ISMS Acceptable Use Policy

Table of Contents

1. Purpose, Scope, and User
2. Definitions
3. General
4. Confidentiality and Privacy
5. Equipment
6. Mobile Devices, Remote Working, and Bring Your Own Device (BYOD)
7. Data Storage
8. Copyright
9. Monitoring the Use of Information and Communication Systems
10. Incidents
11. Training and Awareness
12. Meta Information

1. Purpose, Scope, and User

This document sets out clear rules for the use of VSHN’s information systems and other information assets. It aims to prevent unauthorized access to mobile devices, both inside and outside VSHN premises. It also explains how VSHN maintains control over the organization’s information when it’s accessed through devices that do not belong to the organization.

These rules apply to the entire scope of the Information Security Management System (ISMS), covering all people, data, and assets within the ISMS scope. That includes any devices that can store, send, or process sensitive data. The policy also covers the use of personal devices, known as BYOD (Bring Your Own Device).

This policy is legally binding for all employees of VSHN AG. It must be acknowledged upon signing the employment contract.

2. Definitions

Bring Your Own Device (BYOD): BYOD refers to personal devices like laptops or mobile phones, that synchronize business data locally (for example, data from file servers, email, calendar, etc.). A computer that serves exclusively as a host for a virtual machine for business purposes is also considered BYOD. Additionally, personal devices that store private SSH/GPG keys for a VSHN account or have a VPN connection to the VSHN infrastructure are considered BYOD.
Not considered BYOD are devices used for two-factor authentication (2FA) such as YubiKeys, or other FIDO2 security keys. Storing your GPG or SSH key on such a security key is not covered by the BYOD policy either.
Information Assets: For the purposes of this policy, the term information assets is applied to information systems and other information/resources, including paper documents, mobile phones, portable computers, storage devices, etc.
Information System: Includes all servers and workstations, network infrastructure, system programs and applications, data, and other computer subsystems and components owned by, used by, or under the organization’s responsibility. The use of any information system also includes usage of all internal or external services such as Internet access, email, etc.
Mobile Device: VSHN treats all provided computers and storage as mobile devices. This includes, in particular, all types of computers, mobile phones, smartphones, memory cards and other portable devices used for the storage, processing and transmission of data. This does not include fixed devices such as monitors, docking stations, etc. No approval is required for the removal of a mobile device from the organization’s site.
Remote Working: According to ISO/IEC 27002:2022 "remote working occurs whenever personnel of the organization work from a location outside of the organization’s premises, accessing information whether in hard-copy or electronically via ICT equipment."

3. General

3.1. Acceptable Use

Information assets provided by the company are to be used primarily for business purposes to perform tasks for the organization. Personal use outside working hours is permitted with restrictions according to the point Forbidden Activities below.

3.2. Forbidden Activities

Use of the infrastructure in a manner that unnecessarily uses capacity, degrades the performance of the information system, or poses security risks is not permitted.

It is also forbidden to…

use the business email address for personal correspondence.
use external devices for storing and reading business data (for example USB Flash Drives) without the explicit approval of the CISO; use in compliance with the Information Classification Policy is permitted.

3.3. Responsibility for Assets

Each information asset held by VSHN is assigned an owner in the inventory of assets. The asset owner is responsible for the confidentiality, integrity, and availability of the information in that asset.

4. Confidentiality and Privacy

4.1. Confidentiality Levels

According to the Information Classification Policy, information is categorized into the following confidentiality levels:

Level "Public" / "Öffentlich": not marked
Level "Authorized" / "Berechtigt": marked "INTERNAL" / "INTERN"
Level "Confidential" / "Vertraulich": marked "CONFIDENTIAL" / "VERTRAULICH"

4.2. Use of AI and Translation Services

The usage of generative AI like ChatGPT or translation services like DeepL is allowed. However, users must take utmost care to not share any sensitive data through such tools. ^[1].

