- Title: Access Control Policy
- Document ID: [POL-ACCESS-001]
- Version: 0.2 Draft
- Status: Draft
- Owner: CISO (Paul Jenkins)
- Approver: CEO (Paul Hague)
- Classification: Internal
- Effective date: [DD Month YYYY]
- Review date: [DD Month YYYY]

# Access Control Policy

## Purpose

This policy defines BlackDice's high-level requirements for controlling access to information, systems, services, and administrative interfaces.

## Scope

This policy applies to personnel, contractors, service accounts, systems, cloud platforms, Kubernetes environments, CI/CD systems, endpoints, and third parties within the ISMS scope.

## Objectives

- limit access to authorised users and approved system identities
- enforce least privilege and need-to-know principles
- reduce the risk of unauthorised access, misuse, and privilege escalation

## Principles / Policy Statements

Access to information and systems must be granted only where there is an approved business need, and must be removed when that need ends.

Privileges must be assigned on a least-privilege basis and, where appropriate, separated across roles so that no single identity can both perform and approve a sensitive action, reducing the risk of unauthorised or unsafe activity.

Authentication methods must be appropriate to the sensitivity and exposure of the system or service being accessed.

BlackDice should reduce unnecessary reliance on standalone passwords by favouring centrally managed identity, single sign-on, and stronger authentication approaches where practical.

Multi-factor authentication must be used for privileged, remote, cloud administrative, internet-facing, and other high-risk access unless a formally approved exception exists. Where technically available, BlackDice should enable multi-factor authentication more broadly across workforce access, preferring phishing-resistant methods where they are supported.

Default credentials must not remain in use on production or operational systems. Any default password identified on an in-scope system or service must be changed, and any unneeded default account disabled, before the system is placed into service.

Privileged access to cloud management planes, production systems, Kubernetes administration, and CI/CD tooling must be subject to stronger controls and increased oversight, such as separate privileged identities, time-limited elevation, and logging of privileged activity.

Access rights must be reviewed at planned intervals and whenever roles, responsibilities, or employment status change, and access that is no longer required must be removed promptly.

Shared accounts should be avoided unless formally justified, controlled, and traceable to the individuals who use them.

Where passwords remain necessary, BlackDice should support secure password management practices (for example, screening new passwords against known-compromised password lists and permitting the use of password managers) and should not rely primarily on complexity rules or routine password expiry as the main control measure, consistent with current NIST SP 800-63B guidance.

## Roles and Responsibilities

- [Role] must define and oversee access control requirements.
- Managers must approve access according to business need.
- System owners must ensure access models are suitable for their systems.
- Users must protect their credentials and use access only for authorised purposes.

## Compliance / Exceptions

Exceptions must be documented, risk-assessed, approved, and reviewed through the exception management process.

## Monitoring and Review

Compliance should be monitored through access reviews, joiner-mover-leaver activities, incident handling, and audit.

## Related Documents

- Information Security Policy
- Identity and Authentication Standard
- Secrets Management Standard
- Joiner Mover Leaver Procedure
- Access Review Procedure

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
| 0.2 Draft | [DD Month YYYY] | Expanded to include explicit MFA, default credential, SSO, and password management principles. | ChatGPT |