3.1 Access Control

3.1.1 Principle of Least Privilege

The core of our access control policy is based on the principle of least privilege. This principle necessitates that employees are only granted access to the information and resources that are absolutely necessary for their job function. We take an approach that minimizes the risk of unauthorized access to confidential information by limiting access privileges amongst our staff.

To operationalize this, we categorize all the information resources within our organization based on their sensitivity and confidentiality, and access to these resources is granted on a "need-to-know" basis. We maintain a record of all access permissions, detailing who has access to what resources, and this information is continually updated to reflect changes in job functions and responsibilities.

3.1.2 Regular Review and Update of Access Permissions

As part of our commitment to maintaining robust security, we implement regular procedures to review and update access permissions. This ensures that only the necessary personnel have access to sensitive information and that this access is revoked when no longer required, such as when an employee changes roles or leaves the organization.

Regular audits of access rights are carried out by our Information Security team. The purpose of these audits is to identify any discrepancies or anomalies in access rights and to ensure that all access rights are justified and approved by the appropriate personnel.

3.1.3 Logging and Monitoring Access

Our access control policy also includes procedures for logging and monitoring access to sensitive resources. These logs provide a record of who has accessed what information and when, which can be crucial in identifying and investigating potential security incidents.

These logs are regularly reviewed as part of our routine security monitoring activities. Our security team uses advanced analytic tools to identify patterns and trends that might indicate suspicious activity, and alerts are generated for immediate follow-up if any suspicious activity is detected.

3.1.4 Additional Controls for Privileged Accounts

Privileged accounts, such as those held by system administrators, have a high level of access to our information systems. Therefore, we apply additional controls to these accounts to mitigate the risk of unauthorized access or misuse.

These controls include the use of multifactor authentication, which requires users to provide at least two forms of identification before access is granted. This could be something they know (like a password), something they have (like a smart card), and/or something they are (like a fingerprint).

In addition to multifactor authentication, we also require privileged users to undergo more frequent password changes, and we monitor these accounts more closely for signs of suspicious activity. This rigorous approach helps ensure the integrity and security of our most sensitive information systems.