Security Concerns: Users are responsible for using generative AI and translation tools only in a secure manner. They must make absolutely sure that no passwords, secrets, or other confidential or sensitive information is ever being submitted.
Privacy: Users are responsible for protecting the privacy of personal and company data when using such tools. That means ensuring to not submit information that can be used to identify yourself or others.
Intellectual property: Every VSHN employee is responsible for respecting the intellectual property rights of others when using generative AI and translation tools. They must not infringe any copyright of another party using such tools.
Accuracy: VSHN employees are responsible for how the information generated by AI and translation tools is used. The result must not be blindly accepted as correct without verification.

4.2.1. Integrated Cloud Translation Tools

Tools like LanguageTool (and any others) for integrated translation must run with a local server or a server approved by Corporate IT. ^[2]

4.2.2. Integrated AI Tools

AI Tools directly integrated in your working environment (that is your IDE) must not be used. The CISO can define exceptions. ^[3]

4.3. Clear Desk and Clear Screen

Any information classified as "Authorized" and "Confidential" under the Information Classification Policy is considered sensitive information in this section.

4.3.1. Clear Desk Policy

If a VSHN employee is not at their desk, all paper documents and data carriers marked as sensitive must be removed from the desk and other locations (printer, copier, etc.) to prevent unauthorized access.

Such documents and media must be stored securely in accordance with the Information Classification Policy.

4.3.2. Clear Screen Policy

If the user is not at their workstation, sensitive information must not be displayed on the screen.

To ensure this, all users must lock their screen immediately when leaving their work desk.

4.3.3. Physical Security

All employees must adhere to the ISMS Physical Security Policy. Particularly:

Regularly check your peripheral devices such as keyboards to ensure they are not manipulated and no keyloggers are attached. ^[4]
Make sure guests are accompanied and aren’t left alone in the office.

4.3.4. Protection of Physical Documents

Documents containing sensitive information must be removed from printers and copiers immediately.

4.3.5. Postal Mail

Incoming

Incoming mail is to be received solely by authorized personnel from Office Management.
Identification of personal mail:
- Mail marked as "Personal" or "Confidential" or with the employee’s name above the company name is considered private.
- Personal mail items are not opened; the intended recipient is notified.
The recipient is informed about the arrival of their personal mail and the consignment is put into their inbox in the office.

Outgoing

Employees are responsible for outgoing mail themselves.
Office Management carries a supply of stamps.

4.4. Work from Outside Switzerland

Because of the Swiss Data Protection Law by default employees are only allowed to work from Switzerland, Canada, or European Economic Area. Exception from that rule must be discussed with ISMS work group before working abroad as customers must be informed if their data is processed outside that defined countries. ^[5]

Some customers must not be served from outside Switzerland. Employees working outside Switzerland must ensure that they do not connect to such services and servers. See the wiki page Definition of "Leistungserbringung" for further information.

Employees who work remotely outside Switzerland (except VSHN Canada) must follow the policy Working abroad (out of Switzerland) which includes legal obligations.

4.5. Authorizations for the Use of Information Systems

Users may only use the information system for the purposes for which they are authorized.

Users must not perform any activities that could be used to circumvent the security measures of the information system.

Certain employees (including members of the board, management, and some engineers) have admin access rights for operational reasons. Examples of this include tasks such as maintenance or granting access rights. In theory, these employees could use such rights to grant themselves additional permissions or to log in with a shared admin user account, thereby potentially viewing, modifying, or copying data they are not authorized for. Such confidential information includes for example information from the People Ops/HR area on VSHN systems, as well as any sensitive customer data such as "customer identifying data (CID)" of banking customers.

Intentional access to data for which one does not have authorization is strictly prohibited and will be internally investigated in every instance. Such cases typically lead to immediate termination of the employment contract and the filing of a criminal complaint.

4.6. User Account Responsibilities

The user may not, either directly or indirectly, allow other persons to use their credentials (user name/password, ssh keys, etc.), nor may they use any of the credentials of another person.

The use of shared user names is to be avoided whenever possible.

The user of a user account is its owner, responsible for both the use of the user account and all actions conducted with it.

