SECURITY & TRUST

Trust fails when controls are informal and evidence handling is ad hoc. Good work becomes indefensible if access drifts, provenance is unclear, or decisions cannot be reconstructed under scrutiny.


ST.01/

Security is not a feature. It is the operating condition.

Archer Knox embeds governance, chain of custody, and auditability into how work is performed. Controls are designed to preserve confidentiality, defensibility, and continuity—without slowing execution.

This posture applies across people, process, and platform: least privilege, verified provenance, and documented decision paths that remain coherent after the fact.


ST.02/

Posture

Governance and evidence handling as default.

Governance & Controls

  • Least privilege and role-based access.
  • Separation of duties across collection, analysis, and approval.
  • Change control and peer review on sensitive adjustments.
  • Logging and audit trails designed for reconstruction.

Evidence Handling

  • Case segregation and need-to-know distribution.
  • Provenance captured for key artifacts and decisions.
  • Minimization and redaction by default.
  • Disclosure-ready documentation when required.

ST.03/

Data Handling

Classification, access, and retention.

Class: Restricted
  Examples: Active case evidence, privileged notes, sensitive PII.
  Controls: Encrypted at rest; restricted access; disclosure controls by agreement.

Class: Sensitive
  Examples: Operational plans, internal playbooks, client contact data.
  Controls: Encrypted at rest; staff access by role; monitored handling.

Class: Internal
  Examples: Process documentation, non-confidential deliverables.
  Controls: Team access; audit logging where applicable.

Class: Public
  Examples: Published insights and public materials.
  Controls: Public distribution.

Retention and destruction follow client policy, jurisdictional constraints, and engagement requirements.


ST.04/

Access & Monitoring

Control drift is treated as risk.

Identity & Access

  • MFA enforced; elevated access constrained and reviewed.
  • Quarterly access reviews; immediate access revocation on off-boarding.
  • Secrets rotation and scoped service accounts.

Monitoring & Incident Response

  • Centralized logging with retention aligned to policy.
  • Alerting on anomalous access and potential data-exfiltration patterns.
  • Evidence preservation and documented response ownership.

ST.05/

Vendors & OPSEC

Third-party exposure is treated as first-party risk.

Third-Party Controls

  • Confidentiality and handling terms by agreement.
  • Purpose limitation and minimization.
  • Engagement-specific requirements honored contractually.

Physical Security & OPSEC

  • Device hardening, encryption, patch policy, secure disposal.
  • Need-to-know communications and restricted printing where applicable.
  • Social-engineering awareness and operational hygiene.