System Access Control Policy

Last Updated: July 9, 2024

Background

Access to Breakout Learning Inc systems and applications is limited for all users, including but not limited to workforce members, volunteers, business associates, contracted providers, and consultants. Access by any other entity is allowable only on a minimum necessary basis. All users are responsible for reporting an incident of unauthorized use or access of the organization's information systems.

Purpose

The purpose of this procedure is to provide a policy and guideline for creating, modifying, or removing access to the company’s network and data by creating, changing or deleting the network account configuration for a User.

Scope

This policy and defined process is used to allow access to the company’s data and systems to individuals who meet the requirements defined in this policy. This policy governs individuals who are granted access that is necessary to support the business. This policy relates to all data used, processed, stored, maintained, or transmitted in and through the company’s systems.

Policy

Access Establishment and Modification - Role-Based

Requests for access to Breakout Learning Inc Platform systems and applications are made formally using the following process:

  • A Breakout Learning Inc workforce member initiates the access request by creating an Issue in the Breakout Learning Inc ticketing system.
    • User identities must be verified prior to granting access to new accounts.
    • Identity verification must be done in person where possible; for remote employees, identities must be verified over the phone.
    • For new accounts, the method used to verify the user's identity must be recorded on the Issue.
  • The Security Officer will grant or reject access to systems as dictated by the employee's role and job title.
    • If additional access is required outside of the minimum necessary to perform job functions, the requester must include a description of why the additional access is required as part of the access request.
    • If the request is rejected, it goes back for further review and documentation.
    • If the review is approved, the request is marked as “Done”, and any pertinent notes are added.

Access Reviews

All access to Breakout Learning Inc systems and services is reviewed and updated on a regular basis to ensure proper authorizations are in place commensurate with job functions. The process for conducting reviews is outlined below:

  1. The Security Officer initiates the review of user access by creating an Issue in the Breakout Learning Inc ticketing system.
  2. The Security Officer is assigned to review levels of access for each Breakout Learning Inc workforce member.
  3. If user access is found during review that is not in line with the least privilege principle, the Security Officer may modify user access and notify the user of access changes.
  4. Once the review is complete, the Security Officer then marks the ticket as “Done”, adding any pertinent notes required.

Cloud Service Customers

Breakout Learning Inc's network services will clearly specify the requirements for user access to each individual cloud service provider utilized (See Appendix B).

  • Breakout Learning Inc will ensure that access to these cloud services can be restricted per this policy, including limiting access to the cloud services, specific functions within a cloud service, and Breakout Learning Inc data maintained within the service.
  • If the use of utility programs is permitted, Breakout Learning Inc will identify and approve utility programs that are permitted for use within its cloud computing environment. This includes a thorough evaluation to ensure these programs do not interfere with the established controls of the cloud service.
  • Breakout Learning Inc, in collaboration with the cloud service provider, will regularly review and audit the usage of utility programs to verify compliance with security policies and to identify any potential risks or vulnerabilities.

Cloud Service Providers

Breakout Learning Inc will provide access controls to allow its cloud service customers to enforce their access restrictions to the cloud service, cloud service functions, and the data they store within the service.

  • The use of utility programs capable of bypassing normal operating or security procedures will be strictly limited to authorized personnel who require them for legitimate business purposes. Breakout Learning Inc will identify the requirements for such programs used within its cloud service. This includes:
    • Assessing the impact of these programs on system and application controls.
    • Ensuring that the use of utility programs capable of overriding controls is strictly restricted to authorized personnel.
    • Implementing adequate measures, such as strong access controls and authentication mechanisms to prevent unauthorized usage.
    • Conducting regular monitoring and auditing of utility program usage to ensure compliance with established access controls and to promptly detect and address any security or compliance issues.
  • Virtual environments of cloud service customers will be protected from unauthorized access by other cloud service customers or unauthorized individuals. Breakout Learning Inc will enforce the logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network infrastructure for:
    • Separation of Breakout Learning Inc's internal administration from resources used by its cloud service customers.
    • Separation of resources used by different cloud service customers in multi-tenant environments, where Breakout Learning Inc will implement robust information security controls to ensure appropriate isolation of resources utilized by different tenants. These controls mitigate the risks associated with sharing infrastructure among multiple customers.
  • When cloud service customers supply and run third-party software within Breakout Learning Inc’s cloud services, Breakout Learning Inc will assess and address the risks associated with the execution of such software to prevent any unauthorized access or interference within the cloud services.

