Email, Internet Use, Computer Software and Data

The e-mail and Internet systems are the property of SB Partners.  Access to these systems is available to team members for the purpose of carrying out firm business.  SB Partners LLP may at any time limit or restrict access to these systems.  SB Partners may change this policy at any time without notice to team members.

All e-mail and Internet messages processed through SB Partners’ systems or viewed on an SB Partners-owned computer, including non-business (personal) messages, are the property of SB Partners.  All internet usage is monitored and logged for security and abuse tracking.

All communication should be in the team member’s name. When constructing an e-mail or Internet message, regard the communication as public: it can be read by outside parties to whom you did not intend to give access. All messages should be business-like, polite, and professional. When replying to an e-mail or Internet message, include the content of that message that is relevant to your reply.

All software and data that is stored on your company computer, disc, or drive and subscription-based\Cloud\SaaS software is the property of the firm and can be accessed at any time by the Director of Technology or Management. Management reserves the right to monitor any email, Internet, or other computer activity on SB Partners-owned machines.

Data should not be downloaded or carried outside of the SB office site for any purpose other than current work in progress, for example, taking a synced copy of a CaseWare file to work at the client site, taking copies of documents from iFirm, or taking a presentation to a conference or client site.  Data taken off-site should be returned to the network or appropriate cloud location as soon as possible.  Data MUST also be deleted from the portable device, whether laptop, USB memory stick, or any other type of data storage device upon completion of external use.

Data must not be copied to non-company devices, such as home computers or personal USB sticks.

Data taken off-site must always be kept in a private location, kept confidential from family members and guests and should never be left unattended in a vehicle.

A firm computer is to be used by the authorized team member only.  Access should not be given to family members or other non-SB Partners team members.

Confidential firm information must not be sent to unauthorized persons, whether internal or external. Where information is sent through a distribution list, the list must be verified to ensure that it is current and accurate prior to sending sensitive information. The list must only include those persons entitled to receive the confidential information.

A recipient of confidential firm information should access the message in private. Computers should be closed and locked when unattended.

Most e-mail messages should be deleted after you have read them. Keep only correspondence, particularly confidential information, and other messages that require follow-up or a record.  Upload appropriate client documentation to the document management/archiving system (iFirm Documents).

Illegal or unethical use of SB Partners’ systems is strictly prohibited. Copyright laws that apply to print and other media should be applied to all e-mail and Internet use. Any contravention of copyright or other intellectual property law is strictly prohibited. Criminal and other laws also apply to Internet communications. Refrain from making defamatory, harassing, or offensive remarks. Examples of prohibited content would include sexual images or innuendos, racist comments, derogatory comments concerning a person’s age, disability, gender, national origin, political position or sexual orientation. Internet and email usage can be removed from a team member by management without notice.

Attempting to break passwords, or access data and files of third parties is strictly prohibited. Do not access a third party’s files without consent of that person.  Do not use a third party’s password or give your password to a third party or another staff member outside of the IT Department. Please see the “Password Policy” for further password guidelines.

All team members must activate the “standby” feature on their computer in order to secure confidential information in accordance with PIPEDA “Best Practices”.  When using a firm laptop containing client information at home or in the field, users will not leave the computer unattended for any reason without locking the computer.  This can be done by pressing the Windows Key + L.

Use of Messaging programs, aside from Microsoft Teams, is not permitted unless prior approval is obtained from the Director of Technology & reporting Manager and the reason for use is provided.

Streaming video or audio from the internet should be used only for business purposes or brief personal reasons.

All software to be installed on computers and laptops must be approved prior to installation, without any exceptions.  Downloaded software must be authorized to be downloaded by copyright or license agreement. Do not download software without the Director of Technology’s authorization.   Cloud\subscription\SaaS software used on company machines must be approved by the Director of Technology.

Altering or harming online data or software is strictly prohibited.

Making configuration changes to the system without authorization is strictly prohibited.

Do not distribute computer viruses or worms.

Users are wholly responsible financially, legally and otherwise for their own illegal or unethical use of e-mail, Internet systems, computer software or data.

Team members must report any abuses that they become aware of to the Director of Technology.

Passwords

The information network at SB Partners contains a large amount of highly confidential information. Cloud-based software is also used by SB staff and contains client data.  Therefore, it is imperative that all user accounts with privileges to log in to our network and Cloud-based applications are well-secured.  To ensure a high level of security on all accounts and minimize the risk of unauthorized access to our network and Cloud apps and storage, a strict policy will be enforced and must be adhered to at all times.

