Acceptable Use Policy

1 Introduction

The Acceptable Use Policy outlines the security measures that all TSP staff must adhere to in order to ensure strong IT security in TSP.

*Staff refers to all individuals engaged in the provision of services for TSP, including but not limited to employees, contractors, and interns, whether on a full-time or part-time basis.

2 Scopes

This policy is applicable to the following key domains.

  • General
  • Use of Software Applications and Tools/Utilities
  • Network
  • Confidentiality and Integrity

3 General

3.1. ✅ DO use either your TSP-authorized laptops or TSP-Virtual Machines for all your work.

3.2. ✅ DO carry TSP-authorized devices (laptops, portable storage devices, etc.) as hand luggage when traveling.

  • Not Applicable to ODC Staff. For ODC Staff, please refer to TSP Asset Management – Bandung Office [1]

3.3. ✅ DO take good care of the TSP devices assigned to you.

You are accountable for any damage or loss of the assigned devices resulting from your lack of due care.

Report to IT Ops Team via the YouTrack TSP Helpdesk [2] immediately if the device is damaged or lost.

3.4. ✅ ALWAYS set Calendar Event’s visibility as ‘Private’ for events related to Project Meetings.

  • The default visibility is ‘Public’; you need to change it to ‘Private’ to ensure meeting agendas are not visible to anyone outside of your project.

3.5. ❌ DO NOT let others use your TSP-authorized devices.

Report all IT security incidents immediately to the IT Ops Team and the Management via the YouTrack TSP Helpdesk [2]. Examples include phishing attempts, malware attacks, and theft / loss of laptops / mobile phones.

3.6. ❌ DO NOT use any cloud service for synchronizing other than TSP’s Microsoft OneDrive or TSP’s Google Drive.

3.7. ❌ DO NOT share company’s and client’s personal information with external parties without permission from the Management.

3.8. ❌ DO NOT work on TSP projects from a public location e.g., cafes, libraries, etc.

3.9. ❌ DO NOT leave confidential material on printers or photocopiers.

4 Use of Software Applications and Tools / Utilities

4.1. ❌ DO NOT run software from untrusted sources.

  • ✅ DO request access to third-party software by submitting a ticket via the YouTrack TSP Helpdesk [2]. Software applications that do not require approval are Zoom, Teams, Meet.
  • ❌ DO NOT download, install, or run third-party software from the internet, without prior approval from IT Ops Team. (This is more relevant for non-developers).

4.2. ❌ DO NOT upload code to any code hosting service (github.com, gitlab.com, etc.) other than official TSP git repositories.

  • ✅ DO inform IT Ops Team immediately if any code has been uploaded.
  • ✅ ALWAYS use TSP’s services only e.g., TSP’s Gitlab, TSP’s Google Drive, TSP’s Microsoft OneDrive, etc. If you are unsure if a type of service belongs to TSP or is authorized by TSP for usage, confirm with IT Ops Team before using it.

4.3. ❌ DO NOT use online tools/utilities for splitting and/or merging PDF files, etc. for any document that belongs to TSP or TSP’s project. In general, do not use online tools/utilities. DO reach out to Dev team or PMO team for recommendations.

  • ❌ DO NOT use online tools/utilities for processing data/code e.g., do not use online JSON serialisers or code prettifiers. Use DevToys or equivalent that runs locally.
  • There are many open-source and command-line options for such use cases. When in doubt, you can google and share the best options you found with Dev team who can give you advice.

4.4. ❌ DO NOT use online tools/utilities for notetaking, project management, task management, e.g., Trello, Notion, Asana, etc.

  • ✅ DO use OneNote from your Microsoft 365 account for notetaking.
  • ✅ DO use our issue trackers for project management. You might find the above less convenient; however, we should not place any work we do for our clients into these online tools/utilities.

4.5. ❌ DO NOT use screenshots or screen-recording services that automatically upload a copy online.

  • ✅ DO configure Xbox game bar for local usage only. For screen recording, press Windows + G (on Windows) to bring up the Xbox game bar.
  • For screenshots, press Windows + Shift + S to bring up Windows Snipping tool.

5 Network Security

5.1. ✅ DO use strong and secure passwords for your home Wi-Fi network, especially when you connect your laptops with TSP information to it.

  • ❌ DO NOT perform any port scanning or any security scanning on TSP resources.
  • Note: This is not applicable to ODC Staff.