Workforce Clearance

  • The level of access assigned to a user for the organization's information systems is based on the minimum necessary amount of data access required to carry out the legitimate job responsibilities assigned to that user's job classification.
  • All access is regulated by the role-based access control (RBAC) method, based on the Principle of Least Privilege.
  • Breakout Learning Inc maintains a least privilege approach for access to customer data.

Unique User Identification

  • Access to the Breakout Learning Inc Platform systems and applications is controlled by requiring unique User Login IDs and passwords for each individual user and developer.
  • Password requirements mandate strong password controls.
  • Passwords are not displayed at any time and are not transmitted or stored in plain text.
  • Default accounts on all production systems, including root, are disabled.
  • Shared accounts are not allowed within Breakout Learning Inc systems or networks.
  • Automated log-on configurations other than the company’s approved Password Management provider that store user passwords or bypass password entry are not permitted for use with Breakout Learning Inc workstations or production systems.

Automatic Logoff

Users are required to make information systems inaccessible to any other individual when left unattended (e.g., by using a password-protected screen saver or logging off the system).

Concurrent Sessions

Breakout Learning Inc limits the number of concurrent sessions, as follows:

Disabling Accounts

User accounts will be disabled as outlined in Appendix A.

Employee Workstation Use

All workstations at Breakout Learning Inc are company owned, and all are laptops running Windows, macOS, or Linux.

  • Workstations may not be used to engage in any activity that is illegal or is in violation of company policies.
  • Access may not be used for transmitting, retrieving, or storage of any communications of a discriminatory or harassing nature or materials that are obscene or "X-rated". Harassment of any kind is prohibited. No messages with derogatory or inflammatory remarks about an individual's race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition shall be transmitted or maintained. No abusive, hostile, profane, or offensive language is to be transmitted through the organization's system.
  • Information systems/applications also may not be used for any other purpose that is illegal, unethical, or against company policies or contrary to the company's best interests. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.
  • Solicitation of non-company business, or any use of the company's information systems/applications for personal gain, is prohibited.
  • Users may not misrepresent, obscure, suppress, or replace another user's identity in transmitted or stored messages.
  • Workstation hard drives must be encrypted.
  • All workstations have firewalls enabled to prevent unauthorized access unless explicitly granted.

Employee Termination/Offboarding Procedures

  • The Human Resources Department (or other designated department), users, and their supervisors are required to notify the Security Officer upon completion and/or termination of access needs and facilitate completion of the SOC 2.
  • The Human Resources Department, users, and supervisors are required to notify the Security Officer to terminate a user's access rights if there is evidence or reason to believe the following (these incidents are also documented on an incident report, which is filed with the Privacy Officer):
    • The user has been using their access rights inappropriately;
    • A user's password has been compromised (a new password may be provided to the user if the user is not identified as the individual compromising the original password);
  • The Security Officer will terminate users' access rights within 1 business day of termination/separation, and will coordinate with the appropriate Breakout Learning Inc employees to terminate access to any non-production systems managed by those employees.
  • The Security Officer audits, and may terminate, the access of users that have not logged into the organization's information systems/applications for an extended period of time.

APPENDIX A

Disabling Accounts

High Risk Users

Breakout Learning Inc will disable accounts of users that are deemed to pose a high risk to the company's systems. Accounts will be disabled for the given duration and within the defined time period, according to the specific risk(s) identified.

APPENDIX B

Access Requirements for Individual Cloud Service Providers

(For Cloud Service Customers) Breakout Learning Inc's requirements for user access to each individual cloud service provider utilized are as follows:

<ACCESS REQUIREMENTS FOR INDIVIDUAL CLOUD SERVICE PROVIDERS>

Revision History