Security Policy

This content is controlled for compliance requirements. Please contact the owner (Joe Hoyle) if you need to make changes.

As part of working at Human Made you are going to come into contact with a lot of important, confidential information, including internal information like our business plans, or customer information. Before you can dive in, we need to be on the same page about how we work in a secure way.

This policy applies to all employees, contractors, consultants, freelancers, and other workers at Human Made, and covers any device you use for work. That includes company-issued laptops, phones, any existing devices you bring with you, and any devices you borrow or use temporarily.

Take this policy seriously. Everything in this policy is a requirement unless we say otherwise. Anyone who violates this security policy may be subject to disciplinary action, up to and including termination of employment.

When things go wrong

Incidents happen to everyone. When it happens to you, it’s important that you tell us so that we can immediately begin to fix it.

When something goes wrong, email security@humanmade.com with as much detail as you can about what seems to have happened. This will contact everyone who needs to know, including Joe Hoyle, our CTO and security officer.

If you’re not certain but you’ve got a bad feeling, tell us; we won’t yell at you for being cautious.

Staying safe

All of us work remotely, which means we’re all individually responsible for our devices. This includes physical security (like not letting someone steal your laptop) and virtual security (like not letting someone hack your laptop).

These requirements apply to any device you use for work, including both computers we give you and any you bring yourself.

Setting up your computer and phone

• Set your computer to require a password to wake up from sleep, that way if you close the lid and step away for a few minutes someone can’t steal it and get access to all the secrets.
  • You should use biometric scanners where you can, such as a fingerprint scanner or FaceID.
• Enable full disk encryption, so that if someone steals your device, they can’t access anything.
  • Don’t take backups of your machine. Instead, store data you need to keep in the cloud directly, so that it’s kept encrypted and secured.
  • Don’t download or copy anything onto external/removable drives, like USB drives. These aren’t protected by the same encryption as your hard drive, so are much less safe.
• Automatically lock your computer after a short period of idle time (10 mins maximum).
• Run a virus scanner on any files you are sent (Gmail does this for you automatically).
• Enable device tracking. This ensures if you lose your device, you can find it again, and if it’s stolen, we can verify and revoke its access.
• Enable your operating system’s built-in anti-malware or anti-virus. You should avoid installing third-party anti-virus (like McAfee) which can have its own problems.
• Only use supported devices which receive regular updates. If your device isn’t getting those, you can expense a replacement.
• When using Wi-Fi, you must follow the wireless security guide.

As part of onboarding, we’ll ask you to set up Mobile Device Management (MDM) tools, which allow us to enforce these settings.

For reference, those settings are:

• macOS Settings
  • Full Disk Encryption:
    • System Preferences → Security & Privacy → FileVault (you should also encrypt your backups).
  • Device Tracking:
    • System Preferences → iCloud → Find My Mac
    • Check on icloud.com to verify.
  • Anti-Malware:
    • System Preference → Software Update → Advanced → Install system data files and security updates
    • Ensure System Integrity Protection is enabled (it is by default, unless you run special commands; don’t do that)
  • Require password:
    • System Preferences → Security & Privacy → General → Require password after sleep or screen saver begins
• Windows Settings
  • Full Disk Encryption:
    • Enable Bitlocker
  • Anti-Malware:
    • Enable Windows Defender (Also called Windows Security in newer versions)
• iOS Settings
  • Encryption:
    • Set a passcode, at least a 6-digit pin to unlock your phone
    • Under Settings > Touch ID & Passcode, “Data protection is enabled” should be shown at the bottom of the screen.
  • Device Tracking:
    • Settings → iCloud → Find My iPhone
    • Check on icloud.com to verify.
• Android Settings
  • Encryption:
    • Set a passcode, at least a 6-digit pin to unlock your phone
    • Settings → Security → Encrypt phone. This should show “Encrypted” if enabled.
  • Device Tracking:
    • Settings → Google → Security → Remotely locate this device.
    • Check on Android Device Manager to verify.

Installing apps

When you install apps on your device, make sure you’re only installing trusted and highly-rated apps, ideally from official app stores. Apps can often access anything on your computer and present a risk.

This applies to browser extensions too, which can see what you’re doing across sites, including our internal communication tools or customers’ websites.

Important: extensions that operate on text such as Grammarly can send everything you type on a web page to a service that you do not control. If they are running when you use websites such as Gmail, Slack, GitHub, Small Improvements, Workable or anything else work related you could be sending sensitive data to a 3rd party not covered by our privacy policy. These extensions should be switched off for work related websites and are otherwise generally discouraged.

Passwords & 2-factor authentication

Unlike many companies, we don’t have a physical office, so we protect all of our communication tools and collaboration spaces with user accounts and passwords instead. Just like you lock your house, we expect that you treat passwords as your key to the company, and be careful with them.

