Device Security Policy

We trust you to maintain the security of devices that access company data. This policy outlines the mandatory security requirements for all devices used in connection with company operations.

Scope

This policy applies to all devices (laptops, desktops, mobile phones, tablets) used by employees and contractors that:

• Access company data, systems, or networks

• Store company or customer information

• Connect to company infrastructure

Mandatory Security Requirements

The following security measures are non-negotiable and must be implemented on all covered devices:

1. Operating System Updates

• All devices must run the latest version of their operating system

• Security updates must be installed promptly when available

• Automatic updates should be enabled where possible

2. Device Encryption

All devices and storage drives must be encrypted. Unencrypted devices are prohibited from accessing company data.

• macOS: FileVault must be enabled

• Windows: BitLocker must be enabled and active

• Linux: Full disk encryption must be enabled using the distribution's recommended encryption solution (LUKS, dm-crypt, etc.)

• External drives: All external storage devices must be encrypted before use

3. Device Tracking

When available, device tracking features should be enabled:

• Apple devices: Enable Find My iPhone/Find My Mac

• Windows devices: Enable Find My Device through Microsoft Account

• Android devices: Enable Find My Device through Google Account

4. Strong Authentication

• All devices must be protected with a strong password, PIN, or biometric authentication

• Passwords must meet company password policy requirements

• Devices must never be left accessible without authentication

5. Automatic Lock Settings

• Devices must automatically lock after a maximum of 5 minutes of inactivity

• Screen savers with password protection must be enabled on desktop systems

• Mobile devices should use the shortest practical timeout period

Our Trust-Based Approach

We operate on a foundation of trust. We would prefer not to implement Mobile Device Management (MDM) solutions, instead relying on our team members to take ownership of these essential security practices.

However, this trust comes with responsibility. Each team member is accountable for maintaining these security standards on their devices.

Compliance and Consequences

Monitoring and Assessment

• We reserve the right to verify compliance with this policy

• Security assessments may be conducted periodically

• Team members may be asked to demonstrate compliance upon request

Non-Compliance Consequences

Failure to comply with these security requirements may result in:

• Immediate restriction of access to company systems and data

• Formal disciplinary action, up to and including termination of employment or contract

• The severity of consequences will depend on the nature and extent of non-compliance
  
  

New Device Setup

When setting up a new device:

1. Enable encryption before storing any company data

2. Configure automatic updates

3. Set up device tracking features

4. Establish strong authentication

5. Configure automatic lock settings

6. Verify all requirements are met before accessing company systems