Access Control Policy
Requirements for managing access to information systems and data
Document Information
- Company: PrivionGRC, Inc.
- Effective Date: October 17, 2025
- Version: 1.0
- Policy Owner: Matt Fishman, CEO
- Review Frequency: Annual
Contact Information
- Email: mfishman@priviongrc.com
- Location: San Diego, CA
1. Purpose
This Access Control Policy establishes requirements for managing access to PrivionGRC information systems, applications, and data to ensure that only authorized individuals have access to resources appropriate to their role and responsibilities.
2. Scope
This policy applies to:
- All PrivionGRC employees, contractors, and vendors
- All information systems and applications (production, staging, development)
- Customer data and business-critical information
- Administrative and privileged access
- Physical and logical access controls
3. Policy Statement
Access to PrivionGRC systems and data shall be:
- Granted based on the principle of least privilege
- Approved by authorized managers or system owners
- Reviewed regularly to ensure appropriateness
- Revoked immediately upon termination or role change
- Protected by strong authentication mechanisms
4. User Account Management
4.1 Account Provisioning
New Employees:
- Access requests submitted via IT ticketing system
- Manager approval required before provisioning
- Role-based access assigned based on job function
- Accounts activated on start date, not before
Contractors/Vendors:
- Limited access based on specific needs
- Time-limited accounts (expiration date set)
- Sponsor/manager approval required
- Additional restrictions as appropriate
Access Request Requirements:
- Employee/contractor name and email
- Job role and department
- Specific systems/applications needed
- Business justification
- Manager/sponsor approval
4.2 Account Modification
Access changes require:
- Formal request via IT ticketing system
- Manager approval
- Documentation of reason for change
- Review of existing access before adding new access
4.3 Account Termination
Voluntary Termination:
- HR notifies IT on resignation notice
- Access revoked on last working day
- Exit interview includes device/credential return
Involuntary Termination:
- HR notifies IT immediately
- Access revoked before termination notification
- All credentials disabled within 1 hour
Role Change:
- Access reviewed and adjusted within 24 hours
- Old access removed if no longer needed
- New access provisioned as appropriate
5. Authentication Requirements
5.1 Password Standards
All passwords must meet these minimum requirements:
- Minimum length: 12 characters
- Complexity: Mix of uppercase, lowercase, numbers, and special characters
- No common words or dictionary terms
- No personal information (name, birthday, etc.)
- Unique passwords for each system
- No password reuse for 12 generations
5.2 Multi-Factor Authentication (MFA)
MFA is REQUIRED for:
- All user accounts (employees, contractors)
- Administrative/privileged access
- Access to production systems
- Access to customer data
- Remote access (VPN, cloud services)
- Email and collaboration tools
Approved MFA Methods:
- Time-based One-Time Password (TOTP) - Preferred
- SMS text codes (allowed but not recommended)
- Hardware security keys (YubiKey, etc.)
- Biometric authentication (where supported)
MFA is NOT required for:
- Read-only access to non-sensitive systems
- Public documentation repositories
- Marketing websites
5.3 Session Management
- Session timeout: 30 minutes of inactivity
- Absolute timeout: 12 hours (re-authentication required)
- Concurrent sessions: Limited to 3 devices per user
- Screen lock: Required after 10 minutes of inactivity
6. Role-Based Access Control (RBAC)
6.1 User Roles
Access is granted based on predefined roles:
| Role | Description | Access Level | MFA Required |
|---|---|---|---|
| Viewer | Read-only access | View data only | |
| User | Standard user | Create/edit records | |
| Admin | Organization admin | Full org management | |
| DPO | Data Protection Officer | Multi-org access | |
| License Admin | License holder manager | Billing, org management | |
| Super Admin | Platform administrator | Full system access | |
6.2 Principle of Least Privilege
- Users granted minimum access necessary for job function
- Admin access only when specifically required
- Temporary elevated access for specific tasks
- Regular review to remove unnecessary permissions
7. Privileged Access Management
7.1 Administrative Access
Administrative accounts must:
- Be separate from regular user accounts (no shared use)
- Require MFA (no exceptions)
- Be logged and monitored extensively
- Be reviewed monthly for appropriateness
Privileged Access Includes:
- Database administrator (DBA) access
- Infrastructure/cloud admin (AWS, Supabase, Netlify)
- Source code repository admin
- Production system access
- Customer data access
7.2 Service Accounts
Service accounts must:
- Have descriptive names indicating purpose
- Use API keys or certificates (not passwords)
- Be documented with owner and purpose
- Be reviewed quarterly
- Be rotated annually or when owner changes
7.3 Emergency Access
"Break-glass" emergency accounts:
- Stored securely (sealed envelope or password manager)
- Require multiple approvals to use
- Trigger immediate alerts when accessed
- Require full audit and documentation after use
8. Access Reviews
8.1 Regular Reviews
| Review Type | Frequency | Scope | Owner |
|---|---|---|---|
| User access | Quarterly | All users | Manager + IT |
| Admin access | Monthly | Privileged accounts | CTO |
| Service accounts | Quarterly | All service accounts | IT |
| Terminated users | Weekly | Cleanup check | IT |
| Vendor access | Quarterly | All third-party access | Procurement + IT |
8.2 Review Process
- IT generates access reports
- Managers review and approve/deny
- Inappropriate access is removed immediately
- Results documented and retained for audit
9. Remote Access
9.1 Approved Remote Access Methods
Approved:
- HTTPS web applications (with MFA)
- VPN (when required for infrastructure access)
- SSH with key-based authentication (production systems)
Prohibited:
- Direct database access (blocked by firewall)
- RDP without VPN (not allowed)
9.2 Remote Work Requirements
Employees working remotely must:
- Use company-approved devices
- Enable full-disk encryption
- Use MFA for all accounts
- Not share credentials with family members
- Lock screen when away from device
- Report lost/stolen devices immediately
12. Access Logging and Monitoring
All access events must be logged:
- Successful logins
- Failed login attempts
- Privilege escalations
- Access to sensitive data
- Administrative actions
- Account changes (creation, modification, deletion)
Log Retention: 1 year minimum (2 years for privileged access)
Failed Login Attempts
Account Lockout:
After 5 consecutive failed login attempts:
- Account automatically locked for 15 minutes
- Security alert generated
- User must reset password if pattern continues
After 10 failed attempts in 24 hours:
- Account locked permanently
- IT helpdesk intervention required
- Incident investigation initiated
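The lockout rules above, worked through as an added example that is not part of the policy or of any PrivionGRC system: a small Python enforcement model that replays constructed login events for one account and applies the 5-consecutive-failure temporary lock and the 10-failures-in-24-hours permanent lock. The thresholds are the policy's; how attempts made during a lock are treated, and the reset of the consecutive counter after a lock, are assumptions marked in the code.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
# Thresholds from the policy: 5 consecutive failures -> 15 minute lock,
# 10 failures within 24 hours -> permanent lock until IT helpdesk intervenes.
TEMP_LOCK_AFTER, TEMP_LOCK_FOR = 5, timedelta(minutes=15)
PERM_LOCK_AFTER, PERM_LOCK_WINDOW = 10, timedelta(hours=24)

@dataclass
class AccountState:
    consecutive_failures: int = 0
    failure_times: List[datetime] = field(default_factory=list)  # failures in the last 24h
    locked_until: Optional[datetime] = None
    permanently_locked: bool = False
    alerts: List[str] = field(default_factory=list)  # security alerts to raise

def process_login(state: AccountState, ts: datetime, success: bool) -> str:
    """Apply one login attempt and return the decision for the access log."""
    # Only failures inside the rolling 24 hour window count toward the permanent lock.
    state.failure_times = [t for t in state.failure_times if ts - t < PERM_LOCK_WINDOW]
    if state.permanently_locked:
        return "rejected: permanent lock, helpdesk intervention required"
    if state.locked_until is not None and ts < state.locked_until:
        # Assumption: attempts during a lock are refused before credentials are
        # checked, so they add to neither failure counter.
        return "rejected: temporary lock"
    if success:
        state.consecutive_failures = 0  # a good login ends the consecutive run
        state.locked_until = None
        return "accepted"
    state.consecutive_failures += 1
    state.failure_times.append(ts)
    if len(state.failure_times) >= PERM_LOCK_AFTER:
        state.permanently_locked = True
        state.alerts.append(f"{ts.isoformat()} PERMANENT LOCK: open incident, notify helpdesk")
        return "rejected: permanent lock, helpdesk intervention required"
    if state.consecutive_failures >= TEMP_LOCK_AFTER:
        state.locked_until = ts + TEMP_LOCK_FOR
        state.consecutive_failures = 0  # assumption: the run restarts after a lock
        state.alerts.append(f"{ts.isoformat()} TEMP LOCK until {state.locked_until.isoformat()}")
        return "rejected: temporary lock"
    return "rejected: invalid credentials"
T0 = datetime(2025, 10, 17, 9, 0)  # constructed start time for the samples below
def replay(events: List[Tuple[int, bool]], start: datetime = T0) -> Tuple[List[str], AccountState]:
    """Replay (minutes after start, success) pairs for one account; return decisions and state."""
    state = AccountState()
    return [process_login(state, start + timedelta(minutes=m), ok) for m, ok in events], state
# Constructed sample: five failures a minute apart, then a retry inside the 15 minute lock.
SAMPLE = [(i, False) for i in range(5)] + [(10, False)]
```

Feeding real authentication log events into `process_login` in timestamp order gives both the enforcement decision and the alert list that section 12 expects to be generated.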
16. Policy Compliance
16.1 Monitoring
IT will monitor for:
- Unauthorized access attempts
- Policy violations (password sharing, MFA bypass)
- Unusual access patterns
- Insider threat indicators
16.2 Violations
Policy violations may result in:
- First offense: Written warning + mandatory training
- Second offense: Access suspension + manager review
- Third offense: Termination of employment/contract
- Criminal activity: Law enforcement notification
18. Related Policies
- Information Security Policy
- Password Policy
- Incident Response Policy
- Remote Work Policy
- Acceptable Use Policy
- Data Classification Policy
For Questions Regarding This Policy
Contact Matt Fishman, CEO: mfishman@priviongrc.com
San Diego, CA