When we’re considering a new (third-party) tool or service, we need to be able to apply the same security standards to it that we apply internally. Our employees and customers trust us with their data, and we must keep it safe regardless of where or how it is processed.
Using a new tool or service
We want everyone to have the tools they need to work productively, but we need to balance that against our security requirements so that data stays safe.
Generally, when using new tools, we should consider:
- The need to use the service (and whether we already have a tool that does this)
- The purpose of the tool
- The reputation of the company offering it
- How it integrates with our other tools
For tools that process our higher classifications of data (broadly, anything we expect to be kept private), we need to enforce additional rules to keep that data safe. These tools require more due diligence up front and more controls in general.
Where possible, we should select tools made by reputable companies that offer strong data guarantees (for example, through recognised compliance standards) and that integrate with our security tooling, such as SSO.
For Confidential and Restricted data in particular, any tool which stores or processes it must:
- Be included in the periodic access reviews, with administrator accounts covered by the quarterly elevated access review
- Use Google Workspace SSO or, where that is not supported, multi-factor authentication
- Meet our legal requirements, in particular the GDPR
- Be approved by Joe Hoyle, the CTO
- Be added to the data inventory
Major suppliers
Certain tools and services need an even higher level of due diligence to ensure they meet both our security and our service standards. In particular, tools we use to deliver services directly to customers must meet the highest standards, and we must review them regularly (at least annually).
Our Subcontractor Compliance Monitoring process and inventory records these services and their compliance status.
Giving people access
When configuring access for new services, special attention should be given to access controls, roles and authentication.
Wherever possible, we should use single sign-on (SSO) features that integrate with our Google Workspace. This makes onboarding and offboarding much simpler, keeps access consistent across tools, and reduces the work for the People team. Where SSO is prohibitively expensive, an exception can be made through the Handling Security Policy Deviations process, with explicit sign-off.
Where a service does not support SSO, it should be configured to require multi-factor authentication (MFA) wherever possible, in accordance with our security policy. Where a password policy can be enforced, it should meet our Password Policy. Each team is responsible for managing its own non-SSO tools.
If the tool supports role-based access control and granular permissions, follow the principle of least privilege. Ideally, each tool should be owned and administered by the most relevant leader. At least two administrators should be configured so that the company never loses the ability to manage the account.
In the rare cases where a tool only supports a single shared login (or where separate accounts are prohibitively expensive), an exception to these rules can be made through the Handling Security Policy Deviations process.
Administrator-level access to tools and services that contain Restricted or Confidential data must be signed off by senior management. Elevated access reviews must cover these administrators, and administrator access should only be used when necessary.
Removing services
When a tool or service is no longer required, the account should be closed and all data stored with the service deleted.
Before closing the account, export a copy of any data that has forensic or historical value. Store the export somewhere appropriate to its data classification, such as Google Drive.
Backing up data
Tools and services that store canonical data that is critical to the business or its clients must have data backup procedures in place. Backups must be stored separately from the service, and access to them must be restricted in line with the classification of the data being backed up.
Backup integrity (that the data can actually be restored) must be tested as part of Business Continuity Testing, at least annually.
When people leave
When an employee no longer requires access to a given service, or has ended their employment with Human Made, they must be removed from all relevant services and tools. This is handled as part of the Offboarding Process.
Where a service is not on our company-wide offboarding services list, your team is responsible for offboarding that tool or service as part of employee termination. (For tools that support SSO, leavers automatically lose access when the People team offboards them from the company.)
Periodic access reviews are completed every 6 months to confirm that access control on every service is still correctly configured.
Regular access reviews
Annual access reviews must be performed for all tools that contain Internal, Confidential or Restricted data to ensure that only the people who should have access do. Quarterly elevated access reviews must be performed for all administrator accounts in tools that contain Confidential or Restricted data. Both must follow the Review Access to Systems process.