Security Policy Document
Last modified: 2nd February 2025
Access Management and Password Policy
- Purpose
- Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset of Benchmark which must be managed with care. All information has a value to the company. However, not all staff require access to all information.
- Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorized use. Formal procedures must control how access to information is granted and how such access is changed.
- The policy describes the registration and de-registration process for all Benchmark systems. These policies apply especially to new starters, leavers and those moving jobs or responsibilities.
- This policy also mandates a standard for the creation of strong passwords, their protection and frequency of change.
- Scope
- This policy applies to employees, contractors, consultants, temporaries, and other workers at Benchmark with any form of access to Benchmark IT infrastructure.
- Policy Statement
- Passwords
- Passwords are the first line of defense for our systems and together with the user ID help to establish that people are who they claim to be. A poorly chosen or misused password is a security risk and may impact upon the confidentiality, integrity or availability of our computers and systems.
- Weak and strong passwords
- A weak password is one that is easily discovered, or detected, by people who are not supposed to know it. Examples of weak passwords include the word "password", phone numbers, dates of birth, names of children and pets, car registration numbers and simple patterns of letters from a computer keyboard.
- A strong password is a password that is designed in such a way that it is unlikely to be detected by people who are not supposed to know it, and difficult to work out even with the help of a computer.
- Everyone must use strong passwords with a minimum standard of:
- At least eight characters.
- Contain a mix of alphabetic, numeric and symbol characters, with at least one of each and at least one capital letter (provided the system allows all options).
- More complex than a single word (such passwords are easier for hackers to crack).
- Passwords must be generated using your LastPass account.
- PINs for mobile devices must be a minimum of 8 digits. Pattern or biometric logins are not permitted.
- Protecting Passwords
- It is of utmost importance that the password remains protected at all times. The following guidelines must be adhered to:
- Never reveal your passwords to anyone.
- Never use the 'remember password' function.
- Never write your passwords down or store them where they are open to theft.
- Store passwords in your LastPass account.
- Never store your LastPass password in a computer system without encryption.
- Do not use any part of your username within the password.
- Do not use the same password to access different systems.
- Do not use the same password for systems inside and outside of work.
- Two Factor Authentication must be used wherever it is available.
- LastPass account master passwords must be changed every year.
- Changing Passwords
- All Benchmark passwords must be changed every 90 days, or whenever a system prompts you to change them. If the password is securely stored in the employee's LastPass account, it need only be changed once a year. Passwords to sites must be changed when prompted to do so. Default passwords must also be changed immediately. If you become aware, or suspect, that your password has become known to someone else, you must change it immediately and report your concern to the IT Manager.
- Users must not reuse a previous password.
- System Administration Standards
- If a system password needs to be reset, the user will contact the administrator. The Administrator will then contact the user to confirm the request is valid. If a Third Party is the administrator, they must additionally contact the office and speak to an IT Manager or Director to confirm the request is valid.
- Records of change requests will be kept by the IT provider or administrator to ensure the process is properly controlled, secure and auditable.
- Role management is operated so that functions can be performed without sharing passwords.
- Generic accounts or shared group user accounts are prohibited.
- If a third-party system supplies only one account for multiple users, the password may be shared securely through the password manager. This must be approved by the Compliance Function.
- Access Management
- User Access Management
- This section details the procedure to ensure authorized user access and to prevent unauthorized access. It covers all stages of the lifecycle of user access, from the initial registration of new users to the final deregistration of users who no longer require access. Each user must:
- Be allocated access rights and permissions to computer systems and data that are commensurate with the tasks they are expected to perform.
- Have a unique login that is not shared with or disclosed to any other user.
- User access rights stored in the Asset Register must be reviewed at regular intervals to ensure that the appropriate rights are still allocated. This will be included in the IT Service Provider's business tool report. System administration accounts must only be provided to users who are required to perform system administration tasks.
- User Registration
- Starting
- A request for access to the Benchmark systems must first be submitted to The IT Manager by a Director via email.
- The request to add a user should detail any other access the user requires, e.g. shared folders, remote access, mobile devices.
- Admin Access
- Admin Access is required for the following:
- Creating new accounts
- Changing settings
- Downloads
- Run Command
- Access to protected files
- Starting and stopping services for applications such as WAMP/LAMP, and editing their configuration files
- Only select users will have admin access. This must be approved by a Director.
- Third-Party Systems (e.g. CRM, HubSpot, LastPass, insurance company websites, etc.)
- Starting
- Business Line Managers are responsible for requesting access to, or creating accounts on, the systems that employees require. The Compliance Function should be notified of any access given. It should be noted whether the user should have basic or admin level access.
- Leaving
- When an employee leaves Benchmark, their access to computer systems and data must be suspended at the close of business on the employee's last working day. It is the responsibility of the Business Line Manager to request the suspension of the access rights via The IT Manager by email. The Business Line Manager will be responsible for checking the employee's emails, documents, OpenVPN, GitLab, Desk profiles and desktop for anything that needs to be kept. All profiles will be deleted within 30 days.
- Third-Party Systems (e.g. CRM, HubSpot, insurance company websites, etc.)
- Business Line Managers are responsible for suspending accounts or requesting that accounts are suspended by system administrators. The Compliance Function should be notified of any changes to access given or changes to access level.
- All integrated user profiles (GitLab, OpenVPN, Facto HR, Zoho Desk, etc.) must be terminated within 15 days.
- It must also be checked whether the leaver holds any credentials for accessing client resources; if so, these must be revoked immediately.
- Records
- Records of User Access and Access levels to all systems are stored in the Asset Register.
- User Responsibilities
- It is a user's responsibility to prevent their user ID and password being used to gain unauthorized access to Benchmark systems by:
- Following the Password Policy Statements outlined above.
- Ensuring that any PC they are using that is left unattended is locked or logged out.
- Leaving nothing on display that may contain access information such as login names and passwords.
- Informing The IT Manager or Compliance Function of any changes to their role and access requirements.
- Network Access Control
- Access to the Benchmark network is operated by The IT Manager.
- The normal operation of the network must not be interfered with. Specific approval must be obtained from The IT Manager and authorized by a Director before connecting any equipment to the Benchmark network. Personal devices, such as wireless access points and mobile phones, must not be connected to the network or to the computer systems.
- Remote access must be strictly controlled and encrypted (i.e. via a Virtual Private Network (VPN)). Remote access to the Benchmark network is made through a secure VPN administered by The IT Manager.
- An application must be made to The IT Manager by a Director. Remote access to the network must be secured by a username and password in line with the above policy. Separate VPN user profiles are required for firewall and cloud service access.
- Supplier’s Remote Access to Benchmark Network
- Partner agencies or third-party suppliers must not be given details of how to access the Benchmark network without permission from The IT Manager or the Compliance Function. Any changes to supplier connections must be immediately sent to The IT Manager so that access can be updated or ceased. All permissions and access methods must be controlled by The IT Manager.
- Partners or third-party suppliers must contact the IT Manager before connecting to the Benchmark network, and a log of activity must be maintained. Remote access software must be disabled when not in use.
- Operating System Access Control
- Access to operating systems is controlled by a secure login process. The access controls defined in the User Access Management section and the Password Policy above must be applied. The login procedure must also be protected by:
- Not displaying any previous login information, e.g. username.
- Limiting the number of unsuccessful attempts and locking the account if the limit is exceeded.
- Hiding password characters behind symbols as they are typed.
- Displaying a general warning notice that only authorized users are allowed.
- Permitting no direct root / admin login to the Linux or Windows servers.
- All access to operating systems is via a unique login id that will be audited and can be traced back to each individual user. The login id must not give any indication of the level of access that it provides to the system (e.g. administration rights).
- System administrators must have individual administrator accounts that will be logged and audited. The administrator account must not be used by individuals for normal day to day activities.
- Roles and Responsibilities
- The IT Manager and Management will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the Compliance Function.
- Exceptions
- Any exception to the policy must be approved by The IT Manager and the Compliance Function. To request an exception, please forward a change request to support@benchmarkit.solutions
- Non-Compliance
- An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Acceptable Usage Policy
- Purpose
- The purpose of this policy is to outline the acceptable use of computer equipment at Benchmark Holdings and its subsidiaries. These rules are in place to protect the employee and Benchmark Holdings and its subsidiaries. Inappropriate use exposes the company to risks including virus attacks, compromise of network systems and services, data breach incidents and legal issues.
- Scope
- This policy applies to the use of information, electronic mobile and computing devices, and network resources to conduct Benchmark business or interact with internal networks and business systems, whether owned or leased by Benchmark Holdings and its subsidiaries, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at Benchmark are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with Benchmark policies, and local laws and regulation.
- This policy applies to employees, contractors, consultants, temporaries, and other workers at Benchmark including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Benchmark.
- Policy Statement
- General Use and Ownership
- Benchmark data stored on electronic and computing devices, whether owned or leased by Benchmark Holdings and its subsidiaries, the employee or a third party, remains the sole property of Benchmark Holdings and its subsidiaries. You must ensure through legal or technical means that information is protected in accordance with our Data Protection Policy.
- You have a responsibility to promptly report the theft, loss or unauthorized disclosure of Benchmark proprietary information, equipment or confidential information.
- You may access, use or share Benchmark data only to the extent it is authorized and necessary to fulfill your assigned job duties.
- Benchmark equipment such as personal computers, laptops and mobile devices is for company use only. It must not be used for personal purposes.
- For security and network maintenance purposes, authorized individuals within Benchmark may monitor equipment, systems, network traffic, e-mail, documentation and phone calls at any time.
- Benchmark reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
- Security and Proprietary Information
- System level and user level passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
- All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 5 minutes or less. You must lock the screen or log off when the device is unattended.
- PCs must be turned off when leaving the office, and laptops must be turned off when in transit.
- Laptops that are removed from the office must be kept with the staff member or in their home or in the locked safe at a hotel.
- Employees must use extreme caution when opening email attachments received from unknown senders, which may contain malware.
- Unacceptable Use
- The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting services).
- Under no circumstances is an employee of Benchmark authorized to engage in any activity that is illegal under local, IN or international law while utilizing Benchmark owned resources.
- The lists below are by no means exhaustive but attempt to provide a framework for activities which fall into the category of unacceptable use.
- System and Network Activities
- The following activities are strictly prohibited, with no exceptions:
- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Benchmark Holdings and its subsidiaries.
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Benchmark or the end user does not have an active license is strictly prohibited.
- Accessing data, a server or an account for any purpose other than conducting Benchmark business, even if you have authorized access, is prohibited.
- Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
- Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
- Using a Benchmark computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws.
- Making fraudulent offers of products, items, or services originating from any Benchmark account.
- Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
- Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
- Circumventing user authentication or security of any host, network or account.
- Introducing honeypots, honeynets, or similar technology on the Benchmark network.
- Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, by any means, locally or via the Internet/Intranet/Extranet.
- Providing information about, or lists of, Benchmark employees or clients to parties outside Benchmark.
- The Internet Content Filter automatically blocks content such as, but not limited to: pornography, chat/instant messaging, social media, malware, and freeware software downloads.
- Email and Communication Activities
- When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company". Questions may be addressed to the IT Department.
- Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
- Any form of harassment via email, telephone or messaging, whether through language, frequency, or size of messages.
- Unauthorized use, or forging, of email or letter head.
- Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
- Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
- Use of unsolicited email originating from within Benchmark networks or those of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by Benchmark or connected via the Benchmark network.
- Blogging and Social Media
- Whether or not an employee chooses to create or participate in a blog or other form of online publishing is at their own discretion, provided that it is done in a professional and responsible manner, does not otherwise violate Benchmark policy and is not detrimental to Benchmark's best interests.
- Benchmark’s Data Protection policy also applies to blogging. As such, Employees are prohibited from revealing any confidential or proprietary information, trade secrets or any other material covered by the company’s Data Protection policy when engaged in blogging.
- Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of Benchmark and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by Benchmark's Bullying and Harassment Policy.
- Don’t cite or reference colleagues, customers, suppliers, etc. without their approval.
- Employees may also not attribute personal statements, opinions or beliefs to Benchmark when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of Benchmark Holdings and its subsidiaries. Employees assume any and all risks associated with blogging.
- Benchmark's trademarks, logos and any other Benchmark intellectual property may also not be used in connection with any blogging activity.
- Please be aware that should an employee or customer contact us regarding anything that is written or displayed which they feel is objectionable or inflammatory, or should the company become aware of any written or displayed work-related matters, we will investigate the matter under the appropriate policy, and disciplinary action up to and including dismissal may follow.
- Roles and Responsibilities
- The IT Manager and Management will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the Compliance Function.
- Exceptions
- Any exception to the policy must be approved by The IT Manager and the Compliance Function. To request an exception, please forward a change request to support@benchmarkit.solutions
- Non-Compliance
- An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
E-mail Policy
- Purpose
- The purpose of this email policy is to ensure the proper use of the Benchmark email system and make users aware of what Benchmark deems as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within the Benchmark Network. The Policy is also intended to outline how emails should be retained and for how long.
- Scope
- This policy covers appropriate use of any email sent from a Benchmark email address and applies to all employees, vendors, and agents operating on behalf of Benchmark. The policy also covers the retention of emails.
- Policy Statement
- All use of email must be consistent with Benchmark policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
- Benchmark email accounts should be used for Benchmark business-related purposes; personal communication is not permitted. Non Benchmark related commercial uses are prohibited.
- All Benchmark data contained within an email message or an attachment must be secured according to the Data Protection Policy.
- Email should be retained only if it qualifies as a Benchmark business record. Email is a Benchmark business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
- Email that is identified as a Benchmark business record shall be retained as follows:
- E-mails regarding a client should be exported to the relevant policy/claim on the CRM system.
- Any other emails that need to be kept should be saved in the relevant shared drive folder using reverse Gregorian date format (year-month-day).
- E-mails can be deleted from Outlook after confirming they have been saved on the CRM/shared drive.
- E-mails saved in the CRM/shared drive will be dealt with as per the retention schedule.
- The Benchmark email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any Benchmark employee should report the matter to their supervisor immediately.
- Users are prohibited from automatically forwarding Benchmark email to a personal e-mail system.
- Users are prohibited from using personal email systems and storage servers to conduct Benchmark business, to create or memorialize any binding transactions, or to store or retain email on behalf of Benchmark. Such communications and transactions should be conducted through proper channels using Benchmark approved documentation.
- Sending chain letters or joke emails from a Benchmark email account is prohibited.
- Benchmark employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
- Benchmark may monitor messages without prior notice.
- Roles and Responsibilities
- The Compliance Function and Data Protection will verify compliance with this policy through various methods, including but not limited to periodic checks, monitoring, business tool reports, internal and external audits, and feedback to the board.
- Non-Compliance
- An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Software Installation Policy
- Purpose
- The purpose of this policy is to outline the requirements around installation of software on Benchmark devices, in order to minimize the risk of loss of program functionality, the exposure of sensitive information contained within the Benchmark network, the risk of introducing malware, the risk of a data breach, and the legal exposure of running unlicensed software.
- Scope
- This policy applies to all Benchmark Holdings or its subsidiaries employees, contractors, and vendors. This policy covers all computers, servers, smartphones, tablets and other computing devices operating within Benchmark Holdings and its subsidiaries.
- Policy Statement
- Employees may not install software on Company devices operated within the company network.
- Software requests must first be approved by the requester's manager and then be made to the IT Manager via email.
- Software must be selected from an approved software list, maintained on the Asset Register, unless no selection on the list meets the requester's need. Software not on the approved list must be approved by a Director and the Compliance Function.
- The system administrator will obtain and track the licenses, test new software for conflict and compatibility, and perform the installation.
- License Details will be kept on the Asset Register and details provided to the Compliance Function.
- Roles and Responsibilities
- The IT Manager will verify compliance with this policy through various methods, including but not limited to periodic checks, monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
- Exceptions
- Any exception to the policy must be approved by The IT Manager and the Compliance Function. To request an exception, please forward a change request to support@benchmarkit.solutions
- Non-Compliance
- An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Antivirus and Web Control Policy
- Purpose
- The purpose of this policy is to provide guidelines to staff to help prevent virus/malware problems.
- Scope
- This policy applies to all Benchmark employees, contractors, vendors and agents with Benchmark-owned mobile devices. This policy covers all computers, servers, smartphones, tablets and other computing devices operating within Benchmark GG.
- Policy Statement
- Staff Guidelines
- Never open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your Trash.
- Delete spam, chain, and other junk email without forwarding.
- Never download files from unknown or suspicious sources.
- Never click on a link in an email from unknown or suspicious sources.
- Be vigilant about which websites you visit.
- If you receive an email from a contact but you are unsure of the attachment or link, please contact them by phone to verify it is legitimate.
- If you are unsure regarding an email or website, please consult the IT Manager without forwarding the mail.
- If you suspect the anti-virus software is not running correctly on your computer, please contact the IT Manager.
- Antivirus and Firewall Monitoring
- Anti-virus protection is run, updated and monitored by the IT Manager through Tata WatchGuard EndPoint Security.
- Notifications of any attacks or suspicious activity will be sent to the IT Manager, who will investigate.
- Any issues will be reported to Benchmark as soon as possible.
- Issues must be corrected within 24 hours.
- Details of Monitoring will be included in the quarterly audit report to Benchmark.
- Categories of Websites Blocked or Allowed through Web Control are cataloged by the IT Manager and reported in the quarterly audit report to Benchmark.
- Roles and Responsibilities
- All employees are responsible for being vigilant regarding suspicious emails, files or websites.
- The IT Manager will verify compliance with this policy through various methods, including but not limited to periodic checks, monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
- Non-Compliance
- An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Asset Management Policy
- Purpose
- The purpose of this policy is to maintain appropriate protection on Computer and Mobile Assets.
- Scope
- This policy covers the following elements:
- Physical Assets
- End user devices:
- Desktop personal computers, all-in-one desktops, laptops, etc.
- Other portable computing devices, including tablets, PDAs and smartphones
- Infrastructure:
- Servers
- Network devices, e.g. routers, switches, hardware firewalls, etc.
- Software Assets
- Software is included where it is installed on infrastructure components and is (or may be) separately licensed. This includes, but is not limited to, operating systems, database and application software.
- Policy Statement
- Asset Life Cycle
- Asset Acquisition
- Purchase of new assets must be approved by a Director.
- Installation
- All authorized equipment must be fully and comprehensively evaluated, tested, assessed for fitness of purpose, hardened to security standards and formally accepted by the users before being transferred to the live environment.
- Disposals and Recycling
- All data and configuration settings (including User Ids and passwords) must be permanently deleted prior to disposal.
- Hard drives must be low-level formatted and overwritten seven times before transfer for disposal.
- Devices that contained data will be destroyed and certificates of destruction sought. Approved destruction company: ShredIt.
- Rights of Use - Software Licensing
- Approval of software license agreements must be given by a Director.
- Purchasing documentation (including executed contracts) relating to software must be filed and retained in perpetuity to provide a historical record and evidence of prior licensing arrangements, including evidence of entitlement to current versions of software based on an upgrade path. (Please provide to compliance function)
- Software license certificates must be retained in a secure environment. (Please provide to compliance function)
- Asset Register
- All assets covered under the scope above (owned and leased) must be captured on the appropriate Asset Register.
- All such assets must have an identified custodian and named owner, captured in the asset register, and be tracked throughout their lifecycle. Where the custodian has been granted administrative access to the asset, this must also be recorded.
- The serial number, asset tag, Name, Make, Model, Operating system, purchase date and warranty details for all such assets should be recorded on the Security Asset Register.
- Quarterly checks of the hardware and software installed will take place to ensure that the asset register is an accurate reflection of the physical installations. This should be included in the Business Tools Report from The IT Manager.
- Assets owned by Benchmark Holdings or its subsidiaries may only be disposed of with the agreement of a Director.
- When such assets are disposed of, the Asset Register must be updated to show that IT equipment / hardware has been decommissioned and the method of its disposal (the asset must not simply be deleted from the register).
- Roles and Responsibilities
- The IT Manager will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the compliance function.
- Exceptions
- Any exception to the policy must be approved by the IT Manager and the Compliance Function. To request an exception, please forward a change request to support@benchmarkit.solutions
- Non-Compliance
- An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Incident Response Policy
- Purpose
- The purpose of this policy is to establish the requirement that all staff are responsible for reporting any suspicious activity to management. Benchmark's IT Manager is responsible for reporting suspicious activity in business tools reports and escalating any urgent issues immediately. This ensures that management has all the necessary information to formulate a successful response should a specific security incident occur.
- Scope
- This policy applies to all Benchmark staff and Benchmark's service providers.
- Policy Statement
- All staff are responsible for reporting any suspicious activity or e-mails to management as per the Acceptable Usage Policy and Data Protection Policies.
- Non-urgent security issues are to be included by Benchmark's IT Service Provider in the regular business tools reports to Benchmark Management.
- Urgent issues should be brought to the attention of senior management and the compliance function immediately upon discovery.
- Benchmark's Cyber Insurers should be notified as early as possible where necessary; they will coordinate investigation, emergency prevention and recovery in the event of a cyber incident. Benchmark's IT Manager and Application Providers will also coordinate data recovery as per our Backup Policy.
- If the incident involves a data breach, please follow the procedures in the breach notification policy.
- Roles and Responsibilities
- Benchmark Holdings and Management will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the compliance function.
- Non-Compliance
- An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
IT Change Management Policy
- Purpose
- The purpose of this policy is to outline the requirements around IT changes on Benchmark devices, in order to minimize the risk of loss of program functionality, the exposure of sensitive information held within the Benchmark network, the risk of introducing malware and the risk of a data breach.
- Scope
- This policy applies to all Benchmark Holdings or its subsidiaries employees, contractors, and vendors.
- This policy covers all computers, servers, smartphones, tablets, software, Web and Email Control and other computing devices operating within Benchmark Holdings and its subsidiaries.
- Policy Statement
- Employees may not change control policies on any hardware or software within the company network.
- Software requests must first be approved by the requester's manager and then be made to the IT Manager via email as per the Software Installation Policy.
- Change Requests can be made by emailing support@benchmarkit.solutions. If the change request is in line with the Company Policy and Approved lists, the change will be made and confirmed by email.
- If the change request is not in line with Company Policy or on an Approved List, the change must be approved by Management and the Compliance Function.
- Details of all changes must be maintained on the Asset Register, including the date of the request, the requestor, the staff the change applies to, details of the changes made, the approver (if required) and the reason for approval.
- Roles and Responsibilities
- Benchmark's IT Manager will verify compliance to this policy through various methods, including but not limited to, periodic checks, monitoring, business tool reports, internal and external audits, and feedback to the Compliance Function.
- Exceptions
- Any exception to the policy must be approved in advance by the Compliance Function and Management (whichever is more appropriate for the situation). To request an exception, please forward a change request to support@benchmarkit.solutions
- Non-Compliance
- An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Remote Access Policy
- Purpose
- The purpose of this policy is to protect Benchmark electronic information from being inadvertently compromised by authorized personnel using a dial-in connection.
- Scope
- The scope of this policy is to define appropriate dial-in access and its use by authorized personnel.
- Policy Statement
- Benchmark employees and authorized third parties (vendors) can use dial-in connections to gain access to the corporate network. Dial-in access for vendors should be strictly controlled, using one-time password authentication. Our IT Manager and Applied Systems are the only authorized vendors for remote access.
- It is important that employees remain vigilant of potential social engineering and verify any request to access Benchmark data and systems.
- It is the responsibility of employees with remote access privileges to ensure a dial-in connection to Benchmark is not used by non-employees to gain access to company information system resources. An employee who is granted remote access privileges must remain constantly aware that remote connections between their location and Benchmark are literal extensions of Benchmark's corporate network, and that they provide a potential path to the company's most sensitive information. The employee and/or authorized third party individual must take every reasonable measure to protect Benchmark assets.
- Authorisation for a Remote Access Account must be given by a Director in line with the Access Management Policy.
- Roles and Responsibilities
- All employees are responsible for maintaining vigilance regarding access to Benchmark network.
- Non-Compliance
- An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Backup Policy
- Purpose
- The purpose of this policy is to document the backup and recovery procedures for systems used by Benchmark.
- Scope
- This policy covers the following systems:
- G-Suite email services.
- Please note that backups for CRMs and other systems are as per the suppliers' procedures.
- Policy Statement
- Back Ups
- G-suite email services.
- G-Suite Files are synchronized almost instantaneously into Google Cloud. Data at rest is in the IN. Data centers are located in Ireland.
- Ongoing Reports
- Microsoft 365 and Sharepoint.
- Synchronized files show a green tick mark. If this is not happening, it should be reported immediately to the IT Manager for investigation and rectification.
- Recovery
- G-suite Workspace and Documents.
- Deleted files are kept for 30 days to enable recovery.
- Deleted files can be restored from the G-Suite admin portal.
- Recovery Tests
- Individual File Recovery Testing
- Each quarterly test includes a recovery of individual files. For this test, the IT Manager selects several files at random (files that have not been modified since the most recent backup) to restore from the most recent backup. The checksums of the restored files are compared to the originals; inability to restore all of the files, or any difference in a checksum, is noted as a failure.
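The quarterly file recovery test above can be made repeatable and evidence-producing with a small script. The following is an added example, not part of the original policy or of any Benchmark tooling: it picks a random sample of files not modified since the backup timestamp, records their SHA-256 checksums before the restore, and then checks the restored copies, reporting a missing file or a checksum mismatch as a failure. The directory layout, file names and backup timestamp in `demo()` are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import os
import random
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def select_unmodified_since(root: Path, backup_time: float, n: int,
                            seed: int | None = None) -> list[str]:
    """Randomly pick up to n files under root whose mtime is not after the
    most recent backup (the policy's 'not modified since the backup' rule).
    Paths are returned relative to root; sorting first makes the seeded
    sample reproducible for the audit record."""
    eligible = sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime <= backup_time
    )
    return random.Random(seed).sample(eligible, min(n, len(eligible)))


def build_manifest(root: Path, files: list[str]) -> dict[str, str]:
    """Record each selected file's checksum before the restore is attempted."""
    return {rel: sha256_file(root / rel) for rel in files}


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, str]:
    """Compare restored files against the manifest.
    Returns {relative path: reason} for every failure; an empty dict is a PASS."""
    failures: dict[str, str] = {}
    for rel, expected in manifest.items():
        restored = restored_root / rel
        if not restored.is_file():
            failures[rel] = "missing after restore"
            continue
        actual = sha256_file(restored)
        if actual != expected:
            failures[rel] = f"checksum mismatch: expected {expected[:12]}, got {actual[:12]}"
    return failures


def demo() -> dict[str, str]:
    """Constructed scenario (hypothetical files and timestamp): four files exist,
    one was edited after the backup and so is excluded from the sample; of the
    three sampled, the restore returns one intact, one corrupted, one not at all."""
    with tempfile.TemporaryDirectory() as tmp:
        orig = Path(tmp) / "original"
        restored = Path(tmp) / "restored"
        contents = {
            "policy.docx": b"asset policy v3",
            "reports/q1.xlsx": b"q1 figures",
            "notes.txt": b"meeting notes",
            "draft.txt": b"edited after the backup",
        }
        for rel, data in contents.items():
            p = orig / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        backup_time = 1_700_000_000  # constructed timestamp of the most recent backup
        for rel in contents:
            os.utime(orig / rel, (backup_time - 3600, backup_time - 3600))
        os.utime(orig / "draft.txt", (backup_time + 60, backup_time + 60))

        sample = select_unmodified_since(orig, backup_time, n=3, seed=1)
        manifest = build_manifest(orig, sample)

        # Simulated restore: policy.docx intact, q1.xlsx truncated, notes.txt absent.
        (restored / "reports").mkdir(parents=True)
        (restored / "policy.docx").write_bytes(contents["policy.docx"])
        (restored / "reports" / "q1.xlsx").write_bytes(b"q1 figures (trunc")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo()
    print("PASS" if not result else "FAIL")
    for rel, reason in sorted(result.items()):
        print(f"  {rel}: {reason}")
```

Keeping the manifest (sample list plus checksums, taken before the restore) with the quarterly test record is what lets an auditor confirm the test was done against unmodified files and not re-hashed after the fact.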
- Full System Recovery Testing
- At least once per year, The IT Manager conducts a full system (bare metal) recovery of a backup target. A new Virtual Machine is created, restored fully from the most recent backup of the target, and then tested for completeness of the restore and functionality of the system after restoration.
- Testing After Backup System Changes
- After any change, upgrade or update to any component of the backup system, including hardware, software or operating system of the backup server, a recovery test is performed. This test includes restoring from backups made prior to the change, as well as conducting a test backup and restore using the new configuration.
- Roles and Responsibilities
- The IT Manager will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the compliance function.
- Non-Compliance
- An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
- Policy Review