Technology Usage Policy
To ensure responsible, secure, and professional use of SB Partners’ information technology systems, including email, internet, software, data resources, and personal devices.
This policy applies to all SB Partners team members and partners who access or use company-owned or managed IT systems, devices, software or data. It also applies to personal devices used in work-related communications and tasks.
1. Acceptable Use
Firm messaging, email, and internet systems are provided for business purposes. Limited personal use of the internet is permitted if it does not interfere with work or violate firm policies.
All communications via firm systems must be professional, respectful, and appropriate for a business environment.
Recording and recording devices, such as computers, tablets, phones, watches, eyewear, and any other device, must only be used for business purposes. The action of recording must be fully disclosed to all individuals being recorded. Disclosure must occur prior to the commencement of any recording, ensuring that all parties are aware before recording begins. This includes audio, video, and photos at locations in the office, at firm events/gatherings outside of the office, and in virtual meetings or conversations.
2. Ownership and Monitoring
All data, emails, and internet activity on SB Partners systems are firm property. SB Partners reserves the right to monitor, restrict, or revoke access to IT systems without notice. Monitoring covers device security compliance, data security, and may include internet usage, software activity, and data access.
3. Data Security and Confidentiality
Confidential data must not be shared with or left visible to unauthorized individuals. Distribution lists must be verified before sending sensitive information using the SafeSend add-on in Classic Outlook.
Personal devices (e.g., home computers, USB sticks) must not be used to store firm or client data.
Data taken off-site must be:
- For SB Partners’ business use only.
- Stored securely and confidentially.
- Returned to the firm network/cloud promptly.
- Deleted from portable devices, including laptops, after use.
4. Device and Access Control
Firm devices are for use by authorized team members only and devices must be locked when unattended (to lock manually, press the Windows key + L).
Passwords must be kept confidential and comply with the Passwords and Authentication Policy.
Unauthorized access to another user’s files or credentials is strictly prohibited.
5. Software and System Integrity
Only licensed and authorized software may be used, including cloud-based apps. All software installations will be screened by a Privileged Access Management tool (AutoElevate) and must be pre-approved by the IT Operations Manager. Altering system configurations or software without approval is prohibited.
All hardware or software malfunctions must be reported to the IT Department in a timely manner by sending an email to ITSupport@sbpartners.ca.
Distribution of malware (e.g., viruses, worms) is strictly forbidden.
6. Legal and Ethical Use
All use of IT systems must comply with applicable laws, including copyright and privacy regulations such as PIPEDA.
Prohibited content includes:
- Harassing, defamatory, or offensive material.
- Discriminatory remarks based on race, gender, age, disability, sexual orientation, or political beliefs.
Users are personally responsible for any illegal or unethical use of firm systems.
7. Reporting and Enforcement
Any suspected abuse or violation of this policy must be reported to the IT Operations Manager.
Any suspected security threat or anomaly must immediately be reported to the IT Department.
Violations may result in disciplinary action, including loss of access or termination.
Artificial Intelligence (AI) Usage
This policy outlines the secure and responsible use of Artificial Intelligence (AI) tools and applications within SB Partners LLP (the “Firm”) and all its affiliated companies. It aims to mitigate risks associated with using AI tools and applications, including data leaks, impersonation threats, and deepfakes, while ensuring compliance with Canadian regulations such as the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the forthcoming Artificial Intelligence and Data Act (“AIDA”). The purpose of this policy is to provide protocols that maximize the benefits of using AI tools while minimizing any potential risks or concerns.
This policy applies to all team members, contractors, and third-party service providers who use AI tools and/or applications in the course of their work for the Firm and all its affiliated companies. It covers all devices, networks, and platforms used to access AI tools and/or applications. This policy applies to the use of AI tools and applications both during and outside of normal hours of work, whether at the Firm’s office or from a remote work location.
Approved Tools:
The only AI tool currently approved for use is Microsoft Copilot Chat. All other AI platforms are prohibited unless explicitly authorized by the IT department following a formal risk assessment. If approved, they will be added to this policy.
