Merge pull request #3154 from FlowFuse/zj-ai-policy

handbook: Update how to leverage LLMs for communication and code generation

Author: joepavitt

src/handbook/company/communication.md

@@ -13,6 +13,22 @@ members are expected to follow all announcements made in this channel. Depending
 kind of announcment, it will be accompanied with a video recording by the person making 
 the announcement and a link to the PR where the change was made. 
 
+## AI-Assisted Communication
+
+AI, particularly Large Language Models (LLMs), can be leveraged for better
+communication. For instance, a non-native English speaker could use an LLM to
+refine word choice and achieve the desired tone.
+
+Despite the helpfulness of LLMs, it is important to understand that human
+interpretation is the goal. The sender is  responsible for the message's content
+and quality, even with AI assistance. Verify any AI-generated suggestions!
+AI tools should be utilized to enhance, not replace, human communication efforts.
+
+As we, humans, encounter more content generated by LLMs, it's becoming more and
+more obvious when communication is done by LLMs. Machine-generated output is
+perceived by the recipient as impersonal and not genuine. Avoid this trap by
+editing your own tone, opinion, and voice back into LLM output.
+
 ## Date and time
 
 ### Use UTC for times

src/handbook/company/security/information-security.md

@@ -6,12 +6,12 @@ navTitle: Information Security Policy and Acceptable Use Policy
 
 | Policy owner   | Effective date |
 | -------------- | -------------- |
-| @ZJvandeWeg    | 2023-05-01     |
+| @knolleary     | 2025-04-16     |
 
 
 ## Overview
 
-This Information Security Policy is intended to protect FlowFuse’s employees,
+This Information Security Policy is intended to protect FlowFuse's employees,
 partners and the company from illegal or damaging actions by individuals, either
 knowingly or unknowingly.
 
@@ -26,7 +26,7 @@ understand this policy, and to conduct their activities accordingly.
 ## Purpose 
 
 The purpose of this policy is to communicate our information security policies
-and outline the acceptable use and protection of FlowFuse’s information and
+and outline the acceptable use and protection of FlowFuse's information and
 assets. These rules are in place to protect customers, employees, and FlowFuse.
 Inappropriate use exposes FlowFuse to risks including virus attacks, compromise
 of network systems and services, financial and reputational risk, and legal and
@@ -126,6 +126,14 @@ to ensure compliance with this policy.
 Employees must ensure the software they use is properly licensed and used as
 intended.
 
+### AI Tools Usage
+
+When using AI tools:
+1. Do not input sensitive or confidential information unless explicitly approved
+2. Be aware of data retention and privacy policies of AI tools
+3. Follow our security policies and guidelines
+4. Report any security concerns related to AI tool usage immediately
+
 ## Unacceptable Use
 
 Under no circumstances is an employee of FlowFuse authorized to engage in any
@@ -152,8 +160,8 @@ Role | Purpose
 [Human Resources Policy](./human-resources.md) | To ensure that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.
 [Incident Response Plan](./incident-response.md) | Policy and procedures for suspected or confirmed information security incidents.
 [Operations Security Policy](./operations-security.md) | To ensure the correct and secure operation of information processing systems and facilities.
-Physical Security Policy | To prevent unauthorized physical access or damage to the organization’s information and information processing facilities.
-[Risk Management Policy](./risk-management.md) | To define the process for assessing and managing FlowFuse's information security risks in order to achieve the company’s business and information security objectives.
+Physical Security Policy | To prevent unauthorized physical access or damage to the organization's information and information processing facilities.
+[Risk Management Policy](./risk-management.md) | To define the process for assessing and managing FlowFuse's information security risks in order to achieve the company's business and information security objectives.
 [Secure Development Policy](./secure-development.md) | To ensure that information security is designed and implemented within the development lifecycle for applications and information systems.
 [Third Party Risk Management Policy](./third-party-risk-management.md) | To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.
 
@@ -179,7 +187,7 @@ company procedures up to and including termination of employment.
 
 ## Whistleblower Policy
 
-Our Whistleblower Policy is intended to encourage and enable employees and others to raise serious concerns internally so that we can address and correct inappropriate conduct and actions. It is the responsibility of all employees to report concerns about violations of our code of ethics or suspected violations of law or regulations that govern our operations. It is contrary to our values for anyone to retaliate against any employee or who in good faith reports an ethics violation, or a suspected violation of law, such as a complaint of discrimination, or suspected fraud, or suspected violation of any regulation. An employee who retaliates against someone who has reported a violation in good faith is subject to discipline up to and including termination of employment. Anonymous reports may be submitted via FlowFuse’s [Whistleblower Channel](https://forms.gle/mttPj8NXd9yhb31H7).
+Our Whistleblower Policy is intended to encourage and enable employees and others to raise serious concerns internally so that we can address and correct inappropriate conduct and actions. It is the responsibility of all employees to report concerns about violations of our code of ethics or suspected violations of law or regulations that govern our operations. It is contrary to our values for anyone to retaliate against any employee or who in good faith reports an ethics violation, or a suspected violation of law, such as a complaint of discrimination, or suspected fraud, or suspected violation of any regulation. An employee who retaliates against someone who has reported a violation in good faith is subject to discipline up to and including termination of employment. Anonymous reports may be submitted via FlowFuse's [Whistleblower Channel](https://forms.gle/mttPj8NXd9yhb31H7).
 
 ---
 Policy derived from [JupiterOne/security-policy-templates](https://github.com/JupiterOne/security-policy-templates) ([CC BY-SA 4 license](https://creativecommons.org/licenses/by-sa/4.0/)) and [Vanta](https://vanta.com)

src/handbook/development/tools.md

@@ -2,11 +2,24 @@
 
 ## GitHub
 
-This is at the heart of how we work. Everyone in the company will be made part of the
-[FlowFuse organisation](https://github.com/FlowFuse) as part of their on-boarding
+This is at the heart of how we work. Everyone in the company will be made part of
+the [FlowFuse organisation](https://github.com/FlowFuse) as part of their on-boarding
 activities.
 
-## GitHub Copilot
+## LLM Programming assists
+
+FlowFuse recognizes the potential of LLM (AI) tools to increase productivity and
+innovation. When using these tools, understand that the author and committer of
+any work remains fully responsible for its quality, functionality, and
+security. AI-assisted work must meet the same high standards as work written
+entirely by a human. Review each line of code before committing.
+
+When using AI tools for development, never share:
+1. Personal Identifiable Information (PII)
+2. Company secrets like API keys, private credentials, etc, etc.
+3. Customer code or other assets under NDA
+
+### GitHub Copilot
 
 We do not currently provide organisation-wide licenses for GitHub Copilot, but if
 team members wish to purchase an individual license they can do so via their Brex
@@ -18,4 +31,3 @@ individual access; and currently the benefits do not justify that increased cost
 
 We will keep this under review - if you feel we are missing out by not having
 the organisation level access, please speak to the CTO.
-