Access Control Policy (A.9.1.1)
All information assets, and their supporting assets, shall be afforded such protection as is necessary to ensure their confidentiality, integrity, and availability can be maintained to acceptable levels. This shall include the selection and implementation of suitable controls to prevent loss or damage by unauthorized access, unauthorized amendment, and deliberate and/or accidental damage.
Breezy’s Access Control Policy includes the following:
All information assets (data) either owned by Breezy or entrusted to Breezy by a client/user under an agreement that specifically details Breezy’s data responsibility, including but not limited to:
- Information assets held, processed, or stored at Amazon Web Service facilities under accounts owned by Breezy used to facilitate Breezy product offerings
All supporting assets (non-data) which by direct or indirect association are an integral part of ensuring the confidentiality, integrity, or availability of the information assets described above, including:
- Hardware (including network infrastructure, laptop computers, desktop computers, storage infrastructure, and mobile devices)
- Software (including operating systems, commercially available software applications, and software applications developed internally by Breezy)
- Breezy personnel (including permanent, temporary, full-time and part-time employees, authorized contractors, and any third-party users of information systems)
Documentation and Records
All policies, processes, procedures, work instructions and records related to the management, use, control and disposal of the information assets and any supporting assets detailed above.
General Access Control Policy Statements
- Breezy shall operate all access control activities upon the principle that default permissions are set as “deny all”, and specific permission is needed to enable specific access to be granted, in line with the individual’s role and bona-fide business needs.
- Each Asset Owner shall be responsible for reviewing, authorizing, and recording the details of those persons who have legitimate access to their asset(s). Access permissions shall be reviewed frequently to ensure they remain accurate and current and are adjusted as necessary.
- All access and privileges shall be promptly and fully revoked at the point when an employee leaves the employment of the organization. A similar obligation shall be placed upon the organizations responsible for contractors or third-party users.
- The level of protection and access to an information asset shall be in line with:
- ~The business need for the individual to access the asset
- ~The security classification of the asset
- ~The security of the environment in which the information asset is to be accessed
- ~The security clearance and competencies of the persons requiring access
- ~The requirements of the Breezy Acceptable Use Policy
- All access controls shall be configured and managed to record both successful and unsuccessful access events. Access control records shall be reviewed on a regular basis, and any suspicious activities logged as an Information Security Incident for prompt investigation.
- Active sessions should be terminated when no longer needed.
- Any unattended equipment or login session shall be locked to protect any unauthorized access.
User Identification and Authentication
- All users accessing information assets electronically shall have a unique User ID assigned by Breezy, which shall be used to access only those information assets for which the user has been specifically authorized and has a bona fide and ongoing business need.
- Users shall not use generic User ID details to access information assets, nor shall they use super-user accounts, e.g. supervisor or administrator privileges, unless such privileged account access is essential under the prevailing circumstances.
- Users shall ensure their User ID is supported by personal passwords which fully comply with the Breezy Password Management Policy.
Remote Access Policy by Internal Users
- Breezy shall ensure all network connections to IT systems and information assets are at all times protected from unauthorized access, while simultaneously permitting and recording the legitimate connections of authorized internal users. A request for access shall be reviewed by the asset owner and records of access granted shall be maintained and retained.
- Remote access shall only be authorized via Breezy-owned equipment, and using the pre-installed connection configuration (e.g. VPN) installed thereon. No user shall attempt to connect to Breezy networks or IT systems using non-Company equipment or non-approved software or utilities unless permitted by the Acceptable Use of Mobile Devices.
- All internal users shall receive appropriate communications and formal training to support the approved method of connecting remotely.
Remote Access Policy by External Users
- Breezy shall ensure all network connections to IT systems and information assets are at all times protected from unauthorized access, while simultaneously permitting and recording the legitimate connections of authorized external users. A request for access shall be reviewed by the asset owner and records of access granted shall be maintained and retained.
- Remote access shall only be authorized via equipment that has been verified as being acceptable for facilitating remote connections, and upon which a pre-installed connection configuration (e.g. VPN) agreed by Breezy has been installed. No user shall attempt to connect to Breezy networks or IT systems using non-approved equipment or non-approved software or utilities.
- All external user connections for which a valid business case has been authorized shall be controlled by a Breezy firewall, router or equivalent network security device. External users shall not be permitted to use Breezy networks as a route of through connectivity to a destination outside Breezy.
- All external user connections shall be protected by anti-virus (AV) software (as detailed within the Acceptable Use Policy); such software should be identical to the AV software currently authorized for use by the Breezy, or if not, shall be subject to review and acceptance by Breezy prior to the external connection being authorized.
Termination of Remote Access Connectivity
- At the point of termination of an employee, contractor, or third-party user, all remote access in place shall immediately be revoked by the Information Security Manager and/or Asset Manager upon receipt of an approved Access Control Form requesting revocation. The Asset Manager shall regularly review authorized access to the asset and immediately remove any internal user who no longer has a valid business need to access the asset concerned.
- At the point of contract termination with an external organization (including clients, contractors, and suppliers), all remote access in place shall immediately be revoked by the Information Security Manager and/or Asset Manager upon receipt of an approved Access Control Form requesting revocation. The Asset Manager shall regularly review authorized access to the asset, and immediately remove any external user who no longer has a valid business need to access the asset concerned.
- The respective Asset Owner shall be responsible for reviewing, authorizing (or denying), and managing all access to their asset(s). They shall be responsible for undertaking frequent reviews to ensure all access permissions remain valid for bonafide business reasons.
- The Information Security Manager shall escalate any information security incidents arising as a result of access control breaches or failures.
- All employees, contractors, third-party users, and external users of company information systems shall comply with the requirements of this Access Control Policy at all times. Any failure to adhere to the requirements of this Policy shall result in disciplinary action.
- All employees must request any/all Access grants/revocations via the Access Control Form.