To mitigate risks and vulnerabilities, individual personnel are responsible for ensuring that the computers and devices used to access Nested Knowledge services and systems are protected by the basic security measures described in this policy.
Scope: This policy affects all employees, contractors, and consultants of Nested Knowledge.
Definitions:
- End-user device refers to any desktop or laptop computer, tablet, smart phone, or other mobile device. "End-user device" does not include removable storage such as USB flash drives.
- End-user refers to a member of the Nested Knowledge workforce who accesses information technology resources.
End-User Device Policy #
We require end-user devices to be protected by the security procedures described below:
- Access to the device is protected with a password, PIN, or suitable biometric alternative.
- Where practicable, the screen or device locks after an inactivity timeout, and a password, PIN, or suitable biometric alternative is required to unlock it.
- Application updates, including security updates, are applied at least once every quarter.
- Where available, practicable, and advisable, a firewall is enabled.
- Anti-virus software is installed and an automatic check for updates occurs at least weekly.
- Software or apps should not be installed unless the user explicitly trusts the source and knows a legal license exists.
- End-users must comply with software vendor license agreements and copyright holders’ notices. Making unauthorized copies of licensed and copyrighted software, even for evaluation purposes, is strictly forbidden.
- End-users are discouraged from storing client materials on their local machines; instead, files that are not in the production environment should be stored in an encrypted file drive.
Software Review #
Nested Knowledge reviews the applications installed on end-user devices on a quarterly basis using our Mobile Device Management solution.
Security Patches on End-User Devices #
Nested Knowledge uses Mosyle to prompt end-users to download and install the latest software updates for the operating system (macOS) and applications. For both OS and most application updates, if updates are not installed by the end-user within five (5) days of release, the updates are installed automatically. Nested Knowledge developers with root access to their devices may choose to delay software updates, but they are required to update software within three (3) months of the software release and update notice.
Anti-Malware Policy #
We require Nested Knowledge end-users to run antivirus software on company-issued computers. This software includes macOS built-in anti-malware technologies and Mosyle's Detection & Removal technology. We require contractors using personal devices to use Malwarebytes to scan for and detect malware and ransomware. Positive findings must be reported to the CTO. Antivirus software must be updated (either by updating the ruleset or by a fresh reinstall) whenever scans are performed.
Schedule
The schedule for scanning is subject to change, but it will not fall below the minimum of twice annually. Currently, Nested Knowledge end-user devices use macOS malware defenses as well as Mosyle's anti-virus tools. macOS's built-in technology, XProtect, updates its signatures automatically when new malware infections and strains are detected.
Reporting
Positive results in the scan must be reported to one or more members of the Incident Response team. If a virus is detected, all members of the IR team must be notified immediately.
Response
- The offending applications and files will be uninstalled or removed until a rescan returns zero results.
- The incident response team will analyze the malware attack surface and inventory the information that was available on the infected device since the last scan.
- Based on the information available on the infected device, the appropriate Incident Response and Data Protection procedures will be enacted. Information about the threat will be escalated to clients/customers, according to the guidelines in our escalation policy.
Enforcement #
Failure to comply with this policy may result in disciplinary actions.
Revision History #
Author | Date of Revision/Review | Comments |
---|---|---|
K. Cowie | 10/23/2024 | Revised |
K. Holub | 12/15/2021 | Policy approved |
K. Kallmes | 12/18/2021 | Policy approved |