Access Control Policy
1.0 OVERVIEW
The Company will establish specific requirements for protecting information, applications, databases, and information systems against unauthorized access. Access to critical data needs to be limited to users with a need-for-access to fulfill their job responsibilities.
2.0 PURPOSE & BACKGROUND
Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important asset which must be managed with care.
Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorized use.
Formal procedures must control how access to information is granted and how such access is changed.
a. The purpose of this policy is to define procedures to onboard and offboard users to technical infrastructure in a manner that minimizes the risk of information loss or exposure.
b. This policy applies to all technical infrastructure within the organization.
c. This policy applies to all full-time and part-time employees and contractors.
In order to minimize the risk of information loss or exposure (from both inside and outside the organization), the organization is reliant on the principle of least privilege. Account creation and permission levels are restricted to only the resources absolutely needed to perform each person’s job duties. When a user’s role within the organization changes, those accounts and permission levels are changed/revoked to fit the new role and disabled when the user leaves the organization altogether.
3.0 ELIGIBILITY
This policy applies to all Company employees, contractors, consultants, and application and system support staff with access to privileged administrative passwords. Contractual third parties (vendors) and agents of the Company are granted any form of access to information and information systems only on the basis of least privilege and business need, in accordance with ISO 27001:2022 requirements.
4.0 POLICY
Formal user access control procedures must be documented, implemented and kept up to date for each application and information system to ensure authorized user access and to prevent unauthorized access. They must cover all stages of the lifecycle of user access, from the initial request of new users to the final revocation of users who no longer require access. Each user must be allocated access rights and permissions to computer systems and data that:
- Are commensurate with the tasks they are expected to perform.
- Are tied to a unique login that is not shared with or disclosed to any other user.
- Are protected by an associated unique password that is requested at each new login.
User access rights must be reviewed at regular intervals to ensure that the appropriate rights are still allocated and necessary. Database and System administration accounts must only be provided to users that are required to perform database and system administration tasks.
a. During onboarding:
i. Hiring Manager informs HR upon hire of a new employee.
ii. HR emails CTO to inform them of a new hire and their role.
iii. CTO creates a checklist of accounts and permission levels needed for that role.
iv. The owner of each resource reviews and approves account creation and the associated permissions.
v. CTO works with the owner of each resource to set up the user.
b. During offboarding:
i. Hiring Manager notifies HR when an employee has been terminated.
ii. HR sends email to CTO with a list of users terminated and instructs VP of Engineering to disable their access.
iii. CTO terminates access within one business day from receipt of notification.
When an employee leaves the Company, their access to computer systems and data must be suspended/revoked at the close of business on the employee’s last working day.
c. When an employee changes roles within the organization:
i. Hiring Manager will inform HR of a change in role.
ii. HR and VP of Engineering will follow the same steps as outlined in the onboarding and offboarding procedures.
d. Review of accounts and permissions:
i. Each month, CTO and HR will review accounts and permission levels for accuracy.
User Responsibilities
It is a user’s responsibility to prevent their user ID and password from being used to gain unauthorized access to Company systems by:
- Ensuring that any device (PC, Desktop, Laptop, Server, Tablet, Mobile) they are using that is left unattended is locked or logged out.
- Leaving nothing on display that may contain access information such as login names and passwords.
- Informing the VP of Engineering of any changes to their role and access requirements.
Customer Data Access Control
- User will not access or modify data except where necessary as directed by Customer to provide the services, or resolve or prevent errors.
- Access to production accounts is restricted on a per-user basis and secured using a multi-factor-authentication-enabled VPN that is only accessible via secure management servers.
- Customers must make a direct request to their Account Manager in order to have additional access provisioned or elevated.
- Customers should ask their Account Manager about the possibility of introducing changes. The Account Manager transfers the request to the technical department. Developers create the solution and deploy it.
Multi-Factor Authentication
NEO requires the use of multi-factor authentication for:
- Authentication through NEO Single Sign-On (SSO) provider / Auth0® Authentication Platform
- All internal cloud applications
- Network access for privileged accounts
- Local access to privileged access accounts
- Remote access to both privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system on which the user is gaining remote access
User Authentication for External Connections
Where remote access to the Company network is required, a request must be made via the CTO. Remote access to the network must be secured by VPN and by two-factor authentication consisting of a username and one other factor provided by a component separate from the system on which the user is gaining remote access.
Supplier’s Remote Access to the Company Network
Partner agencies or 3rd party suppliers must not be given details of how to access the Company network without permission from Network Security. Any changes to suppliers’ connections must be reported immediately to the CTO so that access can be updated or revoked.
All permissions and access methods must be controlled by Network Security via CTO.
Partners or 3rd party suppliers must contact the CTO before connecting to the Company network and a log of activity must be maintained. Remote access or remote access software must be disabled when not in use.
Application and Information Access
Access within software applications must be restricted using the security features built into the individual product. The IT Help Desk is responsible for granting access to the information within the system. The access must:
- Be separated into clearly defined roles, based on the Segregation of Duties (SOD) or the Data Classification Matrix (where applicable).
- Give the appropriate level of access required for the role of the user.
- Be unable to be overridden (with the admin settings removed or hidden from the user).
- Be free from alteration by rights inherited from the operating system that could allow unauthorized higher levels of access.
- Be logged and auditable (where possible).
5.0 ROLES & RESPONSIBILITIES
If any user is found to have breached this policy, they may be subject to the Company’s disciplinary procedures. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s).
If you do not understand the implications of this policy or how it may apply to you, seek advice from HR, IT, or your Supervisor.
6.0 COMPLIANCE
In order for security measures to be effective, periodic reviews (Internal Audits) shall be performed to ensure compliance with the established guidelines, policies, and procedures. The Internal Audits will be initiated by the Information Security team and supported by the executive management team with cooperation from all employees, consultants, contractors or anyone doing work on behalf of NEO. Information Security will publish a report to the executive management team that includes any deficiencies found during the audit. The report will include a plan of corrective actions to address the discrepancies and deficiencies discovered by the security review and audit. The frequency of these internal audits depends on the security domain and will be identified in the supporting subject matter policies.