Tools And Services Policy

When we're considering using a new (third-party) tool or service, it's important that we're able to implement the same security standards that we have internally. Our employees and customers trust us with their data, and we need to ensure we're keeping that safe regardless of how we process it.

Using a new tool or service

We want everyone to have the tools they need to work productively, but we need to balance that against our security requirements to ensure we're keeping data safe.

Generally, when using new tools, we should consider:

  • The need to use the service (and whether we already have a tool that does this)
  • The purpose of the tool
  • The reputation of the company offering it
  • How it integrates with our other tools

For tools that are processing our higher classifications of data (basically anything we expect to be kept private), we need to enforce certain rules to keep our data safe. We need to perform more due diligence and check more controls generally.

Where possible, we should select tools made by reputable companies, who offer strong data guarantees (such as via compliance standards), and who can integrate with our security tooling like SSO.

For Confidential and Restricted data in particular, any tools which control or process this must:

  • Be reviewed every quarter as part of the periodic access reviews
  • Use Multi-factor Authentication or Google Workspace SSO
  • Meet legal requirements, namely the GDPR
  • Be approved by the CTO

Giving people access

When configuring access for new services, special attention should be given to access controls, roles and authentication.

Wherever possible, we should use single sign-on (SSO) features which integrate with our Google Workspace. This allows users to join and leave much more easily, ensuring consistency across tools and simplifying the process.

Where services do not support SSO, they should be configured to require Multi-factor Authentication (MFA) where possible, in accordance with our security policy. Password policies, where enforceable, should meet our Password Policy. Each team is responsible for managing these non-SSO tools.

If the tool supports role-based access control and granular permissions, follow the principle of least privilege. Ideally, tools should be administered and owned by the most relevant leader. At least two admins should be added so that there's always a way for the company to manage the account.

In the rarest cases where tools only support a single, shared login (or where it is prohibitively expensive otherwise), we can make an exception at the discretion of the CTO.

Administrator level access to tools and services that contain restricted or confidential data must be signed off by senior management.

Removing services

When tools and services are no longer required, they should be closed down, and all data stored with the service should be deleted.

A copy of any data stored in the service should be exported if the data has forensic or historical value. Store this data in an appropriate place that matches the data classification, such as Google Drive.

Backing up data

Tools and services that store canonical data that are critical to the business or its clients must implement data backup procedures. Backups must be stored separately to the service (where possible), and access to backups must be restricted in accordance with the data being backed up.

When people leave

When employees no longer require access to a given service, or have ended their employment with FooEngine, they must be removed from all services and tools.

In cases where services are not part of our company-wide offboarding services list, you should ensure your team manages offboarding of tools and services as part of employee termination. (For tools which support SSO, people who are leaving will automatically lose access when the People team offboards them from the company.)

Regular access reviews

Annual reviews of access for all tools that contain internal, confidential or restricted data must be performed to ensure only those who should have access do so. Quarterly elevated access reviews must be performed for all administrator accounts in tools that contain confidential or restricted data.