04 · User Guidance Hub
This section contains practical guidance for the situations you actually encounter at work. Each page focuses on a specific scenario — what to look for, what to do, and who to call. The pages here are not policy documents. They are operational guides written for the moment when something is happening or you are about to do something and want to do it correctly.
Bookmark this section. The pages you are most likely to need urgently are [Reporting a Security Incident] and [I've Lost a Device].
Page index
- Phishing and Suspicious Emails
- Travel Security
- Working from Home
- Sharing Data and Documents
- Lost or Stolen Device
- Clear Desk and Clear Screen
- Passwords and MFA
Phishing and Suspicious Emails
What you need to know in one paragraph
Phishing emails are messages designed to look legitimate — from your bank, from Microsoft, from a colleague, from HMRC, from a courier — that try to get you to click a link, open an attachment, or hand over your credentials. They are the most common starting point for serious security incidents, including ransomware attacks that have shut down hospitals and government agencies. You will receive phishing emails. The question is not whether they will arrive in your inbox but whether you will recognise them when they do.
How to spot a phishing email
No single sign makes an email definitely phishing. You are looking for a combination of signals that, together, make you pause before acting.
The email creates urgency or pressure. "Your account will be suspended in 24 hours." "Urgent action required." "You must respond immediately." Urgency is manufactured specifically to make you act before you think. If an email is pushing you to do something right now, slow down.
The sender's address does not match who they claim to be. The display name might say "Microsoft Support" but the actual email address is support@microsoft-helpdesk.ru or m1crosoft.com. Click on the sender's name in your email client to reveal the actual address. Look carefully — attackers use addresses that are almost right. company.co.uk.maliciousdomain.com is not a company.co.uk address.
The email was not expected. A courier notification when you have not ordered anything. An invoice for a service you do not recognise. A password reset for an account you did not try to log into. A voicemail notification from a service you do not use. Unexpected emails that require action are a phishing signal.
Links go somewhere unexpected. Hover your mouse over any link in the email — without clicking — and look at the URL that appears at the bottom of your screen or in a tooltip. If the link text says "Click here to verify your account" but the URL is a string of random characters or an unfamiliar domain, do not click.
The attachment is unexpected or the file type is unusual. An .exe file, a .zip file, a .js or .vbs file, a document that asks you to enable macros, an Office file with macros enabled, a PDF that asks you to run a script or approve something. These are high-risk attachment types, even from senders you recognise.
The tone or content is slightly off. An email from a colleague that does not sound like them. Poor spelling or grammar in an email from an organisation that would normally have professional communications. A senior leader asking you to do something financial via email without any other communication.
It asks for credentials. No legitimate organisation will ask for your password, your PIN, your full bank details, or your MFA codes via email. Ever. If an email asks for these, it is an attack.
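As an added example that is not part of this guidance, the Python script below applies the signals above (display name versus real sender address, lookalike domains such as the m1crosoft.com and company.co.uk.maliciousdomain.com cases, link text versus link destination, urgency wording and high-risk attachment types) to a constructed sample email and reports which ones fire. EXPECTED_DOMAINS stands in for the organisation's real sender allow-list, MULTI_PART_SUFFIXES is a toy stand-in for the Public Suffix List, and every address, domain and file name in the sample is made up.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAINS = {"microsoft.com", "company.co.uk"}  # constructed stand-in for a real allow-list
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended")
RISKY_EXTENSIONS = (".exe", ".zip", ".js", ".vbs", ".docm", ".xlsm")
MULTI_PART_SUFFIXES = ("co.uk", "org.uk", "gov.uk")  # toy stand-in for the Public Suffix List
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")

def registrable_domain(host: str) -> str:
    """Keep only the registered part: company.co.uk.maliciousdomain.com -> maliciousdomain.com."""
    parts = host.lower().rstrip(".").split(".")
    for suffix in MULTI_PART_SUFFIXES:
        n = suffix.count(".") + 1
        if len(parts) > n and ".".join(parts[-n:]) == suffix:
            return ".".join(parts[-(n + 1):])
    return ".".join(parts[-2:])

def is_lookalike(domain: str) -> bool:
    """Near-misses of an expected domain, e.g. m1crosoft.com or microsoft-helpdesk.ru."""
    if domain in EXPECTED_DOMAINS:
        return False
    for expected in EXPECTED_DOMAINS:
        # The brand label appears inside a foreign domain, or the whole string is one edit away.
        if expected.split(".")[0] in domain or SequenceMatcher(None, domain, expected).ratio() >= 0.8:
            return True
    return False

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what the reader sees versus where the link goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_email(raw: str) -> list[tuple[str, str]]:
    """Return (signal, detail) pairs for one RFC 5322 message; an empty list means nothing fired."""
    msg = message_from_string(raw, policy=policy.default)
    signals = []
    name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    if is_lookalike(sender_domain):
        signals.append(("sender_lookalike", sender_domain))
    for expected in EXPECTED_DOMAINS:  # display name claims a brand the address does not carry
        if expected.split(".")[0] in name.lower() and sender_domain != expected:
            signals.append(("display_name_mismatch", f"{name!r} sent from {sender_domain}"))
    subject = str(msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    if any(p in subject or p in html.lower() for p in URGENCY_PHRASES):
        signals.append(("urgency", subject))
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        if href_domain not in EXPECTED_DOMAINS:
            signals.append(("link_unfamiliar", href_domain))
        shown = DOMAIN_IN_TEXT.search(text.lower())  # link text that itself looks like a URL
        if shown and registrable_domain(shown.group(1)) != href_domain:
            signals.append(("link_text_mismatch", f"shows {shown.group(1)}, goes to {href_domain}"))
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            signals.append(("attachment_risky", filename))
    return signals

def build_sample_email() -> str:
    """Constructed phishing-style message: every address, domain and file name here is made up."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Support" <support@microsoft-helpdesk.ru>'
    msg["Subject"] = "Urgent action required: your account will be suspended in 24 hours"
    msg.set_content("Please view this email in an HTML-capable client.")
    msg.add_alternative(
        '<p>Your mailbox will be suspended. <a href="https://company.co.uk.maliciousdomain.com/verify">'
        "Click here to verify your account</a></p>"
        '<p>Or sign in at <a href="https://login.m1crosoft.com/">https://login.microsoft.com/</a></p>',
        subtype="html",
    )
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="Invoice_4471.zip")
    return msg.as_string()
```

Calling `check_email(build_sample_email())` returns six signals for the sample, including both links as unfamiliar destinations and the second link as a text-versus-destination mismatch.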
The anatomy of common phishing types
Credential harvesting: you receive an email saying your account access is about to expire or you need to verify your details. The link goes to a webpage that looks exactly like a Microsoft, Google, or company login page. You enter your credentials. They go to the attacker. You may then be redirected to the real service so you do not notice anything wrong. Your account is now compromised.
Malicious attachment: the email contains an attachment — typically a PDF, an Office document, or a compressed file. When you open it, it either installs malware directly or asks you to enable macros or run a script that then installs malware. The attachment may appear to be an invoice, a delivery notification, a contract, or a CV.
Business email compromise: the attacker has compromised a colleague's or supplier's email account and is sending emails from that real, legitimate address. The emails may ask you to change a bank account number for payments, transfer funds urgently, or send sensitive information. Because the email comes from a real account you know, it bypasses many instincts. If you receive an unexpected financial request via email, verify it by phone before acting — even if the email address is correct.
CEO or executive impersonation: an email appears to come from the CEO, MD, or another senior person asking you to do something quickly and quietly — buy gift cards, transfer money, share a sensitive file. Executives do not typically ask for these things by email. If you receive such a request, call the person directly on a number you already have to verify before doing anything.
Spear phishing: a targeted attack where the attacker has researched you specifically. They may reference your name, your role, your colleagues, your projects, or your location. The email feels highly personal and therefore more credible. The defences are the same — look at the actual sender address, verify links, and never provide credentials or take financial actions based on an email alone.
Exactly what to do when you receive a suspicious email
Step 1 — Stop. Do not click any link. Do not open any attachment. Do not reply.
Step 2 — Report it. Use the phishing report button in your email client. In Outlook this is a button in the Home ribbon — ask IT Operations to show you where it is if you have not used it before. Alternatively, forward the email to [security@organisation.com]. Either method works.
Step 3 — Delete it. After reporting, delete the email from your inbox. Do not leave it there in case you or a colleague accidentally clicks on it later.
Do not forward it to colleagues to warn them. Forward it to the security team, not to people in your contact list. When you forward a phishing email to colleagues, you are doing the attacker's work for them — the email now reaches more potential victims.
Do not investigate it yourself. Do not try to visit the link in a browser to see where it goes. Do not open the attachment in a safe-looking way. The security team has tools to analyse suspicious emails safely. You do not.
If you clicked the link or opened the attachment
If it has already happened — you clicked before you were certain it was phishing — here is what to do.
Tell the security team immediately. Call or email the security team right now. Tell them what happened, what you clicked, what (if anything) you entered, what you saw on screen after clicking, and when it happened. Do not wait to see whether anything bad happens. Report first and let the team investigate.
Do not try to fix it yourself. Do not run an antivirus scan. Do not change your password without being told to by IT Operations (changing your password on a compromised device may mean the new password is also captured). Do not restart the device. The security team may need to forensically examine the device in its current state.
If you entered your password on the page: tell the security team this specifically, as it changes the urgency and the response. They will need to lock your account and reset credentials from a clean device.
Do not be embarrassed. Phishing emails are specifically designed to fool intelligent people who are busy and not expecting an attack. Security professionals click phishing emails. The most important thing is prompt reporting, not how it happened.
The phishing simulation programme
The organisation periodically sends test phishing emails to staff. These are designed to look like real phishing emails. If you click a link in a test phishing email, you will be taken to a training page. This is not a trap and it is not disciplinary. It is a way of measuring and improving the organisation's overall phishing awareness.
The correct response to any suspicious email — whether real or a test — is the same: report it using the phishing report button and do not click any links. If you report a test email as suspicious, that is the correct outcome. If you click a test link and are taken to the training page, read the page and note what signals you missed.
The results of phishing simulations are reviewed by the CISO but are used for programme improvement, not for identifying individuals to discipline.
Quick reference
| Signal | What to do |
|---|---|
| Suspicious email received | Report via phishing button, then delete |
| Unexpected attachment | Do not open — report first |
| Link to unfamiliar URL | Do not click — hover to check, then report |
| Request for credentials | Never provide — report immediately |
| MFA request you did not initiate | Deny it — change password and report |
| Already clicked a link | Report to security immediately — do not wait |
| Already entered credentials | Report urgently — this changes the response |
Travel Security
The security risks of travel
When you travel for work, the routine controls that protect you in the office — the corporate firewall, the secure Wi-Fi, the physical security of the building — are absent. You are working in environments that may be actively hostile: airports, hotels, trains, and conference venues where other people can see your screen, where networks may be compromised, and where devices can be lost, stolen, or tampered with.
This guidance covers domestic and international travel, both business travel and commuting.
Before you travel
Know what is on your device. Before travelling to a high-risk country or a sensitive meeting, speak to the CISO. For travel to countries with elevated intelligence collection risk — including but not limited to China, Russia, Iran, and North Korea — there are specific requirements around what information can be on a travel device. In some cases, a loan device (a clean device with only the information needed for the specific trip) may be required. Ask before you go, not when you return.
Ensure encryption is active. Your company laptop should have full-disk encryption (BitLocker on Windows, FileVault on Mac) enabled and active. If you are not certain, contact IT Operations before travel. An unencrypted device lost in an airport is a data breach. An encrypted device lost in an airport is a lost device.
Know the 24-hour contact for IT Operations. If something goes wrong with your device while travelling — loss, theft, compromise — you will need to reach IT Operations promptly. Have the number saved on your personal phone, not just on the work laptop that may be the thing that has been stolen.
Enable remote wipe on your device. Confirm with IT Operations that your device is enrolled in MDM and can be remotely wiped if necessary. If it is reported stolen, the ability to wipe it remotely is the primary data protection mechanism.
Do not travel with more data than you need. If you are attending a meeting, take only the files needed for that meeting. Do not travel with your full local copy of shared drives. Use cloud access via VPN to retrieve files you need rather than keeping them locally.
Physical security of your device while travelling
Never leave your device unattended in a public space. Not on a seat while you join a queue. Not on a café table while you use the bathroom. Not in a car boot unless it is locked and concealed. Device theft at airports, train stations, and hotel lobbies is common and opportunistic. Devices left on seats or visible in bags invite theft.
At the airport security checkpoint: keep your device in sight at all times. At busy checkpoints, devices can be stolen in the time between placing your bag on the conveyor and reaching the other side of the scanner. If the queue is slow, wait until you can walk through immediately after placing your bag. Be particularly cautious if someone causes a delay at the scanner in front of you — this is a known distraction technique.
In your hotel room: the room safe is better than leaving the device on the desk, but it is not guaranteed security. For extended stays or sensitive travel, consider whether the device should travel with you rather than stay in the room. Never leave CUI-containing devices in the room when you leave for the day without first confirming the room safe is both locked and adequate for the purpose.
On public transport: sit with your back to a wall if possible, particularly on trains. Use a privacy screen (a physical filter that limits who can see your screen from the side). Do not conduct sensitive calls or video meetings in carriages where other passengers can overhear you.
Adapt to your environment. In a private taxi or your own car with windows up, a phone call is reasonably private. In a public space, it is not. In a hotel conference room with doors closed, discussing contract details is reasonable. In a hotel bar with other guests nearby, it is not. Apply common sense to what you say aloud about sensitive topics.
Network security while travelling
Public Wi-Fi is untrusted. Airport Wi-Fi, hotel Wi-Fi, coffee shop Wi-Fi, and conference Wi-Fi are all networks you do not control, whose security configuration you cannot verify, and which may be monitored or manipulated by other users on the same network. Do not access company systems on public Wi-Fi without the corporate VPN.
Always use the corporate VPN when accessing company systems remotely. This is not optional for travel. The VPN encrypts your traffic between your device and the corporate network, protecting it from interception on whatever network you are using. If the VPN is unavailable — the connection is not working, the service appears to be down — contact IT Operations before accessing anything sensitive. Do not assume the problem will resolve itself.
Be cautious with hotel Wi-Fi specifically. Hotel Wi-Fi is a known target for attack. In some cases, attackers set up their own hotspot with a name similar to the hotel's network (the "Evil Twin" attack). Connect to hotel networks only after confirming the exact network name with hotel staff, and always use the VPN once connected.
Avoid public charging points where possible. USB charging points in airports, hotels, and public spaces can be modified to transfer data from devices while they charge — a technique called "juice jacking." Use your own charger plugged into a standard power socket. If you must use a public USB port, use a data-blocking adapter (a USB adapter that passes power but not data). These are inexpensive and available from IT Operations on request.
Be careful with Bluetooth. Keep Bluetooth disabled when not in active use. Bluetooth devices can be discovered and in some cases attacked by nearby devices. Disable it in settings when you do not need it, particularly in public spaces.
Confidentiality while travelling
Shoulder surfing — where someone nearby reads your screen — is a genuine risk on trains, planes, and in waiting areas. Use a privacy screen filter when working on sensitive documents in public. If you do not have a privacy screen filter and are working somewhere visible, either adjust your position to minimise the viewing angle or avoid working on sensitive material until you are in a more private environment.
Sensitive calls in public spaces are a risk regardless of how discreet you feel you are being. People nearby can hear more than you expect. If you receive a call that requires discussing sensitive contract details, customer information, or CUI while you are in public, it is acceptable — and encouraged — to say "I need to call you back when I am somewhere more private" and call back when you are.
Photographs of your screen or your documents can be taken by people nearby without your awareness. In conference environments, be conscious of what is visible on your screen during breaks — a screen left displaying a sensitive document while you leave the table is visible to anyone who walks past.
International travel — additional considerations
Border crossing device inspection: in some countries, customs or border control authorities may request access to your device or may copy its contents without your knowledge. This is a legal reality in some jurisdictions including the United States. If you are travelling to a country where this is a risk, speak to the CISO before travel. Options include travelling with a loan device, removing sensitive content before crossing and downloading it after entry, or using cloud-only access rather than local storage.
Counterfeit hardware and software: purchasing replacement cables, adapters, or storage devices in some overseas markets carries a risk of counterfeit products that may contain compromised hardware. Use only hardware you brought from home or purchased from trusted retail sources. Do not plug borrowed USB drives or adapters from local sources into your company device.
Government-mandated monitoring: in some countries, hotel internet connections and local networks may be monitored by government or intelligence services. Assume that your internet traffic is observable in any country with a significant surveillance capability. The VPN is your primary protection — it encrypts your traffic even in a monitored network environment — but it does not make you anonymous.
What to do if something goes wrong while travelling
Lost or stolen device: call IT Operations immediately on the 24-hour number. They will initiate a remote wipe. Report the loss to local police if theft is involved and obtain a crime reference number. Then call the CISO to assess what data was on the device and whether any breach notifications are required. Full procedure is in [Lost or Stolen Device] below.
Device tampered with or returned from unknown custody (for example, a device that was taken by customs officials and returned, or a device that was left unattended in a hotel room for a period): do not use the device as normal. Contact IT Operations immediately. The device should be forensically reviewed before it is returned to normal use, particularly if it had CUI or OFFICIAL-SENSITIVE content on it.
You cannot connect to VPN: contact IT Operations. Do not access sensitive company systems without it. If your work requires urgent access and VPN is unavailable, use your personal device in a personal capacity to call IT Operations and wait for the issue to be resolved rather than accessing work systems without protection.
You witness or suspect a security incident involving someone else (a colleague has left their laptop unattended in a public space, or you notice someone photographing a screen during a presentation): report it to the CISO. You are not responsible for your colleagues' decisions, but reporting concerns is part of the organisational security culture.
Quick reference — travel security rules
| Situation | Rule |
|---|---|
| Public Wi-Fi | Always use VPN — no exceptions |
| Public USB charging | Use your own charger and power socket |
| Sensitive work in public | Use privacy screen filter |
| Sensitive calls in public | Call back when private |
| Device left in hotel room | Use room safe or take it with you |
| Device at airport security | Keep it in sight at all times |
| Travel to high-risk country | Speak to CISO before travel |
| Device lost or stolen | Call IT Operations immediately, then CISO |
| Bluetooth not in use | Disable it |
| VPN unavailable | Contact IT Operations — do not proceed without it |
Working from Home
Why home working has specific security requirements
When you work from home, you are moving company information and company systems out of the controlled environment of the office into an environment the organisation does not manage. Your home network, your home router, your home physical environment — none of these have the security controls that exist in the office.
This does not mean home working is inherently insecure. It means the security of your home working environment is partly your responsibility in a way that office security is not. The organisation cannot configure your home router on your behalf. It cannot ensure your screen is not visible to someone walking past. It cannot stop your family members from using your company laptop if you leave it unattended. These controls are in your hands.
This page tells you what good home working security looks like and what you specifically need to do.
Your home network
Your router is the gateway. All the traffic between your home network and the internet passes through your home router. A router with default credentials or outdated firmware is a potential entry point. This is not theoretical — home routers have been targeted in campaigns specifically designed to intercept traffic and compromise connected devices.
Change the default admin password on your router. Log into your router's admin interface (instructions are usually on the back of the router or in the documentation) and change the admin password from the default to a strong, unique one. If you do not know how to do this or are unsure whether it has been done, ask IT Operations — they can advise.
Ensure your Wi-Fi uses WPA3 or WPA2 with a strong passphrase. Your Wi-Fi network should be protected by WPA2 or WPA3 encryption with a passphrase that is not the default (the default is usually printed on the router and is widely guessable). Change the Wi-Fi password to something long and not related to your address, your name, or the router manufacturer.
Keep your router's firmware updated. Router manufacturers release firmware updates that patch security vulnerabilities. Many routers will notify you through the admin interface or update automatically. Check that automatic updates are enabled or check for updates manually every few months.
Do not connect company devices to untrusted networks. If a guest in your home is using your Wi-Fi, be aware that they are on the same local network as your company laptop. The VPN protects your traffic to and from the corporate network, but local network exposure is still a consideration. If possible, use a separate guest network for visitors.
The VPN — mandatory for company system access
The corporate VPN is required for all access to company systems from outside the office. This is not a suggestion — it is a policy requirement. The VPN encrypts your traffic between your device and the corporate network, protecting it from observation on your home network or any network between you and the corporate servers.
Connect to the VPN before opening company applications and files. Do not access SharePoint, the file server, your email via Outlook, or any other company resource without first being connected to VPN. Some applications will simply not work without it — this is intentional.
If the VPN is not working: contact IT Operations. Do not access company systems without it. The inconvenience of waiting for the VPN to be fixed is significantly less than the risk of accessing sensitive information over an unprotected connection.
Split tunnelling is disabled. The VPN is configured so that all your internet traffic routes through the corporate network, not just the traffic going to company servers. This means the corporate firewall and web filtering apply to your home working session in the same way they apply in the office. You may notice that personal browsing behaves differently from what you experience on a personal device; this is expected.
Your physical work environment
Your workspace should be private when you are handling sensitive information. The practical standard is: when you are working with Restricted or CUI information — which for many roles is most of the time — your screen should not be visible to people who are not authorised to see that information. This includes family members.
This does not mean you need a dedicated home office with a locked door. It means being aware of who is present and what is on your screen. If you are working at a kitchen table and someone comes into the room, it is appropriate to minimise your screen or turn your laptop away from view if you are working on sensitive content.
For video calls: be aware of what is behind you and what might be audible. Sensitive documents visible on a shelf, a whiteboard with information on it, or a conversation within earshot of household members are all considerations. Use a virtual background if needed to conceal your environment.
A screen privacy filter is available. If your home working involves regular work with sensitive content in a shared space, a physical screen privacy filter limits the viewing angle so your screen can only be seen from directly in front. These are available from IT Operations on request. If you are regularly in a situation where your screen is visible to household members, request one.
CUI on printed paper is a specific concern. Do not print CUI at home unless a cross-cut shredder is available for when the document is no longer needed. Standard household recycling is not an acceptable disposal method for CUI or OFFICIAL-SENSITIVE printed documents. If you must print sensitive documents at home, treat them as you would in the office — lock them away when not in active use and shred them when finished.
Your devices
Only company devices for company work. Do not access company systems, files, or email on personal devices — personal laptops, family computers, tablets that are not enrolled in the company MDM, or phones that are not set up for company access. Personal devices do not have the security controls that company devices have, their patch status is unknown, and any data accessed on them is outside the organisation's data protection and security controls.
Your company laptop is not a family computer. Children and other household members should not use your company laptop. This is both a security policy and a practical protection — a child who accidentally installs something on your company laptop or who browses to an unexpected site creates a real security risk.
Lock your screen when you leave your workstation. Even at home. The household members who should not have access to your work files are a real consideration, and the habit of locking your screen whenever you step away is one of the most effective security behaviours you can maintain. Windows: Windows key + L. Mac: Control + Command + Q.
Do not leave your device where it could be taken. If someone breaks into your home, a visible laptop is a target. When your working day ends, put your company laptop somewhere that is not immediately visible: in a bag, in a drawer, out of sight from windows. This is both physical security and theft prevention.
Smart speakers and voice assistants
Smart speakers and voice assistants (Amazon Alexa, Google Home, Apple HomePod, and similar devices) are designed to be always listening for their wake word. In practice, they sometimes activate in response to conversations that are not addressed to them.
If your home working environment includes a smart speaker and you are making sensitive calls — particularly calls involving CUI, contract details, or any information that is Restricted or above — either move to a room without the device or disable it for the duration of the call. This is not paranoia; it is a straightforward precaution against an ambient recording risk.
The company's home office security checklist (completed annually) asks whether smart speakers are present in your work area. This is why.
Video calls and online meetings
Join from a private space where possible. If a meeting involves sensitive content — a contract discussion, a personnel matter, a security briefing — join from a room where you are not overheard.
Check your background before joining. A few seconds before a client call or a sensitive meeting to check what is visible behind you prevents an inadvertent disclosure.
Use the waiting room and do not admit unknown participants. If you are hosting a video call, use the waiting room feature of your meeting platform so you can verify who is joining before admitting them. Do not admit participants you do not recognise.
Mute when you are not speaking. This prevents ambient household noise from being transmitted and reduces the risk of inadvertent disclosure of conversation that was not intended for the call.
Recording meetings requires consent. If you want to record a call for later reference, inform all participants before starting the recording and get their agreement. Recording calls without informing participants may breach UK GDPR and the organisation's data handling obligations. Never record calls involving CUI or sensitive contract information to a personal device or personal cloud account.
Your annual home office security checklist
Once a year, all staff who work from home are required to complete a home office security checklist confirming that their home working environment meets the organisation's minimum requirements. The checklist covers network security, device security, and physical environment. You will receive a reminder to complete this from IT Operations.
The checklist is not an inspection — the organisation cannot audit your home. It is a self-attestation that you understand the requirements and that your environment meets them. If completing the checklist reveals a gap — your router still uses default credentials, for example — that is an opportunity to address it rather than a problem to hide.
Quick reference — home working rules
| Requirement | Standard |
|---|---|
| VPN | Mandatory for all company system access |
| Home Wi-Fi | WPA2 or WPA3, strong passphrase, non-default |
| Router admin password | Changed from default |
| Router firmware | Up to date |
| Screen visibility | Not visible to unauthorised household members |
| Personal devices for work | Not permitted |
| Household members using company laptop | Not permitted |
| Screen lock when leaving desk | Always |
| Printing CUI at home | Only if cross-cut shredder available |
| Smart speakers during sensitive calls | Disable or move to another room |
| Home office security checklist | Complete annually when requested |
Sharing Data and Documents
The basics of sharing information correctly
Information sharing is a normal and necessary part of work. The question this guidance answers is not whether to share, but how to share in a way that protects the information and complies with our obligations.
The core principle is this: information should only be shared with people who are authorised to receive it, using a method that protects it appropriately for its classification level, with a record of what was shared and with whom.
Most sharing mistakes happen not because people intend to share wrongly but because they use the most convenient method without thinking about whether it is the appropriate method. Forwarding to a personal email to work on something later. Attaching a file to a WhatsApp message to send to a colleague quickly. Sharing a link to a folder without checking the permissions. This guidance helps you identify the right method before you share.
Internal sharing — within the organisation
Sharing documents internally via SharePoint, Teams, or the company file server is the standard method for internal document sharing. These platforms are managed by IT Operations, have appropriate access controls, and are monitored. When you share a document via a SharePoint link, recipients need an active company account to access it — the link does not work for people outside the organisation.
Check who has access before sharing a folder link. SharePoint and Teams sometimes offer "share with everyone in the organisation" as a default option. For most documents this is fine. For Restricted content or anything containing personal data, check that you are sharing only with the people who need it, not the entire organisation.
Use email for correspondence and small, non-sensitive files. Company email is appropriate for day-to-day correspondence and sharing documents that do not require additional controls. It is not appropriate for sending large volumes of personal data, for CUI, or for anything you would not be comfortable being seen by IT Operations during a routine log review.
Do not use personal messaging platforms for work document sharing. WhatsApp, personal Telegram, personal Signal, Facebook Messenger, and similar platforms are not approved for sharing company information, regardless of how quickly it would resolve the immediate problem. The data leaves the organisation's control the moment it is in a personal messaging app.
Sharing externally — outside the organisation
Sharing information with people outside the organisation requires more care, because once data leaves our systems we have less control over how it is handled, stored, or further shared.
Before sharing anything externally, ask these four questions:
- Is this person authorised to receive this information? Is there a contract, an NDA, or a legitimate business relationship that governs the sharing?
- What is the classification of what I am sharing? Different classifications require different methods.
- What is the appropriate method for sending it?
- Does this sharing need to be logged or approved by anyone?
Methods for external sharing — which to use when
Standard email to a known external contact is appropriate for Public and Internal level information where the recipient is a known business contact. It is not appropriate for Restricted information unless additional protections are applied.
Encrypted email is appropriate for Restricted information to external recipients. The company email gateway can apply encryption to outbound emails. Contact IT Operations for instructions on how to send an encrypted email using the approved method. Do not use personal or third-party encryption tools — only the approved method.
Secure file transfer portal is appropriate for large files and Restricted content. The organisation operates an approved secure file transfer service. This is the right method for sharing contract documents, technical specifications, or any Restricted content with external parties. Contact IT Operations for access details.
SharePoint external sharing is available for specific circumstances. SharePoint can be configured to allow external recipients to access a specific file or folder with a link that requires authentication. This is appropriate for ongoing collaboration with approved external parties. It requires IT Operations to configure the sharing correctly — do not enable external sharing yourself on SharePoint sites that were not set up for it.
CUI must use approved encrypted channels. Any information classified as Controlled Unclassified Information cannot be shared via standard unencrypted email. It must use an approved encrypted method — the secure file transfer portal, encrypted email, or an approved contractor portal. If you are unsure which method to use for CUI, contact the CISO before sharing.
Never use personal email for external work sharing. Forwarding a work document to your personal Gmail or Hotmail account to share it from there — even if your intention is to share something unimportant — is a policy breach. The document leaves the organisation's control and the sharing becomes unlogged and unmonitored.
Never share via personal cloud storage. Personal Dropbox, personal Google Drive, personal iCloud — these are not approved for work document sharing. Even if you set a link as public or share it via a password, data stored in personal cloud accounts is outside the organisation's control and may be accessible to the cloud provider in ways that breach our obligations.
Sharing personal data
Personal data — any information that identifies or could identify a living person — has additional obligations under UK GDPR. This includes customer names, email addresses, employee records, supplier contacts, and any other information about individuals.
Personal data should be shared on a need-to-know basis. Only share it with people who genuinely need it for a specific work purpose. Do not send bulk personal data to someone who only needed to see one or two records.
Do not share personal data outside the UK/EEA without approval. If a recipient is based outside the UK or EEA, sending them personal data may require specific safeguards under UK GDPR. Contact the DPO before sharing personal data internationally.
Personal data should be sent via encrypted methods. A spreadsheet of customer contact details sent via unencrypted email to an external recipient is both a policy breach and potentially a reportable data breach under UK GDPR. Use the encrypted file transfer method.
Retain a record of what was shared and with whom. For significant personal data disclosures — sharing a customer list with a supplier, for example — make a note of what was shared, with whom, when, and why. This record matters if there is ever a question about where data went.
Sharing with suppliers and contractors
Sharing information with suppliers and contractors is governed by the Supplier Security Policy. The headline rules are:
Information shared with suppliers should be the minimum necessary for the service they are providing. Sharing broad access to information systems, customer lists, or contract documents beyond what is needed creates unnecessary risk.
Suppliers must have signed an NDA before receiving any Restricted or CUI information. Do not share sensitive information with a supplier until the NDA and data processing agreement are in place. If you are not sure whether agreements are in place, ask the CISO before sharing.
CUI shared with suppliers under US defence contracts must be tracked and the supplier must have their own CMMC or equivalent compliance. The CISO manages which suppliers are approved to receive CUI — do not share CUI with a supplier who has not been through the approval process.
If you make a sharing mistake
Mistakes happen. A misdirected email, a file shared with the wrong person, a message sent before you realised it contained more than you intended. Here is what to do.
Report it to the security team and DPO immediately. Do not hope it does not matter or that the recipient will not notice. Report it the same day. The sooner it is reported, the more options exist for containment — requesting the recipient delete the email, revoking a SharePoint link, assessing whether a regulatory notification is required.
Do not try to cover it up. Covering up a data sharing mistake and having it discovered later is significantly worse — both for the organisation and for you — than reporting it promptly.
A mistake involving personal data: if what was shared was personal data about one or more individuals, this may trigger a UK GDPR notification obligation to the ICO within 72 hours. The 72-hour clock starts from when you became aware of the breach. Immediate reporting to the DPO is therefore important for compliance, not just for correction.
Quick reference — sharing methods by classification
| Content type | Internal sharing | External sharing |
|---|---|---|
| Public | Any method | Any method |
| Internal | Company email, SharePoint, Teams | Only with specific approval — use secure method |
| Restricted | SharePoint, Teams, company email | Encrypted email or secure file transfer only |
| CUI | CUI file share only (via VPN) | Approved encrypted method only — CISO approval required |
| Personal data | Need-to-know only | Encrypted method — DPO approval for outside UK/EEA |
Lost or Stolen Device
Why speed matters
When a company device is lost or stolen, the clock starts immediately. Every hour that passes is an hour during which the device may be accessed, the data may be read, and the possibility of remotely wiping it before any harm is done gets smaller. Remote device wipe is one of the most effective responses to device loss — but it only works if the device has not been powered off, and only if IT Operations knows to initiate it.
The rules in this section exist because fast action keeps a lost device from becoming a data breach. Slow action turns a bad situation into a worse one.
Immediately: what to do in the first minutes
Step 1 — Call IT Operations on the 24-hour number. Do not wait until you are sure it is lost. Do not wait to see if it turns up. If your company device is not in your possession and you cannot immediately locate it, call IT Operations now.
24-hour IT Operations number: [phone number]
What to tell them:
- Your name and the device (laptop / phone / tablet)
- The last time and place you had it
- Whether you think it was lost or stolen
- Whether the device was locked with a PIN or password when last seen
- Whether the device was encrypted (if you do not know, say so — they can check)
- Whether you were connected to company systems or had sensitive files open
Step 2 — If stolen: call the police. Report the theft to the local police and get a crime reference number. You will need this for the insurance claim and for the incident record.
Step 3 — Call the CISO. After IT Operations has been informed and the wipe has been initiated, call the CISO. They need to assess what was on the device, whether any CUI or personal data was accessible, and whether any breach notifications are required.
CISO direct number: [phone number]
What IT Operations will do
IT Operations will initiate a remote wipe via the MDM (device management) platform as soon as the loss is reported. The remote wipe erases all data on the device and renders it unusable. The wipe is sent to the device and takes effect the next time the device connects to the internet.
If the device is powered off or has been disconnected from all networks, the wipe command will queue and execute the next time the device connects. This is why you should not assume that a device which has been powered off cannot be wiped — powering it off does not prevent the eventual wipe, but it may delay it.
The MDM platform can also provide the last known location of the device at the time of the most recent check-in. IT Operations can provide this to you and to the police.
If the device was running FileVault (Mac) or BitLocker (Windows) encryption — which all company devices should be — the data on the device is encrypted and unreadable without the decryption key even if the device is not wiped. The wipe is still important, but encryption significantly limits the risk of data exposure from a lost encrypted device.
What the CISO will do
The CISO will assess what was on the device at the time of loss. This assessment considers:
- Which applications were open or recently used
- What files were stored locally (not just in cloud sync)
- Whether the device had CUI or OFFICIAL-SENSITIVE material accessible
- Whether personal data belonging to employees, customers, or others was on the device
- Whether the device was in a locked state or was an active session
Based on this assessment, the CISO determines whether the loss constitutes a reportable data breach under UK GDPR (potentially requiring ICO notification within 72 hours), a DFARS reportable incident (potentially requiring notification to the US DoD within 72 hours), or a DEFSTAN reportable incident (requiring notification to the contracting authority within 24 hours).
The CISO makes these determinations — you do not need to work out whether reporting is required. Your job is to report the loss promptly so the CISO has the time to make these assessments and act within the required windows.
Specific scenarios
You left your laptop on a train. Call IT Operations immediately. Contact the train operating company's lost property service at the earliest opportunity — many devices left on trains are recovered and returned. IT Operations will initiate a remote wipe in the meantime. If the device is recovered, do not reconnect it to company systems before IT Operations has assessed and reconfigured it.
Your bag was stolen with your laptop in it. Call the police to report the theft first if you are in a safe location to do so, then call IT Operations. If you are in an unsafe situation, prioritise your safety over the device report. Call IT Operations as soon as you are safe.
You think you may have left your phone at a venue. Call the venue to see if it has been handed in. Simultaneously call IT Operations so they are ready to wipe it if it is not recovered. Time is important here — a found phone handed in at a venue is typically stored for a period; a found phone taken by someone with bad intent may be accessed immediately.
A colleague's device is missing. Tell them immediately and encourage them to call IT Operations. If they are not reachable and you believe a device has been left unattended in a public place, call IT Operations yourself to alert them.
Your device is returned after being out of your control. Even if your device is returned — found at a lost property office, returned by a hotel, handed in by someone — do not reconnect it to company systems. Bring it to IT Operations for assessment first. A device that has been out of your control, even briefly, may have been accessed or tampered with.
After the loss
Do not purchase a replacement device yourself. Contact IT Operations. The replacement device will be procured, configured with the security baseline, and enrolled in MDM before being issued to you.
Change your passwords. After reporting to IT Operations and the CISO, change the password on your company account from a different device. If your device had your MFA authenticator app installed, IT Operations will revoke the existing MFA registrations and set up new ones.
Complete the incident report. You will be asked to provide a written account of the circumstances of the loss — where you last had the device, what you were doing, the sequence of events when you discovered it was gone. This is a standard part of incident documentation and is not an accusation.
Do not be embarrassed. Devices are lost. It happens. What matters is how quickly it is reported and how effectively it is contained. Every hour of delay makes the situation worse; prompt reporting is the single most protective action you can take.
Prevention — habits that reduce loss risk
- Never leave your device unattended in a public space, even briefly.
- Do not put your laptop in the overhead locker on a train if you will not be able to see it.
- At airport security, keep your device in sight and never place your bag on the belt before you are ready to walk through immediately.
- Do not leave your device in a visible position in a parked car.
- In hotel rooms, use the room safe for brief absences and consider whether to take the device with you for longer absences.
- Enable the lock screen PIN so the device is locked immediately when the screen goes off.
Quick reference
| Situation | First call | Second call | Third action |
|---|---|---|---|
| Device lost | IT Operations | CISO | Police if stolen |
| Device stolen | Police (if safe) | IT Operations | CISO |
| Device returned after absence | IT Operations (assessment before use) | — | — |
| Colleague's device missing | Tell colleague | Encourage them to call IT Operations | — |
IT Operations 24-hour: [phone number]
CISO direct: [phone number]
Clear Desk and Clear Screen
What the policy requires
The clear desk and clear screen policy is one of the simplest in the organisation and one of the most frequently ignored. It requires two things:
- When you are not at your workstation, your screen must be locked so no one can see or interact with your open applications and files.
- When you are not at your workstation, sensitive documents must not be visible on your desk.
That is it. Two rules. This page explains why they matter, what "sensitive" means in practice, and what good behaviour looks like in the situations you actually encounter.
Why it matters more than it seems
The threats that clear desk and clear screen protect against are not theoretical. They happen in offices.
A visitor escorted through the office to a meeting room walks past a desk with a salary spreadsheet visible on screen. A maintenance engineer working in the server room observes an open network diagram on a desk nearby. A new joiner on their first week, not yet fully trained on what they can and cannot access, sits near a colleague's unattended desk and can read an open contract document. A cleaning staff member working after hours has unrestricted access to any visible document.
None of these scenarios requires a sophisticated attacker. They require only proximity and an unlocked screen or a visible document.
For organisations that handle CUI or OFFICIAL-SENSITIVE material, a visible sensitive document is treated as a potential breach event. In some circumstances it is a reportable incident. Preventing it costs you three seconds.
Locking your screen
When to lock: every time you leave your workstation. Briefly. To get coffee. To use the bathroom. To talk to someone across the office. Every time.
The standard to apply is: would I be comfortable if anyone in the building could see what is on my screen for the duration of my absence? If no — lock the screen.
How to lock:
- Windows: Windows key + L. Two keys, one second.
- Mac: Control + Command + Q. Three keys, one second.
- On all devices: closing the laptop lid typically locks the screen, but this depends on power settings. Confirm with IT Operations that, on your device, closing the lid locks the screen rather than merely putting it to sleep without locking.
Automatic screen lock is also configured on all company devices — the screen locks automatically after 15 minutes of inactivity. This is a backstop, not an alternative to manually locking. Do not rely on it. If you leave your workstation for 14 minutes, an unlocked screen is present for the entire 14 minutes.
If your lock screen is not working — if the screen does not lock when you use the keyboard shortcut, or if the lock screen does not require a password to dismiss — report it to IT Operations. This is a configuration issue that needs to be corrected.
Clear desk — what needs to be cleared and when
Before you leave your workstation for any absence, the following must not be visible:
- Printed documents containing Restricted, CUI, or personal data. These should be in a folder, a drawer, or a locked cabinet.
- Handwritten notes containing sensitive information — meeting notes with contract details, phone numbers, passwords written down, access codes.
- Post-it notes with login information. If you have a post-it note with a password on it anywhere near your workstation, it should be destroyed immediately. A password note on a monitor is a security incident waiting to be discovered by an assessor.
- Printed lists of names, addresses, or contact details.
- Physical media — USB drives, printed screenshots, CDs — containing work data.
- Business cards, visitor passes, or other materials from sensitive meetings left visibly accessible.
At the end of the day, the standard is stricter. A document left visible during a brief absence is a risk for the duration of that absence. A document left on a desk at the end of the day is a risk for the entire overnight period, potentially including cleaning staff, security patrols, early-arriving colleagues, and any visitors to the office before you return.
At end of day: lock your screen. Lock away all documents. Clear your desk to the point where no sensitive content is visible.
What to do with paper documents
During active use: it is fine to have a document on your desk while you are working with it. The rule applies when you leave the workstation, not while you are present and working.
When finished with a document temporarily: put it in a folder or face-down on a clear area of your desk if you are returning shortly, or lock it in your desk drawer.
When finished with a document permanently: shred it. The organisation provides cross-cut shredders — use them. Do not put sensitive documents in general waste or recycling. "Sensitive" here means anything with names, financial information, contract details, technical specifications, or any content you would not want a random person to read.
If you do not have a locked desk drawer: speak to Facilities. Secure storage for sensitive documents is a reasonable working requirement, particularly for roles that handle CUI or personal data regularly.
Printers — a specific vulnerability
Printers are one of the most common sources of document exposure because people print, get distracted, and forget to collect the output. A printed document containing personal data or CUI sitting on a printer in the general office is accessible to anyone who walks past.
Collect your printed documents immediately. Do not send a document to the printer and walk away to do something else. Go directly from sending the print job to the printer.
Use follow-me printing if available. Some organisations configure printers so that jobs are only released when the user authenticates at the printer itself. If this is available, use it for sensitive documents — it prevents jobs from printing before you reach the printer and prevents your printed documents from sitting in the output tray.
If you find someone else's printed documents on a printer: do not read them. Place them face-down in the output tray and contact the IT Operations helpdesk or put a note by the printer asking the owner to collect. If the documents contain obviously sensitive information — CUI markings, a large amount of personal data — inform the security team.
Sensitive conversations and phone calls at your desk
Clear desk and clear screen is about visual exposure. There is an equivalent risk for audio — sensitive conversations at a shared desk or in a shared space where other people can overhear.
Calls involving CUI, contract details, customer personal information, or OFFICIAL-SENSITIVE content should be conducted in a space where they are not overheard. If you are at a desk in an open office and receive a call that quickly becomes sensitive, it is appropriate to say "let me call you back from somewhere private" and do so.
Speakerphone use in shared offices is generally not appropriate for sensitive calls. The content of the call is then audible to everyone nearby, including visitors and people you may not have noticed.
Visitors, contractors, and maintenance staff in the office
When visitors, contractors, or maintenance staff are in the office, the clear desk policy matters more than usual, because these individuals may have different levels of authorisation and are less familiar with what they should and should not see.
If a visitor is being escorted through the area where you work, it is appropriate to lock your screen and face any sensitive documents down while they are nearby. This is not rudeness — it is good practice and is likely to be appreciated by a visitor who understands security culture.
If you see a visitor who appears to be unescorted in an area where sensitive material is visible, address it — by alerting your host colleague, by politely asking the visitor if they need help finding someone, or by reporting the situation.
Clear screen on laptops in public spaces
The clear screen rule extends to laptops used in public spaces during travel, remote working in shared locations, or working in client offices. A locked screen when unattended in a coffee shop is obvious. Less obvious is the need to be conscious of what is visible on your screen when you are actively working.
A screen visible to the person sitting next to you on a train — showing a contract document, a personnel file, or a technical schematic — is a potential exposure even while you are present and working. Use a privacy screen filter in public spaces when working with sensitive content.
Quick reference
| Situation | Action |
|---|---|
| Leaving desk briefly | Lock screen (Windows: Win+L / Mac: Ctrl+Cmd+Q) |
| Sensitive documents on desk | Put in folder, face down, or drawer |
| End of day | Lock screen + lock away all documents |
| Printing sensitive documents | Go to printer immediately — do not walk away |
| Found documents on printer | Do not read — face down, notify IT/security if sensitive |
| Visitor walking through | Lock screen, face down any visible documents |
| Sensitive call in open office | Step somewhere private or offer to call back |
| Working in public | Use privacy screen filter |
| Post-it note with password near screen | Destroy it immediately |
Passwords and MFA
Why this matters more than it used to
Passwords are the primary key to your work identity. If someone has your username and password, they can log in as you — accessing your email, your files, your systems, and potentially any customer data you have access to. From the outside, their activity looks identical to yours.
This is not hypothetical. Credential theft is the most common starting point for serious cyberattacks. Passwords are stolen in three main ways: phishing (you are tricked into entering your password on a fake website), data breaches at other services (if you reused a password from a personal account that was compromised in a breach, that same password may work on your work account), and brute force or credential stuffing (automated tools try millions of password combinations or use stolen credential lists).
Multifactor authentication (MFA) is the most effective defence against all three of these attacks. Even if someone has your password, MFA requires them to have something else — your phone, your hardware token — before they can log in.
This page explains what good password and MFA practice looks like and what to do when things go wrong.
Passwords — the rules and the reasoning
The minimum length is 16 characters. This is not arbitrary. Password cracking tools can test billions of combinations per second. An 8-character password with numbers and symbols can be cracked in minutes. A 16-character passphrase — even one made of common words — is orders of magnitude stronger, because every additional character multiplies the number of combinations an attacker has to try, and at 16 characters brute force becomes impractical.
Use a passphrase, not a complex short password. The security advice to use a mix of uppercase, lowercase, numbers, and symbols has produced a generation of passwords like "P@ssw0rd1!" — which are both hard to remember and not actually strong, because the patterns are predictable. A passphrase like "correct horse battery staple" (a string of four random words) is longer, easier to remember, and significantly harder to crack. Length beats complexity every time.
Do not use a work password on personal accounts or a personal password at work. If your personal email is breached and your password is leaked, and you used the same password for your work account, attackers will try it on your work account within hours. This is called credential stuffing and it is automated. Use a unique password for your work account that you have never used anywhere else.
Do not write your password down anywhere near your workstation. A post-it note on your monitor, a note under your keyboard, a document on your desktop called "passwords.txt" — all of these are immediate security findings and represent a meaningful risk. If you cannot remember a strong unique password, use a password manager.
Use a password manager. A password manager is a secure application that stores your passwords in an encrypted vault. You remember one strong master password; the manager remembers everything else. The organisation uses an approved password manager — ask IT Operations for details. If you currently have passwords written down or are reusing passwords across accounts, migrating to a password manager is the most impactful single security improvement available to you.
Do not share your password with anyone. Not with IT support. Not with your manager. Not with a colleague covering your role while you are on leave. Legitimate IT support never needs your password — if they need to access your account for a technical reason, they have administrative tools to do so without knowing your credentials.
When your password is at risk
If you entered your work password on a website that turned out to be fake: change your work password immediately on a different device (not the one you used to enter it on the fake site), then contact IT Operations and report that your credentials may have been compromised. They will check for unauthorised access.
If you receive a notification that your account was accessed from a location you do not recognise: change your password and contact IT Operations. This may indicate your credentials were used by someone else.
If IT Operations tells you your password has been found in a data breach list (these are lists of leaked credentials from third-party breaches that are checked against company accounts): change your password immediately. This means a password you have used somewhere was leaked, and if you used or reused it for your work account, it may be exposed.
If you forgot your password: use the self-service password reset function, which requires you to verify your identity using your MFA method. Do not ask a colleague to use their account on your behalf while you are waiting.
MFA — what it is and why you need it
MFA (Multifactor Authentication) adds a second verification step to your login. After you enter your username and password, you also need to prove your identity using a second factor — typically by approving a notification on your phone, entering a code from an authenticator app, or using a hardware security key.
The reason MFA works is that an attacker who has stolen your password usually does not have your phone. Even with your credentials, they cannot complete the login without the second factor. MFA blocks the vast majority of credential-based account takeover attacks. If every account in the organisation had MFA enabled, most of the account compromise incidents that happen in our sector would fail at the login stage.
MFA is mandatory for all company accounts. If your account does not have MFA set up, contact IT Operations immediately.
Setting up and using the authenticator app
The organisation uses an authenticator app (Microsoft Authenticator or equivalent approved app) on your phone as the primary MFA method. The app generates time-limited codes or receives approval notifications when you log in.
How to set it up: IT Operations will guide you through the initial setup during onboarding or when MFA is first required for your account. If you need to set it up and have not been guided through it, contact IT Operations.
How it works in practice: when you log in to a company system, after entering your username and password, you will receive either a push notification on your phone (tap Approve) or be asked to enter a code that appears in the authenticator app (type the 6-digit code). The code changes every 30 seconds, so it cannot be captured and reused.
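The 6-digit, 30-second code described above is a TOTP (RFC 6238). The following is an added example, not code from this guide or from any authenticator vendor: it generates such codes and shows the two checks a server applies so that a captured code is of little use (the code must match the current 30-second window, and the same window is never accepted twice). The secret and timestamps in the test are the published RFC 6238 test vectors.

```python
"""RFC 6238 TOTP as used by authenticator apps: generation and server-side verification.

Added example, not part of the original guide or any vendor's implementation.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the 30-second rotation the guide describes
DIGITS = 6          # the 6-digit code the guide describes


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret that an enrolment QR code carries (spaces and case ignored)."""
    return base64.b32decode(text.replace(" ", "").upper())


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check for a submitted code.

    Accepts the code for the current window (plus `drift_steps` either side to
    tolerate phone clock drift) and records the last accepted window so that a
    code which has already been used cannot be replayed.
    """

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1  # replay guard

    def verify(self, code: str, at_time: int) -> bool:
        counter = int(at_time) // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue  # that window was already consumed: a replayed code is rejected
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test secret, base32-encoded).
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code now:", totp(demo_secret, int(time.time())))
```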
If your phone is replaced: you need to re-enrol your new phone in MFA before you transfer or wipe the old one. Contact IT Operations when you are planning to change phones to ensure continuity. Do not wipe your old phone before re-enrolling the new one — you may lock yourself out of your account.
If your phone is lost or stolen: report it to IT Operations immediately. They will revoke the MFA registration for the lost phone so it cannot be used to approve login requests. This is a security action, not just an IT housekeeping task — a lost phone with an MFA app on it is a significant credential risk.
Approving and denying MFA requests — the critical rules
Only approve MFA requests that you initiated. An MFA notification appears on your phone because someone, somewhere, entered your username and password and is waiting for your approval to complete the login. If you are sitting at your desk, not trying to log into anything, and an MFA notification arrives — someone else has your password and is trying to use it. Deny the notification immediately and change your password.
If you receive an MFA notification you did not initiate:
- Deny or decline the notification (do not approve it).
- Change your password from a trusted device.
- Contact IT Operations and report that your credentials may have been compromised.
MFA fatigue — do not approve to make the notifications stop. A known attack technique is to send dozens of MFA approval requests in rapid succession, hoping the target approves one simply to stop the notifications. If this happens to you — multiple unexpected MFA requests in a short period — deny all of them. Do not approve any. Then call IT Operations immediately. This is an active attack on your account.
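From the monitoring side, the pattern described above is easy to surface in identity-provider sign-in logs: many push requests for one user in a short window, with or without an approval at the end. The following is an added example (not the organisation's own detection rule or log format) that runs a sliding-window count over a constructed sample log; the field layout, user names, IP addresses and the 4-pushes-in-5-minutes threshold are all assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs, not any vendor's format).
# Fields: ISO timestamp, user, event, source IP of the login attempt.
SAMPLE_LOG = """\
2024-05-01T09:00:02Z alice push_sent 203.0.113.5
2024-05-01T09:00:20Z alice push_denied 203.0.113.5
2024-05-01T09:00:35Z alice push_sent 203.0.113.5
2024-05-01T09:00:51Z alice push_denied 203.0.113.5
2024-05-01T09:01:04Z alice push_sent 203.0.113.5
2024-05-01T09:01:30Z alice push_sent 203.0.113.5
2024-05-01T09:01:55Z alice push_sent 203.0.113.5
2024-05-01T09:02:10Z alice push_approved 203.0.113.5
2024-05-01T08:15:00Z bob push_sent 198.51.100.7
2024-05-01T08:15:09Z bob push_approved 198.51.100.7
2024-05-01T10:40:00Z bob push_sent 198.51.100.7
2024-05-01T10:40:12Z bob push_approved 198.51.100.7
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, user, event, ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_mfa_fatigue(log_text: str, threshold: int = 4,
                       window: timedelta = timedelta(minutes=5)) -> list:
    """Raise one alert per user whose push_sent count inside any `window`
    reaches `threshold`; flag the alert if an approval lands during the burst."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)  # user -> timestamps of push_sent still inside the window
    alerts = {}                  # user -> alert record for the current burst
    for ts, user, event, ip in events:
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:   # drop pushes that fell out of the window
                q.popleft()
            if user in alerts:
                alerts[user]["pushes"] += 1
                alerts[user]["last_seen"] = ts
                alerts[user]["source_ips"].add(ip)
            elif len(q) >= threshold:
                alerts[user] = {
                    "user": user,
                    "first_seen": q[0],
                    "last_seen": ts,
                    "pushes": len(q),
                    "source_ips": {ip},
                    "approved_during_burst": False,
                }
        elif (event == "push_approved" and user in alerts
              and ts - alerts[user]["last_seen"] <= window):
            # The worst outcome: the user gave in and approved one of the prompts.
            alerts[user]["approved_during_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        severity = "CRITICAL" if alert["approved_during_burst"] else "HIGH"
        print(f"[{severity}] {alert['user']}: {alert['pushes']} pushes "
              f"{alert['first_seen']:%H:%M:%S}-{alert['last_seen']:%H:%M:%S} "
              f"from {', '.join(sorted(alert['source_ips']))}")
```

On the sample, `alice` triggers an alert (five pushes in under two minutes, followed by an approval, which is the case that should page someone immediately), while `bob`'s two ordinary logins hours apart do not. In a real deployment the approval-after-burst case is the one to act on first: the account should be treated as compromised and the password and sessions reset, which is what the guidance above tells the user to expect.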
Never share MFA codes. If someone calls you claiming to be IT support and asks you for the 6-digit code currently showing in your authenticator app, do not provide it. This is a social engineering attack. The code is a one-time, time-limited credential equivalent to your password for the current login. Providing it gives the caller access to your account.
Hardware security keys
Some roles — particularly those with privileged system access — may use a hardware security key (such as a YubiKey) as the MFA method instead of or in addition to the authenticator app. Hardware keys are a stronger form of MFA because they are physical objects that cannot be phished — a fake website cannot capture and replay the authentication a hardware key provides.
If you have been issued a hardware security key: keep it secure at all times and treat it like a physical key to the building. If it is lost, report it to IT Operations immediately. Do not lend your hardware key to anyone.
Password managers — using them correctly
If you are using the organisation's approved password manager, here are the essential usage rules:
Use a strong master password for the password manager vault. This is the one password that protects all your other passwords. It should be your strongest, most unique passphrase — not one you have used anywhere else.
Enable MFA on the password manager itself. Most password managers support MFA for the vault. Enable it. The vault master password plus MFA means that even if someone learns your master password, they cannot access your other passwords without your phone.
Do not store your work MFA recovery codes in a personal password manager. Recovery codes for your work MFA are held by IT Operations, not in personal tools, so that access can be recovered through a controlled process.
Do not use the personal tier of the company password manager for company credentials. If the organisation provides a business-tier password manager, use that for company credentials. Do not mix your personal passwords and work passwords in the same vault — keep them separate.
What to do in common scenarios
| Situation | What to do |
|---|---|
| Forgot your password | Use the self-service password reset, verifying with your MFA method |
| Received unexpected MFA notification | Deny it — then change password and report to IT Operations |
| Received many MFA notifications rapidly | Deny all — call IT Operations immediately |
| MFA app not working | Call IT Operations — do not use a backup that bypasses MFA |
| Phone lost or stolen | Report to IT Operations to revoke MFA — then follow device loss guidance |
| New phone — replacing old one | Contact IT Operations before wiping old phone |
| Someone asking for your password | Never provide it — report the request to IT Operations |
| Someone asking for your MFA code | Never provide it — report the request to IT Operations |
| Password entered on suspicious website | Change password immediately — report to IT Operations |
| Not sure if your password is strong enough | Contact IT Operations — they can advise without seeing your password |
Quick password health checklist
Run through this checklist. If any answer is no, take the action described.
Is my work password at least 16 characters long? If no: change it now at the self-service portal.
Is my work password unique — not used on any personal account? If no: change your work password to a unique value immediately.
Do I have MFA set up on my work account? If no: contact IT Operations today.
Is there a post-it note with my password near my workstation? If yes: destroy it immediately.
Do I know how to deny an unexpected MFA notification? If no: test this with a trusted device and confirm you know the procedure.
Is my phone secure? If your MFA app phone does not have a PIN or biometric lock, anyone who picks up your phone can approve MFA requests on your behalf. Enable screen lock on your phone.
Do I use a password manager? If no: ask IT Operations about the approved option.
User Guidance Hub — last reviewed: [DATE]. Owner: CISO. Questions: [security@organisation.com] or IT Operations helpdesk.