Access Control Policy

• Table of Contents

  • EDC Inc Access Control Policy
  • Purpose
  • Scope
  • Policy
  • General Access Control Requirements
  • Physical Access Control
  • Electronic Access Control
  • Access to Servers and Databases
  • Access Control Exceptions
  • Policy Compliance
  • Policy Review and Modification
  • Contact Information
  • Summary

“`html

EDC Inc Access Control Policy

Purpose

The purpose of this Access Control Policy is to establish the rules for granting, reviewing, and revoking access to EDC Inc’s resources. This policy ensures that access to corporate resources is managed securely and in accordance with the company’s internal controls and compliance requirements.

Scope

This policy applies to all employees, contractors, and third-party partners who have access to EDC Inc’s information systems and physical premises. It encompasses all forms of access, including but not limited to electronic access to networks and databases, physical access to buildings, and access to the company’s proprietary and sensitive information.

Policy

General Access Control Requirements

• User and service accounts must be provisioned through Active Directory, ensuring centralized authentication and authorization.
• All access must be aligned with the principle of least privilege, granting users the minimum level of access necessary to perform their job functions.
• Access to systems and data must be approved by the appropriate departmental IT Director or Manager.
• Access rights must be reviewed on a regular basis, at least quarterly, to ensure they remain appropriate.
• EDC Inc’s CMDB must be used as the inventory management tool to track and manage all assets and their associated access controls.
• The Change Audit Board (CAB) must review and approve any significant changes to access control permissions.

Physical Access Control

• Corporate Physical Security is responsible for managing physical access to EDC Inc’s premises.
• All visitors must be logged and escorted while on company property.
• Access to secure areas is restricted to authorized personnel only, and access logs must be maintained and reviewed regularly.

Electronic Access Control

• IT Security Operations is responsible for overseeing electronic access controls across the organization.
• Multi-factor authentication (MFA) is required for access to sensitive systems and data.
• IT Monitoring Operations is tasked with monitoring access patterns and identifying any unusual or unauthorized access events.
• IT-SOC (Incident Management) is responsible for responding to and managing access-related security incidents.

Access to Servers and Databases

• IT Server Operations is responsible for managing access to server infrastructure.
• IT Database Operations is responsible for managing access to database systems.
• Each server must be patched every 30 days by IT Server Operations, unless an “IT Exception” is approved by IT Security.
• OS patching is managed by IT Server Operations and must adhere to the established patch management policy.

Access Control Exceptions

• Any exceptions to this policy must be documented and approved by IT Security.
• Exceptions must be reviewed on a case-by-case basis and must be justified by business needs.
• All exceptions must be tracked and reviewed periodically to ensure they are still relevant and necessary.

Policy Compliance

• IT Audit and Compliance is responsible for ensuring compliance with this Access Control Policy.
• Violations of this policy may result in disciplinary action, up to and including termination of employment or contracts.
• Regular audits will be conducted to ensure adherence to the policy and to identify any areas for improvement.

Policy Review and Modification

This policy will be reviewed annually or as needed due to changes in regulatory requirements, business needs, or technology advancements. Any modifications to this policy must be approved by the Change Audit Board (CAB) and communicated to all affected parties.

Contact Information

For questions or additional information regarding EDC Inc’s Access Control Policy, please contact the appropriate department as follows:

• IT Server Operations: it-server-ops@edcinc.com
• IT Server Build Operations: it-server-build@edcinc.com
• IT-SOC (Incident Management): it-soc@edcinc.com
• Corporate Physical Security: corp-sec@edcinc.com
• IT Security Operations: it-sec-ops@edcinc.com
• IT Monitoring Operations: it-mon-ops@edcinc.com
• IT Database Operations: it-db-ops@edcinc.com
• IT Audit and Compliance: it-audit@edcinc.com

Summary

EDC Inc’s Access Control Policy is a comprehensive framework designed to secure access to the company’s resources. By adhering to the principles of least privilege, regular review, and compliance with internal and external requirements, EDC Inc maintains a robust security posture. This policy is a living document that will evolve with the changing landscape of security threats and technological advancements. All employees and associates are expected to understand and comply with this policy to ensure the protection of EDC Inc’s assets and the integrity of its operations.

“`

101 comments