Access Control Policy

Purpose

Access to data / services used by Opus Works is tightly controlled via a number of methods below.

Data and services includes, but is not limited to:

• Document and file repositories (e.g. Google Drive)
• Collaborative tools (e.g. Confluence)
• Delivery Tracking Tools / Agile Life-cycle Management Tools (e.g. JIRA)
• Cloud Services (e.g. AWS, Azure, Google Cloud Platform)

Client-provided services are exempt from this policy, although all Opus Works staff and contractors must comply with the customer’s Access Control Policy.

Scope

This policy applies to all Opus Works employees and contractors.

Policy

User Access Management

The administrators of each system are responsible for allocating and authorising user access rights to that system.

Privileges are allocated on a need-to-use and event-by-event basis and can be initiated via email or Slack.

The ISMS Comittee periodically reviews system access for all internal systems to check:

• That users have been deactivated or removed as appropriate.
• Unauthorised privileges have not been obtained.

User Responsibilities

• Adhere to the Password Policy
• Adhere to the Laptop Policy
• Adhere to the Information Sensitivity Policy

Secure log-on

• We only use systems which require authentication and follow best practice for authentication.
• Wherever possible, Google Authentication is used to simplify account management.
• Multi-factor authentication is required for Google, GitHub and AWS accounts, and is recommended for use wherever possible

Network Access Control

• Opus Works considers all networks to be untrustworthy.
  • Opus Works does not operate a trusted network (intranet) in order to control access to services.
  • Access control is provided by mechanisms which can operate on untrusted networks.

Policy Compliance

Compliance Measurement

The ISMS Committee will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the ISMS Committee in advance.

Related Standards, Policies and Procedures

• Password Policy
• Information Sensitivity Policy
• Acceptable Usage
• Clear Desk

back