Recognize recommends the following settings to enhance security for your organization's account:
- Enable SSO and Force SSO login
  - Force SSO limits users to connecting to Recognize only with the login and password of your SSO identity provider.
- Enable a User Sync
  - The Recognize user sync is a process that provides a way for companies to keep their Recognize user directory in sync with their corporate user directory.
  - Once initial settings are established, the user sync options allow you to manage your users in Recognize automatically.
  - With User Sync enabled, user email addresses (and other data coming from the sync) are automatically locked so users cannot edit them manually from within their Recognize accounts.
- Enable “Disable signups”
  - With this setting turned on, you remove the ability for users to sign up independently from your user import and have increased control over users within your Recognize instance.
- Disable “Allow user to invite others”
  - With this setting turned off, you remove the ability for users to invite others to your organization’s account, allowing Company Admins to have full control over what users are provisioned in your account.
- Ensure only the expected authentication mechanisms are enabled and disable all other log-in options.
  - E.g., if using SSO sign-in, disable passwords and social sign-in options.
- Enable “Limit sending to within company only”
  - When enabled, recognitions may only be sent to existing users in your organization.
- Enable “Limit new recognition to be accessible only to your organization”
  - If this setting is turned off, new recognitions can be accessed by the public (Google and other search engines, LinkedIn, etc.).

Other Recommendations to Secure Your Account:
- Limit Company Admin Access in Recognize
  - “With great power comes great responsibility”: any user with a Company Admin role in Recognize has access to view and potentially modify your organization's platform data. Restricting admin privileges to only the select individuals who require them reduces the risk of accidental changes or modifications that are otherwise difficult to identify or control.
- Require Approvals
  - When configuring Badges, Recognize provides an option to implement a process by which Company Admins or Managers can approve such Recognitions before they are sent to a recipient.
  - For customers using Rewards, we recommend that you enable approvals to proactively monitor rewards activity. For clients who wish to use an approval process, we also recommend assigning a designated Rewards Manager.
- Enable a Two-Factor Authentication method within your Organization
  - Two-Factor Authentication generates time-sensitive tokens or passcodes that add a second layer of protection beyond a traditional password alone. This helps protect users against identity hijacking and further sensitive data loss and is considered best practice for data protection.