• Use a password manager like 1Password for your passwords.
  • Human Made has its own 1Password account. You will need to use this to access some shared systems, so you should use it for your other passwords too.
• For any shared accounts, use 1Password team vaults in the Human Made account.
  • Avoid sharing accounts where possible. Use private vaults with individual members added instead where you can.
• Never reuse passwords across sites, and don’t write them down on paper that you might lose or someone else might be able to see.
• Use strong long passwords (16+ chars) made up of random letters, numbers and symbols. 1Password will make these for you.
• Enable 2-factor authentication everywhere you can. This ensures that even if someone gets your password, they still won’t be able to access anything.
  • 1Password supports two factor authentication, so you can use that.
  • Alternatively, Authy or Google Authenticator are good choices.
  • Do not use SMS for 2FA. SMS has been shown to be vulnerable to social engineering attacks and has been removed from US government security recommendations.
• Always use a separate password for each service. This reduces the chance of wider compromises in the event your password is discovered.
• Treat any P2 uploads (e.g. images, videos) as potentially externally accessible and use Google Drive or Dropbox to share files internally for truly private stuff.

Tool-specific guidance

All of our company-wide tools are described in our Tools page, and our Tools and Services Policy describes how we use any new tools or services.

Sites with two-factor

• Amazon AWS
• Backblaze
• Bob
• GitHub
• Google (Gmail)
• Humanmade.com
• Slack
• WordPress.com
• Xero
• Zoom – If you store sensitive data in your Zoom account (i.e. record to Zoom Cloud and/or use the audio transcribe feature)
• Any other team-specific services you use that support two-factor authentication

GitHub

• If you are using GitHub on the command line, create a unique access token.
• Use a strong password with your SSH key. SSH keys can give you access to change customer systems, which is dangerous.
  • You can test your SSH password by running ssh-keygen -y on the command line. If you are not prompted for a password, you need to add one, which you can do with ssh-keygen -p. Your public key will remain the same, so remote servers/proxy access does not need to be updated
  • You should also use strong algorithms with RSA 2048 at a minimum; higher numbers are better, and 4096 should be used for any new keys generated. (ed25519 is also OK.) to check the algorithm.
• Never share your private key with anyone, or copy to a remote server. If you need access from another server with your remote key, use SSH agent forwarding.

Google Docs, Google Sheets

When starting a new Google Doc or Google Sheet, it is best to start from the intended resting folder within the correct Team Drive. This way the documents inherit the default, secured permissions from the Team Drive.

Never start company documents from your private Google account.

For documents you share with the company, make sure you’re setting sharings to “Anyone in Human Made can access” and not “Anyone with the link can access”.

Your working space

When you’re working in public (such as a co-working space, cafe or the airport; list not exhaustive), be mindful of your surroundings, and don’t discuss private things in front of others. Not only should you avoid being the obnoxious loud talker, but we don’t want anyone else knowing about our secret stuff. You should also ensure people can’t read over your shoulder, and always lock your devices, even if you’re only leaving them for a minute.

Keep your devices secure from theft, including having a lock on your front door at home (which you do have, right?), making sure your co-working space has things like security cameras or door fobs, and avoid leaving your devices unattended in public. If you lose your device, use the device tracking you set up just before to find it; if you still can’t, tell us about it so we can lock your devices out until you get it back.

How you use your stuff

Devices and accounts you use for work should be used for work, and you should not use them for anything particularly personally sensitive. It’s best to assume others will have access to your data at some point.

For example, if the company is sued, you might need to hand over your devices for evidence. Or, if you leave the company, we might need to access data in your work accounts so that other team members can pick up where you left off.

We won’t stop you from using work devices for personal things like reading Reddit or calling your parents, and we’ll ensure anyone here who has these access super-powers acts under tight ethical standards. We’ll also help to protect your devices and accounts from access from others.

If you abuse this and do illegal things with company stuff, we’re not responsible for this, and we’ll assist law enforcement.

Working with other people

User accounts and access are tied to you, and everyone at Human Made will have access to different things. While we operate as open by default, some things will be limited in their access, and you shouldn’t assume everyone will have the same level of access you do. Check with whoever owns the service, document, etc before sharing.

Be careful when sharing stuff with people outside of the company, who may not follow these same rules. Don’t let people you don’t trust use your devices, and check whether there’s anything sensitive before sharing information.

Ensure you follow the Data Classification Policy with any data you create, share, or use internally.

If you’re one of those people with super-powers giving you access to other employees’ stuff, treat those powers with care and use them sparingly. Don’t abuse those powers to inappropriately access things, provide anyone with favours, and definitely don’t use them to commit fraud. There are higher expectations of you with this access, and as a result, disciplinary action will be harsher if you abuse it.

Footnotes

Occasionally, we may need to make exceptions to this policy for practical or legal reasons. If we do, we follow the Security Exception Process, we record the exceptions, and we review them regularly.

If you have any questions about this policy, ask in #company-admin on Slack and we’re happy to answer!