Prohibited Practices:
To ensure client and company confidentiality, users must not enter firm names, client names, or any personally identifiable information (PII – see definition at the end of this document) into Copilot Chat or any other AI tool or application. Sharing confidential client or firm information, documents, or sensitive communications within AI platforms is strictly forbidden. Content must be cleansed of firm names, client names, PII, and any business-identifying information before it is copied or inserted into any AI tool.
Team members are not permitted to use AI tools to manipulate or alter existing information and data for resharing.
Security Measures:
When using Copilot Chat, users must be logged in with their SB Partners email address (Microsoft 365 account) and the green checkmark icon for Enterprise data protection must be present.
Users also must have read the IT email with the subject “Introducing Microsoft Copilot Chat” or watched the Copilot Chat training video: 24-Copilot Chat Get Started Video.mp4 (found in Teams) and completed the important instructions for first-time logon. These are provided during Onboarding and are available upon request from the IT Department.
To address emerging AI threats:
- Multi-factor authentication (MFA) and endpoint protection will be enforced on all devices accessing AI tools.
- Regular training will be provided to team members on identifying impersonation and phishing attempts via the Breach Secure Now training system.
The Firm reserves the right to monitor all AI use on its IT systems, as reasonably required, to protect its business interests and meet its legal obligations.
Reliability:
AI tools and applications have the potential to produce inaccurate outputs or hallucinations. There is also a risk that the output is biased, inappropriate or otherwise offensive. All AI output must be checked by team members for accuracy and to ensure the intention of the content aligns with the intended use before sharing. Critical thought must be applied to all outputs, and outputs must always be fact- and sense-checked before being relied on for business purposes. Each user is required to ensure that the outputs generated (i) do not contain biased, offensive or discriminatory content; (ii) do not improperly use or disclose personal or confidential information; and (iii) have been verified by other trusted sources to ensure accuracy.
Compliance:
All AI usage must comply with PIPEDA and other applicable laws and regulations. Once enacted, AIDA will also govern high-impact AI applications. Non-compliance may result in disciplinary action, up to and including termination and possible legal liability.
The Firm may agree to comply with specific client AI use policies in its business dealings. In such cases, the IT and Risk Management teams will review such client policies and requirements before these policies are implemented. If the Firm agrees to comply with such additional policies, affected employees will be notified. All affected employees must comply with any such policies, including any related training requirements.
Review Process:
This policy will be reviewed annually and as new AI tools or applications are adopted by the IT and Risk Management teams to ensure alignment with evolving AI threats and regulatory requirements. Updates will be communicated to all team members and incorporated into mandatory training sessions.
Incident Response:
Any AI-related security incident, including any use of non-approved AI tools or applications, must be reported immediately to the IT department. A formal investigation will be conducted, and corrective actions will be documented and implemented.
Definition of PII:
PII stands for Personally Identifiable Information, which is any data that can be used to identify a specific individual, either directly or indirectly when combined with other information. In Canada, PII is any information about an identifiable individual, including direct identifiers like name, address, and phone number, as well as sensitive details such as race, religion, medical history, financial transactions, Social Insurance Number, and any other identifying numbers. It also encompasses opinions or views about an individual and information that, when combined with other data, can identify someone.
Passwords and Authentication
To protect SB Partners LLP’s information systems and client data, including Cloud-based storage and applications, all computer and software accounts must adhere to strong authentication requirements.
This policy applies to all SB Partners team members, partners, and contractors who access or use firm-owned or managed IT systems, devices, software, and data, as well as personal devices accessing firm apps and data.
Password Standards
Passwords should be a minimum of 12 characters and must include uppercase, lowercase, numbers, and special characters. They must not contain dictionary words, firm name, personal information, names, birthdays or common phrases. Passwords must be unique and may not be used across different systems.
For your voicemail, PINs must be at least 6 digits in random order.
Password Management
Passwords should never be written down or shared.
If a password needs to be recovered, IT can reset passwords as needed or users can employ the Reset Password feature in the associated application.
Multi-Factor Authentication (MFA)
MFA is mandatory for all cloud services and remote access systems. Approved methods such as Duo, Microsoft Authenticator, Google Authenticator, or SMS, aka text, are to be used.
