Security Guidelines

Having a secure online repository like Haplo for all your information is only the first step to keeping that information secure. You also need to make sure that you and your colleagues use Haplo in a secure manner.

The only truly secure system is one which allows no one any access at all. Unfortunately, such a system would be impossible to use. Security is about striking the right balance between usability and protection: you need to keep your information secure while still enabling people to do their work by giving users appropriate access.

Your main concern should be to prevent outsiders from accessing your information. This involves:

  • Preventing unauthorised people from gaining access to your information
  • Minimising the harm caused by accidents, such as a lost device or a careless action by a user

A system is only as secure as its weakest link, and users are often the weakest link through careless actions, such as using a weak password or losing their laptop or phone. To protect your information, you must ensure that all your users take responsibility for their part in running a secure information system.

Trusting your users

The Haplo security model is designed to protect your information from outsiders. Within your organisation, we take the reasonable position that you should trust your staff. Technical measures can limit which information an insider can reach, but they cannot stop an insider misusing information they are legitimately allowed to see: they have a valid login to the system, and that login gives them access to the information by design.

You should review the actions of your users through the tools provided, such as the RECENT listing, so that misuse is noticed rather than going undetected.

To restrict access within the system, see Labels and Permissions in the setup guide for how to set access controls for your users. We recommend taking a balanced approach to setting access controls. Imposing unnecessary restrictions can lead to further problems, such as staff borrowing each other's logins to access material, which defeats both access control and accountability.

Seek professional advice

This document is intended to provide general advice. If security is critical for your organisation, as it is for most organisations, you should seek professional advice for your exact circumstances.

Ask us for a referral to a qualified professional.

Recommendations

These security guidelines make some important recommendations. We’ll use the words should and must (in italics) with very specific meanings:

  • must — implementing this recommendation is an absolute requirement. Without it, you’re taking a big risk.
  • should — there may exist valid reasons in particular circumstances to ignore this recommendation, but the full implications must be understood and carefully weighed. It’s not 100% vital that you follow this recommendation, but if you’re dealing with information you consider very confidential, treat this as must!

If you fail to follow a recommendation marked as must, you are taking an unacceptable risk that we, as the providers of your information system, cannot mitigate through technical measures in the service we provide. We have made your information as secure as possible through technical means, but you need to do your part to keep it safe.

Contents

Passwords
Authentication tokens
Desktop computers
Mobile devices
Feeds and updates
Revoking access
Best practice
Resources