Purpose and Scope
The purpose of this policy is to define procedures to onboard and offboard users to technical infrastructure in a manner that minimizes the risk of information loss or exposure. This policy applies to all technical infrastructure within the organization. This policy applies to all full-time and part-time partners, employees and contractors.
Background
In order to minimize the risk of information loss or exposure (from all internal and external sources), Shuffl is reliant on the principle of least privilege. Account creation and permission levels are restricted to only the resources needed to perform job duties. When a user’s role within the organization changes, those accounts and permission levels are changed/revoked to fit the new role and disabled when the user leaves the organization altogether. All personnel are required adhere to strict non-disclosure and confidentially agreements with respect to data.
Policy
During onboarding:
Hiring Manager informs HR upon hire of a new employee.
HR emails IT to inform them of a new hire and their role.
IT creates a checklist of accounts and permission levels needed for that role.
The owner of each resource reviews and approves account creation and the associated permissions.
IT works with the owner of each resource to set up the user.
During offboarding:
Hiring Manager notifies HR when an employee has been terminated.
IT terminates access within five business days from receipt of notification.
When an employee changes roles within the organization:
Hiring Manager will inform HR of a change in role.
HR and IT will follow the same steps as outlined in the onboarding and offboarding procedures.
Review of accounts and permissions:
Each month, IT and HR will review accounts and permission levels for accuracy.
Standard Controls Satisfied
TSC CC6.1, CC6.2, CC6.3