Your security standards should not stop at your own systems

Written by Grace Pateman | Jul 7, 2026 10:31:26 AM

Every enterprise has a security standard. Password rules, session limits, network restrictions, lockout thresholds. It is written down, agreed with the board, and enforced carefully across the systems IT built themselves.

Then the business buys software. And with every vendor, the standard quietly becomes a negotiation. Can you enforce our session timeout? Can you restrict access to our network? Can we stop password reuse? Too often the answer is a roadmap, a workaround, or a shrug.

Our view is simple: the measure of enterprise software is not whether it has a security page. It is whether your standards survive contact with it.

Policy set once, enforced everywhere

Ocapii gives each organisation its own security policy, configured at HQ and inherited by every site automatically. Not per-site settings that drift apart, and not platform-wide defaults you have to accept. Your policy, applied to your estate.

That policy covers the questions that appear on every security questionnaire. Minimum password length and history depth, so old passwords cannot come back. Web session lifetime, so idle sessions expire on your schedule. IP allow-listing, so web and mobile access can be restricted to your office or VPN ranges, with a safeguard that stops an admin locking themselves out. All of it enforced across every child site the moment it is saved.

The controls behind the policy

  • Account lockout: five failed attempts lock the account on web and API alike, and unlocking is a deliberate admin action that forces a password change
  • Modern password policy: history, complexity and forced rotation on risk events, aligned with current NIST guidance rather than arbitrary expiry dates
  • Sign out everywhere: one click ends a user's access on every device and every site, and it happens automatically when someone is deactivated
  • Hardened edges: rate limiting on every sign-in path, progressive delays and IP bans on abuse, and modern security headers throughout
  • Encryption end to end: TLS in transit, encryption at rest on Google Cloud, bcrypt for credentials, and secrets stored encrypted or hashed and shown once

Each of these is a standard question on a standard questionnaire, and each is answered by a control you can watch working, not a paragraph in a policy document. That distinction matters. A policy describes intent. A control enforces it at three in the morning when nobody is watching.

Why this matters beyond the questionnaire

It is tempting to treat security controls as a procurement hurdle: boxes to tick so the deal can proceed. That undersells what they do. The same controls that satisfy a reviewer are the ones that protect the operation day to day.

A locked-out brute-force attempt is an incident that never happened. A session that expired on schedule is a terminal in a busy back office that nobody left open. An IP allow-list is a stolen password that never became a breach. None of these produce headlines, which is rather the point. Good security is the disciplined absence of drama.

There is also a quieter benefit: consistency. When policy lives at HQ, every site is provably running the same standard. No site-by-site audit to find the outlier, no local admin who set things up differently three years ago. The estate behaves as one system because, from a governance point of view, it is one system.

Multi-site estates feel this more than anyone. A single-site business has one back office, one router, one set of habits. An estate has fifty of each, plus a mobile workforce signing in from kitchens, corridors and car parks. Controls that assume everyone sits at a desk behind the corporate firewall quietly exclude the people doing most of the operational work. The policy has to travel to where the work happens, which is why ocapii enforces it on mobile and API access as well as the web.

Enforcement also needs a witness. Every one of these controls writes to a per-tenant audit log, and every event can stream to your SIEM in real time, so your security team does not have to take the enforcement on faith. A policy that cannot show its own evidence is just a setting; a policy that reports every lockout, sign-in and change is part of your security operation.

Bring your standard with you

When you evaluate any operations platform, ocapii included, put your own security standard on the table and ask to see it enforced, live, not described in a PDF. Controls you can verify are worth more than assurances you have to trust.