01 Procedure: Device Provisioning and Hardening
DraftSOP · Procedure · SEC-SOP-1 — Device Provisioning & Hardening · 2025-05-15-v1.3.0
(adds mobile-Telegram prerequisite + early desktop Telegram install to keep the comms line alive during setup)
Big-Picture Overview
| Block | Content |
|---|---|
| Purpose & Scope | Hand every freelancer a secure, fully-tooled workstation + clean digital identity before the first billable minute. |
| When | Day-0 (first shift) · on OS-reinstall · on device swap. |
| Map / Flow | Prereq install Telegram on phone → unbox laptop / VM → create work Gmail → create Work OS profile → install Telegram Desktop immediately → apply Hardening Checklist → install remaining core apps (Drive, Trello, MarkText, Clockify, Insightful) → run Proof-of-Life test → submit Day-0 Device Trello card → Manager ✅/❌. |
| Roles / RACI | Freelancer Operator R · Ops Manager A · Systems-Ops Lead C · GPT Assistant I |
| KPIs | 100 % encryption · 0 admin accounts · Day-0 card approved before first timer |
| Tools | BitLocker/FileVault/LUKS · OS firewall & AV · Telegram (mobile + desktop) · Gmail (work-only) · Trello Desktop · Drive for Desktop · MarkText · Clockify · Insightful |
| Risks | Unencrypted lost device · Personal email leak · Comms lost during install · Missing Markdown viewer |
| Controls | Trello Day-0 template · Gmail naming `st-<firstname><yy>@gmail.com` · Recovery keys in 00-ADMIN · Telegram phone fall-back |
Detailed Workflow (8 bullets)
| # | Step & Owner | Key Points / Controls |
|---|---|---|
| 0 | Prerequisite — Mobile Telegram Online · Operator | Install Telegram on phone → join /manager & /security-alerts channels (keeps live comms while desktop apps install). |
| 1 | Create Work-Only Gmail | If no Workspace account: make `up-only-<firstname>.<lastname>@gmail.com` (2-FA). Send address to Ops Manager for access provisioning. |
| 2 | Create Work OS Profile | Windows: Accounts ▸ Add work account (non-admin). macOS/Linux: new user `work` (Standard). |
| 3 | Install Telegram Desktop (Immediately) | Sign in; send “Device online” to /manager to confirm comms before hardening continues. |
| 4 | Apply Hardening Checklist | Encryption ON · patches current · firewall default-deny · AV clean · Bitwarden · uBlock Origin + Docs/Drive viewer only. |
| 5 | Install Core Stack | Trello Desktop · Drive for Desktop (shared drives) · MarkText · Clockify · Insightful. Sign in with work Gmail/Workspace. Insightful: 30-sec shots; idle 1 min (desktop) / 5 min (mobile). |
| 6 | Configure Projects & Proof-of-Life | Clockify projects; Insightful path `OP-<name>/Insightful/<date>/`. Run 2-min timer “TEST – Device Ready” → Trello card to Doing → verify ≥ 4 Insightful screenshots. |
| 7 | Submit Day-0 Approval | Attach screenshots (Encryption ON, Insightful green, timer entry link) to card → move to Waiting for Approval → /manager ping. |
| 8 | Manager Review ≤ 24 h | ✅ Approved → operator archives card. ❌ Fix issues → resubmit. |
SLA — Device must be Approved before any billable Clockify timer.
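As an added example (not part of the SOP or its tooling), a self-check the Systems-Ops Lead could hand the operator to verify three of the step-4 criteria the KPIs track: encryption ON, firewall default-deny, and 0 admin accounts on the work profile. It assumes a Linux workstation with LUKS and ufw; the tool outputs embedded below are constructed samples, and `--live` runs the same checks against the real machine.

```shell
#!/bin/sh
# Added example (not part of the SOP): Day-0 hardening self-check for Linux.
# Assumes LUKS for disk encryption and ufw for the firewall; every check takes
# the tool output as an argument so it can be tested offline on constructed text.

# Encryption ON: the root filesystem must be mounted from a dm-crypt device.
# Input: output of `lsblk -rno NAME,TYPE,MOUNTPOINT`
root_is_encrypted() {
  printf '%s\n' "$1" | awk '$2 == "crypt" && $3 == "/" { ok = 1 } END { exit !ok }'
}

# Firewall default-deny: ufw active and incoming policy set to deny.
# Input: output of `ufw status verbose`
firewall_default_deny() {
  printf '%s\n' "$1" | grep -q '^Status: active' &&
    printf '%s\n' "$1" | grep -q '^Default: deny (incoming)'
}

# 0 admin accounts: the work profile must not belong to an admin group.
# Inputs: user name, output of `id -Gn <user>`
user_is_non_admin() {
  for g in $2; do
    case "$g" in sudo|wheel|admin) return 1 ;; esac
  done
  return 0
}

# One PASS/FAIL line per criterion; non-zero exit if anything failed.
run_day0_checks() {
  rc=0
  root_is_encrypted "$1"      && echo "PASS encryption ON" || { echo "FAIL encryption ON"; rc=1; }
  firewall_default_deny "$2"  && echo "PASS firewall default-deny" || { echo "FAIL firewall default-deny"; rc=1; }
  user_is_non_admin "$3" "$4" && echo "PASS non-admin profile $3" || { echo "FAIL non-admin profile $3"; rc=1; }
  return $rc
}

# Constructed sample outputs from a compliant laptop (not captured from a real device).
SAMPLE_LSBLK='nvme0n1 disk
nvme0n1p1 part /boot/efi
nvme0n1p2 part
cryptroot crypt /'
SAMPLE_UFW='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)'
SAMPLE_GROUPS='work plugdev'

if [ "${1:-}" = "--live" ]; then   # real checks; `ufw status` needs root
  run_day0_checks "$(lsblk -rno NAME,TYPE,MOUNTPOINT)" "$(ufw status verbose)" "$(id -un)" "$(id -Gn)"
else
  run_day0_checks "$SAMPLE_LSBLK" "$SAMPLE_UFW" work "$SAMPLE_GROUPS"
fi
```

The PASS lines map directly onto the evidence the Day-0 card asks for; a FAIL on any line means the card is not ready to move to Waiting for Approval.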
WGLL Snapshot (unchanged)
| Criterion | ❌ Miss | ✅ Meets | ⭐ Exceeds |
|---|---|---|---|
| Encryption | Off / unknown | Enabled & screenshot | Enabled + recovery key in 00-ADMIN |
| Proof-of-Life card | Missing | Card + 2 screenshots | Card + 2 screenshots + zipped Insightful folder |
| Work Gmail | Uses personal account | Dedicated st-… Gmail w/ 2-FA | Recovery codes stored in 00-ADMIN |
ArchitectureSnapshot JSON (v1.3.0)
```json
{
  "version_id": "SOP-SEC-1-v1.3.0",
  "system_level": "Procedure",
  "lifecycle_state": "DraftSOP",
  "target_name": "SEC-SOP-1 – Device Provisioning & Hardening",
  "parent_name": "Device Security & Compliance",
  "last_updated": "2025-05-15T03:25:00Z",
  "overview": {
    "purpose": "Issue a hardened, fully-tooled device and work identity before the first billable minute.",
    "flow": [
      "Install Telegram on phone for live comms",
      "Create dedicated work Gmail with 2-FA",
      "Create non-admin work OS profile",
      "Install Telegram Desktop immediately, confirm comms",
      "Apply hardening checklist (encryption, firewall, AV, Bitwarden)",
      "Install Trello, Drive, MarkText, Clockify, Insightful; sign in",
      "Run Proof-of-Life timer and verify Insightful screenshots",
      "Submit Day-0 Trello card; manager approves or rejects"
    ],
    "roles": ["Freelancer Operator", "Ops Manager", "Systems-Ops Lead", "GPT Assistant"],
    "kpis": ["100% devices encrypted", "Day-0 approval before work", "0 local admin accounts"],
    "tools": ["BitLocker/FileVault/LUKS", "Telegram (mobile & desktop)", "Gmail work account", "MarkText", "Trello", "Drive", "Clockify", "Insightful"],
    "risks": ["Unsecured device", "Comms lost during install", "Personal email leak"],
    "controls": ["Day-0 Trello template", "Gmail naming convention", "Recovery keys in 00-ADMIN"],
    "doc_link": "Drive:/01-SYSTEMS/IT-Security/SEC-SOP-1_Device_Provisioning_v1.3.0.md"
  },
  "procedure_core": {
    "procedure_id": "SEC-SOP-1",
    "name": "Device Provisioning & Hardening",
    "purpose": "Day-0 checklist for secure, tool-ready freelancer machines.",
    "trigger": "New device / OS reinstall / quarterly re-audit.",
    "inputs": ["Fresh workstation", "Google credentials", "Day-0 Trello card"],
    "responsible_role": "Freelancer Operator",
    "steps": [
      "Install Telegram on phone; join required channels",
      "Create dedicated work Gmail (2-FA) if no Workspace account",
      "Create non-admin work OS profile and sign in",
      "Install Telegram Desktop; confirm comms",
      "Apply hardening checklist (encryption, patches, firewall, AV, Bitwarden)",
      "Install & sign-in to Trello, Drive, MarkText, Clockify, Insightful",
      "Run 2-min Proof-of-Life timer and verify Insightful shots",
      "Submit Day-0 approval card; fix ❌ items and resubmit if needed"
    ],
    "outputs": ["Approved Day-0 card with evidence", "Encrypted, tooled workstation"],
    "sla": "Approval required before any billable work.",
    "controls": ["Encryption screenshot", "Insightful status screenshot", "Manager approval comment"],
    "tools": ["OS security panels", "Telegram", "MarkText", "Trello", "Clockify", "Insightful"],
    "kpis": ["Encryption 100%", "Approval turnaround ≤24 h"],
    "risks": ["Unsecured device", "Operator skips approval"],
    "doc_link": "Drive:/01-SYSTEMS/IT-Security/SEC-SOP-1_Device_Provisioning_v1.3.0.md"
  },
  "children": []
}
```
— End of SEC-SOP-1 v1.3.0