Skip to main content
BehaviourWellbeingInsightsCommunity
Our StoryBlogFAQContact
ten points
Pricing
Book a callLog in
BehaviourWellbeingInsightsCommunity
Our StoryPricingBlogFAQ
Book a callLog in

Trust Centre

Acceptable Use & Endpoint Security Policy

Last updated: May 21, 2025

← Trust Centre

Version: 1.0Effective Date: 01 Oct 2025Approved By: Board of DirectorsNext Review Date: 01 Oct 2026

1. Purpose

This policy sets out Ten Points Education Limited’s (“Ten Points”) requirements for the secure use of endpoints (laptops, mobile devices, tablets), including Bring Your Own Device (BYOD), and remote working arrangements.

The purpose is to:

  1. protect the confidentiality, integrity, and availability of Ten Points’ information and systems;
  2. ensure personal and customer data remains secure when accessed on personal or company devices; and
  3. define responsibilities of staff when working remotely or from home.

2. Scope

This policy applies to:

  1. all employees, contractors, and third parties who access Ten Points systems or data;
  2. all endpoints used to access Ten Points services, whether corporate-owned or personal (BYOD); and
  3. all remote and home-based working arrangements.

3. Identity & Authentication Requirements

  1. All staff accounts must be created and managed through Ten Points’ approved identity provider (SSO).
  2. Where passwordless authentication is supported (e.g., FIDO2 keys, platform authenticators, passkeys), it is the preferred method of authentication.
  3. Where passwordless is not supported, passwords must meet the following minimum requirements: at least 12 characters in length; contain a mix of upper/lowercase letters, numbers, and symbols; must not be reused across personal and company accounts; must not appear on known breached password lists.
  4. Passwords must be stored only in an approved password manager, never written down or shared.
  5. MFA is mandatory for all Ten Points accounts and must be activated wherever supported on third-party services.
  6. Accounts are locked after repeated failed login attempts to prevent brute-force attacks.
  7. Default vendor/admin passwords must be changed before systems are used in production.

4. Endpoint Security Requirements

  1. Devices must be protected with a strong password, passcode, or biometric authentication.
  2. Devices must lock automatically after a maximum of 10 minutes of inactivity.
  3. Devices must have full-disk encryption enabled (e.g., FileVault, BitLocker, iOS/Android encryption).
  4. Devices must be kept updated with vendor security patches and operating system updates.
  5. Anti-malware protection should be enabled where available.
  6. Only supported and up-to-date operating systems may be used to access Ten Points systems.
  7. Loss or theft of a device used for Ten Points business must be reported immediately (see Section 10).

5. BYOD (Bring Your Own Device)

  1. BYOD is permitted only for staff who accept and comply with this policy.
  2. BYOD devices must meet the same security standards as corporate-owned devices (see Section 4).
  3. Personal devices must not be shared with unauthorised individuals when logged in to Ten Points services.
  4. Company data must be accessed only through authorised applications and interfaces.
  5. Company data must not be stored permanently on personal devices, unless explicitly approved and encrypted.
  6. Access to production or administrative systems via BYOD requires multi-factor authentication.
  7. Ten Points reserves the right to revoke BYOD access if the device or usage does not meet security standards.

6. Remote and Home Working

  1. Staff working remotely must connect only via secure, trusted Wi-Fi networks.
  2. Public Wi-Fi must not be used for accessing Ten Points services unless protected by a VPN.
  3. Confidential conversations or work should not be conducted in public areas where information may be overheard or observed.
  4. Screens must be locked when devices are unattended.
  5. Sensitive documents must not be printed or left unsecured in home environments.
  6. Devices should be stored securely when not in use (e.g., locked desk or room).
  7. Remote access to Ten Points systems requires MFA and identity verification.

7. Data Handling & Storage

  1. Customer and student data must not be stored permanently on personal devices.
  2. Downloading or synchronising Ten Points data to local drives, removable media, or unauthorised cloud services is prohibited.
  3. Sensitive data must only be accessed through Ten Points’ approved cloud services and applications.

8. Communications & Email Security

  1. Staff must use Ten Points’ company email accounts for all official business.
  2. Forwarding Ten Points emails to personal accounts is prohibited.
  3. Collaboration tools and messaging platforms must be approved by Ten Points prior to use.

9. Removable Media & External Devices

  1. Use of USB sticks, CDs, or external drives is prohibited unless explicitly approved by the Information Security Officer.
  2. Where permitted, all removable media must be encrypted and scanned for malware.

10. Monitoring & Logging

  1. Ten Points monitors logins, device information, and access activity for security purposes.
  2. Staff consent to such monitoring as a condition of accessing Ten Points systems.
  3. Logs are retained and reviewed to detect suspicious or unauthorised activity.

11. Incident Reporting

  1. All security incidents, including lost or stolen devices, must be reported within 1 hour.
  2. Any suspected compromise of accounts, phishing attempts, or malware infections must be reported immediately.
  3. Reports must be made to the Information Security Officer or DPO.
  4. Staff must co-operate with investigations and may be required to revoke device access or perform remote wipe.

12. Offboarding & Termination

  1. Access to Ten Points systems will be revoked immediately upon termination of employment or contract.
  2. BYOD devices must have all Ten Points data and applications removed during offboarding.
  3. Company-owned devices must be returned in full working order.

13. Acceptable Use

  1. Ten Points systems and data must be used only for legitimate business purposes.
  2. Staff must not attempt to disable, bypass, or tamper with security controls.
  3. Installation of unapproved software that interacts with Ten Points data or systems is prohibited.
  4. Staff must not download or copy Ten Points data to unauthorised storage services.

14. Roles & Responsibilities

  1. Staff are responsible for securing their devices and complying with this policy.
  2. The Information Security Officer is responsible for monitoring compliance and investigating incidents.
  3. Line managers are responsible for ensuring staff working remotely understand and apply this policy.

15. Non-Compliance

Failure to comply with this policy may result in:

  1. withdrawal of BYOD or remote working privileges;
  2. disciplinary action, up to and including termination of employment; and
  3. legal action where required.

Contact

Information Security Officer
Ten Points Education Limited
Email: [email protected]

  • Home
  • Behaviour
  • Wellbeing
  • Insights
  • Community
  • Our Story
  • Blog
  • FAQ
  • Pricing
  • Contact
Get started
ten points
Trust CentreAgreement

© 2026 Ten Points Education Ltd