This CyberSecurity policy is for our employees, subcontractors, vendors and partners. This CyberSecurity policy protects both Athens Group’s and our clients’ data and technology infrastructure.
This policy applies to all Athens Group Service surveyors, subcontractors, interns, vendors, and anyone else who has approved access to Athens Group Service’s systems, software and hardware.
Further information is available in Athens Group Service’s policies and procedures, cloud-based application usage instructions, training, and online knowledgebase.
Client’s Confidential Data
Client confidential data includes:
- Requests for proposal and invitations to tender
- Project data including agreed billing rates
- Project deliverables
- Specific asset data
- Equipment vendor data specific to assets and projects
- Data identifying customer or project personnel
- Any other data marked as confidential by the client
Athens Group Service’s Confidential Data
Athens Group Service’s confidential data includes:
- Financial information
- Employee personnel data
- Subcontractor personnel data
- Customer data
- Data about partners
- Data about vendors
- Business and market plans
- Patents, formulas or new technologies
- Any other data marked as confidential by Athens Group Services
Device Security – Using personal devices
Logging in to any Athens Group Services or client accounts with personal devices such as mobile phones, tablets, or laptops can put client and Athens Group Service’s data at risk. Athens Group Services does not recommend accessing any Athens Group Services data from personal devices. Surveyors and subcontractors are obligated to keep their devices in a safe place, not exposed to anyone else.
We audit surveyors and subcontractors for compliance with these best practices:
- Keep all electronic devices’ passwords secured and protected
- Log in to Athens Group Service’s and clients’ accounts only through safe networks
- Install security updates as they become available
- Install antivirus software updates as they become available
- Don’t ever leave your devices unprotected and exposed
- Lock your computers when leaving your work area
Device Security – Personal Laptop Waiver
There is only one personal computer waiver process, and the waiver must be approved by the Athens Group Services Chief Security Officer (CSO). The waiver is allowed ONLY when a critical client need is identified; for example, a client requires a top drive expert in the Arctic within the next 24 hours and there is not enough lead time to ship an Athens Group laptop to the subcontractor. The waiver is granted and acknowledged via email among the project manager, the subcontractor and the CSO. The waiver email will contain the following:
This waiver is granted to subcontractor ________________________, for project _____________________, beginning on _______________, and scheduled to end on ______________, for client ______________________. It has been determined by Athens Group Services CSO, that subcontractor _____________________ may use their own personal laptop for this identified project. During the period of this contract, subcontractor ____________________ personal laptop will be treated as if it was an Athens Group Services laptop and be subject to all internal processes so identified in the governing subcontractor PSA.
Email Security
Emails can carry scams or malicious software (for example, worms, bugs, etc.). To avoid virus infection or data theft, our policy is for employees to:
- Abstain from opening attachments or clicking any links from unknown senders
- Always check email addresses and names of senders
- Search for inconsistencies
- Avoid “clickbait”, e.g. offers of prizes, advice, pornography, free anything, etc.
If anyone on the Athens Group Services mail system is not sure whether an email received, or any type of data, is safe, IMMEDIATELY contact the CSO.
Managing Passwords
To protect the passwords for your Athens Group Services and client accounts, use these best practices when setting up passwords:
- If two-factor authentication is available, always use it!
- At a minimum, use 8 characters containing capital and lower-case letters, numbers and symbols
- Do not write down a password and leave it unprotected
- Do not exchange credentials
- Change passwords every 6 months
Transferring Data
Data transfer outside the Athens Group Services and clients’ networks is one of the most common ways cybercrimes happen. Follow these best practices when transferring data outside secured networks (e.g. your hotel, Starbucks, public WiFi):
- Use a Virtual Private Network on your devices
- Avoid transferring confidential data listed above
- Adhere to local personal data protection laws
Working On Customer Sites
The majority of Athens Group Service’s engagements are on customer sites and assets. When accessing Athens Group’s applications and client networks, all CyberSecurity policies apply. There are no exceptions.
Disciplinary Action
When best practices and Athens Group Service’s policy are not followed, disciplinary actions take place. Disciplinary actions are covered in Employee and Subcontractor employment agreements covering Athens Group Service’s policies and procedures.