
Security Requirements

Matt Dodson edited this page Jul 5, 2020 · 3 revisions

Security of your computers and smartphones

In your work you might use multiple devices, e.g. laptops, desktop computers, smartphones, or tablets, that have been provided by the company or that personally belong to you. Your devices can be from any manufacturer and run any operating system, but we ask you to apply the same basic security rules to all of them:

  1. Enable automatic locking after a period of inactivity on both your computers and smartphones. Unlocking can't be a simple swipe or click; it must require a password, biometric ID, or something similarly secure;
  2. Update the OS and other software in a timely manner, especially when the updates contain patches for security vulnerabilities;
  3. If you sell, give away, or dispose of a device previously used for work, completely erase all the data from the device, and do so in a way that prevents it from being recovered;
  4. The hard drives of your laptops must be encrypted so their contents won't be compromised if a device is lost or stolen.

Use Password Managers

Passwords that meet the following criteria are considered secure:

  1. Length of 12 characters or more;
  2. Composed of random letters and digits, so they are not vulnerable to a dictionary attack;
  3. Never used twice. Each time you create an account, create a new password.

Use a password manager. Considering the number of systems we have to work with, it is the only realistic way to follow the guidelines above. LastPass, 1Password or Bitwarden are all examples. If you haven't started using a password manager yet, please start today.

Do not Share Passwords with Colleagues

If you need to give a colleague access to a system, create an account with a temporary password that they will change as soon as they log in. When possible, do not use shared logins. In exceptional cases, shared logins may be allowed for secondary non-critical systems that do not store important data, and for some reason do not allow a separate login to be created for each employee.

Use Two-factor Authentication

We urge you to enable two-factor authentication (2FA) on all systems that support it.

Requirements for SSH Keys

  1. Each key's comment field must contain the owner's email address. Anonymous or unidentifiable keys are deleted from the servers without warning;
  2. The key must be passphrase-protected;
  3. Use the Ed25519 key type instead of the OpenSSH default:
     ssh-keygen -t ed25519 -C "$EMAIL"
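
The following POSIX shell script is an added example, not part of the original wiki page, showing how an administrator can check public keys against the three requirements above before they are accepted into a server's authorized_keys file. The function names (check_pubkey, require_passphrase, audit_authorized_keys), the sample file contents and the placeholder key bodies are assumptions constructed for the example; the key bodies are not real keys and are not validated (sshd does that when the key is used).

```shell
#!/bin/sh
# Added example (not part of the original page): audit SSH public keys against the
# policy above. Assumed input: standard .pub / authorized_keys lines, optionally
# with an options prefix such as command="..." before the key type.

# check_pubkey LINE -> 0 and "OK: ..." if the key is ssh-ed25519 and its comment
# carries an owner email address; otherwise 1 and a "REJECT: ..." reason.
check_pubkey() {
    printf '%s\n' "$1" | awk '
        {
            type = ""; email = ""
            for (i = 1; i <= NF; i++) {
                if (type == "" && $i ~ /^(ssh-|ecdsa-|sk-)/) {
                    type = $i
                    # $(i+1) is the base64 key body; everything after it is the comment
                    for (j = i + 2; j <= NF; j++)
                        if ($j ~ /^[^@ ]+@[^@ ]+\.[^@ ]+$/) email = $j
                    break
                }
            }
            if (type == "")            { print "REJECT: not a public key line"; exit 1 }
            if (type != "ssh-ed25519") { print "REJECT: key type " type " is not ssh-ed25519"; exit 1 }
            if (email == "")           { print "REJECT: no owner email address in key comment"; exit 1 }
            print "OK: ssh-ed25519 key for " email
        }'
}

# require_passphrase PRIVATE_KEY_FILE -> 0 if the private key is passphrase-protected.
# Extracting the public key with an empty passphrase (ssh-keygen -y -P '') succeeds
# only for an unencrypted key, so success here means the key violates requirement 2.
# Needs ssh-keygen on PATH; not exercised by the constructed sample below.
require_passphrase() {
    [ -r "$1" ] || { echo "REJECT: cannot read $1"; return 1; }
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
        echo "REJECT: $1 is not passphrase-protected"
        return 1
    fi
    echo "OK: $1 requires a passphrase"
}

# audit_authorized_keys FILE -> 0 only if every key line in FILE passes check_pubkey.
# Blank lines and # comments are skipped; each verdict is printed.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        check_pubkey "$line" || bad=$((bad + 1))
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Constructed sample authorized_keys: placeholder key bodies, not real keys.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample; key bodies are placeholders
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBODY0000000000000000 alice@example.com
command="/usr/local/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBODY1111111111111111 bob@example.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYBODY carol@example.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBODY2222222222222222 work laptop
EOF
if audit_authorized_keys "$SAMPLE"; then
    echo "all keys compliant"
else
    echo "non-compliant keys found"
fi
rm -f "$SAMPLE"
```

Run on the sample, the first two keys pass (the options prefix on the second is skipped), the ssh-rsa key is rejected for its type, and the last key is rejected because "work laptop" identifies no owner, which is exactly the kind of key the policy says will be removed without warning.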

Non-disclosure of Confidential Information

The detailed terms and conditions of the NDA are described in the agreement that is signed between you and the company upon hiring. We would like to draw attention to two main points here:

  1. The code you write for your job is owned by your employer and may not be disclosed or used on any third-party projects without explicit permission;
  2. It is not permitted to publicly mention any projects the company participates or has participated in without explicit permission.