4.7. Passwords

Users must follow these best practices concerning security when selecting and using passwords:

Passwords may not be disclosed to other persons.
Passwords must not be written down in plain text.
Each user may only use the credentials assigned to them individually.
Personal passwords must be stored using a password manager. See Password Managers for a list of recommended password manager.
Personal passwords created by the user may not be passed on in any way (verbally, in writing or electronic form, etc.).
Passwords must be changed if there is any indication that the passwords or system may have been compromised - in which case a security incident must be reported.
Secure passwords can either be chosen by the user or generated:
- Requirement for a self-selected password:
  - Length of at least 12 characters. If the User has elevated rights at least 18 characters.
  - At least three out of the following four groups of characters must be represented: digits, upper case letters, lower case letters, special characters.
  - Passwords must not contain any personal data (for example date of birth, address, names of family members, etc.).
- Generated passwords:
  - Passwords can be generated using the methods provided in Generate a Password.
Personal passwords that protect publicly available services should be changed every 12 months. The last three passwords must not be reused.
The CISO may order passwords to be changed at any time.
Passwords not set by the user must be changed the first time the user logs on to a system.
Passwords used for private purposes must not be used for business purposes and vice versa.

4.8. Email and Other Methods for Exchanging Messages

According to the Information Classification Policy, management determines the communication channels that may be used for each type of data. Means of communication are documented in the handbook page Communication Channels.

When sending a confidential message, the user must protect it according to the Information Classification Policy. For acceptable methods of transferring confidential messages, see "How to transfer data securely".

Decisions and important information from chat must be documented in an appropriate system because information in the chat system is meant to be short-lived. Chat accounts from former employees are deleted after 6 months and therefore chat history won’t be a reliable source of truth.

4.9. Paper and ePaper Notebooks

Paper notebooks with work notes must be secured similarly to your laptop.

ePaper notebooks must have a PIN set.

Loss or theft of a notebook must be reported to the ISMS work group.

5. Equipment

5.1. Personal Device

Each employee gets a VSHN-issued personal work device according to Personal Hardware Budget.

5.2. Warranty and Repairs

Warranty and repairs are handled through purchases according to Personal Hardware Budget.

Confidential information (for example unencrypted disks) must be removed before repair.

After maintenance, the equipment must be checked for signs of tampering before putting it back into service.

If the equipment cannot be repaired, follow the disposal and destruction policy.

5.3. Taking Assets Off-Site

If an employee takes information assets or mobile devices outside the VSHN AG premises, the employee is fully responsible for their secure storage and monitoring.

5.4. Assets Return Policy Upon Contract Termination

Upon termination of employment or any other contract, all assets, including equipment, software, or information, must be returned to VSHN.

The off-boarding process is led by people operations.

Departing employees who want to keep their device as per the Personal Hardware Budget must provide evidence that all data owned by VSHN has been removed.

5.5. Internet Usage

Internet in the VSHN office is provided primarily for work-related purposes. It isn’t specially secured and all employees have to use it responsibly. All VSHN services are in the cloud and all connections to these services are encrypted.

The office WiFi is for use by VSHN employees only. For mobile phones the guest network should be used.

The user is responsible for all possible consequences that may result from unauthorized or inappropriate use of Internet services or content.

5.6. Web Filter

Users must use content blocking for their browser, for example installing content blockers according to advice of Corporate IT to reduce the risk of being compromised by malware. ^[6]

6. Mobile Devices, Remote Working, and Bring Your Own Device (BYOD)

6.1. Basic Rules

Anyone who uses computers outside the organization’s location or who is working remotely must observe the following rules:

