google-cloud-security-and-compliance-whitepaper.pdf
Source: ChatGPT
Google Drive is a cloud-based storage service that allows users to store, share, and collaborate on files. Security is a top priority for Google Drive, and the company has implemented a number of measures to ensure that users' data is safe and secure.
One of the key security features of Google Drive is encryption. All files that are stored on Google Drive are encrypted both in transit and at rest. This means that when files are transferred to and from Google Drive, they are encrypted to protect against unauthorized access. Additionally, files are encrypted while they are stored on Google Drive servers, so even if someone were to gain access to the servers, they would not be able to read the files.
Another important security feature of Google Drive is access control. Users can set permissions for files and folders, allowing them to control who can view, edit, or download their files. Additionally, Google Drive supports two-factor authentication, which adds an extra layer of security to the login process. This helps to prevent unauthorized access to users' accounts, even if someone knows their password.
Google Drive also has a number of security features in place to protect against data loss. For example, all files stored on Google Drive are automatically backed up, so that users can restore their files in case of a problem. Additionally, Google Drive supports versioning, which allows users to view and restore previous versions of files.
Google also adheres to a number of compliance and regulatory standards, such as HIPAA, SOC 2, ISO 27001, SOC 3, and PCI DSS, to ensure that data is safe and secure.
Google also regularly audits its systems and infrastructure to ensure that they are secure and that any vulnerabilities are identified and addressed. Additionally, Google employs a team of security experts who monitor the systems to detect and respond to potential security threats.
In addition to these security features, Google also has a number of policies in place to ensure that users are aware of the risks associated with storing data in the cloud, and to provide guidance on how to best protect their data.
In summary, Google Drive is a secure platform that employs encryption, access control, and other security measures to protect users' data. Google is also compliant with several regulatory standards and regularly audits its systems to ensure that they are secure. Users are also provided with guidelines and best practices to help protect their data.
Stride has adopted technology that is industry-leading in its security controls. We have overlaid that system technology with a governance plan that allows for sufficient checks and balances while mitigating material risk. Here are our current safeguards:
Client Account Access:
A client team at Stride is typically made up of the following roles:
AL: Accounting Lead (day-to-day bookkeeper)
FP: Financial Partner (client relationship)
Director of Operations / Partners (as necessary)
Approval Controls: The primary approval controls come from the separation of duties that we set up in bill.com. Separation of duties at Stride is defined as follows: the individual entering a bill cannot also create vendors or issue payments. Approval is required before any payment can be made (this includes internal approval and client approval, if applicable).
QuickBooks Online -- Nearly all of Stride's clients are on the QuickBooks Online (QBO) platform. All QBO data is stored in the cloud. For full details of the QBO security standards, refer to the QBO security documentation. There are full audit trails, and access is limited to only the team members associated with your account.
Bill.com -- Clients that use Bill.com, which we integrate into QBO for our clients at Stride, have a highly secure platform for bill pay. Bill.com promotes six categories of security, on which more information is available from Bill.com. Access to bill.com is limited to the account team associated with each client and the administrator of that account (often the client). We have also enabled Multi-Factor Authentication for Bill.com, and both our team and the client are notified of any attempt at unauthorized access.
Expensify -- For many clients, Stride implements Expensify to manage credit card charges and reimbursement. Expensify uses bank-level security to keep client data safe. Expensify has taken a rigorous approach to data security, which is documented in Expensify's own security materials.
Password Security
We use 1Password for secure password protection at Stride. 1Password data is kept safe by AES-GCM-256 authenticated encryption. The data entrusted to 1Password is effectively impossible to decrypt. Secure random numbers, encryption keys, initialization vectors, and nonces are all generated using cryptographically secure pseudorandom number generators. Further details are available in 1Password's security documentation. Only the small team assigned to a client account has access to that client's passwords via 1Password, and an audit log of login history is available.
Secure File Sharing and Storage via Google Drive: Google Drive is our centralized repository for client files. Access to Drive is controlled by passwords generated via and stored in 1Password. Access and file sharing, with both internal and external constituents, is identity-based with the requisite permissions. Stride has implemented Multi-Factor Authentication (MFA) for both GSuite email and Google Drive (except certain alias-based mailboxes). We do not use or share any individual client's data with other clients or in support of other clients.
Security Awareness Training: Users at Stride undergo regular Information Security Awareness Training complete with simulated phishing exercises and content-based training on existing and emerging threats.
Cyber Insurance: Stride carries a comprehensive cyber insurance policy that protects Stride and its clients in the event of a cyber breach. The insurance policy will cover the cost of recovering from the breach as well as any 3rd party expenses.
Secure Devices: Stride team members’ devices are protected by industry-leading Endpoint Detection and Response (EDR) utilities, also known as Next Generation AntiVirus. The devices are also regularly patched and maintained according to industry best practices from Microsoft and Apple. The Philippines team specifically uses company-issued laptops set up with an industry-leading endpoint protection product. The team connects to the Philippines office via a secure VPN office network and then connects to US-restricted sites using a secure proxy server.
Shared Agreement on Bill.com Set up:
Security Rules: there are seven roles, each with a specified level of security as noted below; all security is established at the client level, with the exception of the Accounting and Admin roles, which have access for all clients. Those users who process and approve bills will access Bill.com via their individual login. Those who do not will access Bill.com via the Accounting alias email that is available in 1Password (1PW); these instructions will be released once established.
AL - approval authority
Minette - approval authority
FP - process authority
Accounting@ - read-only authority
Admin@ - Jam
Security Levels:
USER - update individual levels as noted above; delete all except the roles above if the user is not an AL, FP, or Minette
ROLE - AL, AOM, FP, Accounting and Admin
APPROVAL GROUP = AL and Minette
BANKING = Authorized users will be the AL, Minette and FP (US location is required for some set-ups)
The leadership team at Stride appreciates your help in keeping Stride safe and secure.
Generate SOW with signatory options:
Added a new field SOW Signee on the SOW Airtable.
Please add/remove personnel who need to act as signees.
A lot of GMs don't have phone numbers populated in the Resource table in the Operations base. It would be a good idea to populate their phone numbers.
Alternatively, if we have a Stride helpline number, I can add that as default (in case no phone number is found on the resource record) in the scenario code.
SHARED AGREEMENTS – Clarifying Points on shared commitments:
MEC Close Roles & Responsibilities
FP – responsible for establishing clear target dates pre-close, and for ensuring that milestone dates are achieved on time
AL – responsible for honoring agreed-upon target dates, or clearly communicating to CSM the reason for the delay
Minette – responsible for reporting out on progress metrics during the close
MEC Client Tracker Guide
AL Review - once the AL completes their comprehensive review of the financial reports, alert the FP
FP Review - once the CSM completes their review, including any changes, alert the AL
Telemetry Report - once Telemetry report is sent to the client
Key points:
Everyone is responsible for updating the tracker timely
Everyone is responsible for alerting their colleague when ready via Asana - Internal
Everyone is sent a visible report with a link to the External Drive - Financial Reports
General Best Practices
Target Dates - the purpose of these dates is to measure our internal proficiency; they are not intended to account for external delays
Locking Books - the objective is to influence the client to lock the books; if they need to unlock them for a particular purpose (e.g. historical clean-up), a request should be sent to Deb/Minette to unlock the books for QC purposes. The password should NEVER be released.
Timing of locking books - the best practice is for the AL to lock the books prior to sending to the CSM, and if changes are required, they are communicated to the AL for completion.
MFR and Telemetry Reports - the CSM determines when and how the MFR review is conducted. The MFR is done AFTER the Visible report is released. If an exceptional material adjustment is required in the current period, reproduction of the financial reports will be considered, perhaps at an additional charge depending on the reason for the change.
Suspense Items – Suspense items are to be addressed prior to the close, entering the month with a clean slate. If there are aged items, or new items needing client input during the close that are not provided timely, the AL/CSM should proceed with the close and address the suspense items post-close.
To honor our commitment to balancing family and work life, overtime is only required when there is a critical or urgent need. In the event overtime becomes required, here are the guidelines to follow:
Types of Overtime:
Regular Overtime - work performed in excess of 8 hours on regular day
Holiday Overtime - work performed during a holiday
Rest Day Overtime - work performed during the employee's rest day (weekends)
Employees may be allowed to perform overtime work when there is urgent and necessary work to be performed in order to avoid serious loss or damage, or where the completion or continuation of the work is necessary to prevent serious obstruction to operations.
The level of priority should fall into one of the categories below:
Critical - Tasks that cannot be delayed without affecting the work due date
Urgent - Tasks that have to be dealt with immediately and require completion or a response within 24 hours
Employees are to provide complete details of the overtime work:
Date when overtime will be rendered
Number of overtime hours
Client name for whom the work will be rendered
Specify function
Details of work
Priority (Critical/Urgent)
Task Due Date
Overtime work must be pre-approved by the immediate superior, or their manager if the direct supervisor is not readily available.
AL to be approved by Minette
Requests for approval should be made via email sent to the employee's immediate superior prior to the time or schedule of the overtime. We will allow the employee to send the request via quick messaging or Slack when deemed necessary, in consideration of the time required to provide the notification for prior approval via email, provided the complete details of the overtime work are given. This applies in the following cases:
If the overtime work is found to be urgent
During critical period (Ex. MEC)
If there is a need to extend the number of overtime hours
Any employee who renders overtime work without prior approval shall not be entitled to overtime compensation.
Kindly refer to the attached file for the format employees should use when seeking prior approval. Thank you!
Goals: Develop a shared agreement that a status update is provided on in-progress items that fall into the classification of the Payroll process.
Things to consider:
Definitions:
Critical - Anything urgent by nature that needs to be resolved within 1 to 2 days.
High - Requests that impact an external matter (client, vendor, client customer, etc.)
Mod - Requests that impact an internal matter
Low - Requests that are informational, but don't have a direct impact on meeting an objective
Organizational Agreement:
Same as BOSS instructions; complete information (use templates provided), assign a priority - be clear on their timeline (i.e. "Client expects response within 2 days") - as much information and clarity upfront as possible - BOSS-Payroll should not have to ask for clarity
The BOSS team can triage or determine whether the task in the queue will be triaged to the Payroll Pillar
If no priority is assigned by Ops/submitter, BOSS will not triage the task
If the matter is urgent, contact the BOSS lead in Slack to notify them of the urgency
If Critical/High, the assigned party will respond within 2 to 4 hours (within the stated working hours)
If "In Progress" or "Critical/High", BOSS - Payroll can request a daily status update to check progress
Purpose: To make sure Stride clients/team members have correct access to 1Password.
Policy / Process:
Upon on-boarding of a new client or team member, they will be given user access and credentials, along with instructions on how to access 1Password.
Clients - Invite as Guests and assign to their client vault
Clients will be limited to 2 users. If clients want to add additional users, additional fees will apply.
Managers - add access to Manager's Group and all active client vaults
FP - add assigned client's vaults
AL- add access to assigned Pod Group and pod client vaults
Payroll - add access to HR PR Service Dept. Group and those clients with Payroll services
Client Admin Support - add access to all active client vaults
Accounting Implementation Lead - add access to all active onboarding client vaults
Client Onboarding Manager - add access to the product manager to all active onboarding client vaults
Contractor and CFO - add access depending on the project assigned (per request only)
Vault Creation
CLIENT VAULT
Groups
Client - Guest own vault (View, Edit, Export)
Owners - Full Access
Administrator - Manage, View, Edit, Export
Managers - View, Edit, Export
Finance Partner - View, Edit, Export
Client Admin Support - View, Edit, Export, Manage
HR PR Service Dept. - View, Edit
Pod Group (1 - 7) - View, Edit, Export
People
Client (user-guest) - View, Edit, Export
Client Onboarding Manager - Full Access (during onboarding and will be removed after)
Accounting Implementation Lead - View, Edit, Export (during onboarding and will be removed after)
STRIDE VAULT - add groups or people depending on need
Groups
Owners - Full Access
Administrator - Manage, View, Edit, Export
Managers - View, Edit, Export
Finance Partners - View, Edit, Export
Client Admin Support - View, Edit, Export, Manage
HR PR Service Dept. - View, Edit
Pod Group (1 - 7) - View, Edit
People
Team Member - View, Edit (if necessary)
Contractor - View, Edit (if necessary)
NOTE: Client / Guest users can only access one (1) vault.
EMPLOYEE VAULT - add groups or people depending on need; mostly the person added is the vault owner
Groups
Owners - Full Access
Administrator - Manage, View, Edit, Export
Directors / Managers - View, Edit, Export (Operation team)
Finance Partners - No Access
HR PR Service Dept. - No Access
Pod Group (1 - 7) - No Access
Contractor - No Access
People
Team Member (vault owner) - View, Edit, Manage
PRIVATE VAULT
Avoid creating a private vault.
For employees who created or used private vaults in their 1Password login, kindly transfer all credentials to the assigned/created vault under your name if leaving or resigning.
For off-boarding of a client or team member, they will be removed from the vaults they were added to:
Clients - Need to be removed from Client vaults and Delete/Suspend User access
Team Member - Need to be removed from Groups and Vaults and Delete/Suspend User access
Contractor - Need to be removed from Groups and Vaults and Delete/Suspend User access
For off-boarding clients, FPs/ALs need to communicate to clients that their access will be removed on the termination date. It should be indicated in the “Initiate Offboarding Communication {AM owner}” letter from Offboarding Communication in Guru. Example of client communication to be added in the initial offboarding communication letter: “Please be informed that 1Password vault access will be deleted on the date of termination; kindly make sure all credentials are copied or saved on the security app you will be using moving forward. Kindly let us know if you want to request a copy and we will have it exported and sent to you. Furthermore, please be advised that your client vault will be deleted 3 months after the termination date.”
For Off-boarding employees/team members “Jam” will check the login credentials in the employee’s vault and will transfer necessary application login to Stride common email to avoid access loss or delete or unsubscribe unnecessary accesses.
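The Client-vault permission matrix and the guest limits above can be checked mechanically during an access review. The following is an added example, not Stride's tooling and not the 1Password API: it encodes the policy as data and runs it over a constructed membership export (vault names, principals and the function name are all hypothetical), flagging excess permissions, a third guest user on one client vault, and a guest present in two vaults.

```python
"""Access review for the Client-vault policy above (added example, not Stride's
tooling or the 1Password API); flags memberships that deviate from policy."""
from collections import Counter

# Expected permissions per role on a CLIENT vault (from the policy text above)
CLIENT_VAULT_POLICY = {
    "Owners": {"Full Access"},
    "Administrator": {"Manage", "View", "Edit", "Export"},
    "Managers": {"View", "Edit", "Export"},
    "Finance Partner": {"View", "Edit", "Export"},
    "Client Admin Support": {"View", "Edit", "Export", "Manage"},
    "HR PR Service Dept.": {"View", "Edit"},
    "Pod Group": {"View", "Edit", "Export"},
    "Client (guest)": {"View", "Edit", "Export"},
}
MAX_GUESTS_PER_CLIENT_VAULT = 2  # "Clients will be limited to 2 users"
MAX_VAULTS_PER_GUEST = 1         # "Client / Guest users can only access one (1) vault"

def review_client_vaults(memberships):
    """memberships: iterable of (vault, principal, role, permissions) tuples;
    returns a list of policy findings (empty when compliant)."""
    findings = []
    guests_per_vault = Counter()
    vaults_per_guest = {}
    for vault, principal, role, perms in memberships:
        allowed = CLIENT_VAULT_POLICY.get(role)
        if allowed is None:
            findings.append(f"{vault}: {principal} has unknown role {role!r}")
            continue
        extra = set(perms) - allowed  # anything beyond the role's entitlement
        if extra:
            findings.append(f"{vault}: {principal} ({role}) has excess permissions {sorted(extra)}")
        if role == "Client (guest)":
            guests_per_vault[vault] += 1
            vaults_per_guest.setdefault(principal, set()).add(vault)
    for vault, n in guests_per_vault.items():
        if n > MAX_GUESTS_PER_CLIENT_VAULT:
            findings.append(f"{vault}: {n} guest users exceeds limit of {MAX_GUESTS_PER_CLIENT_VAULT}")
    for guest, vaults in vaults_per_guest.items():
        if len(vaults) > MAX_VAULTS_PER_GUEST:
            findings.append(f"{guest}: guest has access to {len(vaults)} vaults {sorted(vaults)}")
    return findings

# Constructed sample export (hypothetical vault names and users, not real data)
SAMPLE_EXPORT = [
    ("Client-Acme", "Pod Group 3", "Pod Group", ["View", "Edit", "Export"]),
    ("Client-Acme", "hrpr-team", "HR PR Service Dept.", ["View", "Edit", "Export"]),  # Export not allowed
    ("Client-Acme", "alice@client", "Client (guest)", ["View", "Edit", "Export"]),
    ("Client-Acme", "bob@client", "Client (guest)", ["View", "Edit", "Export"]),
    ("Client-Acme", "carol@client", "Client (guest)", ["View"]),  # third guest user
    ("Client-Beta", "alice@client", "Client (guest)", ["View"]),  # same guest, second vault
]
if __name__ == "__main__":
    for finding in review_client_vaults(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Running it against a real export requires only mapping that export into the same four-field tuples; the off-boarding rules above (removal on the termination date) could be checked the same way by adding a termination date to each tuple.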
Purpose: Provide guidelines on how to manage suspense items needing client inputs.
Policy:
Obtain agreement on a workday that open suspense items may be addressed with them
Contact client on agreed upon date for review
If no response within 24 hours of set date, close the month*
Review items with client prior to the next close
Reclass the item in the new current month
*If the materiality threshold is > $10k and there is no response in 24 hours, then escalate to the CSM for resolution