Device Security Policy
We trust you to maintain the security of devices that access company data. This policy outlines the mandatory security requirements for all devices used in connection with company operations.
Scope
This policy applies to all devices (laptops, desktops, mobile phones, tablets) used by employees and contractors that:
Access company data, systems, or networks
Store company or customer information
Connect to company infrastructure
Mandatory Security Requirements
The following security measures are non-negotiable and must be implemented on all covered devices:
1. Operating System Updates
All devices must run the latest version of their operating system
Security updates must be installed promptly when available
Automatic updates should be enabled where possible
2. Device Encryption
All devices and storage drives must be encrypted. Unencrypted devices are prohibited from accessing company data.
macOS: FileVault must be enabled
Windows: BitLocker must be enabled and active
Linux: Full disk encryption must be enabled using the distribution's recommended encryption solution (LUKS, dm-crypt, etc.)
External drives: All external storage devices must be encrypted before use
3. Device Tracking
When available, device tracking features should be enabled:
Apple devices: Enable Find My iPhone/Find My Mac
Windows devices: Enable Find My Device through Microsoft Account
Android devices: Enable Find My Device through Google Account
4. Strong Authentication
All devices must be protected with a strong password, PIN, or biometric authentication
Passwords must meet company password policy requirements
Devices must never be left accessible without authentication
5. Automatic Lock Settings
Devices must automatically lock after a maximum of 5 minutes of inactivity
Screen savers with password protection must be enabled on desktop systems
Mobile devices should use the shortest practical timeout period
Our Trust-Based Approach
We operate on a foundation of trust. We would prefer not to implement Mobile Device Management (MDM) solutions and instead rely on our team members to take ownership of these essential security practices.
However, this trust comes with responsibility. Each team member is accountable for maintaining these security standards on their devices.
Compliance and Consequences
Monitoring and Assessment
We reserve the right to verify compliance with this policy
Security assessments may be conducted periodically
Team members may be asked to demonstrate compliance upon request
Non-Compliance Consequences
Failure to comply with these security requirements may result in:
Immediate restriction of access to company systems and data
Formal disciplinary action, up to and including termination of employment or contract
The severity of consequences will depend on the nature and extent of non-compliance
New Device Setup
When setting up a new device:
Enable encryption before storing any company data
Configure automatic updates
Set up device tracking features
Establish strong authentication
Configure automatic lock settings
Verify all requirements are met before accessing company systems