Access Control and Authorization Policy

This is a copy of our internal policy. We share it to help customers get a better understanding of how we work. The policy will be updated or improved from time to time. You’re welcome to give us feedback by sending an e-mail to security@small-improvements.com.

We manage highly confidential customer data, our own financial data, and plenty of our business plans and goals. The moment adversaries get access to this data, our entire business is at stake. We need to ensure that we only use systems we trust, and that we only give access to staff we trust.

In addition, it’s important to remember that even a person we trust may have their account breached by intruders. So even the most trustworthy staff member should only get access to as much data and as many applications as they need to do their job well, and only for as long as they need it, but not longer (“least privilege principle”).

Some practical guidelines:

  • Never share any crucial passwords between staff. Only use and commission new systems that support multiple user accounts.
  • Make sure you enable 2-factor authentication when dealing with important data, especially if you’re an admin, but also whenever possible as a normal user. Example: even as a contributor (i.e. non-admin) for the website, your account could be misused to link to malware sites.
  • The main admin accounts are assigned by the CTO or the Information Security team. For each system we also have system owners who are in charge of assigning new users when needed.
  • If API keys have to be used to access another application from within SI, treat those API keys like a password and don’t share them widely: only store them inside 1Password and only share them with the people who really need to know.
  • As an admin of any system, make sure that you assign additional access (both in terms of new users and in terms of added privileges) only on a strict need-to-know basis. Check with the system owner, or with the Information Security Team (or with the CTO) if in doubt.
  • Always consider handing out permissions temporarily. Someone might only need access for a week; revoke the permission after that week.
  • The Information Security Team routinely revisits all systems and removes people who don’t require access anymore. If in doubt, we’ll err on the safe side. So if your account was downsized or removed by accident, please let them know. It was not done with bad intentions, and we’ll reinstate your permissions so you can do your job.