fbpx

System Access Control Policy

Table of Contents

Background

Access to Social Workshop Ltd systems and applications is controlled for all users, including but not limited to employees, volunteers, business associates, contracted providers, and consultants.  Access by any other entity is allowable only on a minimum necessary basis.  All users are responsible for reporting an incident of unauthorised use or access of the organisation’s information systems.

Purpose

The purpose of this policy is to provide a procedure and guideline for creating, modifying, or removing access to the Company’s systems, network and data by creating, changing or deleting the account configuration for a User.

Scope

This policy and defined process is used to allow access to the company’s data and systems to individuals who meet the requirements defined in this policy.  This policy governs individuals who are granted access that is necessary to support the business.  This policy relates to all data used, processed, stored, maintained, or transmitted in and through the Company’s systems.

Joiners

A joiner in this context is anybody who starts working with Social Workshop Ltd, whether as an employee, contractor or anybody else with access to the company’s IT systems, such as a key supplier.

Process

The following are tasks which need to be completed by the hiring manager within Social Workshop Ltd, and/or the prospective employee/contractor:

  • Agree job/project specifications
  • Obtain and confirm any necessary credentials
  • Obtain references as necessary
  • Contract of employment signed by both parties
  • Joiner must complete Social Workshop’s cyber security compliance assessment before any work can commence.  This will ensure suitable antivirus and password management are in place on any device that will be used for work purposes.
  • Joiner must also complete security awareness and compliance training as part of their onboarding process.
  • IT systems accounts are created by a member of the Compliance Team and recorded in the Company’s Information Security Management System (ISMS).
    • New user accounts should follow the practice of issuing the least-privileged access – only systems and permissions therein will be issued to new users.
    • See Password Policy for guidance on password standards, and methods of transmission for user accounts
  • Joiners test their level of access and confirm they have what they need to commence working on behalf of the company.
 
Access Reviews

All access to Social Workshop Ltd systems and services is reviewed and updated at least on an annual basis to ensure proper authorisations are in place commensurate with job functions.  The process for conducting reviews is outlined below:

  1. The Compliance Team initiates the review of user access by creating an entry in the ISMS review timetable.  A review my be conducted across any/all of the 5 following areas: access levels, hardware inventory, firewall rules, software installed and software versions
  2. The Compliance Team will review the items above for each Social Workshop Ltd user.
  3. If user access is found during review that is not in line with the least privilege principle, the Compliance Team may modify user access and notify the user of access changes.
  4. Once the review is complete, the Compliance Team date stamps the review and adds any pertinent notes required.
 
Workforce Clearance
  • The level of security assigned to a user of Social Workshop Ltd’s information systems is based on the minimum necessary amount of data access required to carry out legitimate job responsibilities assigned to a user’s job classification.
  • All access requests are treated on a “least-access principle.”
  • Social Workshop Ltd maintains a minimum necessary approach to access to Customer data.
 
Unique User Identification
  • Access to the Social Workshop Ltd systems and applications is controlled by requiring unique User Login IDs and passwords for each individual user.
  • Multifactor authentication is used whenever available
  • Password requirements mandate strong password controls.
  • Passwords are not displayed at any time and are not transmitted or stored in plain text.
  • Default accounts on all production systems, including root, are disabled.
  • Shared accounts are not allowed within Social Workshop Ltd systems or cloud services.
 
Automatic Logoff
  • Users are required to make information systems inaccessible by any other individual when unattended by the users (e.g. by using a password protected screen saver or logging off the system).
 
Acceptable Use

Leavers

A leaver is somebody who will no longer be working with Social Workshop Ltd, and therefore does not require their access to company systems any longer.

It is the policy of Social Workshop Ltd that following the departure of a member of staff, all user accounts that the ex-employee/contractor/etc. was privy to will be disabled either by deletion or by a change of password.  An out of office response will be enabled and any received email will be redirected to the relevant Departmental Head or deleted, whichever is applicable.

It will be the responsibility of the Compliance Team to remove any software access permissions to restrict further access to the Organisation.  Where keys and access tokens were not the property of the Company, it is the responsibility of the Compliance Team to ensure those tokens have been disabled.

Upon leaving the Comapny, the ex-employee/contractors/collaborators will be reminded of this security policy document, and reminded of their obligations concerning privacy and protecting the company’s data assets.

Process

  • If requested by the Compliance Team, all leaver’s passwords must be revealed
  • The leaver will set an appropriate out-of-office auto response if they have a company email address.
  • The leaver will surrender all access keys and tokens to their line manager
  • It is the responsibility of the Compliance Team to ensure all accounts relating to the leaver have been disabled. For example;
    • Slack
    • Gmail
    • Drive
    • Airtable
    • Miro
    • Zapier
    • Mailchimp
    • Manychat
    • Facebook Business Manager
    • Falcon
    • AWS
    • SSH
    • Github
  • The Company Information Security Management System (ISMS) will be updated accordingly to record that leaver access rights have been revoked
  • The leaver’s line manager should also carefully think about any other information that may need to be reviewed or any secret material which may need to be rotated as a result of the leaver’s departure.  Examples could be;
    • Contact lists the leaver had access to
    • Other communication methods the leaver had access to, for example VoIP telephony systems
    • SSH key pairs which may need to be rotated on servers
  • The Compliance Team will coordinate with the appropriate Social Workshop Ltd employees to terminate access to any non-production systems managed by those employees within 1 business day of termination/separation.

Revision history

VersionDateDescription of Changes
V1August 15th, 2022Initial Creation
V1.1August 30th, 2022Publication