Access Policy

What: The Access Policy establishes the basic rules regarding the passphrases and the access (to folders and documents) granted to your organization’s employees, contractual workers, and partners. It also outlines the procedures to follow when a staff member leaves or is promoted.

Approx. time: This policy can be formulated in a two-hour meeting during which you’ll be able to make all the decisions thaprt suit everyone.

Who: According to your organization’s governance structure.

---

An access policy allows you to establish clear rules that everyone accepts. If the access to sensitive data (see the Sensitive Data chapter) is properly managed, you will significantly reduce your attack surface. By limiting access, you will ensure a better integrity of documents (you lower the risk that an employee modifies or deletes a document by mistake) without affecting their availability!

The objective of an access policy is to formalize the rules that make sense for your team. A policy will work only if everyone understands its usefulness and learns its fundamentals. 

For this reason, we recommend that you plan a meeting of approximately two hours so that you can agree on the usefulness of these measures and make strategic decisions by mutual agreement. 

We suggest that you designate a person on your team who will be responsible for verifying whether the policy is being applied correctly over the course of a year following its implementation.

The four parts of the policy

• Passphrase management
• Role planning and access management
• Email management
• Employee turnover procedure

---

PART 1: Passphrase management

As we discussed in the Passphrase chapter, establishing an internal policy is necessary to encourage good practices. These standards should be communicated clearly to your employees and collaborators. Here is a list of questions to help you organize this internal policy:

1) Establish a passphrase policy

a. Determine your criteria for the length (number of characters or words) and complexity (numbers and special characters) of the passphrases used in the organization’s activities. We suggest a few methods:

• Diceware method
• Mnemonic method
• The automatic “passphrase generator” function available in several password managers

b. Determine your criteria for the passphrase’s uniqueness. 

• You can recommend using passphrases that are drastically different from one account to another (for example, avoiding variations of the same passphrase). It would be advisable that your internal policy strongly urges your employees to use passwords/passphrases that are completely different from the ones they use in their personal accounts.

2) Choose a password manager

a. Determine your selection criteria. The following are the functions most frequently wanted:

• Cost (some options are free)
• Generates passwords
• Automatically fills out the appropriate fields in your browser
• Alerts users of data breaches
• Works on several devices simultaneously
• Allows a connection with a two-factor authentication

b. Do the research to find the manager that meets your needs. To help you, here is:

• a resource outlining some options
• an article listing the best password managers of 2020.

3) Implement the chosen password manager in your organization

a. Pick a plan that works for you.

• Some password managers have business packages. This could make your life easier, particularly regarding invoicing.

b. Download the password manager on the appropriate devices.

• In order to reduce the attack surface, use the manager only on the devices needed.

c. Familiarize yourself with the manager and gradually start using it. We suggest implementing it in stages.

• First, add and save the current types of access (without necessarily changing them).
• Then, get used to using the program.

4) Change the passwords/passphrases

a. Make sure that all your former access corresponds to the new security standards of your organization.

b. Designate a person in your organization who will ensure that everyone respects the new standards.

5) Use multi-factor authentication

Some platforms ask you to verify your identity by authenticating yourself on another device or by other means (code verification sent by email, validation on a cell phone, etc.). This adds another layer of security: Even if an adversary knows your password, with a second authentication factor they will not be able to access your account without it. 

a. Activate the “2FA” function on your various accounts. At the very least, if you use the same account (such as Gmail, Google Drive, Dropbox) for personal and professional purposes, using a two-factor authentication can be a necessary precautionary measure for securing the access further. Here are all the platforms that support the 2FA.

b. Download an authentication application. The most frequently used way to introduce a second authentication factor is by SMS. This is also the least secure method. We recommend using an authentication application. You can choose one of the following three options:

• Google Authenticator
• Microsoft Authenticator
• Authy

c. Save your backup codes. When you activate the 2FA, many services provide you with “backup” codes. These codes will allow you to regain access to your account if you ever lose your cell phone. Write them down on a piece of paper or copy them into your password manager. The important thing is to keep these codes secure!

• Should you use connections without authentication? For example, connecting with Gmail or Apple accounts.

Here is a template for setting up a passphrase policy.

PART 2: Role planning and access management

In the Limiting Access chapter, we discussed the importance of formalizing the roles and positions in the organization in order to determine and clarify the access associated with each one. 