Computers must be supervised, locked up or secured with special locks. Storage in the employee’s own home is considered locked in. The employee must ensure that information on the device cannot be accessed by family and friends.
When using computers in public places, the user must ensure that unauthorized persons cannot read or see data. For employees who regularly work in public areas (for example on trains) the use of a screen protection film / privacy filter is recommended.
Users must keep their devices regularly updated with the latest security updates from the supplier/manufacturer.
Systems which are no longer supplied with security updates by the provider/manufacturer may no longer be used.
To ensure a secure environment, users may be required to run scripts provided by Corporate IT in order to verify security settings.
The person using the computer is responsible for regularly backing up the data.
Connections must always be encrypted. WiFi networks at users’s home offices must comply with current security requirements. When using devices in public, a hot spot provided by the user’s mobile phone or an integrated mobile broadband is to be used whenever possible. Public WiFi should only be used with caution and a VPN (see How to Create a VSHN Full VPN Tunnel in our wiki) must be used through which all traffic is routed.
Information on computers must be encrypted. For this purpose, the entire hard disk must be encrypted except for the boot partition (see also Anhang: Anleitung zur Nutzung der kryptographischen Massnahmen)
The protection of sensitive data must be implemented in accordance with the Information Classification Policy.
Protection software such as anti-virus and firewall should be used according to best practices for the operating system in use.
Installation of software should be performed according to best practices for the operating system in use. Software that is incorrectly licensed or unlicensed must not be installed.

The ISMS work group is responsible for training and awareness of individuals using mobile devices outside of the organization’s location.

6.2. Additional Regulations Regarding Private Computers (BYOD)

VSHN is automatically assigned copyright on business-related work created on personal computers. The employee waives ownership of business data on the personal computer.
The employee grants VSHN the right to obtain accompanied access to the personal computer for the purpose of security checks or for audits, etc. Such access is carried out in accordance with our DPA in section "Subcontracting, teleworking and place of processing", paragraph 6.f.
The employee is responsible for ensuring that the used software is properly licensed.
A new personal computer to be used for BYOD must be reported to and approved by the CISO before it may be used. The personal device must be uniquely identifiable with the following information:
- Manufacturer
- Model/Description
- Serial Number or IMEI for mobile phones
- Address for non-mobile devices
Changes of status (no longer used, stolen, sold, lost, etc.) of the private computer must be reported to the CISO immediately.
In the case of dual-boot systems, which can be clearly separated into personal and business, the regulation concerning encrypted hard disks only applies to the operating system used for business.

6.3. Unauthorized Use

The following is not allowed with a computer:

Giving an unauthorized person access to company data stored on it.
Storing illegal data on the device.
Installation of unlicensed or incorrectly licensed software.
Transfer of company data to other unauthorized devices.

6.4. Security Breaches

All security breaches related to mobile devices, remote working, and BYOD must be reported immediately according to the Incident Management Process.

7. Data Storage

7.1. USB Flash Drives

USB flash drives may only be used if they come from VSHN’s stock in the storage room or if they were bought from a reputable shop and are still in the original, unopened package.

USB flash drives may only be used for:

creating bootable sticks to install or run operating systems.
personal data.
business data where there is no alternative, for example quotations.

It is explicitly forbidden to use USB flash drives that came from an unverifiable origin or were given as promotional gifts.

7.2. Backup Procedure

As a matter of principle, all data must be stored in VSHN owned services (Nextcloud, Wiki, ERP, Gitlab, etc.), thereby ensuring daily backups at all times. The user is responsible for ensuring there is a backup of data that is stored locally.

Backups can be done with:

The VSHN backup system according to the instructions in the appendix in our wiki.
Other backup systems that are encrypted client-side.

Local working copies (Git repositories, Nextcloud Sync, Vagrant caches, etc.) do not require being backed up periodically.

7.3. Cloud Storage

Employees must not store data on cloud storage such as Google Drive, OneDrive, and any others. Only cloud storage approved by Corporate IT may be used.

8. Copyright

Users must not make unauthorized copies of software.

Users must not copy software or other original material from other sources without authorization and are responsible for any consequences that may arise under intellectual property laws.

9. Monitoring the Use of Information and Communication Systems

All data created, stored, sent, or received via the information system or other communication systems, as well as via various applications, email, Internet, etc. of the organization, whether of a personal nature or not, are considered the property of VSHN AG.

The user agrees that persons authorized by management may access this data and that this access is not considered a violation of their privacy. In other words, VSHN is entitled to access the personal VSHN mailbox if operationally necessary.
Even though personal mail usage is prohibited according to Forbidden Activities, authorized personnel must refrain from viewing private emails that are clearly marked as such (for instance, by including 'PRIVATE' in the subject or folder).

