Security Guidelines
Security Policy Overview
At OpticWorks, security is everyone’s responsibility. These guidelines help protect our company data, customer information, and intellectual property.
Password Security
Password Requirements
- Minimum length: 12 characters
- Complexity: Mix of uppercase, lowercase, numbers, and symbols
- Unique: Never reuse passwords across services
- Regular updates: Change passwords every 90 days
Password Manager (Required)
- Tool: 1Password (company-provided)
- Usage: ALL work passwords must be stored in 1Password
- Master password: Use a strong, memorable passphrase
- Never: Share passwords via email, Slack, or text
Two-Factor Authentication (2FA)
Required for:
- Email and Google Workspace
- GitHub and code repositories
- AWS and cloud services
- VPN access
- Admin panels and internal tools
Preferred 2FA method: Duo Mobile authenticator app
Device Security
Company Devices
- Keep operating system and software up to date
- Enable full-disk encryption (FileVault on macOS, BitLocker on Windows)
- Set auto-lock after 5 minutes of inactivity
- Use strong device passwords/PINs
- Never share your device with others
Personal Devices (BYOD)
If using personal devices for work:
- Install company MDM (Mobile Device Management)
- Use 1Password for all work accounts
- Keep devices updated with latest security patches
- Separate work and personal data
- Report lost/stolen devices immediately
Physical Security
- Lock your screen when stepping away
- Don’t leave devices unattended in public
- Use privacy screens in public spaces
- Secure devices when traveling
- Report lost or stolen equipment to IT immediately
Network Security
VPN Usage (Required)
Use VPN when:
- Working from home or remote locations
- Accessing internal company resources
- Using public WiFi networks
- Connecting to production systems
VPN Setup: See instructions in IT portal
WiFi Security
- Office WiFi: Use OpticWorks-Secure network
- Public WiFi: Always use VPN
- Home WiFi: Use WPA3 or WPA2 encryption
- Never: Connect to unknown or open networks without VPN
Remote Access
- Use company VPN for all remote connections
- Never use personal RDP or remote desktop tools
- Access internal resources only through approved methods
- Log out when finished working
Data Protection
Data Classification
Public
- Marketing materials
- Public website content
- Press releases
Internal
- Internal communications
- Project documentation
- Non-sensitive business data
Confidential
- Customer data
- Financial information
- Unreleased product information
- Employee personal information
Restricted
- Credentials and passwords
- Security configurations
- Compliance-related data
- Trade secrets
Handling Confidential Data
- Store in approved company systems only
- Encrypt when transferring
- Share only on a need-to-know basis
- Delete securely when no longer needed
- Never upload to personal cloud storage
Email Security
- Verify sender before opening attachments
- Hover over links to check the real destination before clicking
- Watch for phishing attempts
- Use encryption for sensitive data
- Report suspicious emails to security@opticworks.com
Cloud Security
Approved Cloud Services
- Google Workspace
- GitHub
- AWS (for authorized teams)
- Slack
- Jira/Confluence
Shadow IT (Prohibited)
- Don’t use unapproved cloud services for company data
- Request approval before using new SaaS tools
- Check with IT before sharing company data externally
Cloud Access
- Use SSO (Single Sign-On) when available
- Enable 2FA on all cloud accounts
- Review access permissions regularly
- Revoke access for former employees immediately
Development Security
Code Security
- Never commit credentials or API keys to repos
- Use environment variables for sensitive configs
- Scan dependencies for vulnerabilities
- Follow Code Standards
- Review code for security issues
API Keys & Secrets
- Store in approved secret management systems
- Rotate regularly (every 90 days)
- Use different keys for dev, staging, production
- Revoke immediately if exposed
- Never share in Slack or email
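Two of the rules above, never commit credentials and read secrets from the environment, are ones a tool can enforce before a commit lands. As an added example (not OpticWorks code, and not any tool the page names), the block below is a small pre-commit style scanner that flags hardcoded key material in a file about to be committed, beside a loader that refuses to start when a secret is missing from the environment. The regexes, the `# allow-secret` opt-out marker, the entropy threshold and the sample file are assumptions made for illustration.

```python
"""Added example, not OpticWorks code: a minimal pre-commit style secret
scanner plus a fail-closed loader that reads secrets from the environment.
The patterns, the '# allow-secret' marker and the sample file are constructed
for illustration."""
import math
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Well-known credential formats (AWS access key IDs start with AKIA, GitHub
# personal access tokens with ghp_) plus a generic assignment rule that
# catches things like password = "..." in any language.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r'''(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{8,})['"]'''
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, plain words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Return one Finding per line that looks like it embeds a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "# allow-secret" in line:  # explicit, reviewable opt-out (constructed marker)
            continue
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # The generic rule would otherwise flag placeholders such as "changeme";
            # the entropy gate keeps only values that look like real key material.
            if rule == "generic_assignment" and shannon_entropy(match.group(2)) < entropy_threshold:
                continue
            findings.append(Finding(path, line_no, rule, line.strip()))
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read a secret from the environment and refuse to start without it.
    Passing `env` lets tests inject values without touching os.environ."""
    env = os.environ if env is None else env
    value = env.get(name, "").strip()
    if not value:
        raise RuntimeError(f"required secret {name} is not set; refusing to fall back to a default")
    return value


# Constructed sample of a file someone is about to commit.
SAMPLE_FILE = '''\
import os
DB_PASSWORD = "changeme"                # placeholder: low entropy, not reported
aws_key = "AKIAIOSFODNN7EXAMPLE"        # AWS documentation example key ID
api_key = "Xq9!mZ2#vL7$kR4pQw"          # hardcoded credential: reported
token = os.environ["SERVICE_TOKEN"]     # correct: read from the environment
test_password = "Xq9!mZ2#vL7$kR4pQw"  # allow-secret
'''

if __name__ == "__main__":
    for f in scan_text("app.py", SAMPLE_FILE):
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
```

Run it over staged files from a pre-commit hook (`git diff --cached --name-only` lists them) so the scan happens before the secret reaches the repository. Once a key has been pushed, rotation is the only fix: rewriting history does not recall clones and forks that already have it, which is why the policy says to revoke immediately if exposed.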
GitHub Security
- Enable 2FA on GitHub account
- Use SSH keys for authentication
- Don’t commit sensitive data
- Review pull requests for security issues
- Report security vulnerabilities privately
Incident Response
Security Incidents
If you suspect a security incident:
- Stop: Don’t delete evidence or logs
- Disconnect: Isolate affected systems if safe to do so
- Report: Contact security@opticworks.com immediately
- Document: Note what happened and when
- Cooperate: Work with security team on resolution
Common Security Incidents
- Phishing emails or suspicious messages
- Lost or stolen devices
- Suspected malware or virus
- Unauthorized access attempts
- Data breaches or leaks
- Accidental data exposure
Phishing & Social Engineering
Warning Signs
- Urgent or threatening language
- Requests for credentials or sensitive data
- Unexpected attachments or links
- Sender address doesn’t match display name
- Poor grammar or spelling
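The warning signs above are also checks a mail filter can run. As an added example (not OpticWorks code), the block below applies them to two constructed messages: a lookalike-domain phish and a legitimate internal newsletter. The trusted domain, the keyword lists and the sample mail are assumptions for illustration; real phishing will not always trip such simple patterns, so they complement rather than replace the judgment the list asks for.

```python
"""Added example, not OpticWorks code: automated versions of the phishing
warning signs, run over two constructed sample messages. The trusted domain,
the keyword lists and the sample mail are assumptions for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption: company mail only ever comes from opticworks.com.
TRUSTED_DOMAINS = {"opticworks.com"}
COMPANY_NAME = "opticworks"

URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account will be (suspended|closed)|verify now)\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(password|passcode|verification code|2fa code|login credentials)\b", re.I)
HOSTNAME = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
ANCHOR = re.compile(r'''<a\s+[^>]*href=["']([^"']+)["'][^>]*>(.*?)</a>''', re.I | re.S)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_message(raw: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every warning sign found; [] means none fired."""
    msg = message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)

    # Sender address doesn't match display name: the name shows one address,
    # the real sender is another.
    claimed = HOSTNAME.search(display)
    if claimed and claimed.group(1).lower() != sender_domain:
        flags.append(("display_name_mismatch", f"name shows {claimed.group(1)}, sender is {addr}"))

    # Claims to be the company but comes from a lookalike domain.
    if COMPANY_NAME in (display + addr).lower() and sender_domain not in TRUSTED_DOMAINS:
        flags.append(("untrusted_sender_domain", sender_domain))

    # Replies would quietly go to a third party.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append(("reply_to_mismatch", reply_to))

    # Urgent or threatening language, and requests for credentials.
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    urgent = URGENCY.search(text)
    if urgent:
        flags.append(("urgent_language", urgent.group(0)))
    asks = CREDENTIAL_ASK.search(text)
    if asks:
        flags.append(("credential_request", asks.group(0)))

    # "Hover over links" done programmatically: visible host vs. real target host.
    for href, label in ANCHOR.findall(body):
        shown = HOSTNAME.search(re.sub(r"<[^>]+>", "", label))
        real = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real:
            flags.append(("link_mismatch", f"text shows {shown.group(1)}, link goes to {real}"))
    return flags


# Constructed sample: a lookalike-domain phish aimed at an OpticWorks mailbox.
SAMPLE_PHISH = '''\
From: "it-support@opticworks.com" <helpdesk@opticworks-login.com>
Reply-To: recovery@mail-verify.example
To: alice@opticworks.com
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Your mailbox is over quota. Verify now within 24 hours or lose access.</p>
<p>Enter your password at
<a href="http://login.opticworks-verify.example/">https://sso.opticworks.com/</a></p>
'''

# Constructed sample: a legitimate internal message.
SAMPLE_LEGIT = '''\
From: Security Team <security@opticworks.com>
To: alice@opticworks.com
Subject: Monthly security newsletter
Content-Type: text/html

<p>This month's topics are on the intranet:
<a href="https://intranet.opticworks.com/security">https://intranet.opticworks.com/security</a></p>
'''

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(check_message(sample) or "no warning signs")
```

Each rule maps to one bullet in the list: the display-name and lookalike-domain checks cover "sender address doesn't match display name", the link check is the "hover over links" advice from the Email Security section applied to the HTML the mail actually carries, and the keyword rules cover urgency and credential requests. Grammar and spelling are deliberately left to the reader; a keyword list for that produces more noise than signal.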
If You Receive Phishing
- Don’t click links or download attachments
- Don’t reply or provide information
- Forward to security@opticworks.com (as an attachment, so the original headers are preserved for investigation)
- Delete the email
- Report in #security Slack channel
Compliance
Data Privacy
- Follow GDPR, CCPA, and other regulations
- Minimize collection of personal data
- Respect user privacy preferences
- Delete data when requested
- Report privacy incidents immediately
Customer Data
- Access only what’s needed for your role
- Never share customer data externally
- Anonymize when possible
- Follow data retention policies
- Obtain consent before using for new purposes
Security Training
Required Training
- Annual security awareness training
- Phishing simulation exercises
- Role-specific security training
- Incident response procedures
Ongoing Education
- Monthly security newsletters
- #security Slack channel
- Security team office hours
- Internal security documentation
Contact Security Team
How to Reach Us
- Email: security@opticworks.com
- Slack: #security
- Emergency: Call IT hotline (24/7)
- Anonymous reporting: Security hotline
When to Contact
- Security questions or concerns
- Suspected security incidents
- Need security tool access
- Report vulnerabilities
- Request security review
Quick Reference
Security Checklist
- 1Password installed and configured
- 2FA enabled on all accounts
- VPN installed and working
- Device encryption enabled
- Auto-lock configured
- Latest OS and software updates installed
- Completed security training
- Familiar with incident reporting process
Remember: If you see something, say something. Security is everyone’s responsibility.