PropoDoc provides self-help document templates and tools. It is not a law firm and does not provide legal advice. Learn more.
Skip to main content
Example
procedure

Security Protocol Example — Remote-First Company

Example document for Security Protocol. Use this as a reference when creating your own.

Professional Review Recommended

This document may have legal or financial implications. We recommend having a qualified professional review the final version before use.

Document: Security Protocol

Example Document

Last updated 6/4/2026

Security Protocol — Northwind Labs (Remote-First Company)

Organisation: Northwind Labs, a fully remote 40-person software company Owner: Dana Okafor, Operations Lead (security owner) Version: 1.3 Effective date: 1 May 2026 Next review: 1 November 2026


1. Purpose and scope

Northwind Labs has no central office; everyone works from home or co-working spaces. This protocol keeps our people, our customers' data, and our systems safe when the "building" is forty different locations. It applies to all employees and contractors, and to every company account, device, and network connection. It sits alongside our technical security plan, which covers how our product itself is built and configured.

2. Roles and responsibilities

RoleResponsibility
Operations Lead (Dana Okafor)Owns this protocol, reviews it, and is the first contact for incidents
Team managersBrief new joiners and make sure their teams follow the protocol
All staffFollow the rules below and report anything that looks wrong
IT (outsourced provider)Provision and revoke access; run device management and patching

3. Access control rules

  • Accounts: Everyone has their own named account on every system. We never share logins, even for convenience.
  • Least privilege: Access is granted by role. Administrator access to production is limited to two named engineers and reviewed every quarter.
  • Joiners: On day one, IT grants the access defined for the person's role and no more.
  • Leavers: On the last working day, IT revokes all access within one hour and arranges return of the company laptop.
  • Reviews: The Operations Lead reviews who has access to confidential systems every quarter.

4. Passwords, MFA, and device rules

  • Passphrases: Accounts require a passphrase of at least 14 characters; reused passwords are not allowed.
  • MFA: Multi-factor authentication is mandatory on email, the code repository, the customer database, and the password manager.
  • Password manager: Everyone uses the company password manager. Writing passwords down or storing them in a browser is not permitted.
  • Devices: Laptops are company-managed, encrypted, and auto-lock after five minutes. A lost or stolen device must be reported the same day so it can be remotely wiped.
  • Home networks: Staff use the company VPN on untrusted networks and keep their home router firmware up to date.

5. Data handling and classification

ClassificationExamplesWho may accessHow to share / store
PublicWebsite, blog postsAnyoneNo restriction
InternalTeam docs, runbooksAll staffCompany workspace only
ConfidentialCustomer records, contractsNamed rolesApproved tools, encrypted
RestrictedCredentials, production keysTwo named engineersPassword manager, logged access

Confidential information leaves Northwind only through approved, encrypted channels, and only after confirming the recipient. Customer records are never copied to personal devices or personal cloud accounts.

6. Physical security

Because we are remote, physical security means each person's workspace. Staff lock their screen whenever they step away, keep company devices out of sight in public, and never let family or housemates use a work laptop. Printed customer information is discouraged; where it is unavoidable, it is shredded, not binned.

7. Incident reporting

If you see or cause a possible security incident, report it immediately. Reporting quickly is the right thing to do and you will not be blamed for it.

  1. Recognise — for example: a clicked phishing link, a lost laptop, a misdirected email with customer data, or unexpected software on your machine.
  2. Report — message the #security channel or call Dana on the number in the team directory. The channel is monitored, and out of hours the on-call manager is paged.
  3. Preserve — do not delete anything or try to fix it yourself; leave it as-is so it can be assessed.
  4. Follow up — Dana triages within the hour, keeps you updated, contains the issue, fixes the cause, and records what we learned.

A recent example: an engineer reported clicking a phishing link within ten minutes. Because they reported it fast, IT reset the credentials and confirmed no data was accessed before any harm was done.

8. Enforcement and review

  • Training: Every new starter completes a 30-minute security briefing in their first week and signs to confirm they have read this protocol. Everyone repeats it once a year, and we run a simulated phishing email each quarter.
  • Enforcement: The rules apply to everyone, including the founders. Repeated, deliberate breaches are a performance matter; honest mistakes that are reported promptly are treated as learning, not punishment.
  • Review: Dana Okafor owns this protocol and reviews it every six months and after any significant incident.
  • Acknowledgement: Signed acknowledgements are stored in each person's HR record.

Notes

This is an illustrative worked example for a fictional remote-first company; the rules shown are examples for learning and this document is not a security certification or a substitute for professional advice.

About this Example

Part of the Security Protocol document collection

Document Type

Security Protocol

The defined steps and rules for handling security in a specific area.

Complexity

moderate

Risk Level

medium