This policy is applicable to both in-house network\computer\VPN\RDS passwords and Cloud-based Office 365 passwords. Passwords for any other Cloud-based applications should also adhere to this policy as closely as possible.

A password must never be written down on anything kept in the office, and it must never be revealed to anyone else including other team members. In the event of an emergency, the Director of Technology has the ability to gain access to another user account.

Here are the requirements that must be met by passwords:

  • Must be a minimum of 10 characters in length
  • Must not be based on the user’s account name
  • Must contain characters from these four categories:
    • Uppercase alphabet characters (A–Z)
    • Lowercase alphabet characters (a–z)
    • Arabic numerals (0–9)
    • Nonalphanumeric characters (for example, !$#,%)
  • Must not be words found in the dictionary, places, common numbers, etc.
  • Must not be names of pets, friends, family, co-workers, etc. or any names or words spelled backwards, or include the company name or any variation of the word “password”
  • Must not be your birthday, address, telephone number, or any other personal information

In addition, all accounts will be forced to change their passwords regularly so that no password is older than 60 days. The login servers will issue warnings when network passwords are nearing the maximum age so as to give plenty of time to change to a new password. If a password exceeds the maximum age, the network account will be automatically disabled, and the network administrator will be required to unlock the account only when the user is prepared to set a new password.

The Office 365 system does not notify users of an impending password expiry via Outlook, only through the web interface; it is therefore strongly advised to change your O365 password manually at the same time you change your network password.

To change your Office 365 (email) password:

  • Log on to outlook.office.com
  • Click on your name or the person icon in the upper right-hand corner
  • Click My Account
  • Click Manage Security & Privacy
  • Click Password
  • Key in your new password and click Submit
  • If you are asked for your old password when creating the new one and can’t remember it, you will need to have IT change your password

The telephone voicemail system will also have a minimum password length of 6 digits.

Please be aware, at all times, that these requirements are vital to the security of our business.

Lost and Stolen Equipment

To ensure lost or stolen equipment is tracked and dealt with in a timely manner to protect firm and client data.

Equipment: includes laptop, notebook, and desktop computers, FOBs, USB keys, cameras, docks, monitors, portable monitors, portable scanners, portable printers, projectors, and any other device provided to team members by SB Partners. It also includes personally owned devices (tablets, smart phones, etc.) which access SB Partners email or other data.

The screen locking feature must be used on all mobile computers, tablets, Smart Phones, and any other “live” device accessing any SB Partners system or data, whether company-provided or personally-owned.

Any equipment that has been lost or stolen must be reported immediately to ITSupport@sbpartners.ca, which notifies the IT team. If a response during daytime hours is not received within an hour, further effort should be made to contact the Director of IT.  Only direct contact from the IT team is considered a response (i.e., the automated confirmation of ticket creation is not considered a response).

Reported information should include the following:

  • Type of equipment – list all
  • Was equipment lost or stolen?
  • Where (location last seen)?
  • When (date and time)?
  • Circumstances of loss
  • What data did the equipment contain?

The IT team will use the information provided to determine how to proceed, including replacement of equipment, police reporting, and possible insurance claims.

Microsoft Teams, SharePoint and OneDrive Usage

  • To ensure that the highest level of confidentiality is retained when screen sharing and otherwise working with clients and other non-staff
  • To ensure an understanding that primarily only documents in use for collaboration with multi-users are stored in OneDrive and Teams
  • To ensure awareness of the difference between storing files within the SB server\local computer system and the Microsoft Cloud

Note: Teams and OneDrive are a subsection of SharePoint Online, simply referred to as SharePoint. OneDrive, SharePoint, and Teams are also sometimes referred to as the Microsoft Cloud or M365 (Microsoft 365).

Content saved into OneDrive and in Microsoft Teams is primarily for collaboration purposes, as well as for storing large files such as videos rather than on internal servers. For example, the A&A Workflow Workbook that needs to be edited by many team members concurrently would reside in Teams.

  • All client files must continue to be saved in iFirm Document, CaseWare Cloud, and X: drive.
  • Files where live collaboration is not needed should continue to be stored on Network Drives (F:, H:, T:, V: or X:).
  • The original publisher of a document saved and\or shared to OneDrive or Teams is the owner of that document and has the responsibility to manage it and, if needed, to delete it.
  • Be very cognizant of who exactly documents are shared with – use the “Specific People” option for “Who would you like this link to work for?” as your primary choice unless an exception must be made.

When sharing the view via Teams, care is to be taken for privacy of information at all times – share individual program windows whenever possible. Share entire screens only as absolutely needed.  Minimize or close other programs such as Outlook to prevent viewing of email arrival notifications where pop-ups show a preview.