5.2. ❌ DO NOT use BitTorrent, Onion, and I2P networking protocols on your TSP laptops or on TSP’s network.

  • Users with TSP laptops or TSP Virtual Machines (VM) are prohibited from using BitTorrent clients on their laptops.
  • Users logged into any VPN provided by TSP are prohibited from using BitTorrent clients when connected to TSP VPN.

5.3. ❌ DO NOT connect any non-TSP authorized device to TSP network or IT Systems.

5.4. ❌ DO NOT allow guests to connect to the TSP network:

  • ✅ DO request guests to use their own hotspot.
  • ❌ DO NOT allow them to use TSP network via Ethernet cables.
  • ❌ DO NOT share TSP Wi-Fi passwords with guests.

5.5. ❌ DO NOT use commercial or third-party VPN to access TSP network or IT Systems e.g., Mullvad, Nord VPN, PIA etc.

  • ✅ DO only use VPN provided by TSP.
  • TSP VPN should only be installed on a TSP-authorized laptop or TSP Virtual Machine.

5.6. ❌ DO NOT use free public Wi-Fi networks on TSP-authorized devices.

6 Confidentiality and Integrity

6.1 Password and Information Security

  • ✅ DO keep all secrets, keys, or passwords on Bitwarden
    • ✅ DO set Bitwarden to automatically clear the clipboard 1 minute after copying the password. Refer to Bitwarden Guideline [3] for further instructions.
    • ✅ DO use YouTrack TSP Helpdesk [2] to request if you do not have a Bitwarden account.
  • ✅ DO use secure and strong passwords.
    • ✅ DO use Bitwarden password auto generator.
    • ✅ DO ensure passwords are at least 16 characters in length.
    • ✅ DO ensure that passwords comprise a mix of letters, numbers, and symbols (at least 2 each).
    • ❌ DO NOT reuse any password.
    • ❌ DO NOT use personal information in passwords e.g., birthdays, names etc.
  • ✅ DO use Multi-Factor Authentication, whenever possible, especially for Google Account [4], Microsoft Account [5], and Bitwarden Account [6].
  • ✅ DO ensure laptops, mobile devices, and desktop computers are protected by:
    • Using a lock-screen password of at least 8 characters in length.
    • Enabling auto lock after 10 minutes of inactivity.
  • ❌ DO NOT allow others to access your accounts (GitLab, VPN, Google Accounts, etc.) without explicit clearance from Management.
  • ❌ DO NOT share any confidential information or passwords in plaintext with anyone or on Google Chat/Email or any other communication channels.
  • ❌ DO NOT store passwords in plain text anywhere, i.e., you should not write down passwords in your notes or paste passwords on your laptops.
  • ❌ DO NOT use any browser extension password managers e.g., Google, Firefox, etc., including Bitwarden browser extension to store or access your passwords. (Only use web-based or desktop versions of Bitwarden).

Check out Password Security [7] for more information.

  • ❌ DO NOT send passwords in plain text via email / Google Chat or any other communication channels.
    • ✅ DO use Bitwarden to securely store and share passwords.
  • ❌ DO NOT share passwords with anyone (including your TSP colleagues) without explicit approval from the Management.

6.2 Use of Data, Computers, and Portable Storage Media.

  • ✅ ALWAYS lock all devices that contain data pertaining to projects, financial information, organizational information, and personnel information when you step away from your laptops.
  • ✅ ALWAYS enable disk encryption on TSP-authorized portable and non-portable devices.
    • ✅ DO use BitLocker if you are using Windows. If you don’t have Windows Pro, please submit a ticket via the YouTrack TSP Helpdesk [2] to request it.
  • ✅ DO use Windows Defender as your anti-virus software for TSP VMs and TSP-authorized Laptops.
    • ✅ DO perform continuous and/or scheduled full system scanning. If you use Windows, this can be done with Windows Defender.
    • ✅ DO ensure Windows Defender is updated regularly. DO schedule automatic updates.
    • ✅ DO ensure Windows Defender is always operating in real-time scan mode. Please refer to this Windows Security Guideline [8] for further instructions.
  • ✅ ALWAYS enable the built-in firewall in your computer – contact IT Ops Team if you need help with this.
  • Follow the steps below before sharing any TSP data with any internal or external party:
    • ✅ ALWAYS get permission to transfer data to an internal or external party – this will be Project Manager / Management – if in doubt, use the highest escalation level or contact IT Ops Team.
    • ✅ DO use TLS/SSL encryption to transmit the data to an internal or external party e.g., HTTPS, SSH, SCP, and VPN.
    • ✅ DO share files e.g., Word Documents, Google Docs, Excel, Google Sheets via Google Drive’s “share” options or emails.
      • ✅ DO give access to the file only to the person who needs it.
      • ✅ ALWAYS set access to Restricted under General Access when sharing files using Google Workspace with people who need access.
    • ✅ DO password-protect sensitive documents in non-Microsoft (MS) Office file format using 7zip or similar tools.
    • ❌ DO NOT send passwords in the same email where password-protected files are attached.
    • ❌ DO NOT use HTTP, FTP, and Telnet protocols to transfer data.
  • ✅ DO check for vendor security updates (e.g., Adobe, Windows) and apply them.

