
Endpoint Security Policy

Field            Value
Document ID      EPP-001
Version          1.0
Classification   Internal
Owner            Lauren ten Hoor (Director)
Effective date   2026-04-30
Next review      2027-04-30
Parent policy    Information Security Policy (ISP-001)

1. Purpose

To define the minimum security configuration and operational practices for endpoint devices used to access Cadences's information, systems, or production environment.

2. Scope

All workstations, laptops, tablets, and mobile devices used by personnel for Company business — currently the Director's primary workstation and mobile device. Includes Company-issued and personally-owned devices used for work (Bring-Your-Own-Device).

3. Device inventory

All endpoints used for Company work are recorded in the Asset Inventory with:

  • Device type, model, serial number;
  • Operating system and version;
  • Owner;
  • Encryption status;
  • Date last reviewed.

The inventory is updated when devices are added, replaced, or retired.

4. Required configuration

4.1 Workstations (macOS / Windows)

Mandatory baseline:

  • Full-disk encryption enabled (FileVault on macOS, BitLocker on Windows). Recovery key stored in the password manager.
  • Automatic screen lock within 5 minutes of inactivity.
  • Login password / passphrase of at least 12 characters; biometric unlock permitted as a convenience layer over the underlying password.
  • Operating system auto-update enabled, with major-version updates applied within 30 days of public release.
  • Browser auto-update enabled.
  • Firewall enabled (macOS Application Firewall / Windows Defender Firewall).
  • Backup to an encrypted destination (Time Machine to an encrypted volume; equivalent on Windows).

Recommended:

  • Endpoint detection and response (EDR) — CrowdStrike Falcon Go, SentinelOne, or equivalent. Becomes mandatory before the Company's first employee or contractor joins.
  • Anti-malware — the built-in protection (XProtect on macOS, Microsoft Defender on Windows) is considered sufficient for the founder's solo workstation; this is re-evaluated when EDR is adopted.

Prohibited:

  • Unmanaged remote-desktop or remote-shell software (TeamViewer, AnyDesk, plain SSH listeners) exposed to the public internet.
  • Cracked, pirated, or unverified software.
  • Browser extensions of unknown provenance, especially any with access to all websites.
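One practical way to confirm the §4.1 mandatory baseline on a macOS workstation is a small audit script that can be run at each asset review. The script below is an added example, not part of EPP-001 and not Company tooling: it reads FileVault, firewall, screen-lock and software-update state with the standard macOS commands (fdesetup, socketfilterfw, defaults) and evaluates the results against the policy thresholds. The parse_* functions hold the rules and operate on captured output, so they can be exercised on any system with constructed input; the check_* and audit_workstation names are this example's own. Assumptions not stated in the policy: the 5-minute screen lock is measured as screensaver idle time plus the password-prompt delay, read from the classic com.apple.screensaver keys (verify these on the target macOS release), and "auto-update enabled" means both automatic checking and automatic installation of macOS updates are on.

```shell
#!/bin/sh
# Added example (not part of EPP-001): audit a macOS workstation against the
# section 4.1 mandatory baseline. Each check_* function reads one setting with a
# standard macOS command; each parse_* function holds the policy rule and works
# on captured output, so the rules can be tested on any system.
#
# Assumptions (not stated in the policy): screen lock is idle time plus
# password delay, both from com.apple.screensaver (classic keys; verify on the
# target macOS release), and auto-update means automatic check AND install.

# Normalise "5", "5.0" or junk to an integer string (junk -> 0).
to_int() {
  case "$1" in
    ''|*[!0-9.]*) echo 0 ;;
    *) n=${1%%.*}; echo "${n:-0}" ;;
  esac
}

# fdesetup status prints "FileVault is On." or "FileVault is Off."
parse_filevault() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# socketfilterfw --getglobalstate prints "... (State = 1)"; 1 = on, 2 = block all.
parse_firewall() {
  case "$1" in
    *"State = 1"*|*"State = 2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Idle seconds (0 = never) plus password delay must be within 300 s (5 minutes).
parse_screen_lock() {
  idle=$(to_int "$1"); delay=$(to_int "$2")
  [ "$idle" -gt 0 ] && [ $((idle + delay)) -le 300 ]
}

# Both AutomaticCheckEnabled and AutomaticallyInstallMacOSUpdates must be 1.
parse_autoupdate() {
  [ "$(to_int "$1")" -eq 1 ] && [ "$(to_int "$2")" -eq 1 ]
}

# Live checks (macOS only): capture the command output and hand it to the rule.
check_filevault() { parse_filevault "$(fdesetup status 2>/dev/null)"; }
check_firewall() {
  parse_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)"
}
check_screen_lock() {
  parse_screen_lock \
    "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)" \
    "$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)"
}
check_autoupdate() {
  parse_autoupdate \
    "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null)" \
    "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2>/dev/null)"
}

# Print PASS/FAIL per control; return the number of failed controls.
audit_workstation() {
  failed=0
  for c in check_filevault check_firewall check_screen_lock check_autoupdate; do
    if "$c"; then echo "PASS $c"; else echo "FAIL $c"; failed=$((failed + 1)); fi
  done
  return "$failed"
}

# Only run the live audit on macOS; the parse_* rules work anywhere.
if [ "$(uname -s)" = "Darwin" ]; then
  audit_workstation || echo "$? control(s) outside the baseline"
fi
```

The PASS/FAIL lines and the count of failed controls are what to record against the device's "date last reviewed" entry in the Asset Inventory; the backup and password-length controls are not covered because neither is reliably readable from the command line without knowing the backup target and account policy in use.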

4.2 Mobile devices (iOS / Android)

Mandatory:

  • Device passcode or biometric lock with secure-element backing.
  • Storage encryption (file-based data protection, on by default on modern iOS / Android).
  • Automatic OS updates.
  • Find My (iOS) / Find My Device (Android) enabled with remote-wipe capability.
  • Email / chat apps used for Company business signed in with the Company-provided account, never personal.

The mobile device is treated as a secondary endpoint; full administrative work (production deployments, secret rotation) is performed on the workstation only.

5. BYOD considerations

The Company has one director and no other personnel; the Director's workstation and mobile device are personally owned and used for Company work. The Director applies the §4.1 and §4.2 baseline to those devices.

If additional personnel are engaged in future and use personally-owned devices for Company work, the device must meet the §4.1 or §4.2 baseline as applicable; the Company reserves the right to remotely wipe Company data from a BYOD device on departure or loss, while preserving personal data to the extent possible. This is captured in the contractor or employee onboarding agreement under HRP-001 §7.1.

6. Loss or theft

A lost or stolen device is reported immediately under the Incident Management Policy and the Acceptable Use Policy. On report:

  • Active sessions are terminated where possible (sign out of all other sessions in each SaaS account).
  • Device-level remote wipe is initiated if the device contains accessible Company data.
  • Credentials potentially exposed are rotated.
  • An incident record is opened.

7. Physical security

  • Devices are kept in personal control or secured (locked office, locked drawer, hotel safe) when not in use.
  • Devices are not left unattended in public spaces.
  • Workstations are positioned to prevent shoulder-surfing of Confidential or Restricted content.

8. Disposal

When a device is retired:

  • Storage is wiped using a method appropriate to the medium. Spinning disks: overwrite (diskutil secureErase on macOS; DBAN-equivalent on Windows). SSDs and flash storage: cryptographic erase (destroy the FileVault / BitLocker key, e.g. "Erase All Content and Settings" on Apple silicon and T2 Macs, or reformat of a BitLocker-encrypted drive) or the drive's built-in ATA / NVMe secure-erase command; multi-pass overwriting is not a reliable sanitisation method for flash media. Mobile devices: factory reset, issued through MDM where the device is enrolled (DEP/MDM).
  • The device is recorded as retired in the Asset Inventory.
  • Where physical destruction is required (severely damaged drives, devices that handled Restricted data and cannot be reliably erased), destruction is documented.

9. Compliance and references

ISO/IEC 27001:2022 Annex A: A.7.7 (clear desk and clear screen), A.8.1 (user endpoint devices), A.8.7 (protection against malware), A.8.8 (management of technical vulnerabilities), A.8.13 (information backup).

10. Version history

Version  Date        Author           Summary
1.0      2026-04-30  Lauren ten Hoor  Initial issue