Access Control Policy

Version: v-3.7 | Effective Date: November 1, 2022

  • Document Created: October 12, 2022
  • Last Reviewed: January 15, 2025
  • Next Review Date: January 2026
  • Approved By: Chief Technology Officer
  • Policy Owner: Security Officer

1.1 Purpose

This Access Control Policy establishes the standards, procedures, and controls governing access to Blue Whale Apps’ information systems, applications, data repositories, and physical facilities. The policy ensures that access rights are granted, modified, and revoked in accordance with business requirements, regulatory obligations, and security best practices to protect organizational assets and customer information from unauthorized access, modification, disclosure, or destruction.

1.2 Scope

This policy applies to:

  • All employees, contractors, consultants, temporary workers, vendors, and third parties requiring access to Blue Whale Apps systems or facilities
  • All information technology assets including servers, workstations, applications, databases, network devices, and cloud services
  • Physical access to company facilities and secure areas
  • Remote access connections and mobile device access
  • Administrative and privileged accounts

1.3 Definitions

  • Access Control: Security measures that regulate who or what can view or use resources in a computing environment.
  • Principle of Least Privilege: Security concept requiring that users be granted the minimum access rights necessary to perform their job functions.
  • Privileged Account: User account with elevated permissions allowing administrative functions or access to sensitive systems.
  • User Entitlement: Specific permissions, roles, or access rights assigned to a user account.
  • Access Certification: Periodic review process validating the appropriateness of assigned access rights.

1.4 Policy Statements

1.4.1 Access Authorization and Provisioning

Access to Blue Whale Apps systems and data shall be authorized based on documented business need and the principle of least privilege. All access requests require approval from the resource owner and appropriate management authority before provisioning.

New user accounts are created only after completion of the hiring or contractor onboarding process, submission and approval of an access request form, verification of employment status with Human Resources, and acknowledgment of security policies and acceptable use requirements.

Each user receives a unique identifier tied to their identity for accountability, audit trail purposes, and non-repudiation.

1.4.2 Access Review and Entitlement Certification

User access rights and entitlements are reviewed and certified quarterly to verify continued appropriateness based on current job responsibilities. The certification process includes review of all active accounts and assigned permissions, validation that access aligns with current job function, identification and removal of unnecessary or excessive privileges, and documentation of review findings and remediation actions.

Access reviews are conducted by resource owners and managers with oversight from the Security Officer. Discrepancies identified during reviews are remediated within 10 business days.

1.4.3 Access Termination and Revocation

Upon termination, resignation, or end of contract, all access rights are revoked immediately on the separation date. The access revocation process includes same-day actions to disable or delete user accounts across all systems, revoke VPN and remote access capabilities, disable the email account or convert it to forwarding, revoke physical access badges and facility keys, remotely wipe company-issued mobile devices, and collect company equipment and assets.

Human Resources notifies IT and Security teams of pending terminations at least 24 hours in advance when possible. For immediate terminations, notification occurs as soon as the decision is made to enable same-business-day revocation. IT confirms completion of access revocation and documents actions taken.

1.5 Responsibilities

  • Chief Technology Officer: Approve this policy and major updates, provide resources for policy implementation, review access control metrics and audit findings.
  • Security Officer: Oversee policy implementation and compliance, conduct periodic access reviews and audits, approve privileged access requests, investigate access control violations, maintain access control documentation.
  • IT Department: Implement technical access controls, provision and deprovision user accounts, configure role-based access controls, generate access review reports, coordinate termination procedures with HR.
  • Human Resources: Notify IT of new hires, terminations, and role changes, verify employment status for access requests, maintain employee records supporting access decisions.
  • Managers and Resource Owners: Approve access requests for team members, participate in quarterly access certification, report access control issues or concerns, ensure team members have appropriate access.
  • Users: Use systems only for authorized purposes, protect credentials and authentication factors, report suspected unauthorized access, comply with access control requirements.

1.6 Compliance

This policy supports compliance with ISO/IEC 27001:2022 (A.5.15, A.5.18, A.8.2, A.8.3), NIST Cybersecurity Framework (PR.AC), and SOC 2 Type II Trust Services Criteria (CC6.1, CC6.2, CC6.3). Violations of this policy may result in disciplinary action up to and including termination, revocation of system access privileges, legal action for willful violations, and notification to law enforcement for criminal activity.

1.7 Related Documents

  • Information Security Policy
  • Password Policy
  • Acceptable Use Policy
  • Third Party Management Policy
  • Physical Security Policy
  • Incident Response Policy