Asset Management

This policy applies to all employees and contractors.

Asset Management

All assets must be inventoried. An asset is anything of value to Rocket.Chat (e.g. information itself, a device, intellectual property). We maintain a list of all devices and all software in use, including the additional information relevant to each type of asset. The main list may point to sublists for particular asset classes (e.g. virtual machine inventories, mobile device lists); such sublists must be referenced from the main list. The effort spent maintaining a detailed record of an asset should correspond to the criticality of that asset. Assets must be returned to Rocket.Chat when their owner leaves the organization. Ownership of an asset and the risks associated with it are tracked separately, so that risk mitigation can be addressed across assets rather than within the boundaries of a single asset.

The lists of assets can be found here.

Acceptable Use

This section covers the general acceptable use of equipment, systems, the internet, etc. when you use them in a capacity for Rocket.Chat. Additional, device-type-specific policies are presented in the following sections.

Applicability:

This policy applies to assets provided by Rocket.Chat, and to assets you provide yourself and use in the name of Rocket.Chat. Assets include Internet-, intranet- and extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, web browsing, and FTP. It does not apply to, for example, the use of your private internet connection at home when you are not working for Rocket.Chat.

Acceptable Use:

Assets must primarily be used for business purposes, in serving the interests of the company and of our clients and customers in the course of normal operations. You are responsible for exercising good judgement about what is a reasonable level of personal use. Personal use may never endanger the objectives of our policies (e.g. through actions listed as unacceptable use).

Unacceptable Use:

The following are examples of unacceptable use:

  • Violations of the law or of the rights of any person or company, e.g. copyrights, patents, trademarks.

  • Accessing data, a server or an account for any purpose other than conducting company business.

  • Exporting technology in violation of international or regional export control laws.

  • Introducing malicious programs into the network or onto a server.

  • Revealing your account password to others or allowing others to use your account. This includes family and other household members when work is being done at home.

  • Making express or implied statements about warranty, unless this is part of your normal job duties.

  • Causing security breaches or disruptions of network communication, e.g. port scanning or security scanning.

  • Circumventing the user authentication or security controls of any host, network or account.

Exceptions to the items listed under unacceptable use apply when the behaviour in question is expressly part of your job duties (e.g. performing vulnerability scanning) or when you have prior authorization from senior management.

Enforcement:

For security and network maintenance purposes, authorized individuals within Rocket.Chat may monitor equipment, systems and network traffic at any time. This includes equipment that you privately own but use for business purposes. Rocket.Chat reserves the right to audit networks and systems periodically to ensure compliance with this policy. If additional software needs to run on a system or device for these purposes, you must facilitate its installation and must not interfere with its intended function.

Device & Portable Storage Security

Our general policy is that everyone is responsible for securing their own workstation. We do not enforce group policies, software whitelisting, or similar central controls. This means that you yourself must take correspondingly greater care to secure your workstation.

General

Applicable to all devices:

  • Keep your workstation in a secure environment (e.g. a locked room or building).

  • Always lock your workstation screen when leaving it.

  • Store all important or sensitive information on network drives (e.g. GSuite) rather than only on the local disk.

  • Keep your antivirus and antimalware protection up to date at all times, with daily definition updates.

  • Update your operating system and local software to the latest version as soon as it becomes available.

  • Run a full anti-malware scan at least monthly.

  • In case of a virus/malware warning, run a full scan and resolve all findings.

  • Use only software and operating systems that still receive security updates from their vendors.

  • Do not install software that could cause security risks (e.g. software not obtained from official app stores). You are responsible for determining whether software you are about to install poses a security risk.

  • Limit your privileges to what is necessary (e.g. do not run programs with administrator privileges that do not need them).

  • When decommissioning a workstation, securely wipe it with DBAN or an alternative (e.g. a factory reset; note that a factory reset only reliably removes data when the device's storage was encrypted) before using it in another way (e.g. selling it).

Mobile Device Specifics

  • Install at least one authenticator app to allow for multifactor authentication.

  • Do not use jailbroken or rooted devices.

  • Do not store business information outside of apps (e.g. in the download folder). Instead, keep information inside the native apps and use the in-app browser to view and modify it.

Portable Storage

Portable storage (e.g. USB sticks, external HDDs) creates additional risks, especially to the availability of information, and is easily lost or stolen. For this reason portable storage is generally not allowed to be used for Rocket.Chat information. You may use portable storage in limited circumstances when you have custody of the device (e.g. you own it) and it is used:

  • For non-sensitive purposes (e.g. marketing material to be shared with a customer on a USB stick)

  • For encrypted backups of your workstation

  • To extend the storage of your mobile devices

Portable storage that you acquire used or not directly from a vendor (e.g. a gift you received, a lost-and-found device) may never be connected to your devices and should be returned or destroyed, because it could be infected with malware that survives a wipe (e.g. malware in the device's controller firmware). Instead of portable storage, you should always prefer shared network resources (e.g. GSuite).