Keeping laptops and phones secure is vitally important. We're a software company and many of us have access to secure systems (both our own and our customers).
The following guidelines apply to how we physically secure our laptops and mobile devices that may contain customer or user data.
- Make a note of serial numbers, model information
- Two Factor Authentication and strong passwords
- Keep your operating system and applications up to date
- Lock your device when you are away from it.
- Don't leave your devices unattended in an unsecured area.
- Install a device tracking and remote data wipe tool such as Prey.
- Encrypt your hard drive
- Mac users must add a firmware password
- Non Mac users must add a BIOS password
- Disable automatic login for OSX
- Auto logout after five minutes inactivity
- Require password after screensaver or sleep
- Only work from company laptops or follow BYOD policy
- Install iCloud/Find My Mac
We all use personal mobile devices, so your options are either not to add any company accounts to your phone (this includes Slack, Gmail etc), or to follow the checklist below.
- Ideally disable finger print login (or at least have TouchID on).
- Create a 6 digit passcode (or better)
- Turn on auto lock after 5 mins
- Use a unique password for every account you create.
- Use a tool like pwgen or 1password to generate random passwords.
- Use a tool like GnuPG to encrypt passwords if you need to share them with somebody.
- Use a PGP signature in an email if you want somebody to trust that you wrote it.
- Use PGP to check email signatures if you want to know who wrote it.
- Use PGP to encrypt emails if you want to be sure nobody but the recipient is reading it.
- Use ultimate trust for your own keys.
- Use full trust for keys you have verified in person or via a secure video chat.
- Don't share your private key with anyone, including services like Keybase.
- Keep at least one backup of your private key and revocation certificate in a secure location, such as a thumb drive.
- Depending on what you are making, limit access to your user databases.
- In case of a hack or data breach, check previous logs for data access, ask people to change passwords. You might require an audit by external agencies depending on where you are incorporated.
When someone finds a possible security issue in our software, we encourage them to report it to our security@d.foundation email address.
When an email comes in through this channel, reply quickly with confirmation (and CC security@d.foundation so others know that it has been handled) and the information for our PGP key, which is located at https://d.foundation/security.