Access Control Policy¶
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |
| Field | Details |
|---|---|
| Document Type | Policy |
| Document Reference | SP-ACP-001 |
| Version | 1.3 |
| Owner | CISO |
| Classification | Confidential |
| Review Cycle | Annual |
Introduction¶
Access control is fundamental to Simpaisa's information security strategy. This policy defines the requirements for managing access to information systems, applications, and data assets to ensure that access is granted only to authorised individuals based on legitimate business needs.
This policy applies to all employees, contractors, third-party suppliers, and any other individuals who require access to Simpaisa's information systems and resources.
Business Requirements for Access Control¶
Access to Simpaisa's information systems shall be controlled based on business and security requirements. The principles of least privilege and need-to-know shall be applied when granting access rights.
All access to information systems shall be formally authorised by the appropriate business owner and implemented by the IT team in accordance with this policy.
User Access Management¶
User Registration and Deregistration¶
A formal user registration and deregistration process shall be implemented for granting and revoking access to all information systems.
-
All new user accounts shall be formally requested and approved before provisioning
-
User identities shall be verified before access is granted
-
Each user shall be assigned a unique identifier (user ID) for accountability
-
Group or shared accounts shall only be used where there is a documented business justification
Access Provisioning¶
Access rights shall be provisioned in accordance with the access control rules defined by system and data owners.
-
Access shall be granted on a least-privilege basis
-
Access requests shall be documented and approved by the relevant manager and system/data owner
-
Access rights shall be reviewed before provisioning to ensure they do not conflict with segregation of duties requirements
Access Removal¶
Access rights shall be removed promptly when no longer required.
-
Access shall be removed immediately upon termination or role change
-
IT shall be notified by HR of all terminations and role changes without delay
-
Access removal shall be confirmed and documented
Privileged Access Management¶
Privileged access rights (administrative access) shall be strictly controlled and monitored.
-
Privileged accounts shall be separate from standard user accounts
-
Privileged access shall only be granted where there is a clear business need
-
Use of privileged accounts shall be logged and regularly reviewed
-
Default and vendor-supplied passwords shall be changed before systems are deployed
External Authentication¶
External users requiring access to Simpaisa systems shall be subject to the same access control requirements as internal users.
-
External access shall be approved by the relevant business owner
-
Multi-factor authentication shall be required for all external access
-
External access sessions shall be time-limited where technically feasible
Supplier Access¶
Third-party supplier access shall be managed in accordance with supplier agreements.
-
Supplier access rights shall be defined in the relevant contract or service agreement
-
Supplier access shall be reviewed at least annually or upon contract renewal
-
Supplier access shall be revoked immediately upon contract termination
Customer Access¶
Customer access to Simpaisa platforms shall be managed through defined onboarding and offboarding processes.
-
Customer access rights shall be defined based on the subscribed service tier
-
Customer accounts shall be subject to the same authentication requirements as internal users
-
Customer access shall be revoked upon account closure or suspension
Access Review¶
All access rights shall be reviewed regularly to ensure they remain appropriate.
-
Access reviews shall be conducted at least every six months for standard users
-
Privileged access reviews shall be conducted quarterly
-
Access review results shall be documented and remediation actions tracked to completion
Limited Access¶
Access to particularly sensitive systems and data shall be restricted to the minimum number of users necessary.
-
Sensitive data access shall require explicit approval from the data owner
-
Access to production environments shall be restricted and monitored
-
Emergency access procedures shall be documented and controlled
System and Application Access Control¶
Access to systems and applications shall be controlled through appropriate technical measures.
-
Systems shall enforce strong authentication for all user access
-
Session timeout and automatic lock shall be enforced on all systems
-
Failed login attempts shall be logged and lockout mechanisms applied after a defined number of failures
-
Access to system utilities and administrative functions shall be restricted to authorised users only
Access Privilege Assignment by Role¶
The following table defines the access privileges assigned by role across Simpaisa's systems:
| Role | Access Level | Systems | Resources |
|---|---|---|---|
| CTO | Administrator | All Systems | All Resources |
| CNO | Administrator | All Systems | All Resources |
| IT Administrator | Administrator | Infrastructure & Security Systems | Servers, Network, Security Tools |
| System Owner | Full Access | Assigned Systems | Assigned Resources |
| Developer | Read/Write | Development & Test Environments | Code Repositories, Dev Databases |
| Operations Staff | Read/Write | Operational Systems | Business Applications, Data relevant to role |
| Finance Staff | Read/Write | Finance Systems | Financial Data |
| HR Staff | Read/Write | HR Systems | Personnel Data |
| Standard User | Read | Business Applications | Data relevant to role |
| External Supplier | Limited | Contracted Systems Only | Contracted Resources Only |
| Customer | Restricted | Customer Portal | Own Account Data |