Internet and communication systems policy

Web Site Access

2-step verification must be enabled on all web sites that support it. Specifically, everyone should enable 2-step verification for:

  • Cultivate’s Google Apps account (Gmail, etc.)
  • Dropbox
  • A Github account that is part of the Cultivate organisation

One-time recovery keys should be generated so that 2-factor authentication can be recovered. These must be stored somewhere secure and encrypted, such as 1Password, LastPass, or Passpack.

Passwords: Storage, Exchange, and Strength

1Password must be used for all password communication.

NEVER send passwords via email, IRC, Slack, instant messaging, or other online communication channels! If a contractor, employee, or client sends a password via an insecure mechanism, that password must be changed.

Do not use the same password for different sites.

Use strong passwords. Read this article for tips. Better yet, use PassPack itself or a program like 1Password to generate passwords and remember them for you.

Any password or key that is proprietary to Cultivate (e.g. an admin password for a service) must be stored in the 1Password shared vault.

Cultivate Computer Setup (including personal computers with Cultivate or Cultivate client IP)

All information about or from Cultivate or any of its clients must be stored encrypted. This includes ALL code repositories, work-related downloaded files, etc. The simplest mechanism on a Macintosh computer is to enable OS X FileVault.

A firmware password must be set on all Cultivate computers that support one. To set a firmware password on a modern Mac, hold cmd-R while rebooting.

Note that only Apple can reset the firmware password if it is lost or forgotten (see the Apple support note).

Computers must be password protected and must require a password at startup.

Computers must have a password-protected screen saver that starts automatically after 5 minutes or less. Start the screen saver immediately whenever you walk away from your computer.

Employees Leaving Cultivate

When a contractor or employee leaves the company, all passwords that the employee had access to should be changed.

Some areas to investigate and add to this policy:

  • PreyProject (tracking stolen computers): http://preyproject.com/
  • Locked screens that wipe the disk drive after 10 failed attempts
  • As part of HIPAA compliance, any known security breaches (lost computers, exposed passwords, etc.) must be logged.