Workstation Policy

2025.1

Reviewed: 12/03/2024
Updated: 12/03/2024

Purpose and Scope:

1. This policy defines best practices to reduce the risk of data loss/exposure through workstations.
2. This policy applies to all employees and contractors. Workstation is defined as the collection of all company-owned and personal devices containing company data.

Controls and Procedures

1. Workstation devices must meet the following criteria:
   a. Operating system must be no more than one generation older than current
   b. Device must be encrypted at rest
   c. Device must be locked when not in use or when employee leaves the workstation
   d. Workstations must be used for authorized business purposes only
   e. Loss or destruction of devices should be reported immediately
   f. Laptops and desktop devices should run the latest version of antivirus software that has been approved by IT
   g. Intrusion detection and prevention will be handled by endpoint protection, currently BitDefender and Pulseway

2. Desktop & laptop devices
   a. Employees will be issued a desktop, laptop, or both by the company, based on their job duties. Contractors may be provided with IMPLAN equipment; otherwise, will provide their own laptops.
   b. Desktops and laptops must operate on macOS or Windows. c. Operating systems must be patched automatically through policies configured and deployed by the IT team.

3. Mobile devices
   a. Mobile devices must be operated as defined in the Cloud Storage and BYOD Policy.
   b. Mobile devices must operate on iOS or Android.
   c. Company data may only be accessed on mobile devices using the following apps:

   • Slack
   • Outlook or Mail
   • Jira
   • Ringcentral
   • Google Apps
   • Salesforce

4. Removable media
   a. Removable media is permitted on approved devices as long as it does not conflict with other policies.