- Business email accounts (you@company.com) shall have two-factor authentication enabled.
- The primary identity for every other service is always a business email address (any@company.com).
- The only exception is services that by design attach personal accounts to organisations (e.g. GitHub).
- For any service, there will be one and only one root admin account that is tied to admin@company.com.
- For services that separate accounts from organisations (e.g. GitHub), this means a "personal" account is created for admin@company.com, and that account creates and owns the organisation and its settings.
- Passwords for accounts tied to personal email addresses (you@company.com) are never stored in a shared password vault, only in a personal vault.
- Passwords for accounts tied to admin@company.com are stored in a shared password vault to which access is limited to a set of n individuals, where 2 <= n <= 4.
- Whenever the service allows it, this same set of people receives the security alerts for all services.
- The second authentication factor for admin@company.com is a hardware or device factor kept in a known location with adequate physical access control (e.g. a safe in the office); the same applies to printed recovery codes and the like.
- It is checked regularly, and the result recorded, that all known factors are still in that location.
- Administrative privileges are always delegated to personal accounts and then exercised through those personal accounts (i.e. we do not log in as admin@company.com after the initial sign-up, unless there is absolutely no other way).
Last active: September 6, 2019 12:55
Commandments for SaaS tools and business email