
Publication Summary

Title Online Collaboration Policy
Author(s) Alessandro Cardinali
Issued by CEO

Version doc. 0.1
Review freq. Yearly

Date of issue December 11, 2023
Owner CEO/Founder
Document status Draft – Final Draft - Final
Approval Date n/a
Classification Internal

Change Log

Version Date Author Comments
0.1 October 23, 2023 Olaf Jacobson First draft document

Table of Contents

Publication Summary

1 Introduction

1.1 Purpose of this document

1.2 Areas of the standard addressed

2 Online collaboration policy

2.1 Use of collaboration tools

2.2 Virtual meetings

Monitoring of collaboration tools

Introduction

Partly driven by the impact of global events such as the COVID pandemic, online collaboration tools have become vital for communicating both internally and with customers and suppliers. However, because of their flexibility and general availability, their use carries several significant risks, and all users must remain vigilant and adopt good practice when using them.

Online collaboration tools cover real-time video and audio conferencing systems that may be used for virtual meetings, webinars and other forms of communication in which the attendees are not physically in the same room. For the purposes of this policy, this includes (but is not limited to):

  • Microsoft Teams

  • Slack

  • Zoom

  • GoToMeeting

  • Confluence

  • Huddle

  • Trello

  • Monday.com

This policy document tells you how you may use the online collaboration tools provided by Soon, including what you must and must not do. It applies to all use of these facilities whatever the means or location of access, for example via mobile devices or outside the office.

If you do not understand the implications of this policy or how it may apply to you, you should approach your line manager in the first instance.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon systems.

The following policies and procedures are relevant to this document:

Purpose of this document

This document sets out the responsibilities of the employee regarding their use of online collaboration tools, including video conferencing.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

  • A.5 Organizational controls

  • A.5.1 Policies for information security

  • A.5.10 Acceptable use of information and other associated assets

  • A.5.14 Information transfer

Online collaboration policy

Use of collaboration tools

Only collaboration tools provided by Soon may be used to share and discuss organization information. The use of non-approved tools is prohibited.

Creation of a group (such as a team in Microsoft Teams) must only be carried out by an authorised administrator. Creation of sub-groups (such as channels in Microsoft Teams) may be delegated as part of business processes but must only be carried out in accordance with documented procedures.

Membership of a sub-group must be managed by the creator, with due regard to the classification of information that will be shared within it.

All messages sent within approved collaboration tools remain the property of Soon and are considered to be part of the corporate record.

The installation and use of apps within collaboration tools is subject to the Soon Software Policy, and only authorised apps may be used.

The organization maintains its legal right to monitor and audit the use of collaboration tools by authorised users to assess compliance with this policy. This will be done in accordance with the provisions of relevant legislation.

Virtual meetings

When arranging virtual meetings, take care to ensure that only those invited are able to attend the meeting. This may require the use of special links, or meeting passwords or PINs. A lobby feature may be used to verify the authenticity of attendees if appropriate.

If participating in a virtual meeting whilst in a public place, be aware of the possibility of the audio being overheard and the video overlooked by members of the public or unauthorised persons. Classified information must not be discussed in these circumstances.

In general, meetings should not be recorded by default. In the event that a meeting is to be recorded, this fact must be stated before recording begins. Recordings of meetings containing classified information must be appropriately protected in line with the relevant classification. Recordings of meetings (such as webinars) that are to be published to publicly accessible media sharing sites (such as YouTube) must not contain personal information. If a recording does contain personal information, the lawful basis of the information processing must be established and, if appropriate, consent given and recorded by those affected (the data subjects) in accordance with relevant privacy legislation.

Care must be taken to ensure that the settings for the meeting are appropriate to the intended purpose, for example, muting of attendees, visibility of meeting chat and participants and screensharing ability.

Where video is used during a meeting (for example via a webcam), care must be taken to ensure that no classified information is revealed by accident, for example on a whiteboard or flipchart within view. Where appropriate, approved digital background effects that blur or replace the surroundings may be used.

When screensharing, take care that classified or personal information is not inadvertently shown when swapping between screens or applications, for example email or private chat.

Monitoring of collaboration tools

Collaboration tool usage within the organization is monitored and recorded centrally in order to:

  • Plan and manage its resource capacity effectively

  • Assess compliance with policies and procedures

  • Ensure that standards are maintained

  • Prevent and detect crime

  • Investigate unauthorised use

Monitoring will be undertaken by staff specifically authorised for that purpose. Consistent monitoring procedures will be applied to all users and may include checking the contents of messages.

If a manager suspects that collaboration tools are being abused by a user, they must contact the IT Manager. All such reports will be investigated according to documented procedures and where appropriate, evidence provided. There may also be a requirement to provide such information to regulatory or legislative bodies in accordance with the law.