Operational Security Policy for the Web Security Checkup Service
*****
Author: Stelios Tigkas
Version: 1.0
Date: 01.03.2025

1. Scope & Purpose
This policy establishes guidelines for securing endpoints, handling and storing data, and securely transmitting reports for the "Web Security Checkup" Service provided to Animal Welfare Organizations.

2. Roles & Responsibilities
Test Leads:
- Conduct core security tests and oversee assigned projects.
- Ensure junior testers follow security policies.
- Store and manage test data securely on their own systems.

Junior Testers:
- Conduct controlled tasks under the guidance of a test lead.
- Must follow endpoint security guidelines strictly.
- Should not store or retain sensitive client information beyond the engagement.

3. Endpoint Security Guidelines
- Up-to-date OS: Testers must apply security updates and patches regularly.
- No public Wi-Fi: Only trusted networks or VPN-protected connections.
- Testers using Windows endpoints must have Windows Defender activated.

4. Encryption & Data Retention Policy
4.1. Raw Data Handling:
- Test leads store raw data locally (logs, scan results, notes).
- Junior testers do not store data—they submit findings to their test lead.
- 90 days after the engagement, raw data must be deleted.

4.2. Long-Term Report Storage:
- Only the final report is kept.
- The report must be encrypted with a shared team-wide PGP key before retention.
- Each test lead encrypts their reports using the same Greenbridge-wide PGP public key.

5. Incident Handling
If a security incident occurs (data breach, unauthorized access, malware infection, lost/stolen device):
- Testers must report incidents within 24 hours to a test lead.
- Compromised devices must be disconnected from the network immediately and sanitized.
- If client data is involved, the affected lead must assess impact and recommend mitigation.