Account Lockout
SB domain accounts will lock after 5 failed login attempts. IT must verify a user’s identity before they can unlock an account.
Cloud apps each have different lock-out features and tolerances. Please connect with IT if you need assistance.
Any suspicious activity, such as receiving unsolicited MFA codes, should be reported immediately to the IT Department.
Failure to comply with this policy may result in account suspension or disciplinary action.
Teams, OneDrive, SharePoint (M365)
This policy establishes guidelines for the secure and effective use of Microsoft Teams, SharePoint, and OneDrive within the firm. It aims to maintain confidentiality when collaborating internally and externally, clarify appropriate use of cloud-based storage versus local/network storage, and promote secure sharing practices and responsible document management.
Note: Microsoft Teams and OneDrive are components of SharePoint Online, collectively part of Microsoft 365 (M365).
This policy applies to all team members, partners, contractors, and authorized users of the organization’s Microsoft 365 environment.
1. Storage and Collaboration
OneDrive and Teams are for storing non-client documents. Client documents must be stored in CaseWare Cloud and iFirm Documents and Jobs (some older files remain stored on server drives).
OneDrive should be used for storing files that are primarily for your own use. By default, OneDrive content is private to the individual user. You may share documents from your OneDrive, but note that you are fully responsible for managing access and changes.
Teams should be used primarily for committee and collaborative documents requiring multi-user access, as well as reference documents for all staff. Teams may also be used for collaborating with external clients for meetings and documents. The creator of a Team with an external Guest is responsible for member and content management and for ensuring all firm protocols are followed.
Note: iFirm Portal is the preferred application for file-sharing between the firm and our clients.
2. Ownership and Responsibility
- The Organizer of a meeting is responsible for content.
- The Owner(s) of individual Teams and Channels are responsible for their content and membership.
- The original publisher of a document in OneDrive or Teams is its owner and is responsible for managing and sharing permissions and deleting outdated or unnecessary files.
- All content of SB Partners’ Microsoft 365 is firm property.
3. Sharing and Access Control
- Always use ‘Specific People’ when sharing links unless an exception is approved.
- Be mindful of who has access – shared files can be downloaded and redistributed without your knowledge.
- Do not share firm or client data outside of the organization, per the SB Technology Usage Policy.
4. Screen Sharing, Video Communication, Meeting Recordings and Privacy
When presenting via Teams, share individual application windows whenever possible. Avoid sharing entire screens. Close or minimize programs to prevent unintentional appearance of confidential information.
Individuals appearing on video to other attendees during meetings and chats must use the provided SB background or the blur feature to ensure no background is visible.
Recordings of meetings, their storage location, and access settings are the responsibility of the meeting organizer.
5. Professional Conduct
Maintain professional and respectful language in Teams, Chats, and any other communication.
Mobile Technology
To establish guidelines for the secure and responsible use of mobile & wireless technology, including firm-owned and personal devices that access SB Partners’ systems, email, or data. The term “wireless” encompasses all types of non-wired networking connectivity, such as Wi-Fi, Bluetooth, and Cellular.
This policy applies to all SB Partners team members, partners, and contractors who access or use company-owned or managed IT systems, devices, software, and data, as well as personal devices accessing firm apps and data.
Mobile devices and wireless technology introduce unique security risks. All users must adhere to best practices to protect firm and client information.
Covered Devices
Smartphones, tablets, laptops, wearable devices, USB drives, eReaders, paper tablets, and any technology capable of storing or transmitting firm data.
Personal devices may be used for work only if they comply with all security requirements.
Security Requirements
- Wi-Fi must be password protected and use WPA2 or higher encryption.
- Cellular networks (Bell, Rogers, Telus, etc.) provide security with their access.
- Devices must be protected with strong passwords and biometric authentication where available.
- Multi-Factor Authentication (MFA) must be used for all firm accounts.
- Devices must auto-lock after a maximum of 5 minutes of inactivity. One minute is the preferred lock-out.
- Report lost or stolen devices immediately to IT, including personal devices that contain firm data or email.
