IT Security & Access Control Policy
System: 06 Administration
Owner: COO / Operations Manager
Last Updated: December 17, 2025
Status: Active
1. Purpose
To ensure the confidentiality, integrity, and availability of TTD Business Manager data and assets. This policy applies to all employees and contractors.
2. Core Principles
- Least Privilege: Users are granted only the minimum level of access required to perform their job duties.
- Zero Trust: Never assume a connection is safe. Always verify identity.
- Separation of Duties: Critical tasks (e.g., approving payments) should require two distinct checks where possible.
3. Account Security
3.1 Password Management
- Mandatory: Use a dedicated Password Manager (e.g., 1Password, LastPass, Bitwarden).
- Prohibited: Reusing passwords across personal and work accounts.
- Prohibited: Sharing passwords via Slack, Email, or Text. Use the secure sharing feature of the Password Manager.
3.2 Multi-Factor Authentication (MFA)
- Requirement: MFA/2FA must be enabled on ALL accounts that support it (Microsoft 365, HubSpot, Thinkific, Banking, Social Media).
- Method: Authenticator Apps (Microsoft Authenticator, Authy) or Hardware Keys (YubiKey) are preferred over SMS 2FA.
4. Device & Network Security
4.1 Workstation Security
- Disk Encryption: Full disk encryption (BitLocker for Windows, FileVault for macOS) must be enabled.
- Updates: Operating systems and browsers must be set to auto-update.
- Lock Screen: Devices must auto-lock after 5 minutes of inactivity.
4.2 Network Access
- Public WiFi: Do not access company systems (Admin panels, CRM, Banking) over public WiFi (cafes, airports) without a VPN.
- Home Networks: Ensure home router firmware is up to date and default passwords are changed.
5. Data Handling
5.1 Data Classification
- Public: Marketing materials, blog posts.
- Internal: SOPs, meeting notes, project plans.
- Confidential: Customer lists, financial reports, strategic roadmaps.
- Restricted: Customer PII (Personally Identifiable Information), credit card data, passwords.
5.2 Data Sharing
- External: Only share Confidential/Restricted data via secure, expiring links (e.g., SharePoint/OneDrive specific sharing, not "anyone with the link").
- Storage: Store work files ONLY in the designated company cloud storage (SharePoint/OneDrive), not on local desktops.
6. Onboarding & Offboarding
6.1 Provisioning
- Access is granted based on the Role Profile defined in Planning/08_People_Management/Role_Definitions_and_Career_Paths.md.
- All accounts must be created using the company email address (no personal Gmails).
6.2 Deprovisioning
- Immediate Action: Access to core systems (Email, CRM, Slack) is revoked during the termination meeting.
- Audit: A checklist is run to ensure all third-party tool access is removed within 2 hours of departure.
7. Incident Reporting
- Duty to Report: Any suspicion of a breach, lost device, or accidental data exposure must be reported to the COO immediately.
- No Retaliation: We prioritize fixing the breach over assigning blame. Report early.
Related Documents: