InContext Solutions
Information Security
Last reviewed: 2025-04-01

Access Control Policy

1. Overview

This policy establishes the access control requirements for InContext Solutions' information systems, applications, and data. Access control is a fundamental security measure that ensures only authorized individuals can access organizational resources, and only to the extent necessary to perform their assigned duties.

The objective of this policy is to minimize the risk of unauthorized access, data breaches, and insider threats by defining clear procedures for granting, managing, reviewing, and revoking access across all systems and environments.

2. Scope

This policy applies to:

  • Personnel — All employees, contractors, consultants, temporary workers, and other individuals affiliated with InContext Solutions or its third-party partners
  • Systems and applications — All information systems, business applications, databases, cloud services, network infrastructure, and development environments owned or operated by InContext Solutions
  • Data — All data classifications including public, internal, confidential, and restricted data as defined by organizational data management standards
  • Access methods — All forms of access including on-premises, remote, programmatic, and third-party access

3. Access Control Principles

All access control decisions at InContext Solutions are governed by the following principles:

  • Least Privilege — Users are granted the minimum level of access required to perform their job functions. No access is granted by default; all access must be explicitly authorized.
  • Need-to-Know — Access to information is restricted to individuals who require that information to fulfill their specific responsibilities. Organizational role alone does not constitute sufficient justification for broad access.
  • Separation of Duties — Critical functions are divided among different individuals to reduce the risk of fraud, error, or misuse. No single individual should control all aspects of a critical transaction or process.
  • Defense in Depth — Multiple layers of access controls are implemented so that the failure of a single control does not result in unauthorized access. Controls include network segmentation, application-level permissions, and data-level restrictions.
  • Default Deny — Access is denied by default. Systems and applications are configured to reject access unless an explicit allow rule is in place.

4. User Account Management

Account Provisioning

User accounts are provisioned through a formal request and approval process:

  1. The hiring manager or department head submits an access request specifying the systems, applications, and roles required for the new user
  2. The request is reviewed and approved by the appropriate system owner or data custodian
  3. The IT team creates the account with the approved access levels
  4. The new user receives credentials through a secure channel and is required to change their initial password upon first login

All provisioned accounts must comply with the password standards defined in the Password Construction Policy.

Account Modifications

Changes to existing access levels follow the same request and approval process as initial provisioning. Modifications include role changes, transfers between departments, and requests for additional system access. The previous access levels are reviewed during any modification to ensure they remain appropriate.

Offboarding and Deprovisioning

Access for terminated employees must be revoked within 24 hours of their separation from InContext Solutions. For involuntary terminations, access is revoked immediately upon notification by Human Resources.

The offboarding process includes:

  • Disabling or deleting the user's accounts across all systems, applications, and cloud services
  • Revoking VPN and remote access credentials
  • Recovering company-owned devices and access tokens
  • Revoking access to shared resources, collaboration platforms, and email distribution lists
  • Reviewing and reassigning ownership of any shared accounts or resources held by the departing individual
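A reconciliation check for the deprovisioning deadlines above, written as an added example (it is not part of the InContext Solutions policy or tooling): it joins an HR separation feed against a directory export of still-enabled accounts and grades each leftover account as "pending" (inside the 24-hour window), "high" (voluntary separation, window exceeded) or "critical" (involuntary separation, where revocation is required immediately). The HR records, account export, system names and clock value are constructed sample data.

```python
"""Reconcile HR separations against accounts that are still enabled, and grade
each leftover account against the deprovisioning deadlines in this policy:
24 hours for a voluntary separation, immediate for an involuntary one.

Added example, not part of the InContext Solutions policy. The HR feed,
directory export and clock value are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

SLA_VOLUNTARY = timedelta(hours=24)

# Constructed HR feed: who separated, when, and whether it was involuntary.
HR_SEPARATIONS = [
    {"user": "alice", "separated_at": "2025-03-03T17:00:00Z", "involuntary": False},
    {"user": "bob",   "separated_at": "2025-03-04T09:30:00Z", "involuntary": True},
    {"user": "carol", "separated_at": "2025-03-01T12:00:00Z", "involuntary": False},
]

# Constructed directory / IdP export: one row per account per system.
ACCOUNTS = [
    {"user": "alice", "system": "okta",   "enabled": False},
    {"user": "alice", "system": "vpn",    "enabled": True},   # missed during offboarding
    {"user": "bob",   "system": "okta",   "enabled": True},   # involuntary, still enabled
    {"user": "carol", "system": "okta",   "enabled": False},
    {"user": "carol", "system": "github", "enabled": False},
    {"user": "dave",  "system": "okta",   "enabled": True},   # current employee, not in HR feed
]

# Constructed "current time" so the example is deterministic.
NOW = datetime(2025, 3, 4, 20, 0, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def enabled_systems(accounts):
    """Map user -> sorted list of systems where that user still has an enabled account."""
    out = {}
    for a in accounts:
        if a["enabled"]:
            out.setdefault(a["user"], []).append(a["system"])
    return {u: sorted(s) for u, s in out.items()}


def deprovisioning_findings(separations, accounts, now):
    """One finding per separated user who still has any enabled account."""
    still_enabled = enabled_systems(accounts)
    findings = []
    for sep in separations:
        systems = still_enabled.get(sep["user"])
        if not systems:
            continue  # fully deprovisioned, nothing to report
        elapsed = now - parse_ts(sep["separated_at"])
        if sep["involuntary"]:
            severity = "critical"   # must be revoked immediately upon HR notification
        elif elapsed > SLA_VOLUNTARY:
            severity = "high"       # past the 24-hour window
        else:
            severity = "pending"    # inside the window: track, escalate if it lapses
        findings.append({
            "user": sep["user"],
            "systems": systems,
            "hours_since_separation": round(elapsed.total_seconds() / 3600, 1),
            "severity": severity,
        })
    return findings


def run_example():
    """Run the reconciliation over the constructed data."""
    return deprovisioning_findings(HR_SEPARATIONS, ACCOUNTS, NOW)


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

Users absent from the HR feed (dave above) are never flagged; the check only proves that every known separation was acted on, so it depends on the HR feed being complete and should run on every feed update, not just at review time.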

Shared and Generic Accounts

The use of shared or generic accounts is prohibited except where a documented business justification exists and compensating controls (such as enhanced logging and individual accountability mechanisms) are in place. All shared accounts must have a designated owner responsible for their use and review.

5. Role-Based Access Control (RBAC)

Role Definitions

Access to systems and data is managed through defined roles that correspond to job functions. Each role specifies:

  • The systems and applications the role may access
  • The level of access within each system (read, write, execute, administer)
  • The data classifications the role is authorized to access

Role Assignment

Users are assigned to roles based on their job function and department. Role assignments are approved by the user's manager and the relevant system owner. Users may hold multiple roles where business needs require, provided that separation of duties requirements are not violated.

Role Hierarchy

Roles are organized hierarchically where appropriate. Higher-level roles inherit the permissions of subordinate roles. Role inheritance is carefully managed to prevent privilege accumulation that would violate the principle of least privilege.
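The three checks a reviewer actually runs against a role model like this are effective-permission resolution through inheritance, detection of separation-of-duties conflicts (Section 3 and the multiple-roles clause above), and detection of privilege accumulation where one assigned role is already wholly covered by another. The following is an added example, not part of the InContext Solutions policy or its tooling; the roles, permissions and conflict pairs are constructed for illustration, and a cycle in the hierarchy is treated as a misconfiguration rather than silently tolerated.

```python
"""Effective permissions through a role hierarchy, with checks for
separation-of-duties conflicts and privilege accumulation.

Added example, not part of the InContext Solutions policy. The roles,
permissions and conflict pairs are constructed for illustration.
"""

# role -> (permissions granted directly, roles whose permissions are inherited)
ROLES = {
    "employee":      ({"wiki:read", "email:use"}, set()),
    "engineer":      ({"repo:write", "ci:run"}, {"employee"}),
    "eng_lead":      ({"repo:admin"}, {"engineer"}),
    "ap_clerk":      ({"invoice:create"}, {"employee"}),
    "ap_approver":   ({"invoice:approve"}, {"employee"}),
    "prod_deployer": ({"prod:deploy"}, {"employee"}),
}

# Permission pairs that separation of duties forbids one person from holding.
SOD_CONFLICTS = {
    frozenset({"invoice:create", "invoice:approve"}),
    frozenset({"repo:admin", "prod:deploy"}),
}


def effective_permissions(role, roles=ROLES, _path=()):
    """Permissions of `role` plus everything inherited transitively.

    `_path` is the chain of roles currently being expanded; meeting a role
    twice on the same chain means the hierarchy has a cycle.
    """
    if role in _path:
        raise ValueError("role inheritance cycle: " + " -> ".join(_path + (role,)))
    direct, parents = roles[role]
    perms = set(direct)
    for parent in sorted(parents):
        perms |= effective_permissions(parent, roles, _path + (role,))
    return perms


def user_permissions(assigned_roles, roles=ROLES):
    """Union of effective permissions over every role the user holds."""
    perms = set()
    for role in assigned_roles:
        perms |= effective_permissions(role, roles)
    return perms


def is_allowed(assigned_roles, permission, roles=ROLES):
    """Default deny: allowed only if some assigned role explicitly grants it."""
    return permission in user_permissions(assigned_roles, roles)


def sod_violations(assigned_roles, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Conflict pairs fully covered by the user's effective permissions."""
    perms = user_permissions(assigned_roles, roles)
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)


def redundant_roles(assigned_roles, roles=ROLES):
    """Assigned roles whose effective permissions are a strict subset of another
    assigned role's: inheritance already grants them, so the extra assignment
    is accumulation a reviewer should remove."""
    eff = {r: effective_permissions(r, roles) for r in assigned_roles}
    return sorted(r for r in eff if any(eff[r] < eff[o] for o in eff if o != r))


if __name__ == "__main__":
    holder = {"eng_lead", "engineer", "prod_deployer"}
    print(sorted(user_permissions(holder)))
    print("SoD violations:", sod_violations(holder))
    print("redundant roles:", redundant_roles(holder))
```

Note that the separation-of-duties check runs over effective permissions, not role names: the eng_lead/prod_deployer conflict above is only visible once repo:admin has been resolved through the hierarchy, which is exactly the case role-name-based reviews miss.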

Periodic Role Reviews

Role definitions are reviewed at least annually to ensure they remain aligned with current business processes and organizational structure. Roles that are no longer required are deprecated and removed. Users assigned to deprecated roles are migrated to appropriate active roles.

6. Privileged Access Management

Privileged accounts (including administrator, root, and service accounts with elevated permissions) present a heightened risk and are subject to additional controls.

Administrative Account Controls

  • Privileged accounts are issued separately from standard user accounts. Administrators use standard accounts for daily work and elevate to privileged accounts only when performing administrative tasks.
  • The number of privileged accounts is kept to the minimum necessary to support operations.
  • All privileged account activity is logged and monitored.

Just-in-Time Access

Where technically feasible, privileged access is granted on a just-in-time basis. Users request elevated permissions for a defined duration and purpose, and access is automatically revoked upon expiration.

Privileged Access Workstations

Administrative tasks on critical systems are performed from designated privileged access workstations that are hardened, restricted from general internet browsing, and subject to enhanced endpoint monitoring.

Break-Glass Procedures

Emergency access procedures are documented for situations requiring immediate privileged access outside normal approval workflows. Break-glass accounts are:

  • Stored securely with credentials accessible only through documented emergency procedures
  • Monitored continuously, with all usage triggering immediate alerts to the Information Security team
  • Subject to post-incident review, and re-secured after each use

Enhanced Monitoring

All privileged sessions are subject to enhanced monitoring, including session recording where technically feasible, real-time alerting on anomalous activity, and regular review of privileged account usage logs by the Information Security team.

7. Multi-Factor Authentication (MFA)

Where MFA Is Required

Multi-factor authentication is mandatory for:

  • All remote access to InContext Solutions systems, including VPN connections
  • All privileged and administrative accounts
  • All cloud service management consoles and portals
  • All access to systems containing confidential or restricted data
  • All externally facing applications and services

MFA must be enabled before any remote access is granted. Accounts without MFA configured are restricted to on-premises access only.

Approved MFA Methods

InContext Solutions approves the following multi-factor authentication methods, in order of preference:

  • Hardware security keys (FIDO2/WebAuthn), the only phishing-resistant method in this list
  • Authenticator application-based time-based one-time passwords (TOTP)
  • Push notifications through approved mobile authentication applications

SMS-based one-time passwords are not approved as a primary MFA method because SMS delivery is vulnerable to interception and SIM-swap attacks.

Exceptions

Exceptions to MFA requirements must be documented and approved by the Information Security team. Exceptions are time-limited, reviewed quarterly, and require compensating controls to be in place for the duration of the exception.

8. Access Reviews

Standard Account Reviews

Access rights for all standard user accounts are reviewed on a quarterly basis. During each review:

  • System owners verify that each user's access remains appropriate for their current role
  • Access that is no longer required is promptly revoked
  • Findings are documented and exceptions are escalated to the Information Security team

Privileged Account Reviews

Privileged accounts are reviewed on a monthly basis by the Information Security team. Reviews verify that:

  • Each privileged account remains necessary and is assigned to an active employee
  • Privileged access levels are appropriate and have not accumulated beyond what is required
  • Activity logs for privileged accounts are reviewed for anomalies

Annual Recertification

All access across the organization undergoes a formal recertification annually. Department heads and system owners certify that the access assigned to each user within their scope is accurate and necessary. Uncertified access is revoked.

Review Documentation

All access reviews are documented including the reviewer, date of review, findings, and actions taken. Review records are retained for a minimum of three years to support audit and compliance requirements.

9. Service Account Management

Service Account Inventory

A complete inventory of all service accounts is maintained, including the system or application each account supports, its permission level, and its designated owner.

Ownership and Accountability

Every service account must have a designated human owner who is responsible for:

  • Justifying the continued need for the account
  • Ensuring the account operates with least privilege
  • Participating in periodic reviews of the account's access and activity

Password and Credential Management

Service account passwords and credentials are:

  • Rotated on a schedule not to exceed 90 days, or more frequently where risk warrants
  • Stored in an approved secrets management solution, never in plaintext within code or configuration files
  • Unique to each service account; credential sharing between service accounts is prohibited

Restrictions

Service accounts are prohibited from interactive logon and must not be used for manual or ad-hoc access to systems. Where interactive logon is detected, the account is flagged for immediate review by the Information Security team.
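The checks that back Section 9 in practice are a sweep of authentication logs for interactive logons by inventoried service accounts, plus a pass over the inventory for credentials older than the 90-day limit and accounts with no designated owner. The block below is an added example, not part of the InContext Solutions policy or tooling. The inventory and log lines are constructed sample data; the logon_type values follow the Windows Security event 4624 convention (2 interactive, 10 remote interactive, 11 cached interactive; 3 network, 4 batch, 5 service), which is assumed here to be what the logging pipeline emits.

```python
"""Service account review checks: interactive logons in authentication logs,
credentials past the 90-day rotation limit, and accounts with no owner.

Added example, not part of the InContext Solutions policy. The inventory and
log lines are constructed sample data. logon_type follows the Windows Security
event 4624 convention (2 interactive, 10 remote interactive, 11 cached
interactive; 3 network, 4 batch, 5 service), assumed for this example.
"""
import json
from datetime import date

ROTATION_MAX_DAYS = 90
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed service account inventory (Section 9: system, owner, last rotation).
INVENTORY = {
    "svc_backup": {"owner": "ops-team-lead", "rotated_at": "2025-01-15", "system": "backup-server"},
    "svc_etl":    {"owner": None,            "rotated_at": "2025-03-20", "system": "warehouse"},
    "svc_ci":     {"owner": "release-eng",   "rotated_at": "2024-11-01", "system": "ci-runner"},
}

# Constructed log lines, one JSON event per line, including one malformed line.
LOG_LINES = [
    '{"ts":"2025-04-01T02:00:11Z","account":"svc_backup","logon_type":5,"host":"backup-server"}',
    '{"ts":"2025-04-01T09:14:52Z","account":"svc_backup","logon_type":10,"host":"jump-01"}',
    '{"ts":"2025-04-01T09:20:03Z","account":"svc_etl","logon_type":3,"host":"warehouse"}',
    '{"ts":"2025-04-01T11:47:30Z","account":"svc_ci","logon_type":2,"host":"ci-runner"}',
    '{"ts":"2025-04-01T11:50:00Z","account":"jdoe","logon_type":2,"host":"wks-17"}',
    'not json at all',
]

TODAY = date(2025, 4, 1)  # constructed review date


def interactive_logons(lines, inventory):
    """(account, host, logon_type, ts) for every interactive logon by an
    inventoried service account. Malformed or non-object lines are skipped;
    human accounts (not in the inventory) are ignored."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict):
            continue
        if ev.get("account") in inventory and ev.get("logon_type") in INTERACTIVE_LOGON_TYPES:
            hits.append((ev["account"], ev.get("host"), ev["logon_type"], ev.get("ts")))
    return hits


def credential_findings(inventory, today):
    """(account, reason) for missing owners and overdue credential rotation."""
    findings = []
    for name, meta in sorted(inventory.items()):
        if not meta["owner"]:
            findings.append((name, "no designated owner"))
        age = (today - date.fromisoformat(meta["rotated_at"])).days
        if age > ROTATION_MAX_DAYS:
            findings.append((name, f"credential age {age}d exceeds {ROTATION_MAX_DAYS}d"))
    return findings


def review_report(inventory=INVENTORY, lines=LOG_LINES, today=TODAY):
    """Combine both checks into one report for the Information Security team."""
    return {
        "interactive_logons": interactive_logons(lines, inventory),
        "credential_findings": credential_findings(inventory, today),
    }


if __name__ == "__main__":
    report = review_report()
    for hit in report["interactive_logons"]:
        print("INTERACTIVE LOGON:", hit)
    for finding in report["credential_findings"]:
        print("FINDING:", finding)
```

The logon sweep deliberately keys on the inventory: an interactive logon by an account that is a service account but missing from the inventory will not be caught, which is one reason the inventory itself (Section 9) has to be complete.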

10. Remote Access

VPN Requirements

All remote access to InContext Solutions' internal network and systems must be conducted through an approved Virtual Private Network (VPN) connection. Split tunneling is disabled on all VPN configurations.

Approved Remote Access Methods

Remote access is limited to methods approved by the Information Security team, including:

  • Corporate VPN with multi-factor authentication
  • Approved cloud-based virtual desktop infrastructure
  • Approved remote support tools for IT administration

Session Management

Remote access sessions are subject to:

  • Automatic timeout after 30 minutes of inactivity
  • Maximum session duration limits as defined by system configuration
  • Re-authentication requirements when resuming timed-out sessions

Device Compliance

Devices used for remote access must comply with InContext Solutions' endpoint security requirements, including:

  • Current operating system with latest security patches applied
  • Approved endpoint protection software active and up to date
  • Full disk encryption enabled
  • Screen lock configured with a maximum inactivity timeout of 5 minutes

For additional device security requirements, refer to the Mobile Device Security Policy.

11. Third-Party Access

Vendor Access Provisioning

Third-party access is granted only after the vendor has been evaluated and approved in accordance with the Vendor Onboarding Policy. All third-party personnel must sign a non-disclosure agreement before receiving access to any InContext Solutions systems or data.

Access Constraints

Third-party access is:

  • Limited to the specific systems and data required to fulfill the contracted scope of work
  • Time-limited with defined start and end dates; access expires automatically and must be renewed through a formal request
  • Restricted to approved access methods with multi-factor authentication required

Monitoring

Third-party access activity is logged and monitored. Anomalous or unauthorized activity triggers alerts and may result in immediate access suspension pending investigation.

Access Revocation

Third-party access must be revoked within 24 hours of contract termination, project completion, or notification from the vendor that a specific individual no longer requires access.

12. Compliance and Enforcement

Compliance Measurement

The Information Security team verifies compliance with this policy through:

  • Periodic access reviews and recertification as described in this policy
  • Internal and external audits of access control configurations and procedures
  • Automated monitoring and alerting for policy violations
  • Review of access-related incident reports

Exceptions

Any exception to this policy must be submitted in writing and approved by the Information Security team prior to implementation. Exceptions must include:

  • A documented business justification
  • A risk assessment of the exception
  • Compensating controls to mitigate the identified risk
  • A defined expiration date not to exceed 12 months, after which the exception must be re-evaluated

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Contractors and third parties found in violation may have their access immediately revoked and their engagement reviewed for potential termination.

Revision History

Date of Change | Responsible       | Summary of Change
April 2025     | ICS InfoSec Team  | Initial publication
March 2026     | ICS InfoSec Team  | Published to Trust Center