Organizational Memory
Security card, MethodKit for Memory & Reminiscence
Card 57 of 66 · MethodKit for Memory & Reminiscence
Governance, Legal & Risk

Security

From physical location to computer systems

Security is the set of measures between your organization's most important assets and the people or events that could compromise them.

Security for most organizations sits at the intersection of physical and digital. Physical security covers the office, equipment, and access to sensitive spaces. Digital security covers accounts, data, systems, and the people who can access them. Both are worth mapping, and the biggest risks are usually at the boundary between the two.

A practical starting point is access: who can get into the building, who has administrator accounts on core systems, who knows the passwords to shared accounts, and what happens to all of that when someone leaves. Access that is not actively managed is access that is not actually controlled.

Incident response is the piece most organizations do not have. When a breach or security incident occurs, the first hour is the most important and the most chaotic. Even a simple written checklist of who to contact and what to do first is more useful than nothing.

What to capture

For this part of the company brain, this is what is worth writing down and keeping current. The goal is not a complete archive but a living record that new people can read and returning people can trust.

Access map

Who has access to what: physical spaces, administrator accounts, shared credentials, and sensitive systems, with a process for removing access when people leave.

Device & account policy

How devices are managed, what two-factor authentication is in place, how software is kept updated, and what the policy is on personal devices used for work.

Critical asset inventory

The systems, data sets, and physical assets the organization most needs to protect, and the specific controls in place for each.

Incident response plan

The steps to follow if a security incident occurs, including who is notified, in what order, and who is responsible for each action.

Questions to explore

Use these on your own or in a group. There are no right answers, only better conversations.

  1. Who currently has administrator access to your core systems, and when was that list last reviewed?

  2. What would happen to your operations if your primary cloud account were compromised tonight?

  3. Is there a process for revoking all access when an employee or contractor leaves?

  4. Are there shared passwords that multiple people use, and is there a way to change them quickly if needed?

  5. Has the organization ever done a basic security review, and if so, how much has changed since then?

Things to notice

  • Offboarding checklists that mention access revocation but have no one assigned to actually carry it out leave former employees and contractors with live credentials long after they have left.
  • Shared passwords in email chains, chat messages, or documents mean that a breach of one system immediately exposes others.
  • Security measures that slow down legitimate work get quietly disabled or worked around, which means the control is not real even though it appears to be in place.