Remote Working Procedure (A.6.7)
Document ID: remote-working-procedure
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual
Context
Remote working is the default and only operating model for SigmaShake. There are no office premises; all work is conducted from personal or dedicated remote work locations. This procedure defines the security baseline for all work locations.
Device requirements
All devices used to access SigmaShake production systems must meet the following baseline:
| Control | Requirement | Evidence |
|---|---|---|
| Full-disk encryption | FileVault (macOS) / BitLocker (Windows) / LUKS (Linux) | Quarterly attestation |
| OS patch currency | Patches applied within 30 days of availability | Quarterly attestation |
| Screen lock | Auto-lock within 5 minutes | Quarterly attestation |
| Anti-malware | Platform-native (XProtect / Defender) or third-party | Quarterly attestation |
| Firewall | Enabled and blocking inbound by default | Quarterly attestation |
When the Kolide endpoint management integration (endpoint-posture collector) is active, these controls are verified programmatically.
Network requirements
- VPN not required — Cloudflare Zero Trust enforces access control at the application layer via SSO + MFA, regardless of network
- Public Wi-Fi — Permitted for low-sensitivity tasks. For production access (Wrangler deploy, D1 access), use a trusted network or mobile hotspot
- Home network — Recommended to have a guest network isolating work devices from IoT
Physical security at remote locations
- Devices must not be left unattended in public without screen lock
- Production work must not be performed in view of others without a privacy screen
- Devices must not be connected to untrusted USB peripherals
Incident response
If a work device is lost or stolen:
- Report immediately to create an incident (Sev2 at minimum)
- Remote wipe if available (Apple Find My / Windows Remote Wipe)
- Revoke all associated sessions and API tokens
- Rotate any secrets that may have been accessible
Attestation
Quarterly acknowledgment of this procedure is required. The remote-working-policy-acknowledgment attestation type is tracked in the compliance portal.
Evidence
| Collector | Cadence | Control |
|---|---|---|
| endpoint-posture | Weekly | A.6.7, A.8.1 |