How can we help you?
Our latest footprints
LAB3 Acceptable Use
Version 36 | Effective 30 January 2022
It goes without saying, technology is one of the most valuable resources in our business. The appropriate use of this technology is not only essential to the day-to-day running of our business, but to our client’s. Keeping our technology safe, secure, and operational is also critical to build trust and instil confidence with our existing and potential clients.
The inappropriate use of our technology could expose LAB3 to risks including virus and malicious software attacks, theft and unauthorised disclosure of information, disruption of systems and services or litigation.
The purpose of this policy is to provide you with clear guidance on the appropriate, safe, and legal way in which you can make use of our IT systems and IT equipment to ensure:
They are secure
Our network is operating at optimal efficiency levels
Users are protected from access to or distribution of inappropriate information, material, or data.
LAB3‘s Information Security policies have been broken down into categories to make it easier for you to find relevant information quickly and easily within Confluence.
Confidential Information means all information in any form which relates to the current or future business, interests, or affairs of LAB3 and/or its clients including but not limited to all technical, operational, trade secrets, intellectual property, licences, client lists, know-how, financial, business or restricted information, including any information which is marked as, or is by its nature, confidential and any other information the disclosure or use of which may be detrimental to the interests of LAB3 or of any other person who has provided it to LAB3 on a confidential basis.
Includes, but is not limited to, Local Area Networks (LANs), Wide Area Networks (WANs), Wireless Area Networks (WLANs), switchers, routers, cameras, Microsoft Cloud (eg Azure, M365 etc), IaaS, PaaS, SaaS, Intranet, Internet, electronic mail (email), computer systems, software, servers, and any other IT related systems and applications owned and/or leased by LAB3 or a client.
Includes desktop computers, laptops, mobile phones, iPad/tablets, headsets, USB memory sticks, 3/4/5G dongles and any other IT related equipment that have been provided to you by LAB3 and/or a client.
It also includes any BYO device registered to a LAB3 or client network.
Includes but is not limited to data, information (irrespective of format), images, video clips, audio recordings etc.
When using LAB3 Systems and LAB3 Equipment, the following principles apply:
Only use LAB3 Systems and LAB3 Equipment in a manner which is lawful, ethical, and efficient.
Always respect the rights and property of others, including privacy, confidentiality, and intellectual property.
Never do anything that will compromise the integrity and security of LAB3 Systems and LAB3 Equipment.
All LAB3 Systems and LAB3 Equipment and any software, applications developed or purchased on them including any LAB3 or LAB3 client information remains the property of LAB3 and must not be used, copied, distributed or borrowed without LAB3’s authorisation.
The following activities are, in general, prohibited. They are by no means exhaustive but attempt to provide a framework for activities which fall into the category of unacceptable use. When using LAB3’s Systems and LAB3 Equipment you must not use them:
For private business, advertising or performing work for personal gain or profit
For political activities, such as promoting a political party / movement, or a candidate for political office, or campaigning for or against government decisions
To knowingly misrepresent LAB3
To transmit Confidential Information outside LAB3 unless the information has been encrypted and transmission has been authorised by your LAB3 line manager
To create, view, download, host or transmit Material of a pornographic or sexual nature or which may generally be considered offensive or obscene and could cause offence to others on the grounds of race, creed, gender, sexual orientation, disability, age or political beliefs
To retrieve, create, host or transmit Material which is defamatory
For any activity that would compromise the privacy of others
For any activity that would intentionally cause disruption, corruption or destruction to systems or networks belonging to LAB3 or others
For any activity that would intentionally compromise the security of LAB3 Systems and LAB3 Equipment, including the confidentiality and integrity of information and availability of resources (i.e., by deliberately or carelessly causing computer virus and malicious software infection)
For the installation and use of software or hardware tools which could be used to probe or break LAB3 Systems, LAB3 Equipment or security controls
To gain access to LAB3 Systems or information belonging to the LAB3 or others which you are not authorised to access
For creating or transmitting “junk” or “spam” emails. This includes but is not limited to unsolicited commercial emails, jokes, chain-letters or advertisements
For any activity that would cause harm to LAB3 or constitute a criminal offence, give rise to a civil liability, or otherwise violate any law.
On completing the LAB3 User Registration Form and with the appropriate approvals, you will be granted access to LAB3 Systems required to carry out the duties of your role. Access may be denied or revoked if there is no legitimate business requirement, if there is a suspected risk to the security or integrity of the environment, or if this policy is not adhered to.
