Information Security Policy
============================

All employees are responsible for protecting company data and systems.

Password Requirements:
- Minimum 12 characters
- Must include uppercase, lowercase, numbers, and special characters
- Cannot reuse last 5 passwords
- Must change password every 90 days
- Use the company-provided password manager for all accounts

Data Classification:
- Public: Can be shared externally
- Internal: Company-wide access only
- Confidential: Restricted to specific teams
- Restricted: Requires explicit authorization

Access Control:
- Principle of least privilege: Only grant access necessary for job function
- All access requests must be approved by data owner
- Access reviews conducted quarterly
- Terminated employees' access revoked within 24 hours

Device Security:
- Company laptops must have full disk encryption enabled
- Personal devices used for work must be enrolled in MDM
- No unauthorized software installations
- Automatic security updates must be enabled

Incident Reporting:
- Report security incidents immediately to security@company.com
- Do not attempt to investigate or contain incidents yourself
- Preserve evidence: Do not delete logs or files

