Definitions
- “User(s)” means the employee(s) of Chillibreeze who have access to Chillibreeze SharePoint site where documents are stored.
- “IT Team” means Chillibreeze IT Team.
- “Document(s)” means all types of Microsoft Office files, Adobe files, video files, audio files, images etc.
- “Team Lead” means the Chillibreeze staff authorized to access the SharePoint site from outside the premises.
- “Customers” means Chillibreeze clients who send projects to Chillibreeze.
- “Site(s)” means Chillibreeze SharePoint site(s) created by Chillibreeze to store documents.
- “Recipient(s)” means Chillibreeze clients who send projects to Chillibreeze.
Policy Compliance
Compliance Measurement: The IT Team will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions: Any exceptions to this policy must be approved by the IT team in advance.
Non-Compliance: An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
1. Purpose of the Policy
Chillibreeze is committed to a policy of protecting the rights and privacy of data and confidential information belonging to both employees and customers. The policy applies to all staff of Chillibreeze. Any breach of the data protection policy is an offense, and, in that event, disciplinary procedures will apply.
As a matter of good practice, every member of staff at Chillibreeze is expected to have read and complied with this policy.
2. Scope
This policy refers to all employees and job candidates at Chillibreeze.
It applies to all files that Chillibreeze receives from customers. This includes files received as email attachments or via file transfer tools such as Dropbox, WeTransfer and Box, as well as completed files that Chillibreeze team members have worked on.
3. SharePoint Data Encryption
Purpose
This policy is intended to establish the requirements for the application of encryption to documents and tools as a means of protecting the confidentiality, integrity, and availability of Chillibreeze and customers’ data and information.
Scope
The policy covers the application of encryption to documents stored in the SharePoint site.
Policy
Chillibreeze does not implement any document encryption tool/application for documents in its SharePoint site.
Microsoft has implemented tools/applications for encryption of data stored in SharePoint at the data center. Microsoft SharePoint stores data on disks with BitLocker encryption and secures traffic in transit with HTTPS (HTTP over SSL/TLS).
Information Rights Management options allow us to further encrypt and control access to sensitive data. This allows users to restrict permission to access or open any document. This lets users set access permissions to help prevent sensitive information from being printed, forwarded, or copied by unauthorized people. Only the authorized recipient will be able to access or open the document. This option is not mandatory. This applies only on customers’ request.
Office 365 complies with data protection clauses such as the EU Model Clauses, the Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA), and the Federal Information Security Management Act (FISMA), which raises the security standard that SharePoint provides for our files.
4. Data Loss Prevention
Purpose
This policy is intended to help Chillibreeze comply with business standards by protecting sensitive information in documents and preventing its inadvertent disclosure. The type of sensitive information could include Debit Card Number, Passport Number, Social Security Number and Credit Card Number.
Scope
The policy applies to all documents located in SharePoint sites and Exchange Online.
Policy
Data Loss Prevention (DLP) leverages a content analysis engine to scan the contents of documents and identify sensitive information such as Debit Card Numbers, Passport Numbers, Social Security Numbers and Credit Card Numbers. Upon detection of data of a sensitive nature, this policy notifies the users with an email and policy tips and sends an incident report to the administrator at Chillibreeze. This prevents the accidental sharing of sensitive information with external users of the SharePoint site.
Responsibilities
- The IT Team assigns the DLP policy to the SharePoint sites where documents are located.
- The IT team will monitor the report weekly. Upon receiving an alert on incidents, the IT Administrator will take required action such as to block or unblock sharing of files.
- Users who work with or have access to sensitive information are to stay compliant with Chillibreeze DLP policies.
- Policy tips notification or warning will appear when the users are working with content that conflicts with a DLP policy. Upon receiving this, users are to make sure they are aware of the sensitive content before sharing the files.
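The following is an added illustration of the DLP content-analysis step described in this section; it is not Microsoft's DLP engine and not Chillibreeze code. It scans a constructed sample document for two of the sensitive information types named above (card numbers, validated with the Luhn checksum so that random digit runs are not flagged, and US Social Security Numbers in the 3-2-4 form), masks the matches, and returns the policy-tip text and incident report that the policy says are produced when such content is about to be shared externally. Passport numbers have no single checkable format, so they are left out here. The function and field names are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One sensitive-information match inside a document (example type, not a Microsoft API)."""
    info_type: str  # e.g. "Credit Card Number" or "Social Security Number"
    value: str      # matched text exactly as it appears in the document
    offset: int     # character offset of the match in the document


# Card PAN (credit or debit): 13-16 digits with optional space or dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN, 3-2-4 form; excludes area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def scan_document(text: str) -> list[Finding]:
    """Content analysis: regex candidates, then checksum validation for card numbers."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):
            findings.append(Finding("Credit Card Number", m.group(), m.start()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("Social Security Number", m.group(), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def mask(value: str) -> str:
    """Keep only the last four digits so reports do not re-expose the data."""
    digits = [c for c in value if c.isdigit()]
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def evaluate_share(doc_name: str, text: str, external_recipients: int) -> dict:
    """Policy decision: block external sharing of sensitive content, show a policy
    tip to the user and raise an incident report for the administrator."""
    findings = scan_document(text)
    if not findings:
        return {"document": doc_name, "action": "allow", "findings": []}
    types = sorted({f.info_type for f in findings})
    return {
        "document": doc_name,
        "action": "block" if external_recipients > 0 else "allow",
        "findings": [f"{f.info_type}: {mask(f.value)}" for f in findings],
        "policy_tip": f"This item contains sensitive information ({', '.join(types)}). "
                      "Check the content before sharing it externally.",
        "incident_report": {
            "document": doc_name,
            "external_recipients": external_recipients,
            "matches": len(findings),
        },
    }


# Constructed sample document; the card numbers are well-known test values, not real accounts.
SAMPLE_DOC = (
    "Constructed sample for testing, not real data.\n"
    "Invoice settled with card 4111 1111 1111 1111 on file.\n"
    "Rejected card 4111 1111 1111 1112 (fails checksum, not a real PAN).\n"
    "Applicant SSN 219-09-9999 recorded for onboarding.\n"
    "Order reference 20240001 ships next week.\n"
)

if __name__ == "__main__":
    print(evaluate_share("invoice.docx", SAMPLE_DOC, external_recipients=1))
```

Run as a script it reports a blocked share with two masked findings; the Luhn-invalid number and the eight-digit order reference are not flagged, which is the difference between a checksum-validated detector and a plain digit-run regex.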
5. SharePoint site access control using Microsoft Device management
Purpose
This policy is intended to make sure only compliant devices are allowed to access SharePoint, emails and other Office 365 services and apps.
Scope
The policy applies to all users who are granted access to SharePoint for uploading and downloading documents.
Policy
Users having access to SharePoint sites where documents are stored are assigned a Microsoft Enterprise Mobility + Security E3 license, which includes Microsoft Intune. The IT Team creates a policy in Microsoft Intune to manage devices using the conditional access feature, and users accessing SharePoint are assigned this policy. The policy allows SharePoint and other Office 365 services to be accessed, via browser or apps, only from managed and compliant devices. Non-compliant devices will not be able to access SharePoint or any other Office 365 apps. This prevents unauthorized access to the Chillibreeze SharePoint site and other Office 365 services from unknown or non-compliant devices.
For devices to be compliant with the policy, they need to be enrolled in Microsoft Intune with the approval of both the Team Lead and the IT Team.
Responsibilities
- The IT Team creates a policy for Device Management.
- The IT Team enrolls devices only for users who have been approved to access SharePoint sites and other Office 365 services.
- The IT Team will monitor the conditional access compliance report weekly.
- Access to SharePoint sites, from compliant devices located outside premises, is granted only to the Team Lead and the IT Team. No other user will be granted access.
6. SharePoint site access control using SharePoint permission level
Purpose
This policy is intended to control the access that employees at Chillibreeze and customers have to SharePoint sites. Only users working with a specific customer are granted access to that customer's SharePoint site. With permission levels, Chillibreeze can control who may edit, view and share documents.
Scope
This policy covers all users in Chillibreeze and customers who have access to SharePoint sites.
Policy
Users in Chillibreeze with access to a SharePoint site are assigned a permission level to edit the site. This permission level allows users to perform actions such as uploading and downloading files, deleting files, creating or deleting folders, sharing files and folders, syncing files/folders, editing files online/offline, and editing and managing the SharePoint site content and appearance. The site owner's role with full control access is given only to the IT Team. Approval of access requests from both internal and external users is also controlled by the IT Team.
Customers are assigned the Contribute role, which permits them to upload and download files, delete files, create or delete folders, share files and folders and edit files online/offline.
Responsibilities
- The IT Team is responsible for creating SharePoint sites and assigning permissions to users and customers based on the policy.
- The IT Team is responsible for onboarding customers to the SharePoint site. The IT Team will onboard customers who do not have an Office 365 account as guest users to access SharePoint.
- Users can share files or folders with customers. For access to sites, users need approval from the IT Team.
- On resignation or termination of employment, or when users move to another role in the company, all permissions to SharePoint sites will be terminated immediately, within the period of the notice received.
7. Documents Backup and Retention
Purpose
The purpose of the policy is to control the backup and retention process and period for the documents in SharePoint.
Scope
Backup and retention policies are applied to documents in SharePoint sites and on the devices that team members use.
Policy
No manual system is implemented for backing up documents. All documents will be stored in the SharePoint site and will be assigned to the SharePoint backup and retention policy defined by Chillibreeze.
The retention period is defined by the retention policy created by the IT Team. The retention policy retains documents for 3 years from the date created. Documents older than 3 years are permanently deleted from the SharePoint sites by the policy.
Responsibilities
- The IT Team creates a retention policy for every SharePoint site where documents are stored.
8. Sharing Documents using SharePoint
Purpose
This policy has been implemented in order to inform and educate Chillibreeze users and customers about the purpose of using SharePoint to share large documents (documents larger than 20 MB).
Scope
This policy applies to all users at Chillibreeze.
Policy
Users at Chillibreeze may share documents via SharePoint only for documents with a file size larger than 20 MB. This is to prevent attachments from going undelivered when the recipient's email server policy limits files over 20 MB.
For customers already onboarded (i.e. access to SharePoint has been completed) in the Chillibreeze SharePoint directory, files can be shared in two ways:
- Using the guest link: Here the users can create a link to the file and set an expiry date for the link. Users send the link to the customers via an email. By clicking on the link, customers can download the document directly without being directed to the site. Both users and customers should take precautions when using this method of sharing as anyone with access to this link will be able to access and download the document if the link has not exceeded its expiration date.
- Direct access to the folder to download/upload documents: For customers having Office 365 accounts, they can easily onboard to the Chillibreeze SharePoint site by accepting an invitation received from the Chillibreeze IT Team.
For customers without an Office 365 account, the IT Team will provide access by onboarding them as guest users to SharePoint. This is a very simple process in which the IT Team sends the customer an invitation and onboarding guidelines.
Once the customers can access the folder/SharePoint site, they can upload and download documents based on the privileges and permission levels set.
Responsibilities
- The IT Team is responsible for onboarding customers to the SharePoint site.
- The IT Team is responsible for educating users and customers on how to share documents safely from SharePoint.
- Users shall strictly abide by the policy of sharing documents.