Whenever using the Chat area of Teams, chat content and language should be professional and respectful.

Be aware that any file you have shared with another person or group can be further shared by that person. These files are downloadable, so could be shared further without your knowledge.

Team members are prohibited from sharing any company or client files per the “Email, Internet Use, Computer Software and Data Policy”.

Mobile Technology

To outline staff guidelines, expectations, and requirements regarding the use of any mobile technology owned or paid for by SB Partners, or personally-owned devices containing email or other data accessed/downloaded from the SB Partners network.

Technology types covered by this policy:

  • Laptops, Notebooks, NetBooks, Tablets
  • Smart phones including Blackberrys, iPhones, Android phones, Cellphones, PDAs, any handheld data device plus Smart Watches
  • Cameras, iPods, iPads, CDRs, Scanners, flash drives (SD card), MP3 players, USB memory sticks
  • Networking devices using WiFi, Infrared, Bluetooth, WiMax, any wireless transmission method
  • Technology that allows data and apps to move beyond our servers and workstations
  • Any devices referred to above that SB Partners has purchased, leased or rented for a staff member, or to which SB Partners contributes partial payment
  • Devices owned by SB Partners staff over which they access company email or other data

Staff must be keenly aware and alert regarding the security of mobile technology, having an understanding of the following:

  • Mobile/wireless technology is far less secure than “wired” technology
  • Mobile browsing/downloading is risky without a virus scanner
  • Scanners exist that can monitor voice conversations over wireless/cell phones and Bluetooth (never give out credit card or password information over one of these devices)
  • Bluetooth is the least secure type of wireless
  • Although workstations and servers have layers of protection such as firewall and antivirus, malware can be transferred to them via un-secured mobile devices
  • Some International Borders consider mobile/portable devices as “containers” and may seize these devices and review all data
  • The greatest risk is loss, whether the device is left behind, forgotten or stolen
  • Be cognizant of identity theft through information acquired from lost or stolen mobile devices
  • Lost or stolen devices containing company or client info pose a potential risk to the company. Refer to the “Lost and Stolen Equipment Policy” for the procedure for lost or stolen devices

All other IT Policies also apply to Mobile Technology devices.

These policies include:

  • Email, Internet Use, Computer Software and Data Policy
  • Computers and Peripherals Policy
  • Wireless Communication Policy
  • Lost and Stolen Equipment Policy
  • IT Data Removal Policy

SB Partners authorizes use of iPhone, Android and Blackberry SmartPhones, iPads, iPod Touches, and Android-based tablets for access to email, contacts, calendar and tasks.  These apps on these devices are to be configured by the IT Department and must be password protected, with a maximum 15-minute screen inactivity lock-out setting.

Staff may employ “BYOD” (Bring Your Own Device), using personal tablets, phones, and other devices, provided they follow all company IT policies.  Any misuse or security risk may be cause for disciplinary measures.

Plugging unapproved devices into a computer for charging or any other reason is prohibited, as mobile devices may copy malware to computers.

Devices connecting to wireless networks must use encryption such as WPA2.

Personal USB memory sticks should not be used for exchanging client or company data.  Only company-authorized, password-protected, USB memory sticks, available from the IT Department, are to be used for exchange of client or company information, unless supplied by the client with pre-existing data.  The supplied password protection software on the memory stick and password must be used with these memory sticks, ensuring that client and company information is secure.  No company or client data should exist on the memory stick outside of the password protected section.  Memory sticks provided by clients fall outside of this requirement.  Memory sticks provided by clients must be returned to the clients as soon as possible or with their completed work.

All unnecessary information on a mobile device must be deleted after its usefulness – for example, a client’s synced CaseWare file should be deleted when no further work will be done by the user.

Uploading/transferring of company information to any mobile device or off-site location, or burning to DVD or CD for any reason aside from current daily business is strictly prohibited.

The use of internet upload/download/data storage services such as “DropBox”, “Google Docs”, “iCloud” is strictly forbidden.  SB Partners provides a Web Portal/FTP site for up and downloading of documents for business purposes, as well as RDS and VPN for remote access. Secure, encrypted FTP/Portal sites of clients and business partners may also be used.