Prohibited Actions
Avoid connecting to unsecured Wi-Fi networks. Use a smartphone’s password protected Hotspot or a firm TurboHub whenever possible. Avoid storing firm data in personal cloud services (e.g., Dropbox, Google Drive, iCloud) as these locations are not protected or backed by the firm security tools.
Data Handling
Users are required to delete firm-related data from devices when no longer needed, including firm laptops.
For file transfers, use company-approved secure portals, including Microsoft 365.
If using a USB drive, it must be encrypted and authorized by IT.
Compliance
All mobile device use must comply with applicable laws, including Ontario’s Distracted Driving Law (see “Distracted driving” on ontario.ca).
Intentional misuse or failure to comply with this policy may result in disciplinary action, up to and including termination.
Reimbursement Of Mobile Device Charges and Equipment
The cell phone reimbursement plan applies to manager and above team members who have been approved to participate in the plan.
Cell phones and cell phone numbers are the property of the team member. However, all devices must have the appropriate and identified controls and passwords in place, as per the Mobile Technology Policy. Team members are asked to read the Mobile Technology Policy in its entirety to understand their responsibilities.
The cell phone reimbursement plan applies as follows:
- Monthly Plan Fees: Payment or reimbursement to a maximum of $75 plus HST per month. If the team member is on the corporate plan, any costs incurred over this amount will be reimbursed by the team member within 10 days following receipt of the cell phone bill. Those who do not participate in the current corporate plan, but who are approved for reimbursement of monthly fees are to submit an expense report and include a copy of the monthly bill.
- Initial Hardware Purchases and Future Upgrades: Payment or reimbursement to a maximum of $250 plus HST every 36 months towards the initial purchase or upgrade of hardware and associated hardware activation or upgrade processing fees including any type of device accessories. If the team member is on the corporate plan, any costs incurred over this amount will be reimbursed by the team member within 10 days following receipt of the applicable invoice for the purchase. If the team member is not on the corporate plan, an expense report including a paid receipt must be submitted for reimbursement.
- Additional Charges and/or Add-Ons for Business purposes: must be pre-approved by the Controller before being fully reimbursed by the firm.
Electronic Monitoring
SB Partners values trust, discretion, and transparency and believes team members deserve to know when and how their work is being monitored. This policy is to be used in addition to the firm “Technology Usage Policy” and “Mobile Technology Policy” and is intended to establish guidelines for firm practices and procedures related to electronic monitoring of team members.
Electronic monitoring: Using technological, electronic, or digital means to track, observe, or monitor someone’s actions.
PII (Personally Identifiable Information): Any data that can directly or indirectly identify a specific individual.
Electronic Monitoring Practices
SB Partners collects information through electronic monitoring for a variety of reasons, including protecting the firm’s legal and business interests. The firm will electronically monitor the following activities and procedures:
- Security of network, servers, computers, and other equipment for protection against viruses, intrusion, and data theft
- Security of Cloud-based applications for protection against viruses, intrusion, and data theft
- Health of network, servers, computers, and other equipment for notifications of failure, malfunctions, misuse, and availability
- Alleged misuse of client contact information/data or workplace misconduct using any firm owned equipment, software, applications or property for the purposes of a workplace investigation
Important items to note:
- Automated presence monitoring by Office Status and Microsoft Teams is used as a business functionality tool to help maintain a high level of Client Service, and both can be manually adjusted and locked.
- Cloud-based technologies keep an Audit Trail for reference of changes and a history of documents for restoration purposes.
- Workflow and team member education applications track and keep a history of statuses and completion.
Any information collected by electronic monitoring may be used during team member reviews or during consideration of disciplinary decisions.
To promote impartiality, and to ensure any information collected through electronic monitoring is handled appropriately, SB Partners will monitor these activities by:
- Review of management interfaces for Microsoft 365 and individual apps (e.g., Duo, Datto RMM, Threatdown Antivirus, Huntress EDR, Avanan SPAM filter, AutoElevate and other cloud management dashboards)
- Reports and alerts from monitoring software deployed by our Managed Service Provider
- Automated alerts of anomalies from our Cloud-based apps
Privacy and Confidentiality
The firm’s monitoring is aimed at collecting information related to its business. However, some information collected by electronic monitoring may be considered PII. When PII is under SB Partners’ control, it is the responsibility of the firm to protect it.
