Manual / Enterprise Foundation / EF-005 — Security Foundation
Cloudberrie Business & Operations Manual

EF-005 — Security Foundation

Minimum security controls for identities, critical platforms, recovery, access reviews, devices, and incidents.

Document ID: EFType: StandardStatus: ApprovedOwner: Cloudberrie StudioVersion: 1.0Updated: 2026-07-17

Critical Account Policy

Google Workspace, domain registrar, Cloudflare, GitHub, Firebase/Google Cloud, financial platforms, and developer stores are Tier 1 critical systems.

Password Manager

Select a business-capable password manager before scaling access. Bitwarden, 1Password, or an equivalent may be evaluated based on business ownership, sharing, recovery, audit history, and cost.

Never store passwords or recovery codes in email, ordinary Google Docs, spreadsheets, source code, or client chat.

Access Rules

  • Prefer invitations, partner access, organization roles, and delegated permissions over shared passwords.
  • Grant least privilege.
  • Remove access promptly during offboarding.
  • Review Tier 1 access quarterly and after role changes.
  • Do not use aliases as if they were independent login identities.

Approved Security Standards

SEC-001 Credential Management

Apple Passwords approved for 2026, with protected recovery codes and a January 2027 review.

SEC-002 MFA

Mandatory controls for Tier 1 platforms.

SEC-004 Recovery

Primary and encrypted offline recovery copies.

Device & Browser Minimums

  • Supported operating system and browser updates installed.
  • Screen lock enabled.
  • Device encryption enabled where supported.
  • No credential saving on shared/public devices.
  • Separate browser profiles for business and personal work where practical.

Incident First Actions

  1. Contain the account or system.
  2. Change compromised credentials and revoke sessions.
  3. Preserve logs and evidence.
  4. Assess client, data, billing, DNS, and email impact.
  5. Notify the responsible owner.
  6. Document the incident and lessons learned.