It is expected that all hand-held devices will be used in accordance with the Ontario “Distracted Driving Law” invoked on October 26, 2009.   From the Ontario Ministry of Transportation website: “The distracted driving law makes it illegal for drivers to talk, text, type, dial or email using hand-held cell phones and other hand-held communications and entertainment devices. Hands-free use of these devices is permitted. The new law also prohibits the viewing of display screens unrelated to driving such as laptop computers or DVD players.”  For more information, follow this link:  http://news.ontario.ca/mto/en/2010/01/road-rules-for-hand-held-wireless-and-entertainment-devices-1.html

Misuse: Intentional misuse of devices may result in reprimand or termination.

Reimbursement of Mobile Device Charges and Equipment

Cell phones and cell phone numbers are the property of the Team member. However, all devices must have the appropriate and identified controls and passwords in place, as per the Mobile Device Policy at all times.  Team members are asked to read the Mobile Device Policy in its entirety and understand their responsibilities.

The cell phone reimbursement plan applies to Principals and Management team members who have been approved to participate in the plan as follows:

  • Monthly Plan Fees: Payment or reimbursement to a maximum of $75 plus HST per month.  If the team member is on the corporate plan, any costs incurred over this amount will be reimbursed by the team member within 10 days following receipt of the cell phone bill. Those who do not participate in the current corporate plan but who are approved for reimbursement of monthly fees are to submit an expense report and include a copy of the monthly bill.
  • Initial Hardware Purchases and Future Upgrades: Payment or reimbursement to a maximum of $250 plus HST every 36 months towards the initial purchase or upgrade of hardware and associated hardware activation or upgrade processing fees including any type of device accessories. If the team member is on the corporate plan, any costs incurred over this amount will be reimbursed by the team member within 10 days following receipt of the applicable invoice for the purchase.  If the team member is not on the corporate plan, an expense report including a paid receipt must be submitted for reimbursement.
  • Additional Charges and/or Add-Ons for Business purposes: must be pre-approved by the Controller and/or HR Manager before being fully reimbursed by the firm.

IT Data Removal

To ensure no electronic data leaves the SB office via discarded equipment

Equipment containing physical memory media, whether flash memory or a hard drive, must have all company and client data completely erased.  In the case when a device is not accessible electronically for full erasure reimaging, the device should be physically destroyed.

Users must not discard equipment.  It is to be returned/delivered to the IT Department for the erasing to be performed.

This equipment includes, but is not limited to:

  • Computers
  • Cellphones & Smartphones
  • Photocopiers (software available from Canon)
  • USB keys (even if malfunctioning)
  • Any portable storage (e.g., CF or SD cards, MP3 players)
  • Servers

Electronic Monitoring

SB Partners values trust, discretion, and transparency and believes employees deserve to know when and how their work is being monitored. This policy is to be used in addition to the company “Email, Internet use, Computer Software and Data Policy” and “Mobile Technology Policy” and is intended to establish guidelines for company practices and procedures related to electronic monitoring of employees.

Policy Details

Electronic monitoring: Using technological, electronic, or digital means to track, observe, or monitor someone’s actions.

Personal information: Any factual or subjective information about an identifiable individual.

Electronic Monitoring Practices

SB Partners collects information through electronic monitoring for a variety of reasons, including protecting the firm’s legal and business interests. The firm will electronically monitor the following activities and procedures:

  • Security of network, servers, computers, and other equipment for protection against viruses, intrusion, and data theft
  • Security of Cloud-based applications for protection against viruses, intrusion, and data theft
  • Health of servers and other equipment for notifications of failure, malfunctions, and availability
  • Alleged misuse of client contact information/data or workplace misconduct using any Firm owned equipment, software, applications or property for the purposes of a workplace investigation

Note: Automated presence monitoring by Office Status and Microsoft Teams is used as a business functionality tool to help maintain a high level of Client Service; both can be manually adjusted and locked.

Any information collected by electronic monitoring may be used during employee reviews or during consideration of disciplinary decisions.

To promote impartiality, and to ensure any information collected through electronic monitoring is handled appropriately, SB Partners will monitor these activities by:

  • Review of management interfaces for individual apps (i.e., Duo, Bitdefender, Umbrella cloud management dashboards)
  • Reports and alerts from monitoring software deployed by our Managed Service Provider
  • Automated alerts of anomalies from our Cloud-based apps

Privacy and Confidentiality

The firm’s monitoring is aimed at collecting information related to its business. However, some information collected by electronic monitoring may be considered personal information. When personal information is under SB Partners’ control, it is the responsibility of the firm to protect it.

All information collected through electronic monitoring will be securely stored and protected. If any personal information is collected, its use and disclosure will be limited to achieve the stated purpose of its collection. The firm will adhere to all privacy and confidentiality legislation that applies to the collection, use, and disclosure of personal information obtained by electronic monitoring.