Initial commit

01-policies/access-control-policy.md

@@ -0,0 +1,77 @@
+Title: Access Control Policy
+Document ID: [POL-ACCESS-001]
+Version: 0.2 Draft
+Status: Draft
+Owner: CISO (Paul Jenkins)
+Approver: CEO (Paul Hague)
+Classification: Internal
+Effective date: [DD Month YYYY]
+Review date: [DD Month YYYY]
+
+# Access Control Policy
+
+## Purpose
+
+This policy defines BlackDice's high-level requirements for controlling access to information, systems, services, and administrative interfaces.
+
+## Scope
+
+This policy applies to personnel, contractors, service accounts, systems, cloud platforms, Kubernetes environments, CI/CD systems, endpoints, and third parties within the ISMS scope.
+
+## Objectives
+
+- limit access to authorised users and approved system identities
+- enforce least privilege and need-to-know principles
+- reduce the risk of unauthorised access, misuse, and privilege escalation
+
+## Principles / Policy Statements
+
+Access to information and systems must be granted only where there is an approved business need.
+
+Privileges must be assigned using least privilege and separated where appropriate to reduce the risk of unauthorised or unsafe activity.
+
+Authentication methods must be appropriate to the sensitivity and exposure of the system or service being accessed.
+
+BlackDice should reduce unnecessary reliance on standalone passwords by favouring centrally managed identity, single sign-on, and stronger authentication approaches where practical.
+
+Multi-factor authentication must be used for privileged, remote, cloud administrative, internet-facing, and other high-risk access unless a formally approved exception exists. Where technically available, BlackDice should enable multi-factor authentication more broadly across workforce access.
+
+Default credentials must not remain in use on production or operational systems. Any default password identified on an in-scope system or service must be changed before use.
+
+Privileged access to cloud management planes, production systems, Kubernetes administration, and CI/CD tooling must be subject to stronger control and increased oversight.
+
+Access rights must be reviewed at planned intervals and when roles, responsibilities, or employment status change.
+
+Shared accounts should be avoided unless formally justified, controlled, and traceable.
+
+Where passwords remain necessary, BlackDice should support secure password management practices and avoid relying primarily on complexity rules or routine password expiry as the main control measure.
+
+## Roles and Responsibilities
+
+- [Role] must define and oversee access control requirements.
+- Managers must approve access according to business need.
+- System owners must ensure access models are suitable for their systems.
+- Users must protect their credentials and use access only for authorised purposes.
+
+## Compliance / Exceptions
+
+Exceptions must be documented, risk-assessed, approved, and reviewed through the exception management process.
+
+## Monitoring and Review
+
+Compliance should be monitored through access reviews, joiner-mover-leaver activities, incident handling, and audit.
+
+## Related Documents
+
+- Information Security Policy
+- Identity and Authentication Standard
+- Secrets Management Standard
+- Joiner Mover Leaver Procedure
+- Access Review Procedure
+
+## Version Control
+
+| Version | Date | Description of Change | Author |
+| --- | --- | --- | --- |
+| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
+| 0.2 Draft | [DD Month YYYY] | Expanded to include explicit MFA, default credential, SSO, and password management principles. | ChatGPT |