| Field | Value |
|---|---|
| Document ID | ISMS-POL-004 |
| Version | 0.1 |
| Status | Draft |
| Classification | Internal |
| Owner | Information Security Officer |
| Approved by | Managing Director |
| Approval date | pending |
| Effective from | pending |
| Next review | pending; annually, or on material change |
| Annex A controls | A.5.15 (access control), A.5.16 (identity management), A.5.17 (authentication information), A.5.18 (access rights), A.8.2 (privileged access rights), A.8.3 (information access restriction), A.8.5 (secure authentication) |
¶ 1. Purpose
This policy sets the requirements for granting, using, reviewing, and
revoking access to BackupExperts systems and to the customer systems
that BackupExperts accesses in the course of service delivery.
¶ 2. Scope
This policy applies to:
- All BackupExperts personnel and contractors.
- All accounts on BackupExperts-controlled systems (Hetzner-hosted apps,
  basement infrastructure, BackupExperts work accounts).
- All accounts that BackupExperts holds on customer systems.
- All authentication material (passwords, API keys, TOTP secrets,
  certificates) in use for either of the above.
¶ 3. Principles
- Least privilege. No account holds entitlements beyond those
  required for the role for which it was provisioned.
- MFA mandatory. Multi-factor authentication is enforced on every
  human account where the underlying system supports it. Where it
  does not, this is recorded as a control gap on the affected
  system in the Risk Register.
- Strong authentication material. Passwords are generated with
  sufficient entropy (≥ 20 random characters, or a passphrase of
  equivalent strength) by the password manager and are never reused
  across accounts. Shared secrets are avoided; where they exist, they
  are rotated whenever any party that holds them leaves or changes role.
- Centralised credential storage. All BackupExperts-held
credentials live in the BackupExperts self-hosted Vaultwarden
instance. No credentials are stored in browsers, in plain-text
files, in chat messages, or in personal password managers used for
non-BackupExperts purposes.
- Separation of accounts. Personal accounts and BackupExperts
work accounts are not mixed. The work device, while personally
owned (BYOD), uses a dedicated BackupExperts profile / separate
work account where the platform supports it.
- Logged privileged access. Every privileged action on systems
that hold customer data is logged. Logs are retained for the
period stated in the Statement of Applicability
(planned).
¶ 4. Identity architecture
BackupExperts does not currently operate a centralised identity
provider (IdP). Each in-use system holds its own account database,
with MFA enforced per system. The de facto register of all in-use
accounts is the BackupExperts Vaultwarden instance. This arrangement
is recorded as risk R-008 in the Risk Register
with a stated treatment plan.
For as long as this arrangement persists, the following compensating
controls apply:
- An account inventory is maintained in Vaultwarden as the source of
truth for the Joiner / Mover / Leaver procedure
(planned).
- Each customer system is treated as a separately-administered identity
domain; access reviews iterate through each system rather than
through a single IdP report.
¶ 5. Authentication material
¶ 5.1 Passwords
- Generated by Vaultwarden and stored only in Vaultwarden.
- Minimum strength: ≥ 20 random characters, mixed case + digits +
  symbols where the system permits.
- Reset on any suspicion of compromise.
- Never shared by email, chat, or telephone.
¶ 5.2 Multi-factor authentication
- Enforced on every account where the system supports it.
- TOTP secrets are stored in Vaultwarden alongside the corresponding
  account; hardware tokens (where used) are listed in the asset
  inventory.
- Recovery codes are stored in Vaultwarden in the same vault item as
  the account.
- Because password, TOTP secret and recovery codes then sit in one
  vault item, the Vaultwarden master password and the vault's own
  second factor are the effective second factor for every account.
  The Vaultwarden account's own TOTP secret and recovery codes are
  therefore never stored inside that vault; they are held on a
  hardware token or offline.
¶ 5.3 API keys and tokens
- Treated as confidential authentication material under §5.1.
- Generated with the narrowest scope the target system permits.
- Rotated on a defined cadence and on personnel change.
- For tenant Wiki.js API tokens used by
  wiki-cms, see the per-tenant
  variable convention in .env (the value never enters the wiki or
  the repository).
¶ 6. Customer credential handover
When a new customer hands over administrative credentials to
BackupExperts:
- Vaultwarden Send (a one-time, expiring, encrypted link) is the
  standard channel for the transfer. The Send is limited to a single
  access and a short expiry, and any password set on it is
  communicated over a different channel from the link itself.
- Where the customer cannot use Vaultwarden Send, BackupExperts
accepts the credentials over an alternative channel only on the
condition that those credentials are rotated immediately on
receipt and the new credentials are stored in Vaultwarden. The
rotation is recorded in the customer's onboarding document.
- Credentials received in the clear (email, chat, voice) without
immediate rotation are treated as a security event under the
Incident Response Policy.
- Customer credentials are stored in a Vaultwarden vault scoped to
that customer.
¶ 7. Personnel changes
Personnel changes at BackupExperts and at customer-side
administrative contacts are handled per the Joiner / Mover / Leaver
procedure (planned). Where Vaultwarden
sharing relationships are used to give a customer contact access to
shared secrets, those shares are revoked on departure.
¶ 8. Privileged access
Privileged access (root, administrator, write access to backup
targets, write access to the wiki-cms repository on the canonical
branch) is governed by the Privileged Access
(planned) page. Key requirements:
- Privileged credentials are separate from routine credentials on the
  same system where the platform supports it.
- Use of privileged credentials is logged and reviewed.
- Backup-target privileged credentials are never the same as
  source-system credentials, so that compromise of a source system
  cannot be used to destroy its backups, and compromise of a backup
  target cannot be used to reach the source system.
¶ 9. Access review
Access on every in-use system is reviewed at least quarterly:
- The Information Security Officer iterates through the Vaultwarden
account inventory and confirms each entry is still required.
- For customer systems, the review confirms BackupExperts' active
account list against the customer's expectations.
- Accounts no longer required are disabled (preferred) or deleted, and
the corresponding Vaultwarden entry is updated.
- Review outcomes are recorded in the access review log
(planned).
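As an added example (not BackupExperts tooling), the following PowerShell turns an unencrypted Vaultwarden JSON export into the per-system checklist the quarterly review walks through, and flags entries that violate the password and MFA requirements above. It assumes the Bitwarden export format (`type` 1 = login item, with `login.uris`, `login.username`, `login.password`, `login.totp`); the export embedded in the script is constructed sample data, and the item names, hosts and accounts in it are made up.

```powershell
# Audit an unencrypted Vaultwarden (Bitwarden-format) JSON export against the
# password rules (>= 20 chars, no reuse) and the MFA rule (TOTP secret stored
# with the account), and list entries per system for the quarterly review.
# Added example, not BackupExperts tooling. Export the vault as unencrypted
# JSON to an encrypted volume, run this, then delete the export.
# The sample export below is constructed.

$MinPasswordLength = 20

function Get-VaultAuditReport {
    param([Parameter(Mandatory)][string]$ExportJson)

    $export = $ExportJson | ConvertFrom-Json
    # type 1 = login item; notes, cards and identities carry no account credentials.
    $logins = @($export.items | Where-Object { $_.type -eq 1 -and $_.login })

    # Count how many items share each password so reuse can be flagged.
    $passwordUse = @{}
    foreach ($item in $logins) {
        $pw = [string]$item.login.password
        if ($pw) { $passwordUse[$pw] = 1 + [int]$passwordUse[$pw] }
    }

    foreach ($item in $logins) {
        $pw  = [string]$item.login.password
        $uri = $item.login.uris | Select-Object -First 1 -ExpandProperty uri
        # Group by host so the review walks one system at a time (there is no IdP report).
        $system = '(no URI)'
        if ($uri) { try { $system = ([uri]$uri).Host } catch { $system = $uri } }

        $findings = @()
        if ($pw.Length -lt $MinPasswordLength) { $findings += "password shorter than $MinPasswordLength chars" }
        if ($pw -and $passwordUse[$pw] -gt 1)  { $findings += 'password reused in another item' }
        if (-not $item.login.totp)             { $findings += 'no TOTP secret stored (MFA gap or unsupported; check Risk Register)' }

        [pscustomobject]@{
            System        = $system
            Account       = $item.login.username
            Item          = $item.name
            Findings      = ($findings -join '; ')
            StillRequired = ''   # completed by the reviewer, then filed in the access review log
        }
    }
}

# Constructed sample export (names, hosts and secrets are invented).
$SampleExport = @'
{ "encrypted": false, "items": [
  { "type": 1, "name": "Hetzner Cloud console",
    "login": { "uris": [ { "uri": "https://console.hetzner.cloud" } ],
               "username": "ops@backupexperts.example",
               "password": "Xq7!vR2#mL9$tB4&wN6@zK1%", "totp": "JBSWY3DPEHPK3PXP" } },
  { "type": 1, "name": "Customer A - Wiki.js admin",
    "login": { "uris": [ { "uri": "https://wiki.customer-a.example" } ],
               "username": "backupexperts-admin",
               "password": "correct-horse-battery-staple-9", "totp": null } },
  { "type": 1, "name": "Basement NAS (ssh)",
    "login": { "uris": [ { "uri": "ssh://nas.basement.lan" } ],
               "username": "root", "password": "Winter2024!", "totp": null } },
  { "type": 1, "name": "Customer A - backup target",
    "login": { "uris": [ { "uri": "https://backup.customer-a.example" } ],
               "username": "backup-writer", "password": "Winter2024!", "totp": null } },
  { "type": 2, "name": "Onboarding notes", "secureNote": { "type": 0 } }
] }
'@

Get-VaultAuditReport -ExportJson $SampleExport | Sort-Object System | Format-Table -AutoSize

# Against a real export, to file the result in the access review log:
# Get-VaultAuditReport -ExportJson (Get-Content .\vault.json -Raw) |
#     Export-Csv .\access-review.csv -NoTypeInformation
```

On the sample data the Hetzner entry passes, the Wiki.js admin entry is flagged only for the missing TOTP secret, and the two `Winter2024!` entries are flagged for length, reuse and missing TOTP; the `StillRequired` column is what the reviewer fills in per system before the CSV goes into the access review log.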
¶ 10. Work device (BYOD)
The personal laptop used for BackupExperts work (BYOD) shall have:
- Full-disk encryption (BitLocker) enabled and verified.
- Microsoft Defender real-time protection enabled and updated.
- Operating system on a supported version with security updates
applied within 14 days of release.
- Screen lock with idle timeout ≤ 10 minutes.
- BackupExperts work account separated from personal account at the
OS level where feasible.
The BYOD arrangement and its compensating controls are recorded as
risk R-007 in the Risk Register.
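The device requirements above can be verified on the laptop itself. The following PowerShell is an added example (not BackupExperts tooling) that checks BitLocker, Defender, the screen-lock timeout and patch currency against the thresholds stated in this policy and reports each as pass/fail. It assumes Windows with the BitLocker and Defender modules present and an elevated shell; the one-day signature-age threshold is an assumption (the policy only says "updated"), and OS support status and work/personal account separation are reported or left to the reviewer rather than decided by the script.

```powershell
# Baseline check for the BYOD work laptop against the requirements above.
# Added example, not BackupExperts tooling. Run from an elevated PowerShell
# (Get-BitLockerVolume and Get-MpComputerStatus need local admin rights).
# Thresholds are the policy's own except MaxSignatureAge, which is an assumption.

$MaxIdleSeconds  = 600   # screen lock <= 10 minutes
$MaxPatchAgeDays = 14    # security updates applied within 14 days of release
$MaxSignatureAge = 1     # days; assumption, the policy only says "updated"

function Test-WorkDeviceBaseline {
    $results = New-Object System.Collections.Generic.List[object]
    $add = {
        param([string]$Control, [bool]$Pass, [string]$Detail)
        $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # 1. Full-disk encryption: system drive fully encrypted with protection on.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $ok  = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
        & $add 'BitLocker' $ok "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
    } catch { & $add 'BitLocker' $false "cannot query BitLocker: $($_.Exception.Message)" }

    # 2. Defender real-time protection on and signatures current.
    try {
        $mp = Get-MpComputerStatus
        $ok = $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le $MaxSignatureAge)
        & $add 'Defender' $ok "real-time=$($mp.RealTimeProtectionEnabled), signature age $($mp.AntivirusSignatureAge) day(s)"
    } catch { & $add 'Defender' $false "cannot query Defender: $($_.Exception.Message)" }

    # 3. Screen lock: either the machine inactivity limit policy or a secure
    #    screensaver, with a timeout of at most 10 minutes.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $ss  = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $policyLock = ($pol.InactivityTimeoutSecs -gt 0) -and ($pol.InactivityTimeoutSecs -le $MaxIdleSeconds)
    $saverLock  = ($ss.ScreenSaveActive -eq '1') -and ($ss.ScreenSaverIsSecure -eq '1') -and
                  ([int]$ss.ScreenSaveTimeOut -gt 0) -and ([int]$ss.ScreenSaveTimeOut -le $MaxIdleSeconds)
    & $add 'ScreenLock' ($policyLock -or $saverLock) `
        "InactivityTimeoutSecs=$($pol.InactivityTimeoutSecs); screensaver active=$($ss.ScreenSaveActive) secure=$($ss.ScreenSaverIsSecure) timeout=$($ss.ScreenSaveTimeOut)s"

    # 4. Patch currency: no pending software update that was released more than
    #    14 days ago. Also reports the OS build so support status can be judged.
    try {
        $os       = Get-CimInstance Win32_OperatingSystem
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
        $cutoff   = (Get-Date).AddDays(-$MaxPatchAgeDays)
        $overdue  = @($pending | Where-Object { $_.LastDeploymentChangeTime -lt $cutoff })
        & $add 'Updates' ($overdue.Count -eq 0) `
            "$($os.Caption) build $($os.BuildNumber); $($pending.Count) pending, $($overdue.Count) older than $MaxPatchAgeDays days"
    } catch { & $add 'Updates' $false "cannot query Windows Update: $($_.Exception.Message)" }

    return $results
}

Test-WorkDeviceBaseline | Format-Table -AutoSize
```

A failed row is the evidence to attach to the R-007 entry or to an incident record; the script deliberately treats an unanswerable check (module missing, Windows Update unreachable) as a fail rather than a pass, so a laptop on which BitLocker cannot even be queried does not silently satisfy the policy.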
¶ 11. Records
Records produced under this policy:
- Access review log (planned): every quarterly review.
- Training log (planned): acknowledgement of this policy on joining and
  after material change.
- Incident register entries: any access-related security event.