External Web Account Management

Without a policy for handling logins to 3rd party SaaS websites, access to these services quickly devolves into chaos when people leave your organization.

Policy

All 3rd party services that your organization relies on must be associated with a master email account. Ideally, the email account is a group account that multiple people or an entire team have access to (e.g., webmaster@example.com, marketing@example.com, hr@example.com). Because this mailbox becomes the recovery path for every service tied to it, keep its membership short and deliberate, protect it with multi-factor authentication, and remove people from it as part of offboarding.

If your organization loses a password, you can then reset it and receive the reset instructions at the master email account. Verify that the reset path actually reaches that mailbox before you need it, and treat reset links that land there as credentials: anyone who can read the mailbox can take over the account.

If a service allows multiple logins per account, the master email account must also be one of those logins, with full admin privileges. Individual accounts may then be set up for people in your organization with only the permissions they need, and removed when they leave.

Use a different password for each account. Keep an inventory of these master accounts (service, URL, login, and who has access) and store the credentials themselves in a password manager with a shared vault rather than in a plaintext spreadsheet; a network drive behind the firewall is not a safe place for cleartext passwords, since anyone with access to the share can read them. If a document is unavoidable, encrypt it and restrict it to a short list of people. Make it a habit to keep the inventory up to date, and review it whenever someone leaves.

The Problem

Consider 3rd party services like these (all usually crucial to your organization's and website's operations):

  • Web hosting
  • Domain name registrar
  • Content management system
  • CRM
  • Google AdWords
  • Google Analytics
  • Google FeedBurner
  • Google Apps
  • Facebook
  • Google+
  • Twitter
  • HootSuite
  • GitHub
  • MailChimp
  • Typekit

When someone at a company signs up for a 3rd party service like these, they will sometimes use their own individual company email address as the primary login. This becomes a problem when that employee leaves: their mailbox is deactivated, password resets go nowhere, and your organization is locked out of the 3rd party account.
