Version no: 1 | Last updated: March 2022
Authorised by: Timothy Musoke, CEO, Laboremus Uganda Ltd.
This Policy sets out the obligations of Laboremus Uganda Limited (“the Company”), a company incorporated in Uganda under registration number 164360, whose registered office is Plot 57B, Luthuli Avenue Bugolobi, Kampala Uganda, regarding the constraints and practices that a user must agree to for access to a Laboremus Network, and the ancillary resources used to access or connect to such networks, in accordance with the Data Protection and Privacy Act, 2019 (“DPPA”).
For further information on other aspects of data protection and compliance with the DPPA, please refer to the Company’s Data Policies that can be found here https://www.laboremus.ug/legal
You can also contact our Data Protection Officer (“DPO”);
Personnel are responsible for complying with Laboremus policies when using Laboremus information resources. If requirements or responsibilities are unclear, please seek assistance from Laboremus’ DPO.
Personnel must promptly report harmful events or policy violations involving Laboremus assets or information to their contact at Laboremus, who shall then alert a member of the IT management Team in accordance with the IT Incident process. Events include, but are not limited to, the following:
I. Technology incident: any potentially harmful event that may cause a failure, interruption, or loss in availability to Laboremus’ Information resources.
II. Data incident: any potential loss, theft, or compromise of Laboremus information.
III. Unauthorized access incident: any potential unauthorized access to Laboremus’ information resources.
IV. Facility security incident: any damage or potentially unauthorized access to a Laboremus owned, leased, or managed facility.
V. Policy violation: any potential violation of this or other Laboremus policies, standards, or procedures.
Personnel should not purposely engage in activities that may:
I. Harass, threaten, impersonate, or abuse others.
II. Degrade the performance of Laboremus Information resources.
III. Deprive authorized Laboremus personnel access to a Laboremus Information resource.
IV. Obtain additional resources beyond those allocated; or
V. Circumvent Laboremus computer security measures.
Personnel should not download, install, or run security programs or utilities that reveal or exploit weaknesses in the security of a system. For example, personnel should not run password cracking programs, packet sniffers, port scanners, or any other non-approved programs on any Laboremus Information resource.
All inventions, intellectual property, and proprietary information, including reports, drawings, blueprints, software codes, computer programs, data, writings and technical information, developed by Laboremus are the property of Laboremus.
Personnel are expected to cooperate with incident investigations, including any state investigations.
Personnel are expected to respect and comply with all legal protections provided by patents, copyrights, trademarks and intellectual property rights for any and all software and/or materials viewed, used, or obtained using Laboremus information resources.
Access to information is based on a “need to know”.
Personnel are permitted to use only those network and host addresses issued to them by Laboremus and should not attempt to access any data or programs contained on Laboremus systems for which they do not have authorization or explicit consent.
All remote access connections made to internal Laboremus networks and/or environments must be made through approved, and Laboremus-provided, Virtual Private Networks (VPNs).
Personnel should not divulge any access information to anyone not specifically authorized to receive such information, including IT support personnel.
Personnel must not share their personal authentication information, including:
i. Account passwords
ii. Personal Identification Numbers (PINs)
iii. Security Tokens
iv. Multi-factor authentication information
v. Access cards and/or keys
vi. Digital certificates
vii. Similar information or devices used for identification and authentication purposes.
Access cards and/or keys that are no longer required must be returned to physical security personnel.
Lost or stolen access cards, security tokens and/or keys must be reported to physical security personnel as soon as possible.
All personnel are required to maintain the confidentiality of personal authentication information.
Any group/shared authentication information must be maintained solely among the authorized members of the group.
All passwords, including initial and/or temporary passwords, must be constructed, and implemented according to the following rules:
i. Must meet all requirements according to Laboremus’ Password Policy to conform to the following standards:- contain at least three of the five following character classes:
(a) Lowercase characters
(b) Uppercase characters
(e) Special characters
And contain at least eight to fifteen alphanumeric characters.
ii. Must not be easily tied back to the account owner by using known information such as social security numbers, nicknames, relative’s names, birth dates, etc.
iii. Must not be the same passwords used for non-business purposes.
Unique passwords should be used for each system, whenever possible.
User account passwords must not be divulged to anyone. Laboremus support personnel and/or contractors should never ask for user account passwords.
If the security of a password is in doubt, the password should be changed immediately.
Personnel should not circumvent password entry with application remembering, embedded scripts or hard coded passwords in client software.
Security tokens must be returned on demand or upon termination of the relationship with Laboremus, if issued.
Personnel should log off from applications or network services when they are no longer needed.
Personnel should log off or lock their workstations and laptops when their workspace is unattended.
Confidential or internal information should be removed or placed in a locked drawer or file cabinet when the workstation is unattended and at the end of the workday if physical access to the workspace cannot be secured by other means.
File cabinets containing confidential information should be locked when not in use or when unattended.
Physical and/or electronic keys used to access confidential information should not be left on an unattended desk or in an unattended workspace if the workspace itself is not physically secured.
Passwords must not be posted on or under a computer or in any other physically accessible location.
Copies of documents containing confidential information should be immediately removed from printers and fax machines.
Personnel should use approved encrypted communication methods whenever sending confidential information over the internet.
