Access management policy
Last revision on March 26, 2024
1. Policy Statement
Protecting access to IT systems and applications is critical to maintain the integrity of Random Team (the “company”) technology and data and prevent unauthorised access to such resources.
Access to the company systems must be restricted to only authorized users or processes, based on the principle of strict need-to-know and least privilege.
Access controls are necessary to ensure only authorized users can obtain access to a company’s information and systems.
Access controls manage the admittance of users to system and network resources by granting users access only to the specific resources they require to complete their job related duties.
2. Purpose
The objective of this policy is to ensure the company has adequate controls to restrict access to systems and data.
3. Scope
This policy applies to all employees of Random Team, and all contractors, consultants, temporary employees and business partners.
Employees who deliberately violate this policy will be subject disciplinary action up to and including termination.
4. Definitions
Access Control: means the process that limits and controls access to resources of a computer system.
Access Privileges: means systems permissions associated with an account, including permissions to access or change data, to process transactions, create or change settings, etc.
Administrator Account: means user account with privileges that have advanced permissions on an IT system that are necessary for the administration of this system. For example, an administrator account can create new users, change account permissions, modify security settings such as password settings, modify system logs, etc.
Application and Service Accounts: means user accounts that are not associated with a person but an IT system, an application (or a specific part of an application) or a network service.
Nominative User Accounts: means user accounts that are named after a person.
Non-disclosure Agreement: means a contract between a person and Random Team stating that the person will protect confidential information covered by the contract, when this person has been exposed to such information.
Privileged accounts: means system or application accounts that have advanced permissions (as compared to regular user account permissions) on such systems or applications. Examples of user accounts with privileges include: administrative and super admin accounts.
System or Application Accounts: means accounts created on IT systems or applications, which are associated with specific access privileges on such systems and applications.
Users: means employees of Random Team, and all contractors, consultants, temporary employees and business partners
5. Guiding Principles – General Requirements
Random Team will provide access privileges to its technology (including networks, systems, applications, computers and mobile devices) based on the following principles:
Need to know – users or resources will be granted access to systems that are necessary to fulfill their roles and responsibilities.
Least privilege – users or resources will be provided with the minimum privileges necessary to fulfill their roles and responsibilities.
Requests for users’ accounts and access privileges must be formally documented and appropriately approved.
Requests for special accounts and privileges must be formally documented and approved by the system owner.
Where possible, Random Team will set user accounts to automatically expire at a pre-set date. More specifically :
When temporary access is required, such access will be removed immediately after the user has completed the task for which the access was granted.
User accounts assigned to contractors will be set to expire according to the contract’s expiry date.
User accounts will be disabled after 3 months of inactivity.
Access rights will be immediately disabled or removed when the user is terminated or ceases to have a legitimate reason to access Random Team systems.
A verification of the user’s identity must be performed by the CTO, Help Desk, or designate before granting a new password.
Existing user accounts and access rights will be reviewed at least annually to detect dormant accounts and accounts with excessive privileges. Examples of accounts with excessive privileges include:
An active account assigned to external contractors or employees that no longer work for Random Team.
An active account with access rights for which the user’s role and responsibilities do not require access. For example, users that do not have authority or responsibility to approve expenses should not have access with approval permissions within a financial system.
System administrative rights or permissions (including permissions to change the security settings or performance settings of a system) granted to a user who is not an administrator.
Unknown active accounts.
All access requests for system and application accounts and permissions will be documented using the ticketing system in place.
6. Guiding Principles – Privileged Accounts
A nominative and individual privileged user account must be created for administrator accounts, instead of generic administrator account names.
Privileged user accounts can only be requested by managers or supervisors and must be appropriately approved.
7. Test Accounts
Test accounts can only be created if they are justified by the relevant business area or project team and approved by the application owner, through a formal request to the CTO or the IT Help Desk.
Test accounts must have an expiry date (maximum of 6 months). Maintaining test accounts beyond this date must be re-evaluated every 90 days and approved appropriately.
Test accounts will be disabled / deleted when they are no longer necessary.
8. Contractors
Contractors will be required to sign a Non-disclosure Agreement (“NDA”) prior to obtaining approval to access Random Team systems and applications.
The name of the contractor must be communicated to the IT Help Desk at least 2 business days before the person needs access.
Random Team will maintain a current list of external contractors having access to Random Team systems. The need to terminate the access privileges of the contractor must be communicated to the IT Help Desk at least 1 business day before the contractor need for such access ends.
9. Access Control Requirements
All users must use a unique ID to access Random Team systems and applications. Passwords must be set in accordance with the Password Policy.
Alternative authentication mechanisms that do not rely on a unique ID and password must be formally approved.
Remote access to Random Team systems and applications must use two-factor authentication where possible.
System and application sessions must automatically lock after 30 minutes of inactivity.
Last updated