Device security policy
Introduction
Agile Collective is committed to protecting the security and integrity of our devices and data. This Device Security Policy outlines the guidelines and requirements for securing devices used for work-related activities. This policy applies to all devices used for work-related activities, including laptops, desktops, mobile devices, and tablets.
Policy
Device security
- Software: Software must only be installed from trusted sources (see software policy).
  - Ubuntu users should only install software from Canonical-maintained repositories or trusted software provided in containerised formats (Snap, Flatpak, AppImage).
  - macOS users should only install software available from the App Store.
- Device Configuration: Devices must be configured with the company’s security settings, including automatic screen lock, full disk encryption, and restricted administrative access.
  - Linux devices must use full disk LUKS encryption.
  - macOS devices must enable FileVault.
- Lost or Stolen Devices: Any lost or stolen device must be reported to the Tech circle immediately.
- Data Backup: Employees must ensure that any work-related data is stored on or backed up to the company’s secure cloud storage solutions and not stored solely on local devices.
- Operating System Updates: Employees must apply operating system updates (Ubuntu or macOS) within 14 days; critical software updates must be applied immediately. It is the responsibility of the individual to monitor, test, and deploy these updates in a timely manner. Failure to comply may result in disciplinary action.
- Firewalls: Devices must have local firewalls configured to block incoming connections.
  - Linux users must install and configure UFW.
  - macOS users must enable the Firewall in System Settings > Network > Firewall.
- Anti-malware: Devices must have anti-malware installed and configured.
  - Linux users must install and configure ClamAV to scan the home directory on a regular basis.
  - macOS users must ensure XProtect is enabled.
Incident reporting
- Incident Response: Members and employees must immediately report any security incidents, such as phishing attempts, data breaches, or malware infections, to the Tech circle via email or Rocket chat.
Member and employee responsibilities
- Compliance: Members and employees are responsible for adhering to this policy at all times. Non-compliance may result in disciplinary action.
Exceptions
- Any exceptions to this policy must be approved in writing by the Tech circle and will be granted only under exceptional circumstances.
Monitoring and review
- Policy Review: This policy will be reviewed annually or as required to ensure its effectiveness and alignment with the latest cybersecurity standards.
- Audit and Monitoring: The Tech circle will audit and monitor compliance with this policy, including periodic checks of remote working setups.
Last updated: