Device Management Policy/Endpoint Security Policy

Commitment

Lane Four is dedicated to maintaining the security and functionality of all devices used in its operations. Where direct control over devices is limited, we implement compensating controls to ensure that company data and systems remain protected.

Security Requirements for All Devices

Built-in Antivirus and OS Protection
All laptops must have active, up-to-date antivirus software and operating system security protections enabled. For customer-provided devices, this may include customer-mandated tools, but they must meet Lane Four’s minimum security standards.

Operating System and Application Updates
All devices must be kept up to date with the latest security patches and critical updates (e.g., operating system, browsers such as Chrome, and other commonly exploited applications). Where Lane Four does not control patching (e.g., customer devices), employees must ensure compliance with both customer and Lane Four requirements.

Remote Wipe Limitations
Remote wipe capabilities may not be available on customer-provided laptops. As a result, Lane Four will prioritize protecting data at the application and cloud level (e.g., session controls, restricted downloads, and access revocation).

IT Review and Oversight for Lane Four–Issued Laptops

Annual Review by IT
IT conducts an annual review of Lane Four–owned laptops, including software and application updates, vulnerability assessments, and endpoint health checks.

For customer-provided laptops, IT will instead review access methods and security controls, and validate that minimum security requirements and compensating controls are in place.

Vulnerability Management
For Lane Four devices, IT will directly remediate vulnerabilities. For customer-provided devices, risks will be mitigated through access restrictions, secure environments, and coordination with the customer where appropriate.

Endpoint Health and Compliance

Lane Four Devices
IT conducts full endpoint health checks, including installed software, configurations, and compliance with internal policies.

Customer-Provided Devices
Health checks are limited; therefore, compliance is enforced through:

  • Restricted access methods
  • Use of secure environments (e.g., VDI, remote access tools)
  • User accountability and adherence to both Lane Four and customer policies


Device Management Policy (Updated for Customer-Provided Laptops)

At Lane Four, we are committed to ensuring the security and reliability of all laptop devices used to access company systems and data. This includes both Lane Four–owned devices and laptops provided by our customers. This policy is overseen by IT and reviewed annually. This policy applies to Lane Four–owned laptops and customer-provided laptops used by Lane Four employees.

Additional Requirements for Customer-Provided Laptops

Access Controls and Segmentation
Access to Lane Four systems from customer-provided laptops must be secured using approved methods (e.g., VPN, virtual desktop environments, or browser isolation). Where feasible, Lane Four data should not be stored locally on customer devices.

Data Protection
Customer data must be accessed and stored in approved cloud environments or secure systems. Local storage of company data on customer-provided laptops should be avoided or minimized and must comply with data classification policies.

Device Compliance Verification
IT will not have full administrative control over customer-provided laptops. Therefore:

  • Users must attest to device compliance with this policy
  • Where possible, access may be restricted to devices that meet minimum security checks (e.g., via conditional access policies)