Annex A - Access Control

Purpose

The purpose of this policy is to establish a framework for access control within AppCan Ltd. This policy outlines the requirements for access control, including the procedures for granting, managing, and revoking access to AppCan’s resources.

Scope

This policy applies to all employees, consultants, partners, and stakeholders who access organizational resources, including but not limited to information systems, applications, data, and physical facilities.

Policy

Access control is one of the most critical components of information security. To ensure that all access to organizational resources is authorized, the following policy statements must be adhered to:

1. Access control shall be implemented based on the principle of “least privilege,” which means that individuals should only have access to the resources necessary to perform their job functions. This principle shall be applied to all access to organizational resources.

2. Access to organizational information shall be granted based on the “Need to Know” principle. This principle mandates that individuals shall only access information that is required for a specific task or duty, regardless of their role, seniority, or level of clearance.

3. All access to organizational resources shall be assigned, managed, and revoked based on a formalized procedure. Access requests shall be approved by a formal authorization process that ensures compliance with the principles outlined in this policy.

4. Access shall be granted based on job roles and duties, which shall be documented in an official job description. The supervisor of the requesting individual shall verify that the access requested is necessary for the job role and then approve the request. Any request for access beyond the documented job role shall require approval by the Information Security Officer.

5. Strong authentication mechanisms shall be implemented to authenticate users accessing the organization’s resources. Passwords alone are not considered strong authentication; they shall be combined with an additional factor, such as multifactor authentication or biometric authentication, commensurate with the sensitivity of the resource being accessed.

6. Access control systems, including access control lists and firewalls, shall be implemented to control access to information systems and resources.

7. Access control logs shall be generated for access to organizational resources and reviewed periodically to detect and investigate any unusual access activity.

8. Access to physical facilities shall be monitored and controlled, and physical access logs shall be generated and reviewed in the same manner.

9. The organization shall periodically review and update access control procedures to ensure they remain current, relevant, and effective.

Exceptions

Exceptions to this policy shall be approved by the Information Security Officer or their designee. Approved exceptions shall be documented and reviewed annually.

Enforcement

Any employee, contractor, vendor, or stakeholder found to violate this policy shall be subject to disciplinary action, up to and including termination of employment or contractual relationship with the organization.

Implementation

The Chief Information Officer is responsible for implementing the Access Control Policy.
