Access Control Policy
| Property | Value |
|---|---|
| Document ID | POL-002 |
| Version | 1.0 |
| Status | Draft |
| Owner | Chief Information Security Officer (CISO) |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2: CC6.1-CC6.8 / ISO 27001: A.9.1-A.9.4 |
1. Purpose
This policy establishes requirements for controlling access to organizational information systems and data. It ensures that only authorized users have access to resources appropriate for their job functions, protecting against unauthorized access, modification, or disclosure of information.
2. Scope
This policy applies to:
- Users: All employees, contractors, and third parties requiring system access
- Systems: All applications, databases, servers, network devices, and cloud services
- Access Types: Logical access, physical access, remote access, privileged access
- Data: All organizational data regardless of classification level
3. Policy Statements
3.1 Access Control Principles
All access shall be governed by the following principles:
| Principle | Description |
|---|---|
| Least Privilege | Users receive only the minimum access required to perform their job functions |
| Need-to-Know | Access to information is granted only when there is a legitimate business need |
| Separation of Duties | Critical functions are divided among different individuals to prevent fraud |
| Defense in Depth | Multiple layers of access controls protect sensitive resources |
3.2 User Access Management
3.2.1 User Registration
- All users must have a unique identifier (user ID)
- Shared or generic accounts are prohibited except where technically required and approved
- User accounts must be associated with an identifiable individual
- Service accounts must have documented owners and justification
3.2.2 Access Provisioning
Access provisioning requires:
- Formal Request: Documented request from the user's manager or an authorized requestor
- Approval: Approval from the data/system owner based on role requirements
- Verification: Confirmation of the user's identity and employment status
- Assignment: Access granted according to role-based access control (RBAC)
- Documentation: Record of the access granted, with date and approver
3.2.3 Access Review
| Review Type | Frequency | Scope | Owner |
|---|---|---|---|
| User Access Review | Quarterly | All user accounts | System Owners |
| Privileged Access Review | Monthly | Admin/root accounts | Security Team |
| Service Account Review | Semi-annually | All service accounts | IT Operations |
| Third-Party Access Review | Quarterly | Vendor/contractor accounts | Vendor Manager |
3.2.4 Access Revocation
Access must be revoked:
- Immediately: Upon termination (voluntary or involuntary)
- Same Day: Upon role change affecting access requirements
- Within 24 hours: Upon contractor/vendor contract end
- As Scheduled: Upon temporary access expiration
3.3 Privileged Access Management
Privileged accounts (administrator, root, database admin) require:
- Documented business justification for privileged access
- Approval from the Security Team and the system owner
- A privileged account separate from the user's standard account
- Enhanced monitoring and logging of privileged activities
- Multi-factor authentication (MFA)
- A password vault or PAM solution for credential storage
- Session recording for critical systems (where feasible)
3.4 Remote Access
Remote access to organizational resources requires:
- VPN or zero-trust network access (ZTNA) for network-level access
- Multi-factor authentication
- Endpoint security controls (antivirus, encryption, patching)
- Compliance with the Acceptable Use Policy
- Automatic session timeout after a period of inactivity
3.5 Third-Party Access
Vendor and third-party access requires:
- Signed confidentiality/NDA agreement
- Security assessment of the vendor (per POL-010)
- Documented access requirements and limitations
- Time-limited access with a defined expiration
- Monitoring and audit logging of vendor activities
- Immediate revocation upon contract termination
3.6 Role-Based Access Control (RBAC)
The organization implements RBAC as follows:
| Component | Description |
|---|---|
| Roles | Defined based on job functions (e.g., Developer, Analyst, Admin) |
| Permissions | Specific access rights assigned to roles |
| Role Assignment | Users assigned to roles based on job requirements |
| Role Hierarchy | Inheritance of permissions where appropriate |
| Role Review | Periodic review and cleanup of roles and assignments |
3.7 Access to Source Code and Production
| Environment | Access Control Requirements |
|---|---|
| Production | Limited to authorized operations personnel; change management required |
| Source Code | Limited to development team; branch protection enforced |
| Database (Production) | Read access restricted; write access requires approval |
| Secrets/Keys | Vault-managed; no plaintext storage; audited access |
4. Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| CISO / Security Lead | Define access control standards, approve exceptions, oversee access reviews |
| System Owners | Approve access to their systems, conduct access reviews, define roles |
| IT Operations | Implement access controls, provision/deprovision accounts |
| HR | Notify IT of employee changes (hires, transfers, terminations) in time to meet the revocation deadlines in 3.2.4 |
| Managers | Request and approve access for their team members |
| Users | Protect credentials, report unauthorized access, request only needed access |
5. Implementation Checklist
Technical Controls
- Centralized identity provider (IdP) implemented (e.g., Okta, Azure AD, Supabase Auth)
- Role-based access control (RBAC) configured in all critical systems
- Multi-factor authentication enabled for all users
- Privileged Access Management (PAM) solution deployed
- VPN/ZTNA configured for remote access
- Session timeout configured (15-30 minutes of inactivity)
- Account lockout configured (after 5 failed authentication attempts)
- Access logging enabled on all systems
Process Controls
- Access request workflow documented and implemented
- Access review schedule established
- Onboarding/offboarding procedures documented
- Role definitions documented for all job functions
- Third-party access agreements in place
6. Evidence Requirements
| Evidence Type | Description | Location | Retention |
|---|---|---|---|
| Access Request Records | Tickets/forms for access requests and approvals | Ticketing system | 3 years |
| Access Review Reports | Quarterly/monthly review completion reports | Document repository | 3 years |
| User Access Lists | Current access rights by system | IdP/system exports | Current + 1 year |
| Termination Records | Evidence of timely access revocation | HR system / tickets | 3 years |
| PAM Logs | Privileged session recordings and logs | PAM solution | 1 year |
| Role Definitions | Documented roles and permissions | RBAC documentation | Current version |
7. Related Documents
- Password & Authentication Policy (POL-003)
- Access Provisioning/De-provisioning Procedure (PROC-001)
- MFA Configuration Procedure (PROC-002)
- Third-Party/Vendor Security Policy (POL-010)
8. Exceptions
Exceptions to this policy require:
- Written request documenting business justification
- Risk assessment of the exception
- Approval from CISO and system owner
- Time-limited duration (maximum 12 months)
- Compensating controls where applicable
- Documentation in exception register
9. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | Security Team | Initial release |
10. Approval
| Role | Name | Signature | Date |
|---|---|---|---|
| CISO | _________________ | _________________ | ________ |
| IT Director | _________________ | _________________ | ________ |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.