Convictional

Security Policy

Security Training

As we grow and take on more customers, security is increasingly important. Our security is an opportunity for differentiation and competitive advantage. We deal with business data that is highly sensitive in nature, and our security posture reflects that.

We default to Google services. Whenever a Google service is available for a task (e.g., Google Cloud, Google Calendar, Gmail, and Google Drive), use it rather than a third-party alternative.

Logging In

  • Whenever possible, use Google Single Sign-On (SSO) to log in.
  • If SSO is not available, you must use multi-factor authentication (MFA). Acceptable options include Authy, Bitwarden, Apple Passwords, and Google Authenticator.
  • All passwords must be stored in a password manager and follow company password guidelines.
  • Every password must be unique.

Communicating

  • All company communication will come via an official company email address or over Google Meet.
  • Email requires additional caution: do not trust unknown senders, do not click unexpected links or attachments, and do not share information unless the contact can be verified.
  • Use Signal for work communications. SMS and phone calls are not considered secure for these purposes.
  • Beware of phishing attempts via SMS. The company will not message you via SMS for official requests.

Using Your Computer

  • Company computers are provided with necessary hardware-level security.
  • You must only work on a computer that has an encrypted disk. Windows machines must use BitLocker, macOS machines must use FileVault, and Linux machines must use LUKS.
  • Only perform company work on company machines to decrease the likelihood of attacks from less secure services and devices.
  • Store sensitive information only in Google Drive. Do not put sensitive information on a USB, and never share sensitive information over email.
  • Do not plug unfamiliar USB or data storage devices into your computer.
  • Open source software must be approved and vetted by engineering and legal to avoid onerous licensing requirements.

For Developers:

  • Do not keep credentials in your bash history.
  • Access sensitive credentials only through the Key Management System (KMS); never handle or store them directly.
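As an added example (not part of Convictional's policy or tooling), the following POSIX shell snippet shows one way to apply the first bullet: a history configuration that keeps secret-bearing commands out of `~/.bash_history`, plus an audit function that scans an existing history file for lines that look like they contain credentials. The credential pattern, the `HISTIGNORE` globs and the sample history file are constructed for illustration and should be tuned to your environment.

```shell
#!/usr/bin/env sh
# Added example (not Convictional's own code): harden shell history so that
# credentials are not recorded, and audit an existing history file for lines
# that appear to contain secrets. The patterns below and the sample history
# are assumptions constructed for this illustration.

# Lines to add to ~/.bashrc. ignoreboth = ignorespace + ignoredups, so a
# command typed with a leading space is never written to history; HISTIGNORE
# additionally skips commands matching any of the listed globs.
history_hardening_config() {
    cat <<'EOF'
export HISTCONTROL=ignoreboth
export HISTIGNORE='*PASSWORD*:*SECRET*:*TOKEN*:*API_KEY*:*--password*'
EOF
}

# Case-insensitive extended regex (assumed; extend for your environment)
# matching history lines that assign or pass a credential on the command line.
CREDENTIAL_PATTERN='(PASSWORD|SECRET|TOKEN|API_KEY|AUTHORIZATION)'

# Print matching history lines with their line numbers; exits 1 if none match.
find_credential_lines() {
    grep -E -n -i "$CREDENTIAL_PATTERN" "$1"
}

# Print the number of matching lines (always exits 0, prints 0 when none).
count_credential_lines() {
    grep -E -c -i "$CREDENTIAL_PATTERN" "$1" || true
}

# Constructed sample history (not a real user's history) to demonstrate the audit.
SAMPLE_HISTORY="$(mktemp)"
trap 'rm -f "$SAMPLE_HISTORY"' EXIT
cat > "$SAMPLE_HISTORY" <<'EOF'
git status
export AWS_SECRET_ACCESS_KEY=EXAMPLEKEY123
mysql -u app --password=hunter2 -h db.internal
ls -la
curl -H "Authorization: Bearer TOKEN_PLACEHOLDER" https://example.invalid/api
EOF

# Demonstration: report the suspicious lines found in the constructed history.
echo "Suspicious lines: $(count_credential_lines "$SAMPLE_HISTORY")"
find_credential_lines "$SAMPLE_HISTORY" || echo "none found"
```

Run the audit against your real history with `find_credential_lines ~/.bash_history`; any line it reports should be removed from the file and the exposed credential rotated through the KMS, since the history file is readable by anything running as your user.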

Using Your Phone

  • If you use your phone for company work, you must use a passcode. Biometric or facial recognition is preferred.
  • Your phone must be encrypted. Ensure the device is encrypted before accessing company data.
  • Use Google services on your phone to access company data, not third-party services. Exceptions must be approved by the Security team.

CISA Recommendations

We follow recommendations from the US Cybersecurity and Infrastructure Security Agency (CISA):

  • Use only end-to-end encrypted communications.
  • Use FIDO authentication, such as FIDO security keys or passkeys.
  • Do not use SMS MFA.
  • Use a password manager.
  • Set a Telco PIN or use MFA with your provider to protect against SIM-swapping.
  • Update your software regularly and use up-to-date hardware.
  • Avoid single-hop VPNs. iCloud Private Relay is considered a secure two-hop alternative.

Using Online Accounts

  • Before using a new service, inquire about audit trails, two-factor authentication, and Google SSO support.
  • Do not integrate third-party apps with Google Drive, Google Calendar, or Gmail without prior check-in.
  • Third-party tools that can read your email (e.g., Grammarly) are not allowed.
  • If you suspect a service is compromised or experiencing unexpected behavior, reach out to the compliance team immediately.

When Something Goes Wrong

  • Contact the compliance team immediately and let them know what happened.
  • You will not get in trouble for genuine mistakes; it benefits the company to know sooner.
  • The company is liable for issues, and you are protected by the corporate structure.