BYOD Endpoint Security Policy

1. Purpose

Defines the Bring Your Own Device (BYOD) operating model and minimum endpoint security requirements for all devices used to access Meridian Seven systems and data.

2. Scope

All employees, contractors, and third parties who use personal devices (macOS, Windows) to access Meridian Seven systems or data, regardless of location.

3. BYOD Operating Model

Meridian Seven operates a BYOD (Bring Your Own Device) model. Employees use their personal devices for all work activities. Security is enforced through software controls — CrowdStrike Falcon (endpoint detection and response), 1Password (credential management), Google Workspace (identity, MFA, endpoint verification), and disk encryption — rather than hardware ownership.

All devices used for work must meet the minimum requirements in this policy before accessing company systems. Compliance is verified through automated posture checks and continuous monitoring.

4. Minimum Device Requirements

Requirement	macOS	Windows
OS Version	macOS 14 (Sonoma) or later	Windows 11 22H2 or later
Disk Encryption	FileVault enabled	BitLocker enabled
Screen Lock	5-minute maximum inactivity timeout	5-minute maximum inactivity timeout
Firewall	macOS Firewall enabled	Windows Defender Firewall enabled
EDR	CrowdStrike Falcon sensor installed and active	CrowdStrike Falcon sensor installed and active
Password Manager	1Password app and CLI installed	1Password app and CLI installed
Auto-Updates	Automatic OS and security updates enabled	Automatic OS and security updates enabled
MFA	Configured on all company accounts	Configured on all company accounts

5. Device Onboarding

New employees must complete device setup within 48 hours of their start date:

Install 1Password using the invitation sent to your Meridian7 email
Install the CrowdStrike Falcon sensor using the enrollment email sent by CrowdStrike
Enable disk encryption (FileVault on macOS, BitLocker on Windows)
Confirm firewall is enabled and screen lock is set to 5 minutes or less

6. Data Handling on Personal Devices

Internal data: Access via browser and approved applications only
Confidential data: Access via approved applications; local caching permitted only within approved apps (e.g., 1Password, Google Drive desktop client). Do not export to personal storage or unapproved locations.
Restricted data: Access only via Doppler or 1Password. Never stored locally outside these tools.
Removable media: Prohibited for all company data per the Data Classification Policy

7. Offboarding

When an employee departs Meridian Seven:

CrowdStrike Falcon sensor removed from device (or remote uninstall initiated via Falcon Console)
Employee signs out of all company accounts (Google Workspace, Slack, GitHub, 1Password, etc.)
Employee removes all company data from local storage
Device removed from CrowdStrike host inventory
Google Workspace account suspended (triggers deactivation of SSO-linked services)

See the Offboarding Checklist for the complete process.

8. Non-Compliance

Devices that do not meet minimum requirements will have access to company systems suspended until the device is brought into compliance. The CTO or CISO may grant a time-limited exception with documented justification.

9. Control Mapping

Control	Description
CC6.4	Asset protection — endpoint security requirements
CC6.5	Restrict data movement — device-level controls
CC6.6	Boundary protection — firewall and encryption requirements
CC6.7	Data transmission — encryption in transit and removable media prohibition
CC7.2	Anomaly detection — CrowdStrike EDR on all devices

Meridian Seven — Confidential