feat: adds some draft policies

policies/public_wifi.bs

@@ -0,0 +1,61 @@
+<h1>Public WiFi Policy</h1>
+<pre class="metadata">
+Status: DREAM
+Local Boilerplate: header yes, copyright yes
+Boilerplate: status no
+TR: https://www.sr2.uk/policies/public-wifi/
+Shortname: public-wifi
+Complain About: accidental-2119 yes
+No Editor: true
+!Version: 1.0
+Abstract: A policy governing staff and contractor use of public WiFi networks when accessing company data.
+</pre>
+
+# Objective # {#objective}
+
+The company approves remote working to work-related cloud services and work email accounts, as long as the devices used
+to access these have been sanctioned by the company. Using public WiFi to conduct business, without the necessary
+safeguards, places our data at risk of theft. The purpose of this policy is to provide the framework for those
+safeguards.
+
+# Scope # {#scope}
+
+The scope of the policy covers all individuals either employed or contracted to work with, or for, the company, either
+on a company site or remotely.
+
+# Definitions # {#definitions}
+
+: Public WiFi Network
+:: Any wireless network access provided by a third party, such as hotels, cafes, airports, or public hotspots, that is
+     open to public or unvetted access. For the purpose of this policy, eduroam connections other than those on an SR2
+     managed site are to be considered Public WiFi Networks.
+: Sanctioned Device
+:: A device (e.g., laptop, tablet, smartphone) that has been approved and provisioned by the
+     company for business use, with appropriate security configurations and software installed.
+
+# Policy # {#policy}
+
+Devices that are not sanctioned by the company, including home PCs or public access PCs, MUST NOT be used to access
+company cloud services, data, or email accounts.
+
+Though the company takes every effort to ensure that sanctioned devices are adequately protected, the individual MUST
+ensure that, before connecting to the Wi-Fi network, the device has:
+
+- up-to-date antivirus and antispyware software;
+- a firewall that is activated and configured to company requirements (i.e. the settings have not been changed) since
+    the device was configured;
+- all software (including the Web browser) is current with automatic updating;
+- file sharing (e.g. SMB) is switched off.
+
+For security reasons staff and contractors MUST:
+
+- consider if mobile phone tethering is available and use this as the first choice;
+- consider delaying transmission of information until at a secure location;
+- not follow prompts to update software whilst connected to a public network;
+- not rely on the encryption provided by the Public WiFi Network (e.g. WPA) to protect company data;
+- ensure that an end-to-end encrypted connection is established and the user has been trained in setting up
+    such a connection for each service to be used (for the avoidance of doubt, TLS is considered to be end-to-end
+    providing that the certificate presented by the server is validated);
+- ensure that URLs in Web browsers are showing the correct Web addresses in case a criminal has hijacked the Wireless
+    Access Point and is forwarding traffic to their site;
+- keep all information secure, including restricting the view of the screen from any unauthorised person(s);