Version 1.0 · March 2026 · Applies to all engagements
Communication Security
All communications related to client engagements are conducted exclusively over encrypted channels. Narrative Consulting does not use unencrypted email as a channel for sensitive information transfer, credential exchange, or system documentation.
Approved communication platforms include:
Google Meet, Microsoft Teams, and Zoom for video and voice (TLS 1.2+ in transit)
Client-provisioned Slack or Teams workspaces for day-to-day messaging
Encrypted email (S/MIME or PGP) when direct email is required for sensitive content
Client-approved secure file transfer methods for document exchange
Public or unverified channels are never used for work product, credentials, or system access details. All communication channels are agreed upon during project kickoff and documented in the engagement charter.
Credential Handling
Narrative Consulting operates on a strict zero-local-storage policy for client credentials. No credentials, API keys, tokens, or service account secrets are ever stored on consultant devices, in personal password managers, or in any system outside of client control.
Our credential handling standards:
All access uses client-provisioned accounts created specifically for the engagement
Credentials are transmitted only via client-approved encrypted methods (never plaintext email or chat)
Initial credentials issued for the engagement are changed on first login, so the value that was transmitted is never the live secret, and are stored only in client-owned vaults
No personal accounts are used to access client systems under any circumstances
Service accounts are created with the minimum required permissions for the stated task
All accounts provisioned for consultant use are tracked in the engagement access log
Upon engagement completion, a written confirmation of credential revocation is provided within 24 hours.
Access Scoping
Consultant access is strictly scoped to what is necessary to complete the defined engagement objectives. Access is never granted in bulk or on a standing basis — every access request is justified, documented, and time-bounded.
Access scoping principles:
Access requests are submitted in writing with explicit justification before provisioning begins
Production system access is obtained only when required by the engagement scope and approved in writing
Read access is used in preference to write access whenever possible
Privileged access (admin, root, owner roles) is requested only for specific tasks and removed as soon as the task is complete
Access to systems outside the engagement scope is declined even if offered
All access is tracked in the engagement access log delivered with final deliverables
Device Security
All client work is performed exclusively on dedicated, hardened devices. No client work is conducted on shared devices, public computers, or devices that do not meet our minimum security baseline.
Device security standards maintained at all times:
Full-disk encryption enabled on all devices used for client work
Operating system-level firewall active and configured
Automatic screen lock triggered after 2 minutes of inactivity
Operating system and security patches applied within 48 hours of release
Antivirus/endpoint protection active and updated
No client-related data stored on removable media without encryption
VPN in use when operating on untrusted networks
Public Wi-Fi networks are never used for client work without VPN. Home office networks are secured with WPA3 encryption and network segmentation where possible.
Post-Engagement Revocation
Access revocation is a formal, documented process — not an afterthought. Within 24 hours of engagement completion (or of early termination, if the engagement ends before its planned date), all consultant access is revoked and confirmed in writing to the client.
Post-engagement revocation checklist:
All client-provisioned accounts disabled or deleted, confirmed by client IT or security team
MFA tokens and authenticator entries removed from consultant devices
All local copies of engagement documents purged within 14 days
Browser sessions and cached credentials cleared
Written revocation confirmation delivered to client security contact
Engagement access log finalized and delivered as part of closing documentation
If the client cannot confirm revocation within 48 hours of our request, we escalate to the client's security team directly.
Subcontractor Policy
Narrative Consulting is a solo practice. The default is no subcontractors: no subcontractors, freelancers, or third parties are engaged on client work without prior written approval from the client, and this is a firm commitment rather than a preference.
In the event a client approves subcontractor involvement:
Subcontractors must execute a written agreement binding them to the same security requirements as this statement
Subcontractors must complete a background check if required by the client
Client data is shared with subcontractors only to the minimum extent necessary for their defined task
Subcontractor access is provisioned separately and tracked independently in the engagement access log
All subcontractor access is revoked within 24 hours of their task completion
Clients are notified before any subcontractor is approached, and engagement does not proceed without explicit written approval.