Access Control Policy

1. Purpose, scope, and users

The purpose of this document is to define rules for access to various systems, equipment, facilities, and information, based on business and security requirements for access.

Access to all physical areas in the organization is allowed, except for areas where privilege must be granted by the authorized person (see section 6.1, “Privilege access management”).

This Policy specifies rules for access to systems, services, and facilities, while the Data Handling Policy defines rules for access to individual documents and records.

The users of this document are all Resolver employees.

2. Reference documents

  • ISO/IEC 27001:2013 standard, controls A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.5, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.3
  • ISO/IEC 27701:2019 standard, clause 5
  • EU GDPR, Article 32
  • Information Security and Privacy Policy
  • Statement of Applicability
  • Data Handling Policy

3. Access control principles

It is Resolver’s policy to ensure the principles of ‘least privilege’ and ‘need to know’ are applied consistently across the management of access to information assets, information systems, business processes, and premises. For this Policy, these principles are defined as follows:

Least Privilege: The principle that entities are only granted access to the information, systems, locations, and/or processes required to enable the successful completion of an authorized job role/activity; and

Need to Know: The principle that individuals are only permitted to have access to and knowledge of information assets for which they have a valid and authorized business purpose.

In addition to the above, the following general activities underpin Resolver’s approach to Access Control for information, information systems, business processes, and premises:

  • The 1_Resolver_Information_Security_Policy must be read by all Resolver employees.
  • For all accounts, appropriate authorization levels must be defined and approval obtained before account activation (during the onboarding process), deactivation, or any change to authorization levels.
  • A role-based approach should be used to grant access to all Resolver information assets.
  • All users including System Administrators are assigned individual, unique accounts to ensure traceability of actions.
  • User accounts are reviewed at predefined intervals to ensure that authorization levels continue to be commensurate with the individual’s roles (see the Periodic Active Users Access Review process).

4. Physical access controls

All Resolver buildings have some means to control authorized access, either through automated access control systems or through mechanical locking mechanisms and controlled security keys. Entry to server rooms is further limited to those persons who require access to these areas to perform their roles. In addition:

  • Where electronic entry passes are utilized, they are individually assigned, with access logged and reviewed as appropriate; and
  • Server rooms have additional control of entry mechanisms, such as smart fob readers.

Physical security considerations for Resolver-occupied buildings are further described in the “A.11 Resolver Corporate Physical Security Policy”.

All Resolver personnel should be aware of the potential consequences of a breach of physical security and are to ensure that:

  • Security doors are fully secured post entry or exit.
  • The last staff member to leave the premises is to check that:
    • All doors are closed and secured; and
    • Any building alarm is set/activated on the exit.

5. Visitors, contractors, and third parties

Individuals visiting Resolver premises are recorded and monitored as appropriate. The supervision and awareness of visitors is the responsibility of all staff, as outlined below:

  • Visitors to Resolver facilities are to have their name, purpose of visit, and time of entry recorded.
  • Visitors will be issued with a temporary pass, which must be worn at all times while on Resolver’s premises.
  • Visitors will be escorted at all times and are not to be given access to areas unrelated to their business with Resolver.
  • “Tailgating” through security doors by unauthorized individuals is not permitted.
  • Visitors to Resolver sites must be authorized for entry into secure areas (i.e. computer rooms) and such visits must be recorded appropriately.

Individuals not directly employed by Resolver may be granted access to Resolver-controlled information assets provided they have been approved by the ITSO and can satisfy procedural and administrative requirements. All Resolver staff must ensure compliance with the following procedures when giving non-Resolver individuals access to Resolver-controlled information assets:

  • Visitors may be granted controlled access to Resolver information systems and premises to facilitate the successful completion of their agreed role. This role must be documented and approved by senior management before access is granted.
  • Access to information (in whatever form) is to be controlled and appropriate to the individual in the context of ‘Least Privilege’ and ‘Need to Know’.
  • When access to protectively marked information is required, signed non-disclosure agreements must be put in place before access is granted.
  • Any electronic access passes issued to individuals must be recovered on completion of the visit, project, or contract as appropriate. Unrecovered passes must be deactivated.

