice should be sought from the IT Manager on appropriate steps to protect the information.

Laptops and Mobile Devices

Sensitive/critical information stored on laptops and other mobile devices or home personal computers, should be kept to a minimum, and that information kept for a minimum period, so as to reduce the potential impact should a breach of security occur.

Individuals must not permit others, including family or friends, to use or modify any equipment provided by us to carry out their professional duties.

Loss of any mobile device containing sensitive/critical information, or any other security breach, must be reported immediately to the IT Manager.

Sensitive/critical information held on any mobile device must be securely erased before the device is reassigned to another user or to another purpose. Where necessary, or if in doubt, advice should be sought from the IT Manager on appropriate tools for erasing information on mobile devices and home computers.

USB data sticks for temporarily storing sensitive data may never be used.

Mobile devices are vulnerable to theft, loss or unauthorised access when taken outside of our premises and must be provided with appropriate forms of access protection, including:

  • Password protection.
  • Time-out protection, for example screen saver or hibernation with password.
  • Sensitive/critical information should be encrypted – this may best be achieved by encrypting the entire device.
  • Where encryption is to be employed, seek advice on how best to achieve this from the IT Manager.
  • Note that information is only protected by encryption when the laptop is powered off and not in normal use.
  • Access to encrypted information is lost if the encryption key is forgotten.

Remote Wipe

Supplied apps may have the possibility to remote wipe a device. In case of loss or theft, Tuxis will use this option regardless of whether it is a Tuxis device or a personal device.

Installation of Software on Operational systems policy

The following applies when installing software on operational systems.

  • Only the IT Servicedesk is allowed to install software.
  • Authorization for the installation of software that has never been used before must be obtained from the IT-manager.
  • The updating of the operational software, applications, and program libraries should be performed by the IT Servicedesk.
  • Operational systems should only hold approved executable code, and not development code.
  • Applications and operating system software should only be implemented after extensive and successful testing; the testing should include usability, security and effects on other systems, and should be carried out on separate systems.
  • The assigned configuration control system should be used to keep control of all implemented software as well as the system documentation.
  • A rollback strategy should be in place before changes are implemented that might reduce availability or security.
  • Previous versions of application software should be retained as a contingency measure.
  • Vendor supplied software used in operational systems is always updated sufficiently to remain within the support regime of the supplier. Where a software vendor ceases to support operational software we consider the risks of relying on that software.
  • Any decision to upgrade to a new release takes into account the usefulness of the change and the security features of the release.
  • Operating systems are upgraded only when there is a clear benefit in doing so and preferably after evidence of the new release’s stability.
  • We only allow suppliers to have physical or logical access to our systems for necessary support purposes. Such access requires prior management authorization and, where such authorization is granted, supplier’s activities are monitored.
  • Where operational software relies on externally supplied software and modules, they are monitored and controlled to avoid unauthorized changes, which could introduce security weaknesses.

Access Control Policy

This policy sets out Tuxis’s arrangements for:

  • Limiting the access to information and information processing facilities.
  • Ensuring authorized user access and to prevent unauthorized access to systems and services.
  • Making users accountable for safeguarding their authentication information
  • Preventing unauthorized access to systems and applications.

Business Requirements of Access Control

Physical and environmental security

Physical security has been designed for offices, rooms and facilities. Issuance of keys, access passes and alarm codes is done by the Facility Manager, who records this.

Cupboards and safes are actively managed for the storage of confidential information. Authorisations for physical access to secured areas are checked/evaluated at least once every six months.

Sharing of keys and codes is not allowed.

Access to secure areas.

With regard to services, physical security, including protection of utilities is outsourced to ISO 27001 certified hosting parties whereby protection against unauthorised access and external harmful influences have been completed.

Access to networks and network services

Users are only provided with access to the networks and services that they have been specifically authorized to use in accordance with their role and function.

User Access Management

Our user access arrangements ensure that only authorized users have access to systems and services.

User registration and de-registration and user access provisioning

A formal procedure for user registration and de-registration is in place which provides for the assignment of access rights and formal user access provisioning, involving both assignment and revocation of access rights, for all types of user to all systems and services.

  • Using unique user IDs to enable users to be linked to and held responsible for their actions.
  • The use of group IDs to only be permitted where they are necessary for business or operational reasons, and when permitted must be documented.
  • Checking that the user has authorization from the system owner for the use of the information system or service.
  • Checking that the level of access granted is appropriate to the business purpose and is consistent with organisational security policy.
  • Maintaining a formal record of all persons or groups registered to use the service.
  • Promptly removing or blocking access rights of users who have changed roles or jobs or left the organisation.
  • Periodically checking for, and removing or blocking, redundant user IDs and accounts.
  • Ensuring that redundant user IDs are not re-issued.

Each engineer manages access in accordance with this procedure.

Management of privileged access rights

A formal procedure for the allocation and use of privileged access rights is in place and each engineer manages privileged access in accordance with this procedure.

  • The access privileges associated with each system product, e.g. operating system, database management system and each application, and the users to which they need to be allocated should all be identified.
  • Privileges should be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy, i.e. the minimum requirement for their functional role only when needed.
  • Authorization process and a record of all privileges allocated should be maintained – privileges should not be granted until the authorization process is complete.
  • The development and use of programs / system routines which avoid the need to run with privileges should be promoted.
  • Privileges should be assigned to a different user ID from that used for normal business use.

Management of secret authentication information of users

A formal procedure for allocation of secret authentication information (such as passwords) is in place and each system administrator manages the allocation of secret authentication information in accordance with this procedure.

Where passwords are deployed they are required to comply with our Password policy.

  • Passwords are a common means of verifying a user’s identity before access is given to an information system or service according to the user’s authorization.
  • Other technologies, for example biometrics or the use of hardware tokens, e.g. smart cards, may also be employed.
  • When users are required to maintain their own passwords, they may initially be provided with a secure temporary password, which they are forced to change immediately.
  • The identity of a user should be verified (by sending a secret code to the user’s official email ID and asking him / her to confirm the secret code) prior to providing a new, replacement or temporary password.
  • The use of third parties or unprotected (clear text) electronic mail messages is avoided.
  • Temporary passwords should be unique to an individual and should not be guessable.
  • Users should be required to acknowledge receipt of passwords, by email or reply SMS.
  • Passwords must never be stored on computer systems in an unprotected form – they must always be masked / encrypted and stored.
  • Default vendor passwords should be promptly changed following installation of systems or software.

Review of user access rights

Asset Owners review users’ access rights at regular intervals (not exceeding twelve months) and also after any changes of role, such as promotion, secondment or posting elsewhere within the organisation.

Those empowered to grant special privileged access rights review those rights at regular intervals (not exceeding six months).

Removal or adjustment of access rights

The access rights of all employees and external party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change.

System and Application Access Control

Users are granted the minimum level of access necessary to perform their job functions, and access is based on user roles within the organization. Access requests must be submitted to the Security Officer or Senior management.

Information access restriction

Access to information and application system functions is restricted in accordance with this policy.

Secure log-on procedures

Where required by this policy, access to systems and applications is controlled by a secure log-on procedure.

Password management system

Our password management system is interactive in nature and ensures quality passwords. Users are required to follow the Password policy. Management of lost or forgotten passwords must be undertaken with special care regarding identity checks.

Use of privileged utility programs

The use of utility programs (such as anti-virus programs) that might be capable of overriding system and application controls is restricted. If such programs are needed, the IT Servicedesk will provide them.

Access control to program source code

Tuxis does not develop software but might have access to program source code. Access to program source code and related items (such as designs, specifications, verification plans and validation plans) is strictly controlled so as to prevent the introduction of unauthorized functionality and unintentional changes. For program source code, this is achieved by controlled central storage of such code under the control of the IT-manager.

The steps taken to control access to program source code and related items include:

  • Appropriate authorization is required for the updating of program source code and related items, and the issuing of program sources to programmers.
  • Program listings are held in a secure environment.
  • An audit log is maintained of all changes to program source code.
  • Maintenance and copying of program source code is subject to strict change control procedures.

This access to program source code and related items procedure is periodically reviewed on the basis of business and security requirements.

Secure Logon Procedure

The purpose of this logon procedure is to ensure secure access to systems and applications within our organization.

Authentication

Users must do the following when logging in or on to systems and services:

  • Where passwords are employed they are required to comply with our Password Policy.
  • Do not visit login screens by following the link from an external source like search engines, e-mail and tickets.
  • Double check if you are visiting the correct place.
  • Only log-on when the connection is secured by TLS, VPN or other strong encryption.
  • Authenticate using strong credentials (e.g., username and password) that are supplied by the Tuxis Password Manager.
  • Avoid cutting and pasting or typing passwords. If possible, the Tuxis Password Manager should fill in the credentials so you know you are on the correct URL.
  • Check if multi-factor authentication (MFA) is available and enable it.

Remote Working Policy

Terms and Definitions

Teleworking has been defined as: “a form of organising and / or performing work, using information technology, in the context of an employment contract / relationship, where work, which could also be performed at the employer’s premises, is carried out away from those premises on a regular basis.”

Note that teleworking can encompass a variety of working arrangements, including home-working, telecentres and working from satellite offices in different locations. Teleworkers may be employees or self-employed.

General

This policy relates to any arrangement where particular staff work at an offsite location, on a regular or long term basis, and which also involves them in either:

  • Holding Tuxis’s confidential information offsite, whether in electronic or paper format.
  • Having a type or level of remote access to information or applications on our network servers which exceeds that which is ordinarily available to all staff.

The purpose of this policy is to ensure that teleworking is undertaken safely from an information security perspective. It is therefore required that information security risks, related to each specific teleworking scheme, are identified, assessed and managed.

Authorization for teleworking

A member of staff may only undertake teleworking where Tuxis wishes, and is able, to provide suitable teleworking facilities.

Staff must be authorized by their Head of Department to undertake teleworking, as distinct from other remote working arrangements, and must comply with all other requirements for offsite working.

The teleworking authorization process is undertaken by the IT Manager and involves the assessment of information security risks, taking into account:

  • Protection against the theft of equipment and information, the unauthorized disclosure of information, unauthorized remote access to the organisation’s internal systems or misuse of facilities.
  • The sensitivity of the information that will be accessed and pass over the communication link and the sensitivity of the internal system.
  • The threat of unauthorized access to information or resources from other persons using the accommodation, e.g. family and friends.
  • The technical security measures of the facilitating external internet providers.
  • The use of home networks and requirements or restrictions on the configuration of wireless network services.
  • Arrangements to prevent disputes concerning rights to intellectual property developed on privately owned equipment.
  • Access agreements to privately owned equipment (to check the security of the machine or during an investigation), which may otherwise be prevented by privacy legislation.
  • Arrangements to ensure that we don’t become liable for the licensing of private software on workstations owned privately by employees, contractors or third party users.
  • Encryption arrangements.
  • Anti-virus protection and firewall requirements.
  • A definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the tele-worker is authorized to access.
  • The provision of suitable communication equipment, including methods for securing remote access.
  • Training requirements of the teleworker.
  • Equipment and software maintenance.
  • Arrangements for back-up and business continuity.
  • Audit and security monitoring.
  • Revocation of authority and access rights, and the return of equipment when the teleworking activities are terminated.

The agreed arrangements must be registered by the IT Manager, Senior Management or Security Officer in the Teleworking Register.

Security of information while teleworking

Teleworking staff must:

  • Not put sensitive information at risk by using less secure computing and communication equipment than that provided.
  • Not modify or replace the computing and communication equipment provided without prior authorization from the IT Manager.
  • Not permit others to use the equipment provided.
  • Ensure that adequate backup procedures for any information held offsite are properly implemented and maintained.
  • Only use equipment that is approved by Tuxis.

Staff must not take, send or print hard copies of confidential documents offsite unless it is unavoidable, and must comply with the Acceptable use of information and other associated assets when doing so.

Where it is absolutely necessary for a teleworker to handle confidential hard copy documents offsite, they should be kept in locked cabinets when not attended (clear desk policy), sent by special delivery post, delivered by hand where possible and disposed of by shredding through a DIN P5 shredder.

Physical Security Perimeters Policy

This document sets out Tuxis’s arrangements for:

  • Preventing unauthorized physical access, damage and interference to our information and information processing facilities.
  • Preventing loss, damage, theft or compromise of assets.
  • Preventing interruption to our operations.

Secure Areas

Where appropriate, we provide secure areas to prevent unauthorized physical access, damage and interference to our information and information processing facilities.

Physical security perimeter

Security perimeters have been defined and are used to protect areas that contain either sensitive or critical information and information processing facilities. Physical security perimeters, including barriers such as walls, card-controlled entry gates or manned reception desks, are implemented taking into account the following guidelines:

  • Security perimeters are to be clearly defined, and the siting and strength of each perimeter should reflect the security requirements of the assets within the perimeter and the results of a risk assessment.
  • Perimeters of the building or site containing information processing facilities must be physically sound and all external doors must be protected against unauthorized access with control mechanisms.
  • Where necessary, doors and windows are to be locked when unattended.
  • The reception area, if there is one, is to be manned and access to sites and buildings should be restricted to authorized staff only.
  • Where necessary, physical barriers are to be erected to prevent unauthorized physical access.
  • All fire doors on the security perimeter are to be fitted with alarms, monitored, and tested to establish the required level of security in accordance with appropriate standards – fire doors must always operate in accordance with the applicable fire code in a failsafe manner.
  • Certified or recommended intruder detection systems are to be installed and regularly tested to cover all external doors and accessible windows.
  • Information processing facilities that we manage are to be physically separated from those managed by third parties.

Physical entry controls to secure areas

  • Secure areas are protected by appropriate entry controls to ensure that only authorized staff are allowed access.
  • The date and time of entry and departure of visitors to secure areas are recorded and all visitors are supervised unless their unsupervised access has been previously approved. Visitors are only granted access for specific authorised purposes and are briefed, in advance, on the security requirements of the area and on emergency procedures.
  • Authentication controls (access control card plus PIN to be entered at the door or similar) are used to authorise and validate all access. An audit trail of all access is securely maintained.
  • Third party support service staff are granted restricted access to secure areas only when required, and this access is authorized and monitored.
  • Access rights to secure areas are regularly reviewed and updated, and revoked when necessary.

Securing offices, rooms and facilities

Physical security for offices, rooms, and facilities has been designed and applied taking into account the following guidelines:

  • All relevant health and safety and fire regulations must be observed.
  • Where practicable, key secure facilities are to be sited so as to avoid access by the public.
  • Internal directories and plans identifying locations of sensitive information processing facilities are to be kept away from the public.
  • Where practicable, buildings and facilities are to be made unobtrusive and give minimum indication of their purpose, with no obvious signage identifying the presence of information processing activities.

Areas and their access level

Who has access to what can be found in our Access Matrix.

Protecting against external and environmental threats

Appropriate physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster has been put in place, taking into account the following guidelines:

  • Hazardous or combustible materials are stored at a safe distance from a secure area
  • Bulk supplies such as stationery are not stored within a secure area.
  • Backup equipment and media are sited at a safe distance from the location where they would be used.
  • Appropriate fire-fighting equipment is provided in suitable locations, and staff appropriately trained, in accordance with our fire risk assessment and fire safety policy.

Working in secure areas

We have established information security policies and procedures to be followed by staff working in secure areas.

  • Staff are only made aware of the existence of, or activities within, a secure area on a need to know basis.
  • Unsupervised working in secure areas is avoided both for safety reasons and to limit opportunities for malicious activities.
  • Photographic, video, audio or other recording equipment, such as cameras in mobile devices are not permitted in secure areas unless authorized.

Delivery and loading areas

Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises are controlled and, where practicable, isolated from information processing facilities to avoid unauthorised access.

Equipment

To prevent loss, damage, theft or compromise of assets and interruption to our operations, we apply the controls described below.

Equipment siting and protection

Where practicable, equipment is sited and protected to reduce the risks from environmental threats and hazards. We reduce the risks and opportunities for unauthorized access by adopting the following measures, wherever practicable:

  • Equipment should be sited to minimise unnecessary access into work areas.
  • The viewing angle of information processing facilities handling sensitive data should be restricted to reduce the risk of information being viewed by unauthorised persons.
  • Storage facilities should be secured to avoid unauthorised access.
  • Items requiring special protection should be isolated to reduce the general level of protection required.
  • Controls should be adopted to minimise the risk of potential physical threats, e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism.
  • Environmental conditions, such as temperature and humidity, should be monitored.
  • Lightning protection should be applied to all buildings and lightning protection filters should be fitted to all incoming power and communications lines.

Supporting utilities

We protect critical equipment from power failures and other disruptions caused by failures in supporting utilities. The precautions we employ, where appropriate and practicable, include:

  • Incoming support utilities are regularly inspected and tested as appropriate.
  • An online UPS system having adequate backup time has been installed to support orderly close down or continuous running for equipment supporting critical business operations.
  • Power contingency plans cover the action to be taken on failure of the UPS. A backup generator can be connected to bridge prolonged maintenance windows on the grid.
  • The UPS are maintained and checked regularly to ensure there is adequate capacity
  • Emergency power-off switches are located near emergency exits in equipment rooms to facilitate rapid power down in case of an emergency.
  • Emergency lighting is provided in case of main power failure
  • An alarm system detects malfunctions in the supporting utilities
  • Telecommunications equipment is connected to the utility provider by at least two diverse routes to prevent failure in one connection.
  • Voice services are adequately protected to ensure their continued functioning for emergency communications.

Cabling security

Power and telecommunications cabling carrying data or supporting information services are installed in such a way that they are protected from interception or interference or damage. The precautions we employ, where appropriate and practicable, include:

  • Power and telecommunications lines into information processing facilities are subject to adequate protection.
  • Network cabling is protected from unauthorised interception or damage, by using a conduit (shield) or by avoiding routes through public areas.
  • Clearly identifiable cable and equipment markings are used to reduce handling errors.
  • A documented patch list is used to reduce the possibility of errors.
  • For sensitive or critical systems further controls are used, including:
    • installation of armoured conduit and locked rooms or boxes at inspection and termination points.
    • Use of alternative routings and/or transmission media providing appropriate security.
    • Use of fibre optic cabling.
    • Use of electromagnetic shielding to protect against interference.
    • Initiation of technical sweeps and physical inspections for unauthorised devices being attached to the cables.
    • Controlled access to patch panels and cable rooms.

Equipment maintenance

We ensure that all equipment is properly maintained to ensure continued availability and integrity, including:

  • Equipment is maintained in accordance with the supplier’s recommended service intervals and specifications and, where appropriate, preventative maintenance is undertaken.
  • Only authorized maintenance staff are permitted to carry out repairs and service equipment.
  • Records are maintained of all suspected or actual faults, and all preventive, regular and breakdown maintenance.
  • Appropriate working instructions are available when equipment is scheduled for maintenance, including, where necessary, removing information from the equipment prior to maintenance.
  • Where additional requirements are made by insurance providers, those requirements are met

The IT Manager has a register listing the systems to be included in monthly maintenance.

Removal of assets

Equipment, information and software are not permitted to be removed from our premises or from secure areas without prior authorisation.

Security of equipment off-premises

Security has been applied to off-site assets such as laptop computers and GPS systems, taking into account the various additional risks arising from working outside of our premises.

The use of any information processing equipment outside of our premises must be authorised in advance and staff are required to:

  • Not leave media or equipment unattended in public places
  • Carry portable devices as hand luggage when travelling
  • Take care not to expose devices to adverse environments, such as water and strong electromagnetic fields

Unattended (user) equipment

When leaving equipment unattended, handle it as if it contains data with a very high confidentiality unless you are sure it does not. The following rules apply:

  • Secure the Area: Ensure that the area where the equipment is located is secure and has restricted access for strangers.
  • Lock Equipment: If possible, lock the equipment or secure it with a cable lock to prevent theft.
  • Log Out of Accounts: Always log out of any accounts or applications before leaving the equipment unattended to protect sensitive information.
  • Turn Off Equipment: If feasible, turn off the equipment or put it into sleep mode to reduce the risk of unauthorized access.
  • Avoid Leaving Sensitive Information: Do not leave sensitive documents or information visible on the equipment or in the surrounding area.

Clear desk and clear screen policy

A clean desk policy is an important tool to ensure that all sensitive/confidential materials are removed from an end user workspace and locked away when the items are not in use or an employee leaves his/her workstation. It is one of the top strategies to utilize when trying to reduce the risk of security breaches in the workplace. Such a policy can also increase employees’ awareness about protecting sensitive information.

Sensitive information of Tuxis must be protected from being shared via physical items on the desktop or in the office space. Therefore:

  • Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period
  • Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day
  • Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.
  • Passwords may not be written down
  • Printouts containing Restricted or Sensitive information should be immediately removed from the printer.
  • Upon disposal, Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the locked confidential disposal bins
  • Whiteboards containing Restricted and/or Sensitive information should be erased.
  • All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.

Network Policy

This policy sets out Tuxis’s requirements regarding connecting devices to our networks. The IT Servicedesk operates this policy to ensure the security and appropriate use of Tuxis Networks, and to allocate access to network resources and bandwidth in an equitable manner.

This policy advises users regarding the specifics of connecting devices to the network.

  • Staff may only connect to the network from those locations that IT Services has designated as connectivity points: voice/data jacks or separate demarcation points
  • These connections are limited to end-point devices such as PCs, notebooks, workstations, printers, or other terminating devices.
  • Staff may not extend or modify the network in any way by installing devices such as repeaters, bridges, switches, routers, gateways, wireless access points, or permanent hubs unless specific permission has been obtained from the IT Servicedesk
  • Staff may not install servers that provide network services without first discussing their project requirements with the IT Servicedesk.
  • Staff must seek prior authorisation from the IT Manager before they install web, application, music, or other types of servers or devices designed to provide file, print, application, or access services
  • Staff must use network services provided by the IT Servicedesk, and not attempt to provision network services such as IP address assignment (i.e., DHCP servers), DNS, or other management services

Any piece of equipment that is found in violation of these requirements will be subject to immediate disconnection.

Wireless Network Policy

General

Our requirements of wireless networks include the following:

  • Our IT Servicedesk ensures that our secure wireless networks comply with all legal and regulatory requirements and our ISMS
  • All access points and wireless devices used on our secure wireless network must conform to all related national regulations, standards and recommended specifications as defined by the IT Servicedesk
  • All new access points and wireless devices used on our secure wireless network must be purchased and installed by the IT Servicedesk
  • Requests for the installation of new access points or wireless devices must be directed through the IT Servicedesk
  • All access points and wireless devices used on our secure wireless network must follow the standard configuration settings supplied by the IT Servicedesk
  • The IT Servicedesk has the right to disable, without prior notice, any non-standard or unauthorised devices on our secure wireless network
  • The IT Servicedesk department regularly monitors our secure wireless networks
  • Such audit penetration tests must only be carried out with the prior agreement of the IT Manager
  • Where unauthenticated open access to the Internet is provided, it is provided separately from the secure wireless network, and unauthenticated access via personal laptops and other mobile devices will be subject to internet filtering
  • Only software and hardware devices that are approved by the IT Servicedesk are permitted on our secure wireless network
  • Staff must not connect any unauthorised equipment to our secure wireless network without prior approval from the IT Servicedesk
  • No information regarding our wireless networks, including configuration and setup information, may be shared with any unauthorised users, third party vendors or members of the public, apart from notification of the availability of our guest unauthenticated wireless network

Cloud Computing Policy

Staff must not open cloud services accounts or enter into cloud service contracts for the storage, manipulation or exchange of Tuxis’s communications or information without being authorised to do so by the IT Manager.

Tuxis remains committed to enabling staff to do their jobs as efficiently as possible through the use of technology. The following policy establishes a process whereby our staff can use cloud services without risking the integrity and confidentiality of our data and the security of our computing facilities.

  • If you are not sure whether a service is cloud-based or not, please contact the IT Servicedesk
  • Use of cloud computing services for work purposes must be formally authorised by the IT Manager, who ensures that security, privacy and all other IT management requirements will be adequately addressed by the cloud computing vendor
  • For any cloud services that require users to agree to terms of service, such agreements must be reviewed and approved by the IT Manager
  • The use of any cloud services must comply with all of our other relevant IT policies and procedures.
  • The use of cloud services must comply with all laws and regulations governing the handling of personally identifiable information, corporate financial data or any other data owned or collected by Tuxis.
  • The IT Manager decides what information may or may not be stored in the Cloud
  • Personal cloud services accounts may not be used for the storage, manipulation or exchange of Tuxis’s communications or information

Pre-approved cloud computing services

There are no pre-approved cloud computing services

Social Engineering and Scam Awareness Policy

The Social Engineering Awareness Policy bundle is a collection of policies and guidelines for employees of Tuxis. In order to protect Tuxis’s assets, all employees need to defend the integrity and confidentiality of Tuxis’s resources.

This policy has the following purposes:

  • To make employees aware that:
    • fraudulent social engineering attacks occur
    • there are procedures that employees can use to detect attacks
  • Employees are made aware of techniques used for such attacks
  • Employees recognize they are an important part of Tuxis’s security. The integrity of an employee is the best line of defense for protecting sensitive information regarding Tuxis’s resources
  • To create specific procedures for employees to follow to help them make the best choice when:
    • Someone is contacting the employee – via phone, in person, email, fax or online – and elusively trying to collect Tuxis’s sensitive information
    • The employee is being “socially pressured” or “socially encouraged or tricked” into sharing sensitive data.

Social Engineering Techniques

Typical social engineering techniques used are the following:

  • Caller ID Spoofing: Callers may use technology to make it appear as though they are calling from a legitimate number. A phone number does not identify a person.
  • Urgency or Threats: Callers may create a sense of urgency or use threats to pressure you into providing personal information or money.
  • Request for Personal Information: Small pieces of information may be requested that do not seem sensitive in themselves. However, such seemingly insensitive information may be collected over multiple phone calls and aggregated later into a complete profile.
  • Unsolicited Offers: If you receive an unsolicited call offering you something that sounds too good to be true, it’s likely a scam.
  • Poor Grammar or Pronunciation: Many scam calls originate from overseas call centers, so the caller may have difficulty speaking fluent English.
  • Refusal to Provide Information: Legitimate organizations will usually provide you with their contact information and allow you to verify their identity.
  • Pressure to Act Immediately: Scammers often try to rush you into making a decision without giving you time to think it over.

Recognise Social Engineering and Scam attempts

Sensitive information of Tuxis will not be shared with an unauthorized individual even if he/she uses words and/ or techniques such as the following:

  • An “urgent matter”
  • A “forgotten password”
  • A “computer virus emergency”
  • Any form of intimidation from “higher level management”
  • Any form of intimidation that a customer will cancel his account
  • Any “name dropping” by the individual which gives the appearance that it is coming from legitimate and authorized personnel.
  • The requester requires release of information that will reveal passwords, model, serial number, or brand or quantity of Tuxis resources.
  • The techniques are used by an unknown (not promptly verifiable) individual via phone, email, online, fax, or in person.
  • The techniques are used by a person that declares to be “affiliated” with Tuxis such as a sub-contractor.
  • The techniques are used by an individual that says he/she is a reporter for a well-known press editor or TV or radio company.
  • The requester is using ego and vanity seducing methods, for example, rewarding the front desk employee with compliments about his/her intelligence, capabilities, or making inappropriate greetings (coming from a stranger).

Other suspicious acts

The techniques used above can also be used differently, making it less noticeable. Here are some examples:

  • You get a request from someone who normally does it themselves. Think of urgent money transfers, opening ports on servers, giving access.
  • The client says: “Unfortunately, I cannot reach the person responsible” (it takes a lot of time, is a hassle, the person is too busy, must not be disturbed, has passed away). “You are the only one who can help me.” Recognise the situation: If you do help them, then you are the hero. If you don’t, then that’s a huge problem for them. Still, that is not a reason to supply information.
  • The caller says: “I’d like to know who I’m talking to. That’s why I ask some verification questions first.” If someone asks you that, you may feel it’s OK and, worse, provide information to identify yourself. After all, that was what the caller needed. This may take several minutes, which makes you forget that you had not taken the initiative. Then come the questions for information.
  • All initiatives come from the other side. You never have to call or email them but they always contact you. As a result, you never call the phone number recorded in our systems and forget to verify the person.
  • The e-mail address used is not the actual e-mail address of the client. Some mail clients only show the name. Be aware that TUXIS.nl is not the same as TUXlS.nl.
  • Web addresses might be confusing. https://www.tuxis.nl/portal/loginpage/ is a URL for tuxis.nl. https://www.tuxis.nl.portal.loginpage.io/, however, goes to loginpage.io, which is a completely different server. And again, https://www.TUXlS.NL is not https://www.tuxis.nl/
  • Requesting information that is publicly available can happen. Refer that person to that source. If that person doesn’t want to, finds it weird, objects, it could be a sign that that person is eager to talk to you so they can gain trust.

Not supplying sensitive information will never get you in trouble with management. When in doubt, don’t give information and consult your manager for steps to take.
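The web address and e-mail address checks from the list above can be automated. The following is an added example, not part of Tuxis’s policy or tooling: it classifies a URL or a From header against the tuxis.nl domain used above, and the confusables table and function names are assumptions made for this illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "tuxis.nl"  # the domain used in the examples above

# Assumption: a deliberately small table of look-alike characters.
# i, l and 1 collapse to one symbol, as do o and 0; "rn" reads as "m".
_CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})


def skeleton(name: str) -> str:
    """Reduce a host name to a form in which look-alike spellings collide."""
    return name.lower().replace("rn", "m").translate(_CONFUSABLES)


def classify_host(host: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Return 'trusted', 'embedded', 'lookalike' or 'other' for a host name."""
    host = host.lower().rstrip(".")
    # The trusted name must be the END of the host name, on a label boundary.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    # The trusted name appears, but only as a prefix or in the middle:
    # www.tuxis.nl.portal.loginpage.io belongs to loginpage.io.
    if f".{trusted}." in f".{host}.":
        return "embedded"
    # Compare the last labels of the host with the trusted name after
    # folding look-alike characters (TUXlS.nl versus TUXIS.nl).
    width = trusted.count(".") + 1
    tail = ".".join(host.split(".")[-width:])
    if skeleton(tail) == skeleton(trusted):
        return "lookalike"
    return "other"


def classify_url(url: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Classify a login URL; anything that is not https is rejected first."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "no-tls"
    return classify_host(parts.hostname or "", trusted)


def classify_sender(from_header: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Classify the domain of a From header, ignoring the display name.

    A 'trusted' result only means the domain is spelled correctly. It does
    not authenticate the sender, because a From header can be forged.
    """
    _display_name, address = parseaddr(from_header)
    return classify_host(address.rpartition("@")[2], trusted)


if __name__ == "__main__":
    # URLs taken from the list above; the From headers are constructed.
    for url in (
        "https://www.tuxis.nl/portal/loginpage/",
        "https://www.tuxis.nl.portal.loginpage.io/",
        "https://www.TUXlS.NL",
    ):
        print(f"{classify_url(url):10} {url}")
    for header in (
        '"Tuxis Support" <support@TUXlS.nl>',
        "Tuxis Support <helpdesk@example.org>",
    ):
        print(f"{classify_sender(header):10} {header}")
```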

How to identify a person

To identify a person, the rule of thumb is that you get in contact with that person by using information you already have. Keep the following in mind:

  • A phone number can be spoofed. When you are called, the phone number does not identify a person.
  • An e-mail address can be spoofed. When you receive an email, it does not identify a person.

How to handle

When called with a request, call them back but make sure you use a phone number that is known to you. When mailed with a request, check the sender before replying and repeat the question and ask for approval. Make sure the person that is making the request is allowed to do so.

There might be a situation where you have to identify a person by other means. Depending on the request (“delete all my data” needs more identification than “what invoices do I have to pay”), you can ask for information that is most likely not known by others. Things like a debtor number, or the services that they buy from us. What was discussed in our last contact moment? When was that? The full name. Address.

Social Networking Policy

This policy is designed to allow the company to take advantage of social media’s business benefits and promote its products/services, contribute to the relevant online dialog, and better engage with customers and prospects, while avoiding the significant risks involved.

  • All staff are expected to use the Internet responsibly and productively, and excessive personal Internet browsing, including social media use, is not permitted
  • We reserve the right to monitor how staff use company-owned property, including computers and networking equipment, and employees should be mindful that any and all web browsing they do on the company’s premises may be monitored

Social media posts about Tuxis

  • Staff are forbidden from using social networks to post or display comments about co-workers, supervisors or Tuxis that are vulgar, obscene, threatening, harassing, or a violation of our policies on discrimination or harassment
  • Staff may not use social networks to disclose any confidential or proprietary information about Tuxis or its employees, customers or business partners
  • When appropriate, employees should disclose their relationship with Tuxis in their online posts and refrain from speaking on behalf of Tuxis when not authorised to do so
  • Staff should keep in mind that they are personally responsible for what they post online and be mindful that what they say will be available publicly for a long period of time
  • Social media use is subject to the same workplace policies staff must follow in other situations, including but not limited to our policies regarding harassment, discrimination, defamation, confidentiality, non-competition and general Internet use

Monitoring and logging

Monitoring takes place on availability, capacity and integrity (error messages). For these parameters, threshold values are determined per system / component that must be met. If such a threshold is exceeded, a notification is sent to the responsible parties/administrators concerned. All notifications are logged and followed up.

Logging

When performing monitoring, logging of information is necessary. This includes securing the logs (authorisation, securing against intrusion or forgery, availability), clock synchronisation so that they match the correct time (also between logs of other systems) and logging of administrators and the management tasks performed.

Logging is stored in system files that can only be accessed by the source applications or administrators/root users. Users have no direct write rights to the log files.

Log files are maintained with a rotation schedule of preferably 30 days. In case of (suspected) incidents, all relevant log files should be kept separately to prevent loss of information/evidence.

Monitoring

In general we monitor systems for peak values of CPU, Memory and storage. In addition, we monitor whether critical services are running. A service is considered critical when normal functioning of the system is not possible without it. Not all monitored values trigger an alarm. That is only done for critical errors.

Critical monitoring

The values below are indications. The engineer that sets up the monitoring will use his expertise to set sensible values.

| Type | Critical value |
|---|---|
| Memory | Swap full |
| Disk | Max 90% filled |
| Critical services | Not running |
| Reachability | Not reachable |

Technical Vulnerability Management Policy

We prevent the exploitation of technical vulnerabilities by:

  • Seeking to obtain timely information on the vulnerabilities of our information systems.
  • Evaluating our exposure to such vulnerabilities.
  • Taking appropriate and timely measures to address the associated risk.

The steps we take to manage technical vulnerabilities are as follows:

  1. The IT-manager is responsible for arranging technical vulnerability management. The IT Servicedesk is responsible for vulnerability monitoring, vulnerability risk assessment, patching, updating information resources and asset tracking.
  2. Information resources that are to be used to identify relevant technical vulnerabilities and to maintain awareness about them have been identified based on the Asset Inventory.
  3. These information resources are regularly updated based on changes in the inventory, or when other new or useful resources are found.
  4. The vulnerability is recorded according to the applicable work instructions.
  5. We aim to react to notifications of potentially relevant technical vulnerabilities within 12 hours.
  6. Once a potential technical vulnerability has been identified, we identify the associated risks and determine the actions to be taken.
  7. Systems at high risk are addressed first.
  8. Depending on how urgently a technical vulnerability needs to be addressed, the action taken is carried out according to either the controls related to change management, or by following our information security incident response procedure.
  9. If a patch is available, the risks associated with installing the patch are assessed compared to the risk posed by the vulnerability.
  10. Patches are tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated.
  11. If no patch is available, other controls are considered, including:
    • adapting or adding access controls, e.g. firewalls, at network borders
    • increased monitoring to detect or prevent actual attacks
    • raising awareness of the vulnerability
    • turning off services or capabilities related to the vulnerability

A record is made of all actions undertaken. This technical vulnerability management process is regularly monitored and evaluated in order to ensure its effectiveness and efficiency.

Threat Intelligence Information Collection Policy

This chapter establishes the administrative and practical actions to be taken to stay up to date on all CVEs relevant to Tuxis infrastructure.

Schedule

Once a week on Thursdays, all information sources from the Threat Intelligence nieuwsbronnen are reviewed and checked for relevant CVEs.

Relevant CVEs are:

  • CVEs that apply to software packages we use in our infrastructure.
  • CVEs that would cause damage to systems if they were abused.

If this review determines that a CVE is severe enough to warrant attention, the Technical Vulnerability Management Policy is followed.

Clock synchronization

The clocks of all relevant information processing systems within the scope of this ISMS are synchronized to a single, dependable, reference time source via NTP. We use our own NTP servers as the source (ntp1, ntp2 and ntp3.tuxis.nl).

Configuration Management Policy and Change management

The purpose of this policy is to establish guidelines for managing configuration data across different environments. This policy applies to all development, testing, staging, and production environments within our organization.

Versioning and storage

Configurations of hardware and, when possible, software are stored in a Git repository. Access to this system is implemented according to our Access Control Policy.

Key Principles

Proper configuration management ensures consistency, security, and efficient deployment of applications and services.

Version Control with Git:

  • All configuration files must be stored in Git repositories.
  • Each environment (e.g., development, QA, production) should have a corresponding Git branch.
  • Changes to configuration files must be tracked using Git commits.

Separation of Secrets:

  • Sensitive information (such as API keys, passwords, and tokens) should not be stored directly in configuration files.
  • Use environment variables or secret management tools to handle secrets securely.

Immutable Infrastructure:

  • Configuration data should be treated as code.
  • Avoid making manual changes to configuration files on production servers. Instead, update the Git repository and redeploy the application.

Documentation:

  • Maintain clear and concise documentation for each configuration parameter.
  • Document the purpose, expected values, and any dependencies.
  • Store documentation alongside the configuration files in the Git repository.

Testing and Validation:

  • In case of applications: Validate configuration changes in a staging environment before deploying to production.
  • In case of configurations: Use the four eyes principle as enforced in a production environment.

Audit Trail:

  • Keep track of configuration changes using Git commit history.
  • Include meaningful commit messages to describe the purpose of each change.

Initial configuration of servers and devices

Install servers purely with the necessary services. For this, use GIT and Ansible so that forced settings are applied during installation. Use the principle: Not unless. Ports should only be open when strictly necessary. Install services only when strictly necessary.

Appliances and workstations are configured according to the supplier’s best practice and according to the relevant policies in this document. Remember password policies and security principles.

Workflow for script development

For configuring servers, use Ansible scripts. Maintain those scripts in our Git in the following way:

Development Workflow:

  • Developers create or modify configuration files locally.
  • Changes are committed to the appropriate Git branch (e.g., dev).
  • Regularly pull updates from the main branch (e.g., main).

Deployment Workflow:

  • Deployments to different environments (e.g., QA, production) are triggered by Git commits.
  • Changes are committed to the appropriate acceptance Git branch.
  • Changes are checked by an engineer other than the one who made the commit.
  • Changes are committed to the appropriate production Git branch.
  • CI/CD pipelines automate configuration deployment where practical.

Rollback and Recovery:

  • In case of misconfigurations or issues, roll back to a known good state using Git history.

Information security in project management

This project management method should be used in the following cases:

  • When work is performed on assets marked as critical infrastructure, it should be made into a project unless it involves regular maintenance or modifications that, in the opinion of an Engineer, can be carried out with the 4-eye principle
  • When a new product or service is developed
  • Moving critical IT infrastructure to another location

A project consists of several steps:

Create a project document with the following subjects:

  1. Goal.
  2. Roles and Responsibilities: Who is responsible, who does what task.
  3. If there is documentation, mention what documentation you used (might be the manual or internal documentation).
  4. Planning.
  5. Information Security Risk Assessment. Use the table below as an example. A score of 7 or higher needs to be addressed with management.
  6. Inform customers if downtime might be suspected.

After completion of the project do the following:

  1. Monitoring: Check if everything is working as intended.
  2. Were there incidents? If so, create an incident report.
  3. Review: Could things be done differently? Is documentation available and correct?

| Risk ID | Risk Description | Explanation | Impact (1-5) | Likelihood (1-5) | Risk Level (Impact + Likelihood) | Mitigation Strategy | Owner | Status |
|---|---|---|---|---|---|---|---|---|
| R1 | Data breach due to unauthorized access | Is there a risk of a data breach during project implementation? | | | | | | |
| R2 | Project delays due to resource unavailability | Do we have enough manpower? | | | | | | |
| R3 | Non-compliance with regulatory requirements | Is there a moment of non-compliance during the project? | | | | | | |
| R4 | Technology failure impacting project delivery | Is there equipment that might fail? | | | | | | |
| R5 | Stakeholder disengagement | Can stakeholders delay or block the project? | | | | | | |
| R6 | Inadequate training for project team | Is every member of the team trained for their tasks? | | | | | | |
| R7 | Possible force majeure that could jeopardise the project | Could equipment, weather, transportation or any other asset hinder the completion of the project? | | | | | | |

How to Use the Table:

  • Risk ID: A unique identifier for each risk.
  • Risk Description: A brief description of the risk.
  • Explanation: How to interpret the risk.
  • Impact (1-5): A rating of the potential impact of the risk on the project (1 = low, 5 = high).
  • Likelihood (1-5): A rating of the likelihood of the risk occurring (1 = unlikely, 5 = very likely).
  • Risk Level: Calculated as Impact + Likelihood to prioritize risks.
  • Mitigation Strategy: Actions to reduce the likelihood or impact of the risk.
  • Owner: The person or team responsible for managing the risk.
  • Status: Current status of the risk (e.g., Open, Mitigated, Closed).

Asset Management Policy

An asset is anything that has value to the interested parties, such as data, software, hardware, and physical property. Assets can be tangible or intangible and can include things like databases, servers, intellectual property, and customer information.

Inventory of Assets

Important assets associated with information and information processing facilities are identified and listed in the Classification and Risk Analysis of Assets, which is maintained by the ISMS Manager.

Such assets include:

  • information: databases and data files, contracts and agreements, system documentation, research information, user manuals, training material, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archived information – electronic, paper and other media
  • software assets: application software, system software, development tools, and utilities
  • physical assets: computer equipment, communications equipment, removable media, and other equipment
  • services: computing and communications services, outsourced and online services, general utilities, e.g. heating, lighting, power, and air-conditioning
  • people: including their qualifications, knowledge, skills, and experience

Ownership of Assets

Asset owner

Our Classification and Risk Analysis of Assets defines who is responsible for assets related to the infrastructure. The Workstation Use Policy and User Endpoint Devices Policy describe how employees should handle their equipment.

Return of assets

All employees and other users of listed assets are required to return those assets upon termination of their employment, contract or agreement, and:

  • In cases where an employee or other party purchases a listed asset, we ensure that all relevant information is transferred to ourselves and securely erased from the equipment, prior to purchase.
  • In cases where an employee or other party under our control uses their own equipment we ensure that all relevant information is transferred to ourselves and securely erased from said equipment.
  • In cases where an employee or other party under our control has knowledge that is important to ongoing operations, that information is documented and transferred to ourselves.

Classification of Information

To ensure that information receives an appropriate level of protection in accordance with its importance, information is classified by Role.

The purpose of the ISMS is to protect information. However, information must also be able to be used. And so this involves the level of access, or sharing, of information.

At Tuxis, information storage can be divided into 2 types.

  1. Information placed by customers in Tuxis’ services.
    Of such information, we do not know the protection level. The level very high is used for this purpose.
  2. Information used by Tuxis for its business operations.
    In this respect, information is determined by the rights a person has. So whether a person can see a document is determined in the access matrix.

The levels below determine the extent to which something may be shared:

  • Very High: Only sharing with people with equal functions within the organisation
  • High: Only sharing within the department
  • Medium: Sharing with Tuxis employees
  • Low: Sharing with trusted external parties
  • Very Low: Public sharing

The table below determines confidentiality:

| Role | Confidentiality |
|---|---|
| NOC | Very High |
| Engineer | High |
| Support | High – Very Low |
| Sales | Medium – Very Low |
| Administration | High – Low |
| Purchase | High – Low |
| HR | Very High |
| Management | Very High |

Labeling of Assets

We label assets under the following rules and guidelines:

| Asset type | Labeling | Registration |
|---|---|---|
| Storage hardware | A label is mandatory. The vendor label (serial number) may be used. | Netbox |
| Confidential information | We only label information with a confidentiality of Medium or higher, when exporting from the original place, location, or storage, to an external party. | On information in physical or digital form |

Handling of Assets

Hardware Handling

Hardware can contain data and information. This can be stored on media like disks, but also on non-removable WORM and RAM chips. With the following procedures we prevent unauthorized disclosure, modification, removal or destruction of information stored on hardware. Therefore, an engineer must check if the hardware is capable of storing information. If so, treat the hardware as Media.

Media Handling

We prevent the unauthorized disclosure, modification, removal or destruction of information stored on media as set out below.

Management of removable media

Removable media are managed in accordance with our information classification scheme.

Management of removable media includes:

  • Where re-usable media is no longer required, the contents are made unrecoverable.
  • Authorization is required, where necessary and practicable, for media to be removed from our control, and such removal is recorded.
  • All media are stored in a safe, secure environment, in accordance with manufacturers’ specifications.
  • Information stored on media, that needs to be available longer than the expected lifetime of the media, is also stored in such a way as to avoid information loss due to media deterioration.
  • Removable media is registered to limit the possibility of data loss.

Disposal of media

Media is disposed of securely and safely when no longer required, according to the following arrangements:

  • Items that might require secure disposal are identified.
  • Media containing sensitive information are stored and disposed of securely and safely, e.g. by incineration or shredding, or the data is thoroughly erased before use by another application.
  • All media items are collected and disposed of securely, rather than attempting to separate out sensitive and non-sensitive items.
  • When accumulating media for disposal, due consideration is given to the aggregation effect, which may cause a large quantity of non-sensitive information to become sensitive.
  • Care is taken to select suitable media disposal contractors who have adequate controls and experience.
  • Disposal of sensitive items is logged, where practicable, in order to maintain an audit trail.

Physical media transfer

As a rule, when we need to ship media that contains information, the customer sends us a courier. Media containing information needs to be protected against unauthorized access, misuse or corruption during transportation beyond our physical boundaries, according to the following arrangements:

  • Courier / Transporter identification is checked before media is released to them.
  • Adequate packaging is applied to protect the contents from any physical damage likely to arise during transit and in accordance with any manufacturers’ specifications.
  • Controls are adopted, where necessary, to protect sensitive information from unauthorized disclosure or modification, including:
    • The use of locked/sealed containers.
    • Delivery by hand.
    • The use of tamper-evident packaging (which reveals any attempt to gain access).

Control of Outsourced Processes

An “outsourced process” is a process that is required by Tuxis, but which Tuxis chooses to have performed by an external party. We ensure that outsourced processes that may pose a threat to the information security of our business are properly identified and controlled.

Policy

When a proposal is made to outsource a new process, which may have implications for information security, the responsible manager informs the ISMS Manager and discusses the need for any information security related controls.

  • The ISMS Manager determines if the proposed outsourcing poses any threat to information security and, where a threat is identified, an agreement is reached between the responsible manager and the ISMS Manager on the controls to be implemented.
  • The ISMS Manager ensures that the new agreement is recorded.
  • The responsible manager ensures that the agreed controls are implemented and maintained.

Note that the need for placing information security controls on an outsourced process, may also be identified during internal / external audits.

Procurement Criteria

When a supplier processes information for Tuxis, the supplier must meet our procurement criteria. It’s essential to ensure that the criteria align with Tuxis’s information security management system (ISMS) and support the overall objectives of maintaining confidentiality, integrity, and availability of information.

Here are some key procurement criteria to consider:

  1. Compliance with Information Security Standards: Ensure that suppliers comply with relevant information security standards, including ISO 27001 or equivalent frameworks.
  2. Security Policies and Procedures: Evaluate the supplier’s information security policies and procedures to ensure they are robust and align with your organization’s requirements.
  3. Risk Management Practices: Assess the supplier’s risk management practices, including how they identify, assess, and mitigate information security risks.
  4. Data Protection Measures: Verify that the supplier has appropriate data protection measures in place, including encryption, access controls, and data handling procedures.
  5. Audit and Compliance History: Review the supplier’s history of audits, compliance with regulations, and any past security incidents or breaches.
  6. Service Level Agreements (SLAs): Ensure that SLAs include specific information security requirements, such as response times for security incidents and data breach notifications.
  7. Business Continuity and Disaster Recovery: Evaluate the supplier’s business continuity and disaster recovery plans to ensure they can maintain operations during disruptions.
  8. Physical and Environmental Security: Assess the physical security measures in place at the supplier’s facilities, including access controls and environmental protections.
  9. Technical Security Controls: Review the technical security controls implemented by the supplier, such as firewalls, intrusion detection systems, and vulnerability management processes.
  10. Confidentiality Agreements: Ensure that confidentiality agreements are in place to protect sensitive information shared with the supplier.
  11. Performance Monitoring and Review: Establish criteria for ongoing performance monitoring and regular reviews of the supplier’s information security practices.
  12. Termination and Data Return/Destruction: Define criteria for the secure return or destruction of data upon termination of the contract.

If a supplier does not meet reasonable criteria, ask Senior Management to make a decision about it. This can be done by assessing the risks in view of information security policies.

Environmental Policy

This chapter sets out Tuxis’s arrangements to:

  • Maximize use of energy sources.
  • Incorporate energy-efficient technologies.
  • Promote employee sustainability practices.
  • Prioritize suppliers that share our commitment.

When selecting solutions, hardware and suppliers, Tuxis will look if a lower environmental impact is possible and if the alternative is reasonable.

We are committed to minimizing our environmental impact and promoting sustainability in all aspects of our operations. We recognize the importance of protecting the environment for future generations and strive to be responsible stewards of our resources. To achieve this, we have established this environmental policy.

In the workplace

Energy Efficiency

  • Turn off lights, computers, and other electronic devices when not in use to conserve energy.
  • Utilize natural light and ventilation whenever possible to reduce reliance on artificial lighting and air conditioning.

Waste Reduction and Recycling

  • Reduce paper usage by opting for digital communication and documentation whenever feasible.
  • Sort and recycle waste materials according to the designated recycling bins provided in the workplace.
  • Minimize single-use plastics by using reusable containers and utensils for meals and beverages.

Sustainable Practices

  • Choose environmentally friendly products and suppliers that prioritize sustainability in their operations.
  • Support local and organic food options for company events and meetings to reduce the carbon footprint associated with food transportation.

Transportation

  • Use public transportation, carpooling, biking, or walking for commuting to reduce greenhouse gas emissions.
  • Use telecommuting and virtual meetings to minimize the need for travel whenever possible.

Infrastructure guidelines

Tuxis uses relatively large amounts of hardware and data centres. Environmentally friendly choices should be made when picking hardware and data centres. These chapters provide the directives.

Selecting hardware

In a datacenter, the footprint of power usage is much bigger than the footprint of production. When selecting hardware, the following should be considered:

  • Aim to optimize your equipment selection based on your specific needs, such as processing power, speed, storage capacity, and scalability.
  • Choose equipment that is energy-efficient and has high Energy Star ratings to minimize power consumption and reduce carbon footprint.
  • Look for equipment from manufacturers that use renewable energy sources in their production processes and operations.
  • Prioritize equipment that is designed for easy parts replacement, disassembly and recycling at the end of its lifecycle to reduce electronic waste.
  • Opt for equipment made from sustainable and environmentally friendly materials to minimize environmental impact.
  • Consider the overall carbon footprint of the equipment, including manufacturing, transportation, and usage, to select options with the lowest environmental impact.

Selecting a datacenter

When selecting an environmentally friendly data center, there are several key factors to consider to ensure it aligns with your sustainability goals. Here are some important considerations:

  • Choose a data center that prioritizes energy efficiency through measures such as efficient cooling systems, server virtualization, and renewable energy sources.
  • Look for data centers that have certifications like LEED (Leadership in Energy and Environmental Design) or ISO 14001, which demonstrate their commitment to environmental sustainability.
  • Opt for data centers that use renewable energy sources such as solar, wind, or hydroelectric power to minimize carbon emissions.
  • Evaluate the data center’s cooling systems to ensure they are energy-efficient and utilize innovative technologies to reduce energy consumption.
  • Choose a data center located in a region with access to clean energy sources and a favorable climate for natural cooling to reduce energy usage.
  • Look for data centers that offset their carbon emissions through initiatives like tree planting or purchasing carbon credits to achieve carbon neutrality.

Documentation Procedure

Document Creation

  • Internal controlled documents are only to be created by those with good knowledge of the subject matter.
  • All internal controlled documents share a single electronic format and documents of a similar type are consistently formatted.
  • All controlled internal documents are subject to review and approval.
  • The management system manual, and any changes to it, are subject to approval by the most senior manager with direct responsibility for its contents.
  • All other management system documents are reviewed and approved by a senior manager who, wherever practicable, is not the author but is knowledgeable regarding the subject matter.
  • The reviewer indicates approval of the document via GIT.

Document Distribution

All internal controlled documents are made available to all staff via Git and should be protected against editing for those who are not authorised to do so.

All staff who require access to controlled documents to properly undertake their roles are trained in their access and use.

Uncontrolled copies of documents are not issued to staff or outside parties who manage, perform, or verify work that is directly affected by the document.

Documents accessible for third parties are read-only and should be protected against editing for those who are not authorised to do so.

Periodic Re-evaluation of Documents

The Document Controller ensures that:

  • Details of all controlled documents are automatically tracked by Git.
  • All controlled documents are re-evaluated by a subject matter expert at least every three years and updated as required.
  • The Document Controller identifies when controlled documents are due for re-evaluation.
  • Where a controlled document is determined to require updating, the changes are made, and a revised version issued, according to the procedure set out below.

Document Revisions

  • Staff may request a change to a controlled document via a commit request in Git.
  • Each controlled document contains a revision history in Git.
  • Commits are reviewed for approval by those authorised to change controlled documents.
  • Commits must have a commit message with short description of changes and reason.
  • Re-evaluation, inspection (where applicable) and internal auditing will be used to confirm the effectiveness of revisions.
  • The request for a process change is documented, including its justification, typically using a commit request with a motivation via Git.
  • The change is reviewed and approved by the responsible managers, including the ‘process owner’.
  • The appropriate document defining the process is updated to reflect the change and reviewed and approved in accordance with this procedure.
  • Following implementation, it is verified, in accordance with the CPAR system, that the change has had the intended effect unless it is a minor change.

Revisions to Documents Requiring Regulatory or Customer Approval

Any changes to documents that require customer or regulatory review and / or approval are not released until such approval has been obtained in writing by e-mail or letter.

Controlling Third-Party Documents

External documents which are referenced in a customer purchase order or contract, such as standards or third party specifications, may be maintained without control:

  • Where the customer has indicated a document version number that version is used
  • Where the customer has not provided a version number, the most recently available version is used

External documents necessary for the planning and operation of the management system, such as standards, regulatory guidance or third party are to be controlled.

Obsolete Documents

Obsolete controlled documents are clearly marked in the title with a word like obsolete, ignore or invalid and closed.

Forms

All forms are controlled wherever they impact on the outcomes of our activities or management systems or where they are used to create controlled records.

However, where this is not the case, managers and supervisors may create and approve local “forms”, for use in their area of control. Such local “forms” do not require an approval signature nor a revision history table.

Forms should be filled out online. When this is not possible, they are printed directly from the source.

Incident Response Procedure

In this chapter, we ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. The following procedure, and associated responsibilities, have been established to ensure a fast, effective, and orderly response to information security incidents.

What is an incident?

Examples of information security events include:

  • loss of data, equipment or facilities
  • system malfunctions or overloads
  • human errors
  • non-compliance with policies or guidelines
  • breaches of physical security arrangements
  • uncontrolled system changes
  • malfunctions of software or hardware
  • anomalous system events
  • access violations

We require all malfunctions and anomalous system events to be reported as an information security event, as they may be an indicator of a security attack or actual security breach.

When an information security event is reported, the ISMS Manager, Management or SO assesses the event to see if it should be classified as an incident and, where necessary, takes immediate remedial actions to alleviate the threat.

Incident management instructions

We have developed and documented specific incident management instructions in our Calamiteiten plan for the analysis and identification of causes, and their containment, for the following classes of incident:

  • Information system failures and loss of service
  • Malicious code
  • Denial of service
  • Errors resulting from incomplete or inaccurate business data
  • Breaches of confidentiality and integrity
  • Misuse of information systems

Collection of evidence

The Engineers of the Engineering Department are skilled in the identification, collection, acquisition and preservation of information, which can serve as evidence.

When an incident that may require the preservation of evidence is reported to the ISMS Manager, the ISMS Manager takes control as first responder and:

  • Briefly describes the incident to the Engineer, takes any initial advice, and requests that they attend the scene
  • Enforces the following good practice principles to help ensure that the evidence is protected so that it would remain admissible in court:
    • don’t change any data
    • don’t access the original data
    • keep a detailed audit trail of what has been done

When an Engineer from the Engineering Department arrives, they take control, and we act in accordance with their instructions.

The ISMS Manager works jointly with the concerned staff to plan and take the necessary corrective actions to prevent recurrence of the same / similar threats.

Recovery

Actions to recover from security breaches and system failures are carefully and formally controlled as follows:

  • Only clearly identified and authorised staff are allowed access to live systems and data
  • Do not attempt to prove suspected security weaknesses if that could result in data loss or service interruptions.
  • All emergency actions taken are documented in detail
  • Emergency action is reported to management and reviewed in an orderly manner
  • The integrity of business systems and controls is confirmed with minimum delay

The ISMS Manager records details of the incident in the Incident board in our ISMS.

Learning from information security incidents

The ISMS Manager monitors and analyses the types, volumes, and costs of information security incidents to help reduce the likelihood or impact of future incidents. Where this monitoring and analysis identifies an adverse trend, the ISMS Manager reports this to the information security management review to agree suitable corrective / preventative action.

Calamity Response Procedure

There are different types of calamities. That is why we have different steps due to the different nature of these calamities. If a calamity occurs, an incident must be created. The practical steps for responding are written down in a document. Engineers should follow the steps in that document.

System failure

When a system failure is detected, the engineer on duty will determine if the failure should be handled as a calamity or an incident. Confirm the nature and extent of the failure to the Management team as soon as it is discovered.

The Management team will appoint a person to lead the investigation. This person will make sure the following steps are taken:

  • Evaluate the impact of the system failure on the organisation and operations.
  • Determine which systems are affected and which processes are affected.
  • Document all findings and decisions.

Containment

  • Take immediate measures to prevent further damage, such as making sure data loss is prevented.
  • Communicate with affected teams to inform them of the situation and instruct them on temporary measures.

Recovery

  • Perform recovery procedures to restore systems to operational status, such as restarting servers or restoring data from backups.
  • Ensure that all necessary resources are available to support the recovery process.

Communication

  • Inform internal and external stakeholders, including customers, partners and regulators, as appropriate.
  • Follow legal requirements for data breach reporting, such as the EU General Data Protection Regulation (GDPR).

Responsibility

The ISMS Manager is responsible for evaluation and improvement and will take the following steps:

  • Conduct a post-incident evaluation to learn from the system failure.
  • Document what went well and what can be improved in the incident response procedure.
  • Update the incident response plan and infrastructure based on lessons learned, and consider improvements in redundancy and backup systems.

Data breach

When a data breach is detected, confirm the nature and extent of the data breach to the Management team as soon as it is discovered.

The Management team will appoint a person to lead the investigation. This person will make sure the following steps are taken:

  • Evaluate the impact of the data breach on the organisation and data subjects.
  • Determine what data was leaked and who was affected.
  • Document all findings and decisions.

Containment

  • Take immediate measures to prevent further damage, such as isolating affected systems.
  • Restrict access to sensitive data and systems until the problem is resolved.

Removal

  • Identify and remove the cause of the data breach.
  • Conduct a thorough analysis to understand how the data breach occurred and which vulnerabilities need to be addressed.

Recovery

  • Restore systems and data to a secure state.
  • Ensure that all security measures have been restored and enhanced to prevent future data breaches.

Communication

  • Inform internal and external stakeholders, including customers, partners and regulators, as appropriate.
  • Follow legal requirements for data breach reporting, such as the EU General Data Protection Regulation (GDPR).

Responsibility

The ISMS Manager is responsible for evaluation and improvement and will take the following steps:

  • Conduct a post-incident evaluation to learn from the data breach.
  • Document what went well and what can be improved in the incident response procedure.
  • Update the incident response plan and security measures based on lessons learned.

Procedure for legal GDPR requests

This procedure outlines the steps to be followed when receiving legal requests under the GDPR, ensuring that all requests are handled consistently and in compliance with applicable regulations.

Step 1: Receipt of the Request

  • Identification: Receive the legal request, which may come via email, postal mail, or in person.
  • Documentation: Record the date of receipt and the details of the request in the processing register.

Step 2: Acknowledgment of Receipt

  • Acknowledgment: Send an acknowledgment of receipt to the requester within 5 working days.
  • Reference Number: Assign a unique reference number to the request for tracking purposes.

Step 3: Assessment of the Request

  • Evaluation: Assess whether the request meets the requirements of the GDPR and whether the requester is entitled to submit the request.
  • Additional Information: If necessary, request additional information to verify the identity of the requester.

Step 4: Data Collection

  • Data Gathering: Collect the relevant personal data pertaining to the request.
  • Security: Ensure that the collected data is securely stored and accessible only to authorized personnel.

Step 5: Communication with the Requester

  • Decision: Communicate the decision regarding the request within the statutory timeframe of [number] days.
  • Information: Provide information about the action taken (e.g., access to data, rectification, erasure) and, if applicable, the reasons for any denial.

Step 6: Documentation and Reporting

  • Documentation: Document the request, the actions taken, and the communication with the requester.
  • Reporting: Ensure that a report is made to the Data Protection Officer or the responsible department regarding the request and its handling.

Disciplinary procedure information security breaches

Scope.

This procedure describes the steps to be taken by Tuxis in the event of an information security breach.

Responsibilities.

The HR Manager is responsible for all aspects of the implementation and management of these arrangements, unless otherwise stated.

Managers and supervisors are responsible for implementing these arrangements within the scope of their responsibilities and must ensure that all employees under their control understand their responsibilities and carry them out accordingly.

Steps

Investigate:

  • Conduct a thorough investigation into the violation.
  • Collect evidence, interview relevant parties and assess the seriousness of the incident.

Communication:

  • Provide a written communication to the employee or contractor, clearly setting out the violation and the allegations against him or her.
  • Transparency is essential.

Disciplinary conversation:

  • Organise a disciplinary conversation in which the employee or contractor can tell his or her side of the story.
  • This allows an honest assessment of the situation.

Decision

When making a decision, the manager is bound by the Disciplinary procedure for information security breaches.

  • The decision should take into account factors such as the nature of the offence, its impact and whether it is a first offence.
  • Based on the investigation and hearing, make a disciplinary decision.
  • This can range from a verbal warning to more severe measures, depending on the severity of the offence.

Objection

Employees have the right to object to the suspicions and steps named in this procedure. They can report this in writing to the management or ultimately to the court. The employee's objection is also recorded in the personnel file, and the management is expected to respond substantively within 10 working days.
