Blooming Brands

Access Control and User Management Policy

Version 1.0 · Review: Annually

Document Title: Access Control and User Management Policy

Version: 1.0

Effective Date: 05/06/2024

Review Frequency: Annually

1. Purpose

The purpose of this policy is to ensure that access to company systems, applications, infrastructure, and information assets is granted, managed, reviewed, and revoked in a secure and controlled manner.

This policy supports the principles of least privilege, need-to-know access, and accountability.

2. Scope

This policy applies to:

  • Employees
  • Contractors
  • Consultants
  • Temporary personnel
  • Third-party users

and all systems owned, managed, or operated by the organization.

3. Access Control Principles

The organization follows:

Least Privilege

Users shall receive only the minimum access necessary to perform their job duties.

Need-to-Know

Access to sensitive information shall be granted only when required for legitimate business purposes.

Separation of Duties

Critical functions should be separated when practical to reduce risk.

4. User Account Management

Account Creation

New accounts must:

  • Be approved by management
  • Be associated with a specific individual
  • Use unique credentials

Shared accounts should be avoided whenever possible.

Account Modification

Access changes shall occur when:

  • Job responsibilities change
  • Projects change
  • Permissions require adjustment

All changes must be documented.

Account Deactivation

Access shall be revoked promptly when:

  • Employment ends
  • Contracts expire
  • Access is no longer required

Inactive accounts may be disabled after a defined period.

5. Authentication Requirements

Password Standards

Passwords must:

  • Be at least 12 characters when supported
  • Be unique
  • Not be reused across critical systems

Password managers are encouraged.

Multi-Factor Authentication

MFA shall be enabled wherever technically feasible, especially for:

  • Administrative accounts
  • Cloud platforms
  • Email systems
  • Production environments

6. Privileged Access Management

Administrative access shall be restricted.

Requirements include:

  • Named accounts
  • MFA enabled
  • Periodic review
  • Logging of administrative actions

Privileges should be elevated only when necessary.

7. Access Reviews

Management shall periodically review user access rights.

Reviews should verify:

  • Access remains appropriate
  • Privileges are justified
  • Unused accounts are removed

Review frequency:

  • At least annually
  • More frequently for critical systems where practical

8. Remote Access

Remote access shall require:

  • Secure authentication
  • Encryption in transit
  • MFA where supported

Public or unsecured devices should not be used to access sensitive systems unless appropriate safeguards exist.

9. Third-Party Access

Third-party access shall:

  • Be approved
  • Be limited in scope
  • Be time-bound when possible
  • Be removed when no longer required

10. Monitoring and Logging

Access activities may be logged and monitored.

Examples include:

  • Authentication attempts
  • Administrative actions
  • Access changes
  • Security-related events

Logs shall be retained according to operational requirements.

11. Exceptions

Exceptions to this policy require documented management approval and risk acceptance.

12. Enforcement

Violations of this policy may result in:

  • Access revocation
  • Disciplinary action
  • Contractual remedies
  • Legal action where appropriate

13. Review

This policy shall be reviewed annually and updated as needed to address business, technology, and regulatory changes.

© 2025 Blooming Brands Inc. All rights reserved.