The purpose of this document is to define rules for access to various systems, equipment, facilities, and information, based on business and security requirements for access.
Access to all physical areas in the organization is allowed, except for areas where access privileges must be granted by the authorized person (see the “Privilege access management” item below).
This Policy specifies rules for access to systems, services, and facilities, while the Data Handling Policy defines rules for access to individual documents and records.
The users of this document are all Resolver employees.
It is Resolver’s policy to ensure the principles of ‘least privilege’ and ‘need to know’ are applied consistently across the management of access to information assets, information systems, business processes, and premises. For this Policy, these principles are defined as follows:
Least Privilege: The principle that entities are only granted access to the information, systems, locations, and/or processes required to enable the successful completion of an authorized job role/activity; and
Need to Know: The principle that individuals are only permitted to have access to and knowledge of information assets for which they have a valid and authorized business purpose.
In addition to the above, the following general activities underpin Resolver’s approach to Access Control for information, information systems, business processes, and premises:
All Resolver buildings have some means to control authorized access, either through automated access control systems or through mechanical locking mechanisms and controlled security keys. Entry to server rooms is further limited to those persons who require access to these areas to perform their roles. In addition:
Physical security considerations for Resolver-occupied buildings are further described in the “A.11 Resolver Corporate Physical Security Policy”.
All Resolver personnel should be aware of the potential consequences of a breach of physical security and are to ensure that:
Individuals visiting Resolver premises are recorded and monitored as appropriate. The supervision and awareness of visitors is the responsibility of all staff, as outlined below:
Individuals not directly employed by Resolver may be granted access to Resolver-controlled information assets provided they have been approved by the ITSO and can satisfy procedural and administrative requirements. All Resolver staff must ensure compliance with the following procedures when giving non-Resolver individuals access to Resolver-controlled information assets:
Access to system data, including applications, utilities, and event/system log information, is limited to authorized individuals, in accordance with the Resolver Standard on IT Account Management.
Privileges with respect to the above-mentioned user profiles (granting or removing access rights) are allocated by IT department personnel in coordination with the user’s direct manager and the Company CISO or Information Security Department.
When allocating privileges, the person responsible must consider business and security requirements for access (defined in risk assessment), as well as the classification of information that can be accessed with such privileges, in accordance with the Information Classification Policy.
Owners of each system, and owners of facilities for which special access rights are required, must review whether the access rights granted are in line with business and security requirements; reviews should be performed at the intervals defined in the Periodic Active Users Access Review process document.
Upon change of employment or termination of employment, the HR Department must immediately inform the IT Department and the employee’s direct manager, who would have approved privileges for the employee in question.
Upon change of contractual relations with external parties who have access to systems, services, and facilities, or upon expiration of the contract, the contract owner must immediately inform the responsible persons who approved privileges for the external parties in question.
The access rights for all the persons who have changed their employment status or contractual relationship must immediately be removed or changed by the IT Department.
DevOps accounts may potentially have access to customer information and activities, which could affect Confidentiality, Integrity, and Availability (CIA) of Resolver’s production environments.
It is critical for DevOps accounts to go through a formal approval process before being granted access credentials; the approval process should be documented in a DevOps Jira ticket.
The version control system (VCS) allows us to manage changes to files over time. We use version control to version code, binary files, and digital assets; the term covers version control software, version control systems, and version control tools alike.
Source control, or a Source Code Management (SCM) system, refers to tracking and managing changes to software source code. This ensures that developers are always working on the right version of the source code.
Only approved removable media may be used for Resolver business purposes. Access to and the use of removable media must comply with the requirements stated in the A.6.2_Resolver_Mobile_Device_&_Teleworking_Policy document.
Remote access to Resolver’s information assets and information systems will be conducted in accordance with the A.6.2_Resolver_Mobile_Device_&_Teleworking_Policy document.
All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
This document is valid as of July 2020.
The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: September 2020
REVIEW CYCLE: Annual at least and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.