The purpose of this policy is to establish guidelines and procedures for implementing logical access control measures to protect sensitive information and resources within the organization. This policy covers access control, authentication, and auditing requirements.

Scope

This policy applies to all employees, contractors, vendors, and third-party users who have access to the organization’s information systems, networks, applications, and data.

Policy

Access Control

Access Rights

Access to information systems, networks, applications, and data shall be granted based on the principle of least privilege. Users shall only be given access rights necessary to perform their assigned duties.

User Accounts

User accounts shall be created for authorized individuals and assigned unique identifiers. User account creation, modification, and termination shall follow the organization’s defined procedures.

User Responsibilities

Users shall be responsible for maintaining the confidentiality and integrity of their credentials (e.g., passwords, tokens). Sharing of user accounts or credentials is strictly prohibited.

Privileged Access

Access to administrative or privileged functions shall be restricted to authorized personnel only. Privileged accounts shall be carefully managed, and their usage shall be monitored.

Remote Access

Remote access to organizational resources shall be protected using secure mechanisms such as virtual private networks (VPNs) or secure remote access solutions. Remote access privileges shall be granted based on business need and shall be subject to strict authentication requirements.

Authentication

Passwords

User passwords shall be complex, unique, and periodically changed.

We have the following password/passphrase policy:

  • Length: 10 characters
  • Complexity:
    • at least one uppercase character
    • at least one lowercase character
    • at least one number or special character

Multi-Factor Authentication (MFA)

MFA shall be implemented for all critical systems and for access to sensitive data. It requires users to present more than one form of authentication, such as a password combined with a token or a biometric.

Account Lockout

Account lockout mechanisms shall be implemented to prevent brute-force attacks. After a defined number of failed login attempts, the user account shall be temporarily or permanently locked.

Session Management

User sessions shall be automatically terminated after a period of inactivity. Users shall be required to re-authenticate when accessing resources after a session timeout.

Auditing

Audit Logging

Information systems shall generate and store audit logs to track user activities, system events, and security-related incidents. The logs shall capture relevant details such as user ID, date and time, and actions performed.

Monitoring and Analysis

Audit logs shall be reviewed regularly to detect unauthorized access attempts, unusual activity, or policy violations. Automated monitoring tools shall be employed to facilitate timely detection and response.

Incident Reporting

Any security incidents or suspected breaches shall be reported promptly to the appropriate personnel or designated incident response team. Incident response procedures shall be followed to investigate and mitigate any identified issues.

Enforcement

Staff members found in policy violation may be subject to disciplinary action, up to and including termination.

Distribution

This policy is to be distributed to all Ambassify staff using, supporting, and configuring desktop workstations.