Controls & Security
This page documents access controls, cybersecurity practices, and data backup procedures for SHHA systems.
Items marked TODO need information filled in. These questions originated from Andrea's controls review.
Access Controls — Who Has Access to What?
Microsoft 365 Admin Access
| Global Administrator | TODO: Who currently has Global Admin access? (There should be a primary and a backup.) |
| User / Group management | Anna (office staff) manages day-to-day membership. IT admin handles mailbox permissions. |
| Who manages access? | TODO: Is there a documented process for granting/revoking admin access? Who approves changes? |
Other System Access
| System | Primary Access | Backup Access |
|---|---|---|
| QuickBooks | TODO | TODO |
| Membership Database | TODO | TODO |
| Gusto (Payroll) | TODO | TODO |
| SHHA Website (admin) | TODO | TODO |
| Square | TODO | TODO |
| Domain registrar | TODO | TODO |
| Google accounts | TODO | TODO |
Cybersecurity
Current Practices
- TODO: Do we enforce multi-factor authentication (MFA) for Microsoft 365 admin accounts?
- TODO: Do we enforce MFA for all licensed users?
- TODO: How do we handle password policies? (complexity requirements, rotation schedule)
- TODO: Is there an incident response plan if an account is compromised?
- TODO: Do we have phishing awareness guidelines for staff and volunteers?
Data Access
- TODO: How do we manage overall data access security? (e.g., conditional access policies, device restrictions)
- TODO: Are there any data classification policies (confidential vs. public)?
- TODO: How is sensitive financial data protected? (QuickBooks access, payroll data in Gusto)
Data Backup
Cloud-Based Systems
Most SHHA data resides in cloud services. Each provider has its own backup/redundancy:
| System | Backup Approach |
|---|---|
| Microsoft 365 (email, SharePoint) | Microsoft provides built-in redundancy and retention policies. TODO: Do we have a separate backup solution (e.g., third-party M365 backup)? What are our retention policy settings? |
| QuickBooks Online | Intuit maintains backups. TODO: Do we also export periodic backups locally? |
| Gusto | Gusto maintains payroll records. TODO: Do we keep local copies of payroll reports? |
| SHHA Website | TODO: Who backs up the website? How often? Where are backups stored? |
| Membership Database | TODO: How is the membership database backed up? |
Local Data
- TODO: Is any critical data stored only on local computers (office PCs) and not in the cloud?
- TODO: If so, how is that data backed up?
Other Security Considerations
- TODO: Do we have cyber liability insurance?
- TODO: When was the last security review or audit of our systems?
- TODO: Are there any compliance requirements (e.g., state HOA data retention laws)?