The Codex · Cybersecurity · Protocol CSP-003

Device Security Baseline

The most sophisticated account security is worth nothing if the device used to access it is unencrypted, unpatched, or physically unsecured. This protocol defines the minimum configuration required on every device used for any work of significance — no exceptions for convenience.

Protocol: CSP-003
Classification: Open
Compliance: Sentinels and above — required · Knights — strongly advised

Requirements

  1. Full-disk encryption must be enabled on all devices used for any work of significance. The platform-native solution is required: FileVault on macOS, BitLocker on Windows, and device encryption on iOS and Android. Encryption must be verified — enabled by default does not mean correctly configured.
  2. All devices must be set to lock automatically after a maximum of two minutes of inactivity. The lock screen must require authentication to dismiss. Notification previews must not be visible from the lock screen on devices that handle sensitive communications.
  3. Operating system updates must be applied within seven days of release. Application updates must be applied within seven days. Critical security patches — those addressing actively exploited vulnerabilities — must be applied within twenty-four hours of availability.
  4. Biometric authentication is acceptable as a convenience layer. A strong PIN or passphrase of at least twelve characters must be configured as the mandatory fallback. Face unlock must not be used in any public environment where the device could be presented to your face without your awareness or consent.
  5. Remote wipe capability must be enabled and tested on all mobile devices. Find My (Apple) and Find My Device (Android/Google) must be active. The ability to wipe remotely must be confirmed before it is needed, not at the point of loss.
  6. Firmware must be kept current. On laptops handling sensitive work, a UEFI or BIOS password must be set to prevent pre-boot modification or unauthorised boot from external media.
  7. A device confirmed lost or stolen must be remotely wiped within one hour of the loss being established. The incident must be logged and, where the device had access to shared systems or member communications, the relevant parties must be notified.

Why Devices Are the Primary Attack Surface

The majority of significant security compromises begin at the endpoint — the laptop, the phone, the tablet — rather than at the network or the service. Credential theft via malware, physical access to an unlocked device, and exploitation of unpatched vulnerabilities are consistently among the most common and most consequential attack vectors. Hardening accounts and communications while leaving devices themselves inadequately secured is a fundamental gap in posture.

A device that is lost or stolen presents a direct risk to everything stored on it and everything it can access. An unencrypted drive can be read without the operating system login. An unlocked screen provides immediate access to everything open. An unpatched vulnerability can be exploited remotely before the owner is aware a patch exists. These are not hypothetical failures. They are routine ones.

Full-disk encryption does not protect a device that is logged in and unlocked. It protects the data on a powered-down or locked device from being read directly from the storage medium. Both conditions must be managed — encryption and lock discipline.

Encryption at Rest

Full-disk encryption ensures that if your physical storage medium — the SSD in your laptop, the chip in your phone — is removed and read directly, the contents are unreadable without the decryption key. Without encryption, physical access to the hardware is sufficient to access everything on it, regardless of your operating system password.

Enabling the operating system's native encryption tool is the required approach. Third-party full-disk encryption solutions introduce unnecessary complexity and potential key escrow risks. FileVault (macOS), BitLocker (Windows), and the default device encryption on iOS and modern Android are well-audited, hardware-accelerated, and sufficient. After enabling, verify encryption status explicitly — some systems report encryption as enabled before the initial encryption process has completed.
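Requirement 1 and the paragraph above both insist on verifying the encryption state rather than trusting a settings toggle. The helper below is an added example, not part of the Codex: it classifies the text printed by the native tools (`fdesetup status` on macOS, `manage-bde -status` on Windows) and only reports compliance for a volume that is fully encrypted with key protection active, so a still-running initial encryption or a suspended BitLocker volume is flagged. The sample outputs are constructed to mirror the shape of those tools' output and are not captured from a real device.

```python
import re

# Constructed sample outputs (not captured from a real device) in the shape of
# `fdesetup status` (macOS) and one volume block of `manage-bde -status` (Windows).
FDESETUP_DONE = "FileVault is On.\n"
FDESETUP_IN_PROGRESS = "FileVault is On.\nEncryption in progress: Percent completed = 37.\n"
FDESETUP_OFF = "FileVault is Off.\n"

MANAGE_BDE_DONE = """Volume C: [OSDisk]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
"""
MANAGE_BDE_IN_PROGRESS = """Volume C: [OSDisk]
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 62.4%
    Protection Status:    Protection Off
"""


def filevault_state(output: str) -> str:
    """Classify `fdesetup status` text as 'encrypted', 'in_progress' or 'off'.

    The 'in progress' line is checked before the 'On' line because macOS reports
    FileVault as On while the initial conversion of the volume is still running.
    """
    if "FileVault is Off" in output:
        return "off"
    if re.search(r"encryption in progress", output, re.IGNORECASE):
        return "in_progress"
    if "FileVault is On" in output:
        return "encrypted"
    return "off"  # unrecognised output is treated as non-compliant


def bitlocker_state(output: str) -> str:
    """Classify one volume block of `manage-bde -status`.

    A fully converted volume whose protectors are off is 'suspended': the data is
    encrypted but the key is stored in the clear, so it does not meet the baseline.
    """
    conv = re.search(r"Conversion Status:\s*(.+)", output)
    prot = re.search(r"Protection Status:\s*(.+)", output)
    if not conv or not prot:
        return "off"
    conversion, protection = conv.group(1).strip(), prot.group(1).strip()
    if conversion == "Fully Encrypted":
        return "encrypted" if protection == "Protection On" else "suspended"
    if conversion == "Encryption in Progress":
        return "in_progress"
    return "off"  # Fully Decrypted, Decryption in Progress, or anything unexpected


def meets_baseline(state: str) -> bool:
    """Only a completed, protected encryption state satisfies Requirement 1."""
    return state == "encrypted"
```

Feed the functions the real tool output (for example `subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout`) and re-run the check after the percentage reaches 100, since a device is not compliant until the conversion has finished.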

Patch Discipline

Security patches exist because vulnerabilities have been discovered and, in most cases, are already being actively exploited before the patch is released. The window between a vulnerability becoming publicly known and being patched on your device is the window during which you are exposed. The longer that window, the greater the risk.

The seven-day patch window is not a suggestion. It is the outer limit of acceptable delay for routine updates. For critical patches — those tagged as addressing zero-days or actively exploited vulnerabilities — the window is twenty-four hours. Automatic updates should be enabled wherever they do not create operational disruption. Where they are disabled for stability reasons, a manual patch review process must replace them.

Mobile Devices

Mobile devices are simultaneously the most frequently carried and the most frequently lost devices in most people's possession. They have access to email, authentication apps, financial accounts, and sensitive communications. They are also carried into environments — restaurants, transport, events — where loss or theft is far more likely than at a fixed workstation.

The remote wipe requirement is non-negotiable. Enabling it takes minutes. Discovering that it was not enabled after a device is stolen is not recoverable. Test the remote wipe process on a non-production device if possible. Understand what data is wiped, what data is backed up to a cloud service, and whether that cloud backup itself is adequately secured.

The question to ask about any device is not "what would happen if someone stole this?" — it is "what would an attacker who held this device in their hands for sixty minutes be able to access?" Answer that question honestly, then close the gaps.