Remote Working Procedure
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This procedure defines the controls that apply when workforce members access Glassbreak systems from outside a controlled office environment — including from the home office, from shared or co-working spaces, while travelling, or from any other location not under Glassbreak's physical control. It operationalises the device, network, and access expectations set in the Information Security Policy and the Day 1 controls listed at /policies/onboarding §4.
2. Scope
- All workforce members performing any Glassbreak work outside a Glassbreak-controlled office.
- All devices used for that work — primary managed workstation, mobile devices used for MFA or communications, and hardware keys.
- All access to production systems, the source-code repository, sub-processor admin consoles, customer correspondence, and internal documentation that is not public.
3. Baseline requirements
Every Glassbreak workforce member, whether working remotely full-time, occasionally, or while travelling, must meet the baseline defined at /policies/onboarding §4 before performing any Glassbreak work. In summary:
- A managed workstation with full-disk encryption enabled, automatic security updates configured, OS-managed firewall enabled, and a 5-minute screen-lock timeout (/policies/onboarding §4.1).
- Multi-factor authentication enforced on every account that touches a sensitive system (/policies/onboarding §4.2).
- An MFA-capable hardware key for roles that require one (/policies/onboarding §4.1).
- Personal devices are not used for production access (/policies/onboarding §4.1).
4. Procedure
4.1 Network choice
- Production access from a public Wi-Fi network (cafe, airport, hotel, conference, train) requires the Glassbreak-approved VPN. Production access from public Wi-Fi without VPN is prohibited.
- The home office network must be protected by a non-default administrator password and WPA2 or WPA3 encryption; default router credentials must be changed at setup.
- A separate guest network is recommended for non-work devices (smart speakers, cameras, children's devices) where the router supports it.
- Tethering to a personal hotspot is preferred over an unfamiliar public Wi-Fi network when VPN access is unavailable.
- Connection over a captive-portal network is permitted only after the VPN tunnel has been re-established following the captive-portal authentication step.
4.2 Home-office security baseline
- The workstation is positioned so the screen cannot be read from a window, doorway, or by anyone in the home not authorised to view Glassbreak information.
- The workstation is locked when stepping away — see the Clear Desk & Clear Screen Procedure §3.1.
- Printed material is handled per the Clear Desk procedure §3.2 and stored in a lockable drawer when not in use.
- Smart-home microphones (voice assistants, smart speakers) are not left active in earshot of a voice or video call involving Glassbreak or customer information.
- Cameras and microphones on the workstation are covered or disabled when not in use for a call.
4.3 Household-member separation
- Glassbreak-managed devices are used only by the workforce member to whom they are issued. Household members, visitors, contractors, and any other person must not be permitted to use the device.
- The workforce member's Glassbreak account credentials are not shared with any household member, even in an emergency.
- Calls and screen-shares involving Glassbreak or customer information are conducted in a location where household members cannot overhear or view them, or with headphones and a privacy filter.
- If a household member is also a Glassbreak workforce member, each must use their own managed device and own accounts; shared devices and shared accounts are prohibited.
4.4 Travel and airport precautions
- The managed workstation and any hardware keys remain in cabin baggage at all times when travelling by air; they are not placed in checked baggage.
- When passing through security, the device is removed only when required and is kept in line of sight at all times.
- The device is not left in a hotel room unattended unless secured in an in-room safe; if no safe is available, the device travels with the workforce member.
- Where reasonably possible, the device is powered down (not merely suspended) before crossing a border so that full-disk encryption is in its strongest at-rest state.
- Use of USB sticks supplied by customs or border officers, public charging cables, or unknown chargers is prohibited. The workforce member uses a USB data-blocker or their own charger and cable.
- If the device is confiscated at a border, the workforce member treats it as compromised on return per section 4.6.
- Travel to high-risk jurisdictions requires advance notification to the Security Officer and may require a travel-loaner device with no resident Glassbreak credentials.
4.5 Shared and co-working spaces
- The workstation is treated as if in a public space — see Clear Desk & Clear Screen Procedure §3.7.
- The device is not connected to the venue's wired network or to its print, scan, or fax peripherals.
- Calls involving Glassbreak or customer information are taken in a private call booth or moved off-site; they are not conducted in open seating.
4.6 Lost or stolen device
If a Glassbreak-managed device, hardware key, or any device holding Glassbreak credentials is lost, stolen, or believed to be compromised:
- Report the loss to the Security Officer immediately, by any available channel, without waiting for confirmation of theft or further investigation.
- If reachable, file a police report or equivalent incident reference promptly; provide the reference to the Security Officer.
- The Security Officer initiates the expedited access revocation under /policies/offboarding §5.2: all sessions revoked, all credentials disabled, remote wipe initiated where the device supports it.
- Affected sub-processor admin credentials, signing keys, and any other shared credentials within the device's blast radius are rotated per /policies/offboarding §6.
- An incident record is opened under the Incident Response Policy and triaged. Severity depends on what plaintext or persistent credential material the device held.
Late reporting of a lost or stolen device is a Material violation under /policies/sanctions §3.2. Prompt self-reporting is treated as a mitigating factor in any subsequent sanction decision.
4.7 Device hygiene
- Automatic security updates are not disabled. Major OS updates are applied within the cadence published in the workforce handbook for that OS.
- Only software approved for workforce use is installed on the managed workstation; arbitrary developer tools, browser extensions, and third-party utilities are reviewed by the Security Officer before installation.
- Cloud-sync of folders containing Glassbreak material to personal cloud-storage accounts is prohibited.
- Browser sync to a personal account is configured so that work credentials, work bookmarks, and work history do not synchronise to a personal device.
- Workstations are restarted at least weekly so that queued security updates apply.
4.8 Returning to a controlled environment
After a period of travel or work in a high-risk location, the workforce member confirms with the Security Officer that no unusual activity was observed on their devices or accounts during the period away. Where any suspicion exists, section 4.6 is invoked.
5. Records
- Lost-or-stolen-device incidents are recorded in the incident register per the Incident Response Policy.
- Approved exceptions to the network-choice and travel-precaution requirements are recorded in the risk register with a recorded expiry.
- VPN provisioning is recorded in the access register.
6. Enforcement
Compliance with this procedure is mandatory. Breaches are assessed and handled under the Sanctions & Disciplinary Policy in proportion to the nature, frequency, and impact of the breach. Bypassing the VPN requirement on a public network and using a personal device for production access are each Material violations regardless of whether disclosure resulted.
7. Review
This procedure is reviewed at least annually and after any incident attributable to remote working. The next scheduled review is 27 May 2027.
8. Related documents
- Information Security Policy
- Onboarding Policy (§4)
- Offboarding Policy (§5, §6)
- Incident Response Policy
- Sanctions & Disciplinary Policy
- Clear Desk & Clear Screen Procedure
- Off-site Assets Procedure
- Endpoint Decommissioning Procedure
Counter-signed PDF copy available on request to compliance@glassbreak.io.