Purpose

Sourcegraph’s workforce is distributed globally, with many employees working from home or other remote locations by default. This operating model allows flexibility and supports productivity, but it also introduces unique risks to the security of our information and systems.

The purpose of this procedure is to outline the controls necessary to protect Sourcegraph's assets and information, addressing the three core aspects of information security: Confidentiality (C), Integrity (I), and Availability (A). These controls are designed to safeguard both physical and logical access to sensitive data while recognizing the practical realities of mobile and remote working.

This procedure applies universally, including all employees and contractors who use Sourcegraph-issued assets or personal devices for company business. It is intended to be read in conjunction with Sourcegraph's Acceptable Use Policy.

By implementing these measures, we aim to mitigate security risks while enabling our remote-first teams to work efficiently and securely.

Scope

This procedure covers all laptops and mobile devices (phones, USB sticks, etc.) used for Sourcegraph business. The term "staff" includes contractors, temporary workers, and anyone using Sourcegraph assets or personal devices for company-related purposes.

Procedure

Asset Issue

• The Tech-Ops Manager will maintain a log of all company-issued assets in the IT Asset Register. Sourcegraph assets are strictly for business purposes.
• Only Sourcegraph-issued laptops are permitted to access company data and systems.
• All laptops must be encrypted with approved encryption software installed by Tech-Ops.
• The use of personal (BYOD) mobile phones is allowable for receiving company calls and accessing allowlisted applications (public/internal) via the company identity provider.
• Employees and contractors are responsible for the safekeeping of Sourcegraph-issued mobile devices at all times.

Protection of the Asset

• All devices must have a power-on password and, where possible, Multi-Factor Authentication (MFA) and phishing resistance for accessing devices and data.
• Laptop passwords must comply with the company-wide password management policy.
• Devices must not be left unattended in cars, trains, aircraft, or other vulnerable locations. Devices should remain "out-of-sight" in public spaces such as hotels and cafes when not in use.
• Employees must be vigilant against threats like "shoulder surfing" and protect sensitive information in public places and unprotected areas.