Authentication & Access Control Policy

Document Version & Control

  • Version: 1.0
  • Last Review Date: 6 Jan 2025
  • Next Review Date: [12 months from last review or upon significant changes]
  • Approver: CTO, DPO

Purpose & Scope
This Authentication & Access Control Policy establishes the standards and procedures for verifying user identities and assigning system privileges to ensure that only authorized personnel have appropriate access to our applications, infrastructure, and data. This policy applies to all employees, contractors, third-party vendors, and service accounts accessing production environments, systems containing client or applicant data, and administrative tools.

Compliance & References

  • Standards & Frameworks: ISO 27001: A.9 (Access Control), SOC 2 (Security), NIST SP 800-63 (Digital Identity Guidelines)
  • Regulations: PDPA (Singapore), GDPR (if applicable)
  • Related Internal Policies:
    • Information Security Policy
    • Data Management & Database Policies
    • Encryption & Key Management Policy
    • Incident Response & Breach Notification Policy
    • Change Management & Release Management Policies

Roles & Responsibilities

  • DPO: Ensures access control measures comply with regulatory and security requirements.
  • CTO: Oversees the technical implementation of authentication solutions, ensuring scalability and reliability.
  • Head of Engineering / DevOps Team: Implements and maintains user directories, MFA solutions, and role-based access control (RBAC).
  • HR / Onboarding Team: Coordinates provisioning and immediate de-provisioning of access for employees and contractors.
  • Internal Audit / Compliance Team: Conducts periodic reviews to ensure adherence to this policy and reports any non-compliance.

Authentication Requirements

  1. Unique User IDs:
    • Assign unique credentials to all users. Shared or generic accounts are not permitted unless approved by the DPO under exceptional circumstances.
    • System accounts must follow documented naming conventions and be clearly identified as non-human accounts.
  2. Multi-Factor Authentication (MFA):
    • MFA is required for all administrative and privileged accounts and for any remote access to production systems.
    • MFA must combine at least two different factor types (e.g., a password plus a TOTP code or hardware token).
  3. Password/Passphrase Standards:
    • Follow AWS-recommended complexity guidelines (e.g., minimum length, mix of character types).
    • Rotate passwords monthly.
    • Do not share, write down, store passwords in plaintext, or transmit them over insecure channels.
  4. SSO Integration:
    • Currently, no SSO solution is in use, except that users may log in with a Scout account linked to Vincere as a third-party integration (iFrame). If SSO is adopted for other applications in the future, it must integrate with MFA for critical systems.
  5. API & Service Account Authentication:
    • Service accounts and APIs must authenticate with secure keys or tokens that are stored and managed securely (e.g., in a secrets vault), never in source code or configuration files.
    • Rotate API keys or tokens every 90 days and immediately upon suspected compromise.

Access Control Requirements

  1. Role-Based Access Control (RBAC):
    • Grant access rights based on the principle of least privilege.
    • Define and document roles, ensuring users only receive the minimum permissions needed for their duties.
  2. Access Approval Process:
    • Use GitHub issues and project management workflows to document and track access requests.
    • Managers must approve new or elevated privileges. For sensitive data/systems, the DPO (or delegate) must also review and approve.
  3. Periodic Access Reviews:
    • Conduct quarterly reviews of user access rights.
    • Revoke or adjust access for individuals who no longer require it due to role changes or project completion.
  4. Separation of Duties (SoD):
    • Assign critical functions to separate individuals or roles to reduce fraud and error risk.
    • Implement dual-approval workflows for highly sensitive actions.
  5. Third-Party & Vendor Access:
    • Vendor access is typically temporary and must follow the same authentication and access control standards.
    • Review and revoke vendor access as soon as it is no longer needed.

Account Lifecycle Management

  1. Onboarding:
    • Provision access only after HR confirmation of employment or contract start.
    • Assign roles and permissions aligned with the user’s job function.
  2. Offboarding:
    • Immediately revoke all access upon termination of employment or contract completion.
    • Disable accounts, remove keys/tokens, and ensure no lingering privileges remain.
  3. Transfer / Role Change:
    • Adjust permissions following internal job transfers or role changes. Remove old, unnecessary permissions promptly.
  4. Dormant Accounts & Inactive Sessions:
    • Disable or remove accounts that remain inactive for 90 days.
    • Session timeouts are the same as for standard user sessions since there are no separate internal admin portals.

Monitoring, Auditing & Incident Response

  1. Logging & Audit Trails:
    • Log all authentication attempts (successful and failed) and administrative access changes.
    • Retain logs per the Logging & Audit Trail Policy and review them regularly for suspicious activity.
  2. Alerts & Notifications:
    • Configure alerts for unusual access patterns (e.g., multiple failed logins, access from unexpected locations).
    • Investigate anomalies and escalate to the security team if a breach is suspected.
  3. Incident Response:
    • Follow the Incident Response & Breach Notification Policy for suspected account compromises.
    • Immediately revoke compromised credentials and require password resets or re-issue MFA tokens.

Compliance & Audit

  • Regulatory Compliance:
    Ensure that all authentication and access control procedures comply with PDPA, GDPR (if applicable), and other relevant regulations.

  • Internal & External Audits:
    Support audits and provide evidence of compliance as needed.
    Remediate audit findings promptly.

  • Policy Exceptions:
    Document and approve any exceptions through a formal risk acceptance process overseen by the DPO and CTO.

Training & Awareness

  • Security Awareness Training:
    All staff must receive regular training on secure authentication practices, including the importance of not sharing passwords, handling MFA tokens securely, and reporting suspicious activity.

Policy Review & Maintenance

  • Review Cycle:
    Review this policy at least annually or after major changes in technology, regulations, or security incidents.
    Update processes, tools, and controls as needed based on lessons learned and industry best practices.

Copyright © 2024. All Rights Reserved by TechKnowledgey Pte Ltd. Scout is an AI-powered, all-in-one talent sourcing tool built for recruiters, by recruiters.