We recommend that you approach this not in terms of people (Paul, Tim, and Lea) but in terms of roles (administration, communications, production, etc.). In an organization, the same person can have several roles. Similarly, a role can be attributed to several people.

This can help you when employees leave or change positions. 

a. First you need to compile a list of all the roles/positions in your organization.

• Make sure to include permanent positions, interns, short-term or contractual employees, as well as potential partners with whom you need to share files. 

b. Determine the list of access for each role.

• Include the folders, servers, social networks, etc.
• To help you, you can reuse the list that you compiled in the Security Policy inventory. 

c. Update the list regularly. It is generally recommended to update the list:

• every six months
• when a member of the organization stops working
• when there is a change in position (promotion or other).

To compile this list, here is a template to help you formalize the list of roles and the access associated with them.

PART 3: Email management

Emails are the basis of your work. We know that managing the emails in an organization where the staff changes often can be administratively cumbersome.

Determine what information can be sent by email

It’s important to keep in mind that an email is an open medium that passes through different systems before it is received. In short, it’s a means of communication that entails several confidentiality risks. We encourage you to consider what information is appropriate to send by email:

a. Confidential information: For confidential information, using email can be practical and appropriate. Nonetheless, you need to keep in mind that service providers can have access to these messages, depending on the service you use. To reduce the risks, you can:

• Save the more sensitive emails locally on your computer instead of keeping them in your inbox. This will affect the availability of the email, but increase its confidentiality. 
• Get into the habit of asking your interlocutor to delete the email after the information has been transmitted. Deleting the contents of your archive on a regular basis is also a good practice.  
• Change the provider in order to use services that offer more security. Services such as Proton, RiseUp, and Posteo have an excellent reputation.

b. Restricted information: For restricted information (such as a SIN), the transmission of which should be limited only to the parties concerned, we suggest:

• Use end-to-end encrypted communication channels such as WhatsApp or Signal Messenger.
• If the information is extremely restricted, configure these applications to allow transitory messages.

Choose your method of attributing email addresses

We suggest two possible approaches when it comes to attributing email accounts. You can pick the method that is most appropriate for your team. 

Generic email

Benefits:

• The generic email option (such as communication@imaa.ca) is very practical in terms of keeping track of things when there’s a staff change. 
• The transfer can be done with a minimum amount of forwarding or losing emails. You just need to change the passphrase in accordance with your access policy.

Drawbacks:

• A hacker can easily guess the accounts (hence the importance of using a passphrase) and therefore, the inbox can be spammed.

Personalized email

Benefits:

• The risk of spam is reduced

Drawbacks:

• The operations of deleting an account are more complex.
• There is a risk of creating confusion and losing emails with the forwarding function when there’s a staff change.

Make your team, members, and partners aware of the risks of phishing

To limit the risk of email attacks, the ideal is to set up training sessions on how to recognize suspicious emails (as explained in the chapter 5). These sessions can take place a few times a year so that everyone is always up to date!

Here are some resources for informing your team, members, and partners about the risks related to phishing:

An explanation of spam

An educational game about email and cybersecurity

A cybersecurity resource with a section on phishing

PART 4: Employee turnover procedure

The member organizations of IMAA are subject to a significant employee turnover. The teams are often composed of interns, consultants, and freelancers.

In order for the staff change to happen as securely as possible, we recommend that you set up an employee departure policy.

Here are some recommendations:

• Revoke the access for each role.
• Formalize your email management practices (reattributing emails or changing passphrases depending on the strategy chosen).
• Identify the measures needed to delete the data on personal devices.
• Revoke the access with connected accounts (Google, Facebook, etc.).

The departure of a staff member can lead to (intentional or accidental) damage or loss of data. By having a list of roles and their access as well as a policy to apply before the departure, you’ll be able to avoid most of these losses.

• Template of a departure of employee document

---

Checklist

• Establish a passphrase policy.

• Choose a password manager for the organization.

• Implement the chosen password manager.

• Ensure that the passphrase policy is respected (non-compliant password changes).

• Set up two factor authentication whenever possible. 

• Encourage employees to refrain from using connections without authentication.

• Compile a list of the different roles in the organization.

• Compile a list of the access for each role.

• Plan regular updates of the list (as soon as there’s a change in the organization).

• Determine what information can be sent by email with your members and team.

• Choose a method of attributing email addresses.

• Set up training sessions on how to recognize suspicious emails.

• Establish an employee departure policy.

• Plan the next meeting for discussing access.