Access Control Policy¶
Aligned with ISO/IEC 27001:2022
1. Purpose¶
The purpose of this policy is to ensure that access to information, systems, applications, and cloud services is controlled based on business and security requirements.
This policy defines how access is granted, reviewed, modified, and revoked to prevent unauthorized access to company and customer information.
2. Scope¶
This policy applies to:
| Audience | Coverage |
|---|---|
| Employees | All staff |
| Contractors | All contractors |
| External service providers | All third parties with system access |
In-scope systems:
- AWS environments (CI/CD, application services, production and staging)
- Google Workspace
- Source code repositories (e.g., GitHub/GitLab)
- Slack
3. Principles¶
The company applies the following access control principles:
| Principle | Description |
|---|---|
| Least Privilege | Users receive only the minimum access necessary. |
| Need-to-Know | Access is granted only when required for business purposes. |
| Role-Based Access Control (RBAC) | Access is assigned based on job roles. |
| Segregation of Duties | Critical tasks require separation of responsibilities. |
| Default Deny | Access is denied unless explicitly granted. |
4. User Access Management¶
4.1 User Registration¶
- All access must be formally requested and approved.
- Access requests must be approved by the relevant manager and system owner.
- Each user must have a unique identifier (no shared accounts unless technically required and documented).
4.2 Privileged Access¶
Privileged access includes:
- AWS IAM Admin roles
- Production database access
- Infrastructure modification rights
- Google Workspace Super Admin
Controls for privileged access
- Privileged access must be approved by management.
- MFA is mandatory for all privileged accounts.
- Use of privileged access must be logged.
- Privileged access is reviewed quarterly.
4.3 Access to Production Systems¶
- Production access is restricted to authorized personnel only.
- Development and production environments must be separated.
- Direct production changes are prohibited unless:
- Approved
- Logged
- Documented
5. Authentication Controls¶
- MFA is required for:
- AWS accounts
- Google Workspace
- Admin accounts
- Passwords must:
- Meet minimum length requirements (e.g., 12 characters)
- Not be reused across systems
- Single Sign-On (SSO) is used where possible to centralize control.
6. Access Review¶
- Access rights are reviewed:
- At least quarterly for privileged users
- Annually for standard users
- Managers must confirm continued access need.
- Unnecessary access must be removed immediately.
7. Joiner, Mover, Leaver Process¶
7.1 New Employees (Joiners)¶
- HR notifies IT/security before start date.
- Access is provisioned based on job role.
- Employee must complete security awareness training.
7.2 Role Changes (Movers)¶
- Access rights must be reviewed and adjusted when roles change.
- Previous access must be removed if no longer required.
7.3 Termination (Leavers)¶
- Access must be revoked on or before the last working day.
- Accounts must be disabled immediately.
- Company devices must be returned.
- Shared secrets and credentials must be rotated if necessary.
8. Third-Party Access¶
- Third-party access must:
- Be approved
- Be time-limited where possible
- Be subject to NDA or contractual security terms
- Third-party accounts must be reviewed regularly.
9. Logging and Monitoring¶
- Access to critical systems must be logged.
- Logs must be retained according to the Logging Policy.
- Suspicious access attempts must be investigated.
10. Responsibilities¶
| Role | Responsibility |
|---|---|
| Management | Approve access requests. |
| System Owners | Define access levels. |
| IT/Security | Implement and review access. |
| Employees | Protect credentials and report incidents. |
11. Policy Violations¶
Failure to comply with this policy may result in disciplinary action.
12. Review and Maintenance¶
This policy shall be reviewed annually or when significant system changes occur.