
End User Accounts and Device Policy

Purpose

This policy defines RunWhen’s requirements for end user accounts and for the devices that hold credentials to company systems.

Scope

This policy applies to:

  • All employees, contractors, and third parties using Google Workspace and GitHub accounts.
  • All authentication methods, including passwords, OAuth tokens, and API keys.

Google Workspace Accounts

Token Expiry

  • Google Workspace OAuth tokens and session tokens are configured to expire after 24 hours.
  • Users must re-authenticate after a token expires.

Password Complexity

  • Minimum length: 12 characters.
  • Must include at least one uppercase letter, one lowercase letter, one number, and one special character.
  • Must not match any of the previous 10 passwords.

Password Change Frequency

  • Passwords must be changed at least every 90 days.
  • Accounts are configured to enforce automatic prompts when passwords expire.

Password Configuration

  • Passwords are managed via Google Workspace Admin Console with enforced complexity and rotation rules.
  • 2-factor authentication (2FA) is mandatory for all accounts.

GitHub Accounts

  • GitHub access must be via SSO (Google Workspace) where supported.
  • If direct GitHub authentication is required:
    • The same password complexity and rotation rules apply as in the Google Workspace section.
    • 2FA is mandatory (preferably via hardware security keys).
  • Personal access tokens (PATs) must:
    • Be configured with the minimum required scope.
    • Expire after a maximum of 90 days.
    • Be stored only in approved secret managers (not in code or plaintext).
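The last PAT requirement is the one most often violated by accident: a token pasted into a script or `.env` file that then gets committed. As an added example (not RunWhen's own tooling), the following pre-commit check refuses files that contain GitHub tokens in plaintext. The token shapes are GitHub's documented prefixes and lengths at the time of writing; treat the exact lengths as an assumption and widen the pattern if they change. The sample token in the demo is constructed and is not a real credential.

```shell
#!/bin/sh
# Added example, not RunWhen's own tooling: block commits that carry GitHub
# tokens in plaintext, which this policy forbids.

# Classic tokens: ghp_ (PAT), gho_ (OAuth), ghu_/ghs_ (GitHub App), ghr_ (refresh),
# each followed by 36 alphanumerics. Fine-grained PATs: github_pat_ + 82 chars.
# Lengths are an assumption based on GitHub's current formats.
PAT_RE='(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82}'

# scan_github_tokens FILE...
# Prints one line per hit with the token redacted to its first 7 characters.
# Returns 1 if any token was found (so the hook blocks the commit), 0 if clean.
scan_github_tokens() {
  found=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if grep -E -q "$PAT_RE" "$f" 2>/dev/null; then
      found=1
      # -n gives the line number, -o only the matched token
      grep -E -n -o "$PAT_RE" "$f" | while IFS=: read -r ln tok; do
        printf '%s:%s: %s...(redacted)\n' "$f" "$ln" "$(printf '%s' "$tok" | cut -c1-7)"
      done
    fi
  done
  [ "$found" -eq 0 ]
}

# `sh scan.sh --demo` scans a constructed sample (36 zeros after ghp_ is a
# fake token that matches the classic format). `sh scan.sh FILE...` scans files.
case "${1:-}" in
  --demo)
    tmp=$(mktemp)
    printf 'export GITHUB_TOKEN=ghp_%036d  # constructed sample\n' 0 > "$tmp"
    scan_github_tokens "$tmp"; echo "exit status: $?"
    rm -f "$tmp" ;;
  "") ;;
  *) scan_github_tokens "$@" ;;
esac
```

To use it as a pre-commit hook, run it over the staged files, for example `git diff --cached --name-only --diff-filter=ACM | xargs sh scan.sh`; a non-zero exit aborts the commit. The redaction matters because hook output often ends up in CI logs, which would otherwise become another plaintext copy of the token.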

Devices

  • Once the company’s macOS MDM vendor is selected, all employees must ensure the MDM agent is installed and administrator-configured on any laptop that may carry credentials for development environments.
  • Screen lock after at most 10 minutes of inactivity.
  • FileVault (full disk encryption) must be on.
  • Automatic security updates must be on.
  • Gatekeeper application verification protection must be on.
  • XProtect malware protection must be on.
  • System Integrity Protection must be on.
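Until MDM enforces these settings centrally, each of them can be verified from a terminal on the laptop itself. The script below is an added example (not RunWhen's own tooling) that audits a Mac against the device requirements above. The check functions take the raw output of the named macOS tool as an argument, so the pass/fail logic can be exercised with constructed strings on any system; `audit` runs the real tools and only works on macOS. The XProtect bundle path is an assumption (it has moved between macOS releases), and because XProtect has no user-facing on/off switch the script can only confirm that the definitions bundle is installed.

```shell
#!/bin/sh
# Added example, not RunWhen's own tooling: audit a macOS laptop against the
# device requirements in this policy. The *_ok functions take tool output as
# an argument; audit() runs the tools and is only meaningful on Darwin.

# `fdesetup status` prints "FileVault is On." when full-disk encryption is active.
filevault_ok() { case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac; }

# `spctl --status` prints "assessments enabled" when Gatekeeper is enforcing.
gatekeeper_ok() { case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac; }

# `csrutil status` prints "System Integrity Protection status: enabled."
sip_ok() { case "$1" in *"status: enabled"*) return 0 ;; *) return 1 ;; esac; }

# XProtect cannot be toggled; we only check that its Info.plist reports a version.
xprotect_ok() { [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]; }

# Screen saver idle time in seconds. Policy: lock within 10 minutes, so the
# value must be between 1 and 600. 0 means "never" and fails.
screen_lock_ok() {
  secs=$(printf '%s' "$1" | tr -cd '0-9')
  [ -n "$secs" ] && [ "$secs" -gt 0 ] && [ "$secs" -le 600 ]
}

# Every SoftwareUpdate flag passed in must read as 1; no flags at all is a failure.
auto_updates_ok() {
  [ $# -gt 0 ] || return 1
  for v in "$@"; do [ "$(printf '%s' "$v" | tr -d '[:space:]')" = "1" ] || return 1; done
}

# Assumed location of the XProtect definitions bundle on current macOS.
XPROTECT_PLIST=/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist
SU_PREFS=/Library/Preferences/com.apple.SoftwareUpdate

report() { # report NAME STATUS
  if [ "$2" -eq 0 ]; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}

# Runs every check against the live system; returns 0 only if all pass.
audit() {
  [ "$(uname -s)" = "Darwin" ] || { echo "audit: not macOS, nothing to check" >&2; return 2; }
  fails=0
  filevault_ok "$(fdesetup status 2>/dev/null)";                           report FileVault $?
  gatekeeper_ok "$(spctl --status 2>&1)";                                  report Gatekeeper $?
  sip_ok "$(csrutil status 2>/dev/null)";                                  report SIP $?
  xprotect_ok "$(defaults read "$XPROTECT_PLIST" CFBundleShortVersionString 2>/dev/null)"; report XProtect $?
  screen_lock_ok "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)"; report ScreenLock $?
  auto_updates_ok "$(defaults read $SU_PREFS AutomaticCheckEnabled 2>/dev/null)" \
                  "$(defaults read $SU_PREFS CriticalUpdateInstall 2>/dev/null)" \
                  "$(defaults read $SU_PREFS ConfigDataInstall 2>/dev/null)";   report AutoUpdates $?
  [ "$fails" -eq 0 ]
}

# `sh audit.sh --run` performs the live audit; sourcing the file only defines the functions.
case "${1:-}" in --run) audit ;; esac
```

The idle-time check covers only the screen saver trigger; the separate "require password after sleep or screen saver begins" setting must also be on for the lock to mean anything, so confirm it in System Settings or via your MDM profile. Treat a FAIL line as a finding to fix before the laptop carries development credentials, not as advisory output.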

Governance

This policy is jointly owned by the Head of Engineering and Head of Security/Compliance, and it is reviewed at least annually or whenever practices evolve significantly.

For any questions or clarifications regarding this policy, please contact the Security or Engineering leadership team.