Security Protocol

Status: LIVE


  • You will be entrusted with valuable information. It's your responsibility to protect that information.

  • Lock your monitor when leaving your device unattended.

  • Never leave non-company employees on company premises alone. The last person leaving must always be a company employee. For example, if there's a party and you're the last 9Y'er, politely ask the remaining guests to help you lock up.

  • You can come to the office at any time. It’s open 24/7.

  • If you bring guests to the office, you are responsible for them.

  • Everyone is individually responsible for office security. Close windows when you leave, lock the doors, etc. See checklist under Office Basics.

  • Each teammate gets their own credentials, such as a username, password, and security badge. Avoid access credentials that can't be tied to a single person, such as shared PIN codes.

  • Use the need-to-know principle. Don't request or share more credentials than are needed.

  • Ensure that your machine has a password and that it prompts for it as soon as the machine goes to sleep.

  • A story about password security: you have been using the internet for a long time. Along the way you've created accounts on various services. Some of those services have been hacked and have exposed your password. Don't believe me? You can check which of your passwords have been compromised, and how many times you've been affected, by entering your email on www.haveibeenpwned.com. Spoiler: all 3 founders have been pwned. Luka has had his password stolen from 19 different services, including (amongst others): Adobe, bitly, Dropbox, Houzz, Last.fm, LinkedIn, Myspace, Trillian. Check your own email; you'll be surprised.

  • Follow these simple rules for your own password security:

    • Don't reuse passwords across services. Ever.

    • Use multi-factor-auth on company related online services whenever you can.

    • Use a password manager. Always.

      • A good choice is 1Password; it's ~2 EUR and in my opinion absolutely worth it for us digital natives. There are other choices too. If you need advice, ask the CTO.

  • Follow the above 3 points on password security religiously, ignore everything else, and you're golden. A password manager such as 1Password that generates a random password for each website and warns you about data breaches, along with generous use of MFA, is all that you need. Ignore everyone who gives you advice like "set a minimum length", "use specific characters", "rotate your password often", "password policy", and so on: their advice is well intentioned but misses the big picture.

  • When granting third-party apps access to GSuite, Slack, etc. (this also applies to add-ons, e.g. for Jira or Confluence, and to integrations):

    • When it affects your own account only: use your own common sense. If in doubt ask the CTO.

    • When it affects company wide resources: get permission from the CTO.

  • This is our default security policy. Some projects may require stricter policies and you’ll be informed of those when working on such projects.
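As an added illustration of the password guidance above (this is example code, not part of the original page or of any tool it names), the snippet below shows how a breach check can be done without ever sending the password itself: hash it with SHA-1, send only the first five hex characters of the hash, and match the remaining 35 characters locally against the returned list. This is the k-anonymity scheme used by the Pwned Passwords API at https://api.pwnedpasswords.com/range/<prefix>, which is the same Have I Been Pwned service mentioned above. The range data here is constructed sample data, not a real API reply, so the script runs offline; the `generate_password` helper stands in for the per-site random password a password manager would produce.

```python
import hashlib
import secrets
import string

# Constructed sample of what a range lookup could return. Each line is
# "<35 hex chars of SHA-1 suffix>:<breach count>". The suffix on the first
# line is the real SHA-1 suffix of the string "password"; the counts and the
# second suffix are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
        "00000000000000000000000000000000001:2\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix, suffix). Only the 5-char prefix would ever leave the machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_lookup(prefix: str) -> str:
    """Stand-in for the HTTPS GET of /range/<prefix>; serves the constructed data."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, lookup=offline_lookup) -> int:
    """Times the password appears in the (sample) breach corpus, 0 if never.

    The full hash is never sent: the lookup receives only the prefix, and the
    suffix comparison happens on this side.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def generate_password(length: int = 20) -> str:
    """A random per-site password of the kind a password manager generates."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("breaches for 'password':", breach_count("password"))
    fresh = generate_password()
    print("generated:", fresh, "breaches:", breach_count(fresh))
```

To run it against the live service, replace `offline_lookup` with a function that fetches the URL for the prefix over HTTPS and returns the response body; everything else, including the privacy property, stays the same.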