System level and user level passwords must comply with our System Hardening Policy and must be kept confidential to avoid unauthorised access. You must never use another person’s login or password to access LAB3 Systems or LAB3 Equipment. You will be required to change your password at regular intervals, or when prompted to do so by the system.
Access to LAB3 Systems and LAB3 Equipment is also contingent on you ensuring:
You complete the relevant Cyber Security Awareness training on an annual basis.
All mobile and computing devices that connect to LAB3’s network comply with our Enterprise Mobility Policy.
All computing devices are secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less.
That you lock the screen or log off when the device is unattended.
That all LAB3 Systems and LAB3 Equipment are not accessed (including internet access) by persons who are not authorised.
Applications needed in addition to the standard offering, are approved by your Director via a Service Now request.
It is a mandatory requirement that all LAB3 Systems, LAB3 Equipment (excluding BYO devices) and Material be returned to LAB3 no later than the last day of your employment with LAB3. Employees will have all access to LAB3 Systems revoked and any BYO devices deregistered from the Company Portal no later than their last day of employment with LAB3.
Privileged access (if granted) enables you to take actions that may affect LAB3’s Systems or the accounts, files, data or processes of other users. Privileged access is typically granted to system administrators, network administrators, or other users whose job requires special privileges over LAB3’s Systems.
If you are granted privileged access, you must:
Respect the rights of system users and respect the integrity of LAB3’s Systems
Not browse another user’s files, directories or email unless authorised to do so by the Chief Information Security Officer, Chief Executive Officer or the Chief Operating Officer.
Not use privileged access accounts to create temporary files or directories for your personal use.
Not make changes related to your own accounts.
The classification of data helps us determine what baseline security controls are appropriate for safeguarding that data. LAB3 applies the following data classification principals:
Data generated within LAB3 about LAB3 Systems which is for internal LAB3 consumption is classified as LAB3 SENSITIVE, unless declassified by a member of the LAB3 Senior Leadership Team.
Data generated by LAB3 users for clients will have the classification assigned to it by the client’s system owner.
Data generated within LAB3 about client systems which is for internal LAB3 consumption is classified as COMMERCIAL-IN-CONFIDENCE and requires a need-to-know for any form of dissemination.
At no point are you permitted to process Federal Government rated classified material (UNCLAFFIFIED-DLM, OFFICIAL, PROTECTED, SECRET, TOP-SECRET, CABINET-IN-CONFIDENCE etc) on any LAB3 System or LAB3 Equipment.
Firstly, whenever you use LAB3 Systems and LAB3 Equipment you should not consider that use private. We routinely monitor, log, and record all use of our IT resources for the purposes of helping to trace and resolve technical faults and investigating actual and suspected security breaches and or inappropriate use.
Refer to our Workplace Surveillance Policy for additional detail.
LAB3 Systems and LAB3 Equipment are to be used primarily for LAB3 business-related purposes. You can make use of these resources for occasional personal use provided it:
Is not excessive
Does not interfere with your performance or the performance of others
Does not incur unwarranted expense or liability for LAB3
Does not have a negative impact on LAB3 in any way
Does not involve commercial activities, such as running any sort of private business, advertising or performing work for personal gain or profit
Is lawful and complies with this policy and all other relevant LAB3 policies.
You are not permitted to use client systems and/or equipment (including a network connection) for personal use.
Blogging, whether using LAB3 Equipment, LAB3 Systems or personal computer systems, is also subject to the terms and restrictions set out in this policy. Blogging is acceptable, if it is done in a professional and responsible manner, does not otherwise violate LAB3’s policy and is not detrimental to LAB3’s best interests.
When engaged in blogging, always be aware of and not reveal any Confidential Information or any other material covered by the confidentiality requirements outlined in your Employment Agreement or Independent Contract Agreement.
When engaged in blogging or on social media, attributing personal statements, opinions or beliefs to LAB3 or expressing your beliefs and/or opinions whilst expressly or implicitly representing yourself as an employee or representative of LAB3 is not permitted without the permission of the Chief Operating Officer.
In the course of your work at LAB3, you may have access to privileged or sensitive information. Such information irrespective of the format (e.g., paper, electronic or otherwise) is strictly confidential and must always be safeguarded.
Only software which has the correct and proper licence may be installed and used on any LAB3 Equipment.
Mobile and smart device application software (e.g., apps) must only be downloaded and installed on LAB3 Equipment where there is a valid business reason, and the software adds value to your work. We reserve the right to remove software at any time and for any reason.
