Critical Account Policy
Google Workspace, domain registrar, Cloudflare, GitHub, Firebase/Google Cloud, financial platforms, and developer stores are Tier 1 critical systems.
Password Manager
Select a business-capable password manager before scaling access. Bitwarden, 1Password, or an equivalent may be evaluated based on business ownership, sharing, recovery, audit history, and cost.
Never store passwords or recovery codes in email, ordinary Google Docs, spreadsheets, source code, or client chat.
Access Rules
- Prefer invitations, partner access, organization roles, and delegated permissions over shared passwords.
- Grant least privilege.
- Remove access promptly during offboarding.
- Review Tier 1 access quarterly and after role changes.
- Do not use aliases as if they were independent login identities.
Approved Security Standards
SEC-001 Credential Management
Apple Passwords approved for 2026, with protected recovery codes and a January 2027 review.
SEC-002 MFA
Mandatory controls for Tier 1 platforms.
SEC-004 Recovery
Primary and encrypted offline recovery copies.
Device & Browser Minimums
- Supported operating system and browser updates installed.
- Screen lock enabled.
- Device encryption enabled where supported.
- No credential saving on shared/public devices.
- Separate browser profiles for business and personal work where practical.
Incident First Actions
- Contain the account or system.
- Change compromised credentials and revoke sessions.
- Preserve logs and evidence.
- Assess client, data, billing, DNS, and email impact.
- Notify the responsible owner.
- Document the incident and lessons learned.