April 20, 2021

What should be mentioned in a company's security guidebook?


I am a CTO of a young startup and I am making our first internal security best practices guide. So far I’ve got:

> Below is an outline of measures you are expected to follow to help keep our data, as well as the data of our customers secure. If you do not understand any of the measures outlined below, please contact [email protected]
>
> ## Do not share PII
>
> You may be given access to personally identifiable information (PII) through backups, temporary files, spreadsheets, etc. This data should be handled with care, not shared with others, and deleted when it is no longer needed. If you are giving others access to PII, include only the minimum amount of data they need (i.e., leave out data they have no use for, e.g. addresses, phone numbers).
>
> ## Use secure passwords
>
> Passwords should never be shared with others, and each web service should use a unique password. We ask you to use the [LastPass Password Generator](https://www.lastpass.com/password-generator) to generate passwords for all Contra services.
>
> ## Store passwords securely
>
> We ask you to store all Contra passwords using the [LastPass](http://lastpass.com/) Contra team account. You must not share passwords in public Slack channels or over email. Use LastPass's built-in password sharing functionality to share passwords with other teammates.
>
> ## Use two-factor authentication
>
> Two-factor authentication prevents people from accessing your accounts simply by knowing your login credentials.
>
> Depending on the site, enabling two-factor authentication will usually require either your cell phone number, or an app on your phone, where you can access the security code you need to sign in.
>
> When you activate two-factor authentication, you will be provided **recovery codes**. Make a copy of these codes and store them securely.
>
> ## Lock your computer
>
> Your computer should require a password when it is turned on, and it should be configured to lock after a period of inactivity; this will prevent data on your computer from being accessed without your consent.
>
> ## Enable Find My Mac
>
> This will allow you to locate your lost computer, or remotely delete all data from the device if it cannot be recovered.
>
> ## Encrypt your computer
>
> Encrypting the data on your computer will help prevent unauthorized access to that data if your computer is lost or stolen.
>
> ## Encrypt Time Machine backups
>
> You must encrypt all data on your backup disk; this helps prevent unauthorized access to that data if your backup disk is lost or stolen.
>
> ## Report breaches
>
> If you have reason to believe that confidential data has been lost, stolen, or accessed without authorization, immediately report this to [email protected]

Each section also includes “How to” instructions.

What else should I include?
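The device controls in the draft (FileVault, screen lock and inactivity timeout, Find My Mac, encrypted Time Machine destinations) can be audited from a shell rather than relying on everyone to check their own settings. The script below is an added example, not part of the question or any reply, and not Contra's own tooling. Each `check_*` function parses the raw output of the macOS command named in its comment and prints PASS, FAIL or UNKNOWN; the exact output strings (`fdesetup status`, `sysadminctl -screenLock status`, the `com.apple.screensaver idleTime` key, `diskutil info` lines, the `fmm-mobileme-token-FMM` NVRAM variable) are assumptions about current macOS releases, and the sample `diskutil` output is constructed. `audit_mac` runs the real commands on a Mac; the parsing functions run anywhere.

```shell
#!/bin/sh
# Added example: read-only audit of the guidebook's device controls on a Mac.
# check_* functions take the raw command output as $1 so they can be tested
# offline; audit_mac wires them to the real macOS commands.
# Output formats below are assumptions about current macOS releases.

# "Encrypt your computer": `fdesetup status` prints "FileVault is On." or "FileVault is Off."
check_filevault() {
    case "$1" in
        *"FileVault is On"*)  echo PASS ;;
        *"FileVault is Off"*) echo FAIL ;;
        *)                    echo UNKNOWN ;;
    esac
}

# "Lock your computer": `sysadminctl -screenLock status` prints
# "screenLock is off" or "screenLock delay is <N> seconds" / "... is immediate".
check_screenlock() {
    case "$1" in
        *"screenLock is off"*)   echo FAIL ;;
        *"screenLock delay is"*) echo PASS ;;
        *)                       echo UNKNOWN ;;
    esac
}

# Inactivity timer: `defaults -currentHost read com.apple.screensaver idleTime`
# prints seconds before the screen saver starts (0 = never).
# $1 = that output, $2 = maximum allowed seconds.
check_idle_timeout() {
    secs=$(printf '%s' "$1" | tr -cd '0-9')
    if [ -z "$secs" ]; then
        echo UNKNOWN
    elif [ "$secs" -gt 0 ] && [ "$secs" -le "$2" ]; then
        echo PASS
    else
        echo FAIL
    fi
}

# "Encrypt Time Machine backups": `diskutil info <mount point>` shows
# "Encrypted: Yes" for a CoreStorage volume or "FileVault: Yes" for APFS.
check_backup_encrypted() {
    if printf '%s\n' "$1" | grep -Eiq '^ *(Encrypted|FileVault): *Yes'; then
        echo PASS
    else
        echo FAIL
    fi
}

# "Enable Find My Mac": `nvram -p` lists fmm-mobileme-token-FMM only while enabled.
check_find_my_mac() {
    case "$1" in
        *fmm-mobileme-token-FMM*) echo PASS ;;
        *)                        echo FAIL ;;
    esac
}

# Constructed sample `diskutil info` output (not captured from a real disk).
SAMPLE_DISKUTIL_ENCRYPTED='   Device Identifier:         disk4s1
   Volume Name:               Backup
   FileVault:                 Yes (Unlocked)
   Encrypted:                 Yes'
SAMPLE_DISKUTIL_PLAIN='   Device Identifier:         disk4s1
   Volume Name:               Backup
   FileVault:                 No
   Encrypted:                 No'

# Run every check on this machine (macOS only). Returns 0 only if all pass.
audit_mac() {
    [ "$(uname -s)" = Darwin ] || { echo "audit_mac: not macOS" >&2; return 2; }
    rc=0
    report() { printf '%-28s %s\n' "$1" "$2"; [ "$2" = PASS ] || rc=1; }
    report "FileVault"            "$(check_filevault "$(fdesetup status 2>/dev/null)")"
    report "Screen lock"          "$(check_screenlock "$(sysadminctl -screenLock status 2>&1)")"
    report "Idle timeout <= 600s" "$(check_idle_timeout "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)" 600)"
    report "Find My Mac"          "$(check_find_my_mac "$(nvram -p 2>/dev/null)")"
    # One line per configured Time Machine destination; here-doc keeps the loop in this shell.
    dests=$(tmutil destinationinfo 2>/dev/null | sed -n 's/^Mount Point *: *//p')
    while read -r mp; do
        [ -n "$mp" ] || continue
        report "Backup $mp encrypted" "$(check_backup_encrypted "$(diskutil info "$mp" 2>/dev/null)")"
    done <<EOF
$dests
EOF
    return $rc
}

# `sh audit.sh run` performs the live audit; sourcing the file only defines the functions.
case "${1:-}" in run) audit_mac ;; esac
```

Run it as `sh audit.sh run` on each laptop; a non-zero exit means at least one of the guidebook's device controls is off, and the report names which one.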

Comments

gajus0

Just added:

> ## Use a VPN when working outside of home
>
> We ask you to use the [iVPN](https://www.ivpn.net/) Contra team account whenever you use your computer outside of home. A VPN reduces the risk of anyone intercepting sensitive information by inspecting your network traffic.