LAB3 personnel should ensure that digital information of continuing value remains accessible and usable via one of the following LAB3 owned and approved applications:
LAB3 personnel should also ensure that any non-digital material is reformatted into digital content and that the digital content is accessible regardless of the challenges of media failure and technological change.
All devices and equipment provided by LAB3 remain the property of LAB3. Except for the laptop and mobile phone device (if applicable) assigned to you, you must not remove or borrow our devices or equipment without the authorisation of your line manager.
You must ensure that LAB3 Systems and LAB3 Equipment are always protected and adhere to all our security protocols.
If requested to by us or a client, you must return any LAB3 Equipment in your possession to the appropriate person.
You must take due care when using LAB3 Equipment and take all reasonable steps to ensure that no damage is caused. Immediately report all damaged, lost, or stolen LAB3 Equipment to your line manager.
Always operate a clear screen policy and log off or ‘lock’ your computer when you leave it unattended for any period.
Although LAB3 devices will be ‘locked’ when unattended, if users do not have line of sight vision to their devices, the devices must be locked in a cabinet or carried by the user on their person, especially and at the end of the each working day.
Always operate a clear desk policy and clear your desks of all Confidential Information (irrespective of the format) at the end of each working day or when leaving your workplace for a major part of the day.
When leaving the office all LAB3 Equipment must be physically secured (e.g., locked in a drawer or secured to a desk or some other stationary object using an appropriate locking mechanism) in such a way as to minimise the risk of theft. LAB3 Equipment must not be left unattended when working off-site.
In public places, you need to take precautions to ensure the information on any LAB3 Equipment cannot be viewed by others.
Access to our network domains and network resources is controlled and managed by the Managed Services team.
You must not, without the prior authorisation from the Chief Information Security Officer, connect any IT devices and equipment, laptop, smart device, mobile phone device or removable storage device which belongs to you and is not owned or managed by LAB3 to a LAB3 network unless it is in accordance with our Enterprise Mobility Policy.
Any data and information stored on LAB3 Systems and LAB3 Equipment must not to be distributed or downloaded onto portable devices without the consent of your line manager or Director. Users are strictly prohibited from hosting/storing Confidential Information on any personal device or public cloud (i.e., not owned or leased by LAB3).
Personal music, videos and photos are not to be stored on any LAB3 System or LAB3 Equipment.
Where it is necessary to transfer Confidential Information to third parties, only the minimum amount of information should be transferred as is necessary for a given task to be carried out. Where possible all transfer(s) of this information should take place electronically via secure channels (e.g., secure FTP, TLS, VPN etc) or encrypted email.
In circumstances where electronic transfer is not possible, Confidential Information may be transferred manually using a removable storage device provided the removable storage device or the information is encrypted, as verified by the LAB3 Service Desk or Managed Services Team.
To access LAB3’s data using a BYO device, you must first register your device with the “Company Portal” – the application which authorises your mobile device to access LAB3 data by using certificates.
To maintain high standards of information security, all devices registered with the Company Portal will be monitored by the LAB3 Security Operations Centre and will immediately be deregistered if they become non-compliant.
The Company Portal does not provide access to your personal data on registered devices – it will only control the access to LAB3 applications and their data.
If you work from home or another remote location you must take all reasonable measures to ensure that all LAB3 Systems and LAB3 Equipment are kept secure and are protected against unauthorised access, damage, loss, theft, or computer viruses.
You must also ensure that all:
Work carried out by you on behalf of LAB3 is processed on a LAB3 compliant device
LAB3 data is stored on LAB3 owned and approved applications and not on any other device or application which is your personal property or the personal property of another household member
Computer or laptop devices used by you to work from home have LAB3 approved encryption software installed and approved anti-virus software installed which is kept up to date
Confidential Information which is accessed by you or stored on LAB3 Equipment is always kept secure and confidential
LAB3 Equipment and information is not accessed by members of your family, other household members or visitors
LAB3 Equipment and information (irrespective of the format) is securely locked away when not in use.
Any exception to this policy must be approved by LAB3’s Chief Information Security Officer in advance.
The adherence of this policy is critical to the work we do and the trust our clients place in us. If you violate this policy, you may be subject to disciplinary action, up to and including the termination of your employment.
This policy will be reviewed and updated annually or more frequently, if necessary, to ensure any changes to LAB3’s business practices, legislative and regulatory standards or other matters which could affect this policy are properly reflected in this policy.