5 Security, Privacy & Acceptable Use (Remote)

Applies to all Company and client data, systems, and devices used for Company work.

5.0.1 Device & Account Security

  • Use Company‑approved devices or keep personal devices up‑to‑date: full‑disk encryption, current OS/patches, antivirus.

  • MFA is mandatory on Company email, code hosting, PM tools, and cloud drives.

  • Lock screens on step‑away; avoid shared devices; use a password manager.

5.0.2 Data Handling & Storage

  • Store files only on approved cloud (Google Drive) with correct access controls; avoid local copies unless encrypted.

  • Do not forward Company data to personal email or unauthorized apps.

  • Classify data as Public / Internal / Confidential / Restricted and handle accordingly.

5.0.2.1 Additional Pointers:

  1. Never store client secrets in source code; use vaults or CI secrets.

  2. Redact PII in screenshots and logs before sharing.

  3. Follow retention rules: delete temporary exports after ingestion/validation.

5.0.3 Network & Access

  • Use VPN on public/untrusted networks.

  • Least‑privilege access; rotate credentials as required.

5.0.3.1 Additional Pointers:

  1. Avoid public Wi‑Fi; if unavoidable, use VPN end‑to‑end.

  2. Disable remote access/port forwarding unless explicitly approved.

  3. Review access monthly; remove stale memberships.

5.0.4 AI Tools & External Services

  • Only use approved AI tools. Never paste client‑identifiable or restricted data into unapproved tools/public models.

  • Review tool‑specific data handling (logging, training opt‑outs) before use.

5.0.4.1 Additional Pointers:

  1. Check tool data policies; opt out of training/log retention where possible.

  2. Do not input client names, keys, or unredacted data into AI tools.

  3. Document significant AI‑assisted outputs (prompt → result) in the project doc when they influence shipped work.

5.0.5 Incident Reporting

  • Report suspected breaches, device loss/theft, or phishing immediately to your manager.

  • Do not self‑investigate—preserve evidence and await guidance.

5.0.5.1 Additional Pointers:

  1. Provide: what happened, when noticed, systems affected, and your current containment.

  2. Severity guide: Sev1 (prod down), Sev2 (degraded), Sev3 (minor bug/near miss).

5.0.5.2 Additional Security Pointers

  • BYOD Minimums: OS fully supported; full‑disk encryption; password manager installed; antivirus/EDR active.

  • Home Wi‑Fi: Use WPA2/WPA3, change default router passwords, and update router firmware quarterly.

  • Lost/Stolen Device: Immediately notify your manager; we will remote‑revoke tokens and wipe where possible; change passwords afterwards.

  • Removable Media: Avoid USB storage for Company data; if unavoidable, encrypt and delete after transfer.

  • Data Exports: Only export data when necessary; store exports in approved folders and set expiry reminders for deletion.

  • Client Secrets: Use secret managers/CI vaults—never in code, screenshots, or docs.

  • Third‑Party Access: Grant least privilege, time‑bound. Review shared links and app connections quarterly.