ACCESS CONTROL POLICY

Objectives

All information assets, and their supporting assets, shall be afforded such protection as is necessary to ensure their confidentiality, integrity, and availability can be maintained to acceptable levels. This shall include the selection and implementation of suitable controls to prevent loss or damage by unauthorized access, unauthorized amendment, and deliberate and/or accidental damage.

Scope

GrowMore Recruitment’s Access Control Policy includes the following:

Information Assets

All information assets (data) either owned by GrowMore Recruitment or entrusted to GrowMore Recruitment by a client/user under an agreement that specifically details GrowMore Recruitment’s data responsibility, including but not limited to:

  • Information assets held, processed, or stored at Fozzy facilities under accounts owned by GrowMore Recruitment used to facilitate GrowMore Recruitment product offerings. 

Supporting Assets

All supporting assets (non-data) which by direct or indirect association are an integral part of ensuring the confidentiality, integrity, or availability of the information assets described above, including:

  • GrowMore Recruitment personnel (including permanent, temporary, full-time and part-time employees, authorized contractors, and any third-party users of information systems)
  • Hardware (including network infrastructure, laptop computers, desktop computers, storage infrastructure, and mobile devices)
  • Software (including operating systems, commercially available software applications, and software applications developed internally by GrowMore Recruitment)

Documentation and Records

All policies, processes, procedures, work instructions and records related to the management, use, control and disposal of the information assets and any supporting assets detailed above.

Policy

General Access Control Policy Statements: 

  • GrowMore Recruitment shall operate all access control activities upon the principle that default permissions are set as “deny all”, and specific permission is needed to enable specific access to be granted, in line with the individual’s role and bona fide business needs.
  • Each Asset Owner shall be responsible for reviewing, authorizing, and recording the details of those persons who have legitimate access to their asset(s). Access permissions shall be reviewed frequently to ensure they remain accurate and current and are adjusted as necessary.
  • All access and privileges shall be promptly and fully revoked at the point when an employee leaves the employment of the organization. A similar obligation shall be placed upon the organizations responsible for contractors or third-party users.
  • The level of protection and access to an information asset shall be in line with:
    • The business need for the individual to access the asset
    • The security classification of the asset
    • The security of the environment in which the information asset is to be accessed
    • The security clearance and competencies of the persons requiring access
    • The requirements of the GrowMore Recruitment Acceptable Use Policy
  • All access controls shall be configured and managed to record both successful and unsuccessful access events. Access control records shall be reviewed on a regular basis, and any suspicious activities logged as an Information Security Incident for prompt investigation.
  • Active sessions should be terminated when no longer needed.
  • Any unattended equipment or login session shall be locked to protect against unauthorized access.

User Identification and Authentication

  • All users accessing information assets electronically shall have a unique User ID assigned by GrowMore Recruitment, which shall be used to access only those information assets for which the user has been specifically authorized and has a bona fide and ongoing business need.
  • Users shall not use generic User ID details to access information assets, nor shall they use super-user accounts, e.g. supervisor or administrator privileges, unless such privileged account access is essential under the prevailing circumstances.
  • Users shall ensure their User ID is supported by personal passwords which fully comply with the GrowMore Recruitment Password Management Policy.

Remote Access Policy by Internal Users

  • GrowMore Recruitment shall ensure all network connections to IT systems and information assets are at all times protected from unauthorized access, while simultaneously permitting and recording the legitimate connections of authorized internal users. A request for access shall be reviewed by the asset owner and records of access granted shall be maintained and retained.
  • Remote access shall only be authorized via GrowMore Recruitment-owned equipment, and using the pre-installed connection configuration (e.g. VPN) installed thereon. No user shall attempt to connect to GrowMore Recruitment networks or IT systems using non-Company equipment or non-approved software or utilities unless permitted by the Acceptable Use of Mobile Devices.
  • All internal users shall receive appropriate communications and formal training to support the approved method of connecting remotely.

Remote Access Policy by External Users

  • GrowMore Recruitment shall ensure all network connections to IT systems and information assets are at all times protected from unauthorized access, while simultaneously permitting and recording the legitimate connections of authorized external users. A request for access shall be reviewed by the asset owner and records of access granted shall be maintained and retained.
  • Remote access shall only be authorized via equipment that has been verified as being acceptable for facilitating remote connections, and upon which a pre-installed connection configuration (e.g. VPN) agreed by GrowMore Recruitment has been installed. No user shall attempt to connect to GrowMore Recruitment networks or IT systems using non-approved equipment or non-approved software or utilities.
  • All external user connections for which a valid business case has been authorized shall be controlled by a GrowMore Recruitment firewall, router or equivalent network security device. External users shall not be permitted to use GrowMore Recruitment networks as a route of through connectivity to a destination outside GrowMore Recruitment.
  • All external user connections shall be protected by anti-virus (AV) software (as detailed within the Acceptable Use Policy). Such software should be identical to the AV software currently authorized for use by GrowMore Recruitment, or if not, shall be subject to review and acceptance by GrowMore Recruitment prior to the external connection being authorized.

Termination of Remote Access Connectivity

  • At the point of termination of an employee, contractor, or third-party user, all remote access in place shall immediately be revoked by the Technology Lead upon receipt of an approved request seeking revocation. The Technology Lead shall regularly review authorized access to the asset and immediately remove any internal user who no longer has a valid business need to access the asset concerned.
  • At the point of contract termination with an external organization (including clients, contractors, and suppliers), all remote access in place shall immediately be revoked by the Technology Lead upon receipt of an approved request seeking revocation. 

Responsibilities

  • The Technology Lead shall be responsible for reviewing, authorizing (or denying), and managing all access to their asset(s). They shall be responsible for undertaking frequent reviews to ensure all access permissions remain valid for bona fide business reasons.
  • The Technology Lead shall escalate any information security incidents arising as a result of access control breaches or failures.
  • All employees, contractors, third-party users, and external users of company information systems shall comply with the requirements of this Access Control Policy at all times. Any failure to adhere to the requirements of this Policy shall result in disciplinary action.