System Access Control Policy
Breakout Learning Inc
Background
Access to Breakout Learning Inc systems and applications is restricted to authorized users, including workforce members, volunteers, business associates, contracted providers, and consultants. Access by any other entity is allowable only on a minimum necessary basis. All users are responsible for reporting incidents of unauthorized use or access to the organization's information systems.
Purpose
This policy outlines the procedure and guidelines for creating, modifying, or removing access to Breakout Learning Inc systems and data. The policy governs individuals who are granted access necessary to support business operations, while also addressing the use of personal devices (BYOD) within Breakout Learning Inc’s infrastructure.
Scope
This policy applies to all individuals who access Breakout Learning Inc data and systems, including users accessing systems through personal devices under the BYOD policy. It includes the management of access to all data processed, stored, maintained, or transmitted through Breakout Learning Inc systems.
Policy
Access Establishment and Modification - Role-Based
- Requests for access to Breakout Learning Inc systems are initiated using the organization’s ticketing system.
- User identities are verified either in person or remotely through a secure process for remote workers.
- The Chief Information Security Officer (CISO) grants or denies access based on roles, job titles, and the principle of least privilege.
- Any additional access outside of job functions requires proper documentation and justification.
- All requests, approvals, and denials are recorded and tracked.
Multi-Factor Authentication (MFA)
- MFA is enforced for all systems that handle sensitive data and for any system that offers MFA as an option, including access via personal devices under the BYOD policy.
Session Timeout and Inactivity
- Sessions will automatically log off after a predefined period of inactivity, and sessions will log out upon browser exit to ensure systems are inaccessible when unattended.
Concurrent Sessions
- Google Workspace tools are utilized to manage and detect suspicious concurrent sessions, ensuring secure access.
Credential Rotation (Secrets, Access Keys, etc.)
- Credentials such as secrets, access keys, and passwords must be rotated periodically based on a defined schedule.
- Credential changes are logged for auditing in the version control system.
BYOD (Bring Your Own Device) Policy
- Personal devices are allowed to access Breakout Learning Inc systems only if they meet specific security requirements, including:
  - Encryption of the device’s hard drive.
  - Compliance with the company’s MFA and password policies.
  - Use of an approved password manager (1Password).
- Devices must have security measures like firewalls and anti-malware software enabled.
- Access to sensitive systems from personal devices requires strict monitoring and logging of activities, and personal devices must adhere to the session timeout policy.
- Users accessing systems from their own devices must also report any security incidents or suspected compromises to the Chief Information Security Officer immediately.
Access Reviews
- Access levels are reviewed regularly to ensure the principle of least privilege is maintained.
- The Chief Information Security Officer conducts periodic access reviews and makes modifications as necessary, documenting the changes in the ticketing system.
Cloud Service Providers
- Access controls for cloud services are managed through Terraform, ensuring strict access and logging mechanisms are in place.
- Breakout Learning Inc enforces logical segregation of resources in cloud environments and reviews access regularly to ensure compliance.
Workforce Clearance
- User access is based on the minimum necessary data required to perform legitimate job responsibilities. The principle of least privilege is enforced for all systems.
Unique User Identification
- Each user is assigned a unique login ID and must comply with strong password requirements.
- Default accounts are disabled, and shared accounts are prohibited.
- Passwords are stored securely using a hashing algorithm, such as pbkdf2, bcrypt, or scrypt.
Automatic Logoff
- Systems are set to log off after a predefined period of inactivity, ensuring that sensitive systems are inaccessible when unattended.
Disabling Accounts
- User accounts are disabled immediately upon termination, following the process defined in Appendix A.
Employee Workstation Use
- All company workstations, including those used under BYOD, must comply with the organization’s security policies, including encryption and the use of firewalls.
- Personal devices are not permitted to access company systems unless they meet the security standards outlined in the BYOD policy.
Employee Termination/Offboarding Procedures
- Upon termination, the Chief Information Security Officer is notified, and access is disabled within one business day.
- User accounts that have been inactive for an extended period may be deactivated as part of regular access reviews.
APPENDIX A: Disabling Accounts
- Accounts identified as high risk will be disabled, with the duration and timing based on the risk assessment.
APPENDIX B: Access Requirements for Cloud Service Providers
- All cloud access roles are managed through Terraform, ensuring that access modifications are strictly controlled, logged, and auditable.
Revision History
| Version | Date | Editor | Approver | Description of Changes |
| --- | --- | --- | --- | --- |
| 1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations |
| 1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version |