Occasionally, vulnerabilities in the operating system and/or application’s security are discovered, and the vendor will then release security updates to fix these vulnerabilities.

  • ✅ DO ensure the auto-update mechanisms of the major operating systems, e.g., Windows and Mac, are enabled.
  • ❌ DO NOT share TSP and clients’ personal information with external parties without explicit permission from Management.
  • ❌ DO NOT use someone else’s username and password to access the TSP IT System.
  • ❌ DO NOT store any TSP data on non-TSP-authorized devices.
  • ❌ DO NOT give or transfer TSP data, software, or software licenses to any person or organization without approval from Management.
  • ❌ DO NOT share any code you write with anyone outside your project team.
  • ❌ DO NOT share any code in any cloud service for synchronizing e.g., Dropbox, Microsoft OneDrive, etc. This applies to all documents and data belonging to TSP.
  • ❌ DO NOT share code anywhere e.g., in Stack Overflow to get answers, GitHub Gists, online code-editors such as repl.it etc.
  • ❌ DO NOT mention any specific details of the projects, client names, etc., anywhere online.

6.3 For Internet Access and Email / Other Communications

  • ❌ DO NOT click or open unexpected or suspicious emails or email attachments.
  • ❌ DO NOT forward messages containing general appeals or warnings like virus warnings, or requests for help, by mass mail or otherwise. For example, be careful with forwarding emails that include files with .exe or .dll extensions.
  • ❌ DO NOT send confidential data/information via commercial messaging platforms (e.g., WhatsApp, Signal, Telegram etc).
  • ❌ DO NOT send TSP-related documents/files via personal email/personal devices.

6.4 Actions upon Termination of Contract

  • All TSP-authorized devices must be returned to TSP at the termination of the contract, i.e., on the last day at work.
  • All TSP data or intellectual property developed or gained during the period of employment remains the property of TSP and must not be retained beyond the termination or reused for other purposes.

At the end of your contract, please delete all TSP related code/folders/files from your laptops/computers.

6.5 Compliance

  • All TSP personnel shall be compliant with the following regulatory requirements:
    • Personal Data Protection Act 2012.
    • Computer Misuse Act 1993.

7 References

[1]: TSP Asset Management - Bandung Office

[2]: YouTrack TSP Helpdesk

[3]: Bitwarden - Clearing Clipboards

[4]: Google Multi Factor Authentication Guideline

[5]: Microsoft Multi Factor Authentication Guideline

[6]: Bitwarden Multi Factor Authentication Guideline

[7]: Password Security Guideline

[8]: Windows Security Guideline

Version | Date        | Comments
1.0     | 8 Feb 2023  | First Version
1.1     | 31 Mar 2023 | Update on 3. Network
1.2     | 6 Jul 2023  | Migration to Wiki
1.3     | 19 Jul 2023 | Update on 4. Confidentiality and Integrity and updated formatting
1.4     | 26 Jul 2023 | Tips with hyperlinks added in section 1.9 and 4.1; name of section 4.1 changed to ‘Password and Information Security’
1.5     | 16 Aug 2023 | Move all URL links to the ‘References’ section
1.6     | 17 Nov 2023 | Updated formatting and minor content updates
1.7     | 19 Dec 2023 | Migration from Outline to Doks and minor content update on 3. General
1.8     | 8 Jan 2024  | Minor content update on 3. General
1.9     | 16 Jan 2024 | Updated reference
1.10    | 5 Feb 2024  | Minor content update on 6.2 Use of Data, Computers, and Portable Storage Media
1.11    | 27 May 2024 | Updates on 3. General, 5. Network Security and 7. References

ANNEX A

ANNEX B