6. Logical access to systems

Access to system data, including applications, utilities, and event/sys log information, is limited to authorized individuals in accordance with the Resolver Standard on IT Account Management.

6.1 Privilege access management

Privileges for the user accounts described above (granting or removing access rights) are allocated by IT department personnel in coordination with the user’s direct manager and the Company CISO or Information Security Department.

When allocating privileges, the person responsible must consider business and security requirements for access (defined in risk assessment) and the classification of information that can be accessed with such privileges, per the Information Classification Policy.

6.2 Regular review of access rights

Owners of each system and owners of facilities for which special access rights are required must review whether the access rights granted are in line with business and security requirements; reviews should be performed based on the intervals found in the Periodic Active Users Access review process document.

6.3 Change of status or termination of the contract

Upon change of employment or termination of employment, the HR Department, via the HRIS system and preferably in an automated way, must immediately inform the IT Department and the employee’s direct manager (who would have approved privileges for the employee in question) of its intent to remove or change the employee’s account or access privileges with immediate effect. If the employee’s direct manager requests that the account (or its access privileges) be retained rather than disabled for some additional time, the direct manager must raise an exception request (through Zendesk or another IT ticketing system) to the IT Department, stating the reason for the exception, with a copy to Information Security. The duration of the exception must be as short as the reason for the request allows, and is typically ten (10) working days. Exceptions may be granted for longer than 10 days, depending on business requirements, on a case-by-case basis.

Upon change of contractual relations with external parties with access to systems, services, and facilities, or upon contract expiration, the contract owner must immediately inform the responsible persons who approved privileges for the external parties in question.

Unless an approved exception request exists, the access rights of all persons who have changed their employment status or contractual relationship must immediately be removed or changed by the IT Department.

7. Access to production environments on the infrastructure level

  • ONLY DevOps Team members have access to production environments.
  • Access permissions should be approved by the Company CISO or Company CTO.
  • Granting of access permissions should be approved by the DevOps Director.

7.1 DevOps Privilege access management

DevOps accounts may potentially have access to customer information and activities, which could affect the Confidentiality, Integrity, and Availability (CIA) of Resolver’s production environments.

It is critical for DevOps accounts to go through a formal approval process before being granted access credentials; the approval process should be documented in a DevOps Jira ticket.

8. Version and Source Control access restriction and protection

A version control system (VCS) allows us to manage changes to files over time. We use version control for source code, binary files, and digital assets; the term covers the version control software, systems, and tools in use.

Source control or Source Code Management system (SCM) refers to tracking and managing changes to software source code. This ensures that developers are always working on the right version of the source code.

  • The VCS and SCM (at Resolver these are one system) is one of the most critical systems, as it contains company Intellectual Property (IP). It is essential to follow the ‘least privilege’ and ‘need to know’ principles when granting access permissions to this resource.
  • Access to the VCS and SCM must be protected using Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).

9. Use of removable media

Only approved removable media may be used for Resolver business purposes. Access to and the use of removable media must comply with the requirements stated in the A.6.2_Resolver_Mobile_Device_&_Teleworking_Policy document.

10. Remote access

Remote access to Resolver’s information assets and information systems will be conducted in accordance with the A.6.2_Resolver_Mobile_Device_&_Teleworking_Policy document.

11. Non-Conformance

All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

12. Validity and document management

This document is valid as of August 2023.

The owner of this document is the Infosec & Compliance Lead, who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of incidents arising from the unclear definition of the ISMS scope.
  • The number of corrective actions taken due to an inadequately defined ISMS scope.
  • Time put in by employees implementing the ISMS to resolve dilemmas concerning the unclear scope.

EFFECTIVE ON: August 2023

REVIEW CYCLE: Annual at least and as needed