Access Control Policy
Explore Roboto Studio's Access Control Policy. Learn about our measures to ensure secure and authorized access to critical systems and data.
1.0 Purpose
The purpose of this policy is to establish direction and requirements for access to Roboto Studio data, information and systems, and to ensure that users have the appropriate access levels to access information on systems, databases, local and remote files, and applications.
2.0 Scope
This policy covers access to all business processes and data, information systems and other IT resources owned or operated by Roboto Studio. Any information not specifically identified as the property of other parties transmitted or stored on Roboto Studio IT resources is the property of Roboto Studio.
This policy applies to all employees, whether employed on a full-time or part-time basis by Roboto Studio, contractors, and vendors (collectively referred to as "individuals" and "users").
3.0 Policy
The following subsections outline the access control standards that constitute the policy.
3.1 Control of Access to Information Systems
User access to information systems and IT assets shall be authorized based on their job roles and responsibilities and according to business requirements.
Access control to information systems and services shall cover all stages of the user access life-cycle: from granting and modifying user access to terminating access. Access to systems and IT assets shall be granted based on:
- Valid access authorization from the immediate supervisor or system owner.
- The concept of least privilege, allowing only authorized access for users (orprocesses acting on behalf of users), including privileged users, based on their jobfunctions and intended system usage.
- Considering the separation of duties between individuals to prevent maliciousactivity without collusion and other attributes required by the organization.
- Restricting user accounts from installing software on devices.
- Access to sensitive information such as personal information shall be restricted.
- Critical access such as privileged access, access to sensitive information shall belogged, and access to these logs shall be restricted.
- Administration, system and generic accounts being strictly controlled and givenbased on authorization from designated personnel. Roboto Studio shall authorize and monitor the use of guest/anonymous and temporary accounts.
- Temporary and inactive accounts that are no longer required and accounts of terminated or transferred users shall be deactivated promptly.
- Account access privileges (including service and generic accounts) shall be reviewed periodically.
- Access approval: Roboto Studio shall follow a documented formal access approval process for granting or changing access privileges.
- Unnecessary services such as unused file sharing, web application modules or service functions must be disabled by the organization.3.2 User Authentication and Secure Log-on Procedures
- Access to the Roboto Studio information systems shall be controlled using password authentication or a public/private key system with a strong passphrase.
- Access control shall be centralized for all its assets through a directory service or single sign-on for organization asset.
- All users shall be assigned a unique user ID whenever possible and generic accounts should be avoided. The initial password provided by the administrator shall be changed at first login.
- Common device identifiers like Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers, are used to uniquely identify individual, group, role, service, or device, based on authorization from a designated individual.
- Users shall not share their passwords with others or reveal the same to others under any circumstances. Passwords for user and administrator accounts shall be changed periodically, as applicable.
- Account lockout (temporary or unlimited) should be applied, whenever possible, after a defined number of unsuccessful login attempts.
- Users shall be automatically logged off from the information systems after a defined period of inactivity.
- At a minimum password shall be at least eight (8) characters long. For improved security, longer passwords should be used.
- Passwords shall contain alphanumeric and special characters (i.e., consider using passwords containing both upper- and lower-case characters (e.g., a-z, A-Z), have digits and punctuation characters as well as letters, e.g., 0-9, !@#$%^&*()_+|~- =\`{}[]:";'<>?,./)
- Prohibit password reuse for a defined number of generations.
- Implement multi-factor authentication (MFA) for both privileged and non-privilegedaccounts, where possible.
- Appropriate personnel shall administer and manage administrator and systemaccount passwords.
- User identity shall be verified before resetting any authentication credentials.
- Passwords for default system accounts shall be modified or disabled before installinga system on the network.
- Inventory of its authentication along with Multi Factor authentication (MFA) for thirdparty applications and administrative accounts shall be enforced on all organization assets, reviewed and updated on an annual basis.
- Multi Factor authentication (MFA) shall be enforced for all administrative accounts, networks and third party applications
Version History
A list of all the versions including their version, author, date and comments.
Version | Author | Date | Comments |
---|---|---|---|
0.1 | Joe Pindar (Fresh Security) | 2022-05-16 | First Draft |
1.0 | Joe Pindar (Fresh Security) | 2022-06-01 | Sign Off |
1.1 | Joe Pindar (Fresh Security) | 2023-10-01 | Add policy review schedule. Review for best practice alignment. |