Confidential Information transmitted through mail services must be secured in compliance with Laboremus’ Data Security Policy.
Only authorized cloud computing applications may be used for sharing, storing and transferring confidential or internal information.
Information must be appropriately shared, handled, transferred, saved and destroyed, based on the information sensitivity.
Personnel should not have confidential conversations in public places or over insecure communication channels, open offices and meeting places.
Confidential information must be transported either by an employee or a courier approved by IT management.
All electronic media containing confidential information must be securely disposed of.
Auto-forwarding electronic messages outside the company internal systems is prohibited.
Electronic communications should not misrepresent the originator or Laboremus.
Personnel are responsible for the accounts assigned to them and for the actions taken with their accounts.
Accounts must not be shared, without prior authorization from the Laboremus IT Management Team.
Employees should not use personal email accounts to send or receive confidential information.
Any personal use of Laboremus-provided emails should not:
i. Involve solicitation
ii. Be associated with any political entity
iii. Have the potential to harm the reputation of Laboremus
iv. Forward chain emails
v. Contain or promote anti-social or unethical behavior
vi. Violate local or international laws or regulations.
vii. Result in unauthorized disclosure of confidential information.
viii. Or otherwise violate any other Laboremus policies.
Personnel should only send confidential information using approved secure electronic messaging solutions.
Personnel should use caution when responding to, clicking on links within, or opening attachments included in electronic communications.
Personnel should use discretion in disclosing confidential or internal information in automated responses, such as employment data, internal telephone numbers, location information or other sensitive data.
All hardware must be formally approved by IT management before being connected to Laboremus networks.
Software installed on Laboremus equipment must be approved by IT management and installed by Laboremus IT personnel.
All Laboremus assets taken off-site should be physically secured at all times.
Employees should not allow family members or other non-employees to access Laboremus Information resources.
The internet must not be used to communicate confidential or internal information unless the confidentiality and integrity of the information is ensured and the identity of the recipient is established.
Use of the internet with Laboremus networking or computing resources must only be used for business-related activities. Unapproved activities include, but are not limited to:
i. Recreational games
ii. Streaming media
iii. Personal social media
iv. Accessing or distributing pornographic or sexually oriented materials
v. Attempting or making unauthorized entry to any network or computer accessible from the internet.
vi. Or otherwise violate any other Laboremus policies.
Access to the internet from outside the Laboremus network, using a Laboremus owned computer must adhere to all of the same policies that apply to use from within Laboremus facilities.
The use of a personally owned mobile device to connect to the Laboremus network is a privilege granted to employees only upon formal approval of IT management.
All personally owned laptops and/or workstations must have approved virus and spyware detection/protection software, along with personal firewall protection, installed and active.
Mobile devices that access Laboremus email must have a PIN or other authentication mechanism enabled.
Confidential Information should only be stored on devices that are encrypted in compliance with Laboremus’ encryption standard.
Confidential Information should not be stored on any personally owned mobile device.
Theft or loss of any mobile device that has been used to create, store, or access confidential or internal information must be reported to the Laboremus IT Management team immediately.
All mobile devices must maintain up-to-date versions of all software and applications.
All personnel are expected to use mobile devices in an ethical manner.
Jail-broken or rooted devices should not be used to connect to Laboremus information resources.
In the event that there is a suspected incident or breach associated with a mobile device, it may be necessary to remove the device from the personnel’s possession as part of a formal investigation.
All mobile device usage in relation to Laboremus information resources may be monitored, at the discretion of Laboremus IT management.
Laboremus IT support for personally owned mobile devices is limited to assistance in complying with this policy.
Use of personally owned devices must be in compliance with all other Laboremus Policies.
Laboremus reserves the right to revoke personally owned mobile devices use privileges in the event that personnel do not abide by the requirements set forth in this policy.
Personnel must badge in and out of access-controlled areas. Piggy-backing, tailgating, door propping and any other activity to circumvent door access controls are prohibited.
Visitors accessing card-controlled areas of facilities must be accompanied by authorized personnel at all times.
Eating or drinking is not allowed in data centers. Caution must be used when eating or drinking near workstations or information processing facilities.
Laboremus may log, review and otherwise utilize any information stored on or passing through its information resources.
Systems Administrators, Laboremus IT, and other authorized Laboremus personnel may have privileges that extend beyond those granted to standard business personnel. Personnel with extended privileges should not access files and/or other information that is not specifically required to carry out an employment related task.
The use of removable media for storage of Laboremus information must be supported by a reasonable explanation.
All removable media use must be approved by Laboremus IT prior to use.
Personally owned removable media use is not permitted for storage of Laboremus information.
Personnel are not permitted to connect removable media from an unknown origin without prior approval from Laboremus.
Confidential and internal Laboremus information should not be stored on removable media without the use of encryption.
All removable media must be stored in a safe and secure environment.
The loss or theft of a removable media device that may have contained any Laboremus information must be reported to Laboremus.
All new personnel must complete an approved security awareness training session prior to, or at least within 30 days of, being granted access to any Laboremus Information resources.
All personnel must be provided with and acknowledge they have received and agree to adhere to the Laboremus Information Security Policies before they are granted access to Laboremus Information resources.
All personnel must complete the annual security awareness training.