An important part of protecting calendar security is to be conscientious about calendar access. A calendar admin can regularly review the list of shareable links and account users in Settings > Sharing to make sure that all access is up-to-date and appropriate for each person's role.
When viewing the list of links and users in Settings > Sharing, you might notice that one person has two (or more) access points:
In the example above, Annie has both account-based access and an assigned calendar link. Notice also that she has Modify permission via the link, but she has Administrator access through her account access.
We recommend that each user have only one way to access the calendar. Limiting access to one method makes it easier to keep track of calendar access, ensure that it's kept up-to-date, and revoke access when someone is no longer authorized to have it.
Sometimes when setting up the calendar, an admin might start with one access method, then switch to another. It's fine to switch methods, but be sure to revoke old access points when they're no longer needed.
For example, perhaps Annie was first given a link with Modify permission. Then she was added as an account user, but she shouldn't have Administrator permission.
Here's what the calendar admin needs to do:
If you notice that one person has two (or more) lines in the Sharing list:
On a regular basis, visit Settings > Sharing, review the list, and keep all access points up to date for a more secure calendar.