CISOfy Handbook

Your first day and beyond

It is a great pleasure that you joined our company. As with every activity, the start is usually the most difficult part. This handbook describes where and how to start. It will guide you through your first day and the many days following.

Discovered something that is unclear? A typo? Or some other feedback? Create a pull request and become a crucial part of this handbook.

Values

Be awesome

Be the best person you can be. That starts with being good for yourself, our customers, partners, team members, and community.

Transparency

Our customers, partners, and colleagues should be able to rely on our work and word. Being open is important, which is also the reason this handbook is available to the world. Although we have confidential data, our way of working should be transparent.

Ethics and integrity

We expect ethical behavior from every employee of CISOfy. This means you won't do activities that harm others on purpose. Every action you take, from development to sales, should be tested against the common beliefs of what is ethical. For this same reason we expect employees to have a high level of integrity. This applies to both your professional and private activities. Do those things that are good for society, help others where needed, and don't make other people feel less important than yourself. Fraud and unethical behavior can result in direct termination of your contract.

How we think about security

Security is in our blood. For this reason we limit the amount of data we have access to, and share only the very minimum with others, while still being able to do our jobs. If you feel that security is too paranoid for you, or really restricts you in your work, speak up and discuss it with your manager. Otherwise there are no exceptions for sloppy behavior. We expect all employees to know the security policy. We might perform security tests and test your team, your manager, or you.

Workplace

There is no reason to have your desk cluttered with papers and other stuff. The human brain works best when things are structured and ordered. For this reason a clean desk helps you focus on the right things, keeping distractions to a minimum.

Communications

Currently our main communication channels are email and direct calls (via Hangouts, Skype, or phone). Because we discuss development and possibly sensitive details, other communication channels cannot be used.

Email

For email usage the rule is simple: use only the official address you received. No personal accounts or servers are approved for communications with other employees and contractors. Use your work email address for business, your private email address(es) for private matters.

Productivity

Results

We care about achievements: the improvements to documentation, your code, or helping out a customer with a phone call. It is not the hours you put into it, but what you achieve.

Flexible time

Each individual has a different set of skills and capabilities. We allow flexible work times to give everyone the opportunity to achieve maximum potential from a single day. For this reason we don't have fixed office times.

Even with flexible timing we expect everyone to be responsive to direct team members. Each team has the flexibility to divide the workload.

Meetings

For all internal meetings:

  • Be there 5 minutes before start of meeting
  • Maximum time of a meeting is 45 minutes
  • Agenda should be available at least 24 hours before meeting
  • The agenda should contain points of discussion and expected outcomes
  • No agenda = no meeting
  • One person will take meeting notes

Meetings with customers, partners, and suppliers can take any amount of time. This allows for questions and for the fact that the other party may not be familiar with our strict rules. In any case, take meeting notes and send out an agenda when we are the organizing party.

Confidentiality

All information received (internally and externally) is considered confidential by default. If you want to allow documents to be used by the general public, mark them as public. This applies only to non-sensitive information. Always use personal judgement to determine whether marking something public is warranted.

Exception: the website is public by default and does not have to be marked as such. The website however can't serve any confidential data.

Travel

Travelling can be a joy or a pain. Check first with your manager what we can do regarding travelling and accommodations like hotel nights.

Handling Data

Among the most precious assets of each company are people and data. Together they can provide a business advantage. That is why we consider each piece of data a delicate thing that needs to be treated correctly. When dealing with data, from orders to log events, keep it internal and confidential by default. Store data only when really needed, and destroy it as soon as possible when it no longer has value.

When possible, mark sensitive data as 'confidential'. Also mark 'public' data, like a presentation you give at a conference, as such. All data that is not marked should be treated as confidential.

See the security policy for more details.