xcPEP Access Management Policy
1. Purpose and Scope
This Access Management Policy defines the controls and procedures for granting, reviewing, and revoking access to all systems, applications, data, and resources related to the xcPEP SaaS platform. The policy aims to ensure that access is granted only to authorized individuals based on their job function and legitimate business need, adhering to the principles of least privilege and segregation of duties.
2. Principles of Access Control
- Least Privilege: Users are granted the minimum level of access necessary to perform their job functions.
- Need-to-Know: Access to sensitive information is restricted to only those individuals who require it to perform their responsibilities.
- Segregation of Duties: Critical tasks are separated such that no single individual can complete a high-risk operation without collusion.
3. User Lifecycle Management
- Provisioning:
- New user accounts are created only upon formal request and approval, linking to documented business needs.
- Access rights are assigned based on predefined roles.
- For customer users, account creation is managed through the xcPEP platform, with administrative controls for customer administrators.
- De-provisioning:
- Access to systems and data is promptly revoked (e.g., within 24 hours) upon an employee's termination, role change, or departure of a contractor.
- Customer user accounts can be deactivated/deleted by customer administrators. Upon service termination, all customer data and associated user accounts are de-provisioned as per the xcPEP Data Retention and Deletion Policy.
- Modification: Changes to user permissions or roles require formal approval and are logged.
4. Authentication
- Primary Authentication: Users authenticate to the xcPEP platform using secure usernames and passwords. We support integration with industry-standard Single Sign-On (SSO) protocols, such as SAML 2.0, allowing customers to leverage their existing identity providers.
- Strong Authentication: Multi-Factor Authentication (MFA) is mandatory for all administrative access to xcPEP systems and underlying infrastructure (AWS consoles, VPNs). MFA is also available and highly recommended for all end-users.
- Password Policy: We enforce a robust password policy (e.g., minimum length, complexity requirements, prevention of reuse) in line with our xcPEP Information Security Policy.
- User Database Management: User databases are securely managed within our controlled environment, with appropriate encryption and access restrictions.
5. Authorization (Role-Based Access Control - RBAC)
- Role Definition: Predefined roles within the xcPEP application and underlying infrastructure dictate specific functionalities and data access permissions.
- Assignment: User accounts are assigned to specific roles based on their responsibilities.
- Granular Control: The system allows for granular control over application functionality access based on roles, attributes, or hierarchical structures for all users.
- Regular Review: User access rights and role assignments are regularly reviewed (e.g., quarterly) to ensure continued appropriateness.
6. System Access
- Access to underlying AWS infrastructure (servers, databases, network devices) is strictly controlled and limited to authorized personnel.
- Access is typically established via secure channels (e.g., SSH, RDP) over a secure VPN connection, using multi-factor authentication.
- Jump servers or bastion hosts are used for indirect access to production environments, so that administrators do not connect to production systems directly.
7. Session Management
- Secure session IDs are generated for user sessions.
- Configurable active and inactive session timeouts are enforced to automatically terminate idle sessions, reducing the risk of unauthorized access.
- Mechanisms are in place to prevent session hijacking and fixation.
8. Logging and Monitoring
All access attempts (successful and failed), privilege escalation attempts, and significant user activities are logged and continuously monitored for suspicious patterns. Audit trails are maintained for a defined retention period.
9. Responsibilities
- System Administrators: Responsible for implementing and maintaining access controls.
- Security Team: Responsible for defining access control policies, monitoring, and auditing.
- Human Resources: Responsible for notifying IT of employee onboarding, role changes, and termination.
10. Policy Review and Updates
This xcPEP Access Management Policy is reviewed at least annually and updated as necessary to reflect changes in our systems, security posture, and regulatory requirements.