ℹ️ The goal of this document is to explain the importance of security and to encourage you, the reader, to take it on as a personal directive, not just a task you are required to perform because someone told you so. By working together and taking a proactive approach to security, we can ensure that our company remains protected against potential threats.
As the technical support team, it is our responsibility to ensure the security of our company's data and systems, but this task is not our sole responsibility; it is the responsibility of every employee! Security is an essential aspect of any organization and it is the responsibility of every employee to help protect Magic Memories' data and proprietary systems. As Technical Support, we understand that security can sometimes seem like a burden, but it is a necessary part of everyone’s job. By following the guidelines outlined in this security policy, we can all play a role in ensuring the security of our company.
Security is not just the responsibility of technical support; it is everyone's duty to protect the company's sensitive information. Whether you handle confidential data on a daily basis or simply use Magic’s devices and systems, you have a role to play in maintaining the security of our organization. By following best practices and being vigilant about potential threats, we can all work together to protect the company's assets.
In order to maintain the highest level of security, all employees are required to follow the guidelines outlined below:
Do not share login credentials
It is important to keep your login credentials private to protect the security of your accounts and company data. NEVER share login credentials with each other, nor with any member of the technical team.
Why?
Sharing your login credentials with others could allow unauthorized access to sensitive information.
Approved AntiVirus software is mandatory
All company-owned devices are required to have AntiVirus (AV) software installed. As of writing, this software is called BitDefender. This software helps to detect and prevent malware infections that can compromise the security of our devices and networks.
All employees are required to have the approved AntiVirus software installed on their company-owned devices. If you do not have the software installed, please raise a ticket with the IT department for assistance. Please do not install other AV software.
Why?
AV is an automated line of defense against many forms of electronic attacks.
Approved Remote access software is mandatory
All company-owned devices are required to have the remote access software installed. As of writing, this software is ConnectWise Control (formerly ScreenConnect). This software allows the IT department to access the device for potential security threats and to take action to prevent or mitigate any risks. It is also used as a theft deterrent, but cannot be relied upon entirely as a “silver bullet” against theft.
All employees are required to have the remote access software installed on their company-owned devices. If you do not have the software installed, please raise a ticket with the IT department for assistance. The software can be downloaded at u.mmem.co/scdl. Do not install alternative remote software unless directed to by the Technical Support team.
No expectation of Privacy
It is generally accepted that employees do not have a reasonable expectation of privacy when using company-owned equipment. This is because the equipment is provided by the employer and is intended for business use. As a result, employers have the right to monitor and access employee devices for business purposes. It is important to note that employers have a legal obligation to inform employees of their policies and practices regarding the monitoring of employee electronic communications. As of writing, there is no program or procedure in place to actively monitor employees' device use or habits; however, employees should be aware that their company-owned equipment can be accessed by authorized technical support agents at any time. If accessed, a banner will appear at the top of the page with the user’s name. Additionally, the wallpaper will turn black during the period an agent is connected to the remote machine.
In Australia, the Workplace Surveillance Act allows employers to monitor and access employee electronic communications if the monitoring is justified on "workplace grounds" or is necessary to protect the employer's legitimate business interests.
In New Zealand, the Privacy Act allows employers to monitor and access employee electronic communications for business purposes, as long as the monitoring is reasonable and justified.
In the United Kingdom, the Regulation of Investigatory Powers Act (RIPA) allows employers to monitor and access employee electronic communications for business purposes.
In the United States, the Electronic Communications Privacy Act (ECPA) allows employers to monitor and access employee emails and other electronic communications that are sent or stored on company-owned devices.
Why?
Magic Memories has a right to inventory and access assets the company owns.
Do not download or install unauthorized software
Installing unauthorized software on company devices can introduce security risks and may compromise the integrity of our systems.
Why?
By only downloading and installing software that has been approved by the IT department, we can limit the attack vector that software presents and ensure that our devices remain secure.
Do not connect personal devices to the company network
Personal devices may not have the same level of security as company-owned devices and could potentially compromise the security of our network if not properly configured. Only company-owned equipment may be connected to the Magic Memories “MM-Global” network. All other devices must be connected to the MM-Guest network.
Why?
By connecting only approved devices to the network, we can protect the security of our systems and network.
Do not share company data with unauthorized individuals
Sharing company data with unauthorized individuals can compromise the security of our information, potentially harm the company, and can damage our relationships with partners. It is important to only share data with those who are authorized to receive it and to protect the confidentiality of our information.
Why?
All external disclosures should be approved by our legal department to ensure compliance with applicable laws.
Report any suspected security breaches or suspicious activity
If a security breach or suspicious activity is not reported, it can compromise the security of our systems and data. By reporting any suspected incidents, we can take the necessary steps to protect the security of our company.
Why?
Reporting concerns as quickly as possible can help limit the extent of a potential attack.
Use strong and unique passwords
Using strong and unique passwords helps to protect the security of our accounts and devices. Weak passwords can be easily guessed or hacked, which can lead to unauthorized access to company information.
Why?
Easy password means easy access.
Keep your devices secure & up to date
Locking your devices when not in use, logging out of accounts, and keeping software up to date help to protect against unauthorized access to company information.
Why?
Regular software updates ensure that potential vulnerabilities are addressed and patched.
Use caution when opening emails and attachments
All emails from external sources (outside of the Magic Memories email system) are marked with [EXTERNAL]. Additionally, Google marks suspicious messages with a yellow banner, and spam/phishing messages with a red banner. Outlook does not support this additional security method; do not use Outlook or other third-party mailbox services to read your company emails. Opening emails and attachments from unknown sources can expose our devices and systems to malware or phishing attempts.
Why?
By being cautious and only opening emails and attachments from trusted sources, we can help to protect the security of our company from an engineered “way in”.
Report Spam
It is important to report spam emails to the IT department to help protect the security of our systems and data. Spam emails can contain malware or phishing attempts that can compromise the security of our devices and networks. If a message is suspected spam or phishing, do not click on any links or download any attachments in the suspicious email. DO NOT FORWARD ANY SUSPECTED SPAM MESSAGES TO ANYONE, INCLUDING THE TECHNICAL SUPPORT TEAM.
To report a spam email in Google, click on the octagon shape (stop sign) with an exclamation mark inside of it. Read more about How To Identify Phishing Scams.
Protect against social engineering
Social engineering is the use of psychological manipulation or persuasion to influence individuals to divulge sensitive information or perform actions that may not be in their best interest. It is a common tactic used by hackers and cybercriminals to gain access to sensitive information or systems from unsuspecting employees such as yourself.
To protect against social engineering:
Do not give out personal or company information to anyone over the phone, email, or in person unless you know the person.
Be cautious when receiving emails or phone calls from unknown individuals.
Be wary of unusual requests or offers that seem too good to be true.
Communication with a sense of urgency from unknown individuals should be treated as a red flag.
If you suspect that you have been the target of a social engineering attack, report it to Digital Operations immediately.
Confirm authenticity of an individual or request by contacting them directly through a method you trust.
Why?
A user or colleague’s account may have been compromised.