Access Control Policy
Purpose
The purpose of this policy is to establish consistent requirements for user access control, password security, and authentication management across all IT systems, applications, and cloud environments. The policy is intended to:
- Prevent unauthorised access to Company systems and data
- Support regulatory requirements and applicable data protection laws
Scope
This policy applies to:
- All employees, contractors, vendors, and third parties with access to Company information systems, cloud platforms, corporate applications, and on-premises assets
- All forms of identities, including privileged accounts, admin/root accounts, IAM identities, service accounts, and API keys
Policy Owner
The Information Security Team is responsible for maintaining this policy, ensuring periodic reviews, and monitoring compliance.
Access Control Principles
1. Least Privilege
- Users and systems must be provisioned only with the minimum level of access required for their role
- Elevated/privileged accounts must be restricted, monitored, and approved
2. Role-Based Access Control (RBAC)
- User access should be managed through predefined groups and roles rather than direct assignments, where feasible
3. Access Reviews
- Access rights must be reviewed at least quarterly for compliance with role requirements
- Inactive or unused accounts must be promptly disabled or removed
4. Joiner–Mover–Leaver Process
- Access provisioning, modification, and revocation must follow a documented lifecycle process
- Departing employees must have all access removed within 24 hours of departure
Password Policy Requirements
| Policy Setting | Requirement |
|---|---|
| Password Changes | Users are enabled to change their own passwords |
| Password Expiration | Enabled |
| Hard Password Expiry | Disabled |
| Maximum Password Age | 90 days |
| Minimum Password Length | 12 characters |
| Password Reuse Prevention | The previous 4 passwords cannot be reused |
| Character Requirements | Lowercase letters, uppercase letters, numbers, and special symbols all required |
| Failed Login Attempts | Temporary lockout after 3 failed attempts |
| Lockout Duration | 15 minutes |
| Root Account Access | MFA required |
| IAM User Access | MFA required for all users |
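As an added example (not part of this policy), the check below audits an account-level password policy against the table above. It assumes the policy is supplied in the shape of AWS IAM's GetAccountPasswordPolicy response, whose setting names match the table's rows; the lockout and MFA rows are not part of that API and are not covered by this check.

```python
# Added example: audit an account-level password policy against the table
# above. Assumption: the dict follows the shape of AWS IAM's
# GetAccountPasswordPolicy response, whose setting names match the table.

REQUIRED_POLICY = {
    "AllowUsersToChangePassword": True,  # Password Changes: enabled
    "ExpirePasswords": True,             # Password Expiration: enabled
    "HardExpiry": False,                 # Hard Password Expiry: disabled
    "MaxPasswordAge": 90,                # days
    "MinimumPasswordLength": 12,
    "PasswordReusePrevention": 4,        # previous 4 passwords blocked
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "RequireUppercaseCharacters": True,
}
# A stricter value than the table still complies: a shorter maximum age,
# a longer minimum length or a deeper reuse history.
STRICTER_IS_LOWER = {"MaxPasswordAge"}
STRICTER_IS_HIGHER = {"MinimumPasswordLength", "PasswordReusePrevention"}

def audit_password_policy(policy: dict) -> list[str]:
    """Return findings as 'setting: expected X, got Y'; empty means compliant.
    A missing key is treated as the setting being off, which is how the API
    reports unconfigured settings (no MaxPasswordAge key = never expires)."""
    findings = []
    for setting, required in REQUIRED_POLICY.items():
        actual = policy.get(setting, False if isinstance(required, bool) else 0)
        if setting in STRICTER_IS_LOWER:
            ok = 0 < actual <= required   # 0 / missing means never expires
        elif setting in STRICTER_IS_HIGHER:
            ok = actual >= required
        else:
            ok = actual == required
        if not ok:
            findings.append(f"{setting}: expected {required}, got {actual}")
    return findings

# Constructed sample: short minimum length, 180-day rotation, hard expiry on,
# and no reuse-prevention key at all.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 180, "HardExpiry": True,
}

if __name__ == "__main__":
    print("\n".join(audit_password_policy(SAMPLE_POLICY)) or "compliant")
```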
Access Control Guidelines
All user accounts must follow the password requirements outlined above
Password changes:
- Users are permitted to change their own passwords
- Must meet all complexity requirements
- Cannot reuse previous 24 passwords
- Must be changed every 90 days
Password complexity:
- Minimum 12 characters in length
- Must contain at least one:
  - Lowercase letter
  - Uppercase letter
  - Number
  - Special symbol/character
Account security:
- Passwords expire after 90 days, requiring a reset
- Hard password expiry is disabled to prevent sudden account lockouts
- Failed login attempts should be monitored and logged
- Account lockout after 3 failed login attempts for 15 minutes
- Multi-factor authentication (MFA) is required for root account access
- MFA required for all IAM users
Password storage and transmission:
- Passwords must be stored in hashed format using strong cryptographic algorithms
- Passwords must be transmitted securely using encryption
- Plain-text passwords should never be logged or stored
Logging, Monitoring, and Compliance:
- All authentication and authorisation activities must be logged and protected from tampering
- Continuous monitoring must be performed using security monitoring tools or equivalent services
- Unauthorised access attempts, excessive login failures, or suspicious activity must trigger alerts
- Regular (quarterly) reviews of access reports, credential usage, and policy compliance must be conducted
- Exceptions must be formally documented, risk assessed, and approved by Security leadership
This policy will be reviewed annually and updated as necessary to reflect evolving security requirements and industry best practices.