====== Workstation Policy ======

===== ACME Evil Anvil Corporation =====

March 2019
Contents
  - Purpose and Scope
  - Policy

Table 1: Control satisfaction
^Standard ^Controls Satisfied^
|TSC |CC6.8|

Table 2: Document history
^Date ^Comment^
|Jun 1 2018 |Initial document|

==== Purpose and Scope ====

  - This policy defines best practices to reduce the risk of data loss/exposure through workstations.
  - This policy applies to all employees and contractors. Workstation is defined as the collection of all company-owned and personal devices containing company data.

==== Policy ====

  - Workstation devices must meet the following criteria:
    - Operating system must be no more than one generation older than current
    - Device must be encrypted at rest
    - Device must be locked when not in use or when employee leaves the workstation
    - Workstations must be used for authorized business purposes only
    - Loss or destruction of devices should be reported immediately
    - Laptops and desktop devices should run the latest version of antivirus software that has been approved by IT
  - Desktop & laptop devices
    - Employees will be issued a desktop, laptop, or both by the company, based on their job duties. Contractors will provide their own laptops.
    - Desktops and laptops must operate on macOS or Windows.
  - Mobile devices
    - Mobile devices must be operated as defined in the Removable Media Policy, Cloud Storage, and Bring Your Own Device Policy.
    - Mobile devices must operate on iOS or Android.
    - Company data may only be accessed on mobile devices with Slack and Gmail.
  - Removable media
    - Removable media must be operated as defined in the Removable Media Policy, Cloud Storage, and Bring Your Own Device Policy.
    - Removable media is permitted on approved devices as long as it does not conflict with other policies.