Commandments for SaaS tools and business email
(gist friso/47aa06ccb657065480ef1c42b3626c42, last active September 6, 2019 12:55)

- Business email accounts ([email protected]) shall have two-factor authentication enabled.
- Primary identification for other services is always a business email address ([email protected]).
  - Exception: services that naturally integrate personal accounts with organisations (e.g. GitHub).
- For any service, there is one and only one root admin account, and it is tied to [email protected].
  - For services that separate accounts from organisations (e.g. GitHub), this means a "personal" account is created for [email protected] and that account is used to create and own the organisation settings.
- Passwords for accounts tied to personal email addresses ([email protected]) are never stored in a shared password vault, only in a personal vault.
- Passwords for accounts tied to [email protected] are stored in a shared password vault; access to that vault is limited to a set of n individuals, where 2 <= n <= 4.
  - Whenever the service allows this configuration, this same set of people must receive security alerts for all services.
- The second authentication factor for [email protected] is a device or hardware factor stored securely in a known location with adequate physical access control (e.g. a safe in the office), including printed recovery codes, etc.
  - It is regularly checked and reported that all known factors are still in this place.
- Administrative privileges are always delegated to personal accounts and then exercised through those personal accounts (i.e. we don't log into things as [email protected] after initial sign-up, unless there is absolutely no other way).