This policy defines the minimum security requirements for contractors who access Company systems, accounts, code, or data.

Purpose

The purpose of this policy is to reduce the risk of unauthorized access, data loss, credential compromise, and avoidable security incidents.

Scope

This policy applies to all devices, accounts, software, tools, and storage locations used for Company work, whether owned by the contractor or provided by the Company.

Account Security

Contractors must:

• Use only their own assigned accounts and credentials
• Keep passwords and access tokens confidential
• Enable multi-factor authentication where available
• Use strong unique passwords for Company systems
• Immediately report any suspected credential compromise

Shared credentials are prohibited unless the Company has explicitly authorized a controlled shared account for a specific purpose.

Device Security

Devices used for Company work must:

• Be protected by a password, passcode, or equivalent authentication
• Run a currently supported operating system version
• Install security updates promptly
• Use active antivirus, endpoint protection, or equivalent safeguards
• Lock automatically after a short period of inactivity