10. Incidents

Every employee, supplier, or other third party who deals with data and/or systems of VSHN AG must promptly report any system vulnerability, incident, or occurrence that indicates a potential incident, in accordance with the Incident Management Process.

11. Training and Awareness

The ISMS work group is responsible for employee training and awareness within the scope of this policy. This includes, in particular:

the usage of mobile computing off-site at VSHN.
the appropriate use of BYOD.
promoting awareness of the most prevalent threats or hazards.

12. Meta Information

12.1. Policy Tracking

This policy is tracked and approved by the ISM Domain with ticket ISMS-166 and changes must be approved by Management.

12.2. Effective From

This policy is effective from September 25, 2023, and was completely revised, reviewed, and released in MR 892 with ticket ISMS-1210.

12.3. Reference Documents

ISO 27001:2013	ISO 27001:2022	Control Name ISO 27001:2022
A.8.1.2	A.5.9	Inventory of information and other associated assets
A.8.1.3	A.5.10	Acceptable use of information and other associated assets
A.8.1.4	A.5.11	Return of assets
A.13.2.1	A.5.14	Information transfer
A.13.2.3	A.5.14	Information transfer
A.9.3.1	A.5.17	Authentication information
A.18.1.2	A.5.32	Intellectual property rights
A.6.2.2	A.6.7	Remote working
A.11.2.9	A.7.7	Clear desk and clear screen
A.11.2.6	A.7.9	Security of assets off-premises
A.11.2.5	A.7.10	Storage media
A.11.2.4	A.7.13	Equipment maintenance
A.6.2.1	A.8.1	User endpoint devices
A.11.2.8	A.8.1	User endpoint devices
A.12.2.1	A.8.7	Protection against malware
A.12.3.1	A.8.13	Information backup
A.12.5.1	A.8.19	Installation of software on operational systems
A.12.6.2	A.8.19	Installation of software on operational systems

ISO 27001:2013

ISO 27001:2022

Control Name ISO 27001:2022

A.8.1.2

A.5.9

Inventory of information and other associated assets

A.8.1.3

A.5.10

Acceptable use of information and other associated assets

A.8.1.4

A.5.11

Return of assets

A.13.2.1

A.5.14

Information transfer

A.13.2.3

A.5.14

Information transfer

A.9.3.1

A.5.17

Authentication information

A.18.1.2

A.5.32

Intellectual property rights

A.6.2.2

A.6.7

Remote working

A.11.2.9

A.7.7

Clear desk and clear screen

A.11.2.6

A.7.9

Security of assets off-premises

A.11.2.5

A.7.10

Storage media

A.11.2.4

A.7.13

Equipment maintenance

A.6.2.1

A.8.1

User endpoint devices

A.11.2.8

A.8.1

User endpoint devices

A.12.2.1

A.8.7

Protection against malware

A.12.3.1

A.8.13

Information backup

A.12.5.1

A.8.19

Installation of software on operational systems

A.12.6.2

A.8.19

Installation of software on operational systems

12.4. Record Management

Record	Responsible person	Measure for the protection of the record	Storage duration
List of permitted BYOD devices	CISO	Only the CISO may edit the list and release a new version of it.	3 years

Record

Responsible person

Measure for the protection of the record

Storage duration

List of permitted BYOD devices

CISO

Only the CISO may edit the list and release a new version of it.

3 years

1. This section was inspired by Amazee’s Handbook regarding generative AI tools

2. A language tool integrated e.g. in a browser sends all written text to a server. That means all information we write in our ticket system is shared with an uncontrolled third party. Therefore it is forbidden until approved officially.

3. A chatbot / AI tool integrated your IDE sends all written code to a server and so is shared with an uncontrolled third party. Therefore it is forbidden until approved officially.

4. See also our internal ticket ISMS-1323.

5. See also our internal ticket ISMS-1383 and our AVV Art. 6e resp. DPA Art. 6e.

6. for example use uBlock Origin.