All information collected through electronic monitoring will be securely stored and protected. If any PII is collected, its use and disclosure will be limited to achieve the stated purpose of its collection. The firm will adhere to all privacy and confidentiality legislation that applies to the collection, use, and disclosure of PII obtained by electronic monitoring.
IT Hardware
To ensure secure and responsible use of firm-owned hardware, which includes computers and peripherals (defined below), as well as the professional appearance of all equipment.
This policy applies to all SB Partners team members and partners who access or use firm-owned or managed IT systems, devices, software and data. It also applies to personal devices used in work-related communications and tasks.
Team members must:
- Use hardware for business purposes and occasional personal use in compliance with firm policies.
- Maintain equipment in good condition and report any damage or loss immediately.
- Make their equipment available for professional cleaning semi-annually.
- Follow protocols ensuring physical security of all devices and privacy of displayed data.
- Not add any personalization or decoration to the equipment in their possession.
The IT Department enters all inventory of larger and costlier items (computers, monitors, docks, printers, etc.) in the Sortly inventory tracking system and places a corresponding QR code sticker linked to entries in Sortly on the device. The QR code sticker should not be removed and if it falls off or is damaged, report it to IT as soon as possible.
Responsibilities
1. Ownership and Usage
All hardware and peripherals provided by the firm remain firm property. Team members may use them for occasional personal tasks provided security and compliance standards are maintained.
2. Remote Work Considerations
Team members working remotely must ensure devices are stored or used in secure environments and are not left unattended unless in a locked area. All users are assigned a laptop lock, which can be taken from the office for use at home or a client site.
3. Device Lifecycle and Sustainability
Professional technology cleaners are contracted twice per year to ensure our equipment is well maintained optically. During cleaning, devices are also disinfected.
Computers are replaced with a 4-year lifecycle for Partners and permanent team members. Other equipment is replaced as it fails.
Team members must return devices upon termination or upgrade. The firm will ensure proper recycling and disposal of outdated equipment.
4. Data Removal and Equipment Disposal
- Team members must return all equipment to the IT Department at end-of-life/replacement.
- Team members who are discontinuing use or disposing of personal phones and devices need to remove firm accounts or perform a wipe/reset.
- The IT Department is responsible for performing data erasure or physical destruction of storage media on firm-owned devices.
Peripherals include:
- Monitors
- Portable Monitors
- Scanners
- Printers
- Keyboards
- Mice
- Webcams
- Projectors
- Memory sticks
- Portable hard drives
- Mobile phones
- Headphones & speakers
- Headsets
- Cables
- Routers
- Presentation pointers
- Paper tablets
- Fobs
Compliance
Failure to comply with this policy may result in disciplinary action, including revocation of equipment privileges.
Lost and Stolen Equipment
To ensure timely reporting and mitigation of lost or stolen equipment incidents to protect firm and client data, while adhering to security and compliance standards.
This policy applies to all SB Partners team members and partners who access or use firm-owned or managed IT systems, devices, software, and data. It also applies to personal devices used in work-related communications and tasks.
In this policy, equipment includes door fobs, laptops, desktops, tablets, smartphones, USB drives, cameras, docking stations, monitors, portable scanners, printers, projectors, and any other device provided by the firm or personally owned that connects to firm resources.
Responsibilities and Reporting Procedure
Team members must report lost or stolen equipment immediately to the IT Department so that lock-out procedures can be implemented quickly.
Report losses to ITSupport@sbpartners.ca and make sure to get personal acknowledgement from a member of the IT team (the automated “ticket received” email is not sufficient). If there’s no response within one hour, contact the IT Operations Manager directly at 905-869-1079, particularly when phones are involved.
When reporting lost or stolen equipment, please include the following details:
- Type of equipment
- Specify whether it was lost or stolen
- Last known location
- Date and time of incident
- Circumstances of loss
- Data contained on the device
Compliance & Privacy
This policy aligns with PIPEDA and other applicable data protection regulations. Team members must maintain confidentiality and report breaches promptly.
Failure to comply may result in disciplinary or legal action.