Skip to main content
DraftIndicative placeholder for the section owner — amend, replace, or confirm as the first definitive version.

Doc owner: TBD

Access Control Policy

Seeded from legacy Allied Information Security Policy (admin rights, device access control, account hygiene). Content carried over for review. Joiner/mover/leaver lifecycle, periodic access reviews, privileged access management, and service account handling are not covered in the legacy doc and need drafting.

Purpose

To ensure access to Allied systems and information is granted, reviewed, and revoked on a least-privilege, need-to-know basis.

Scope

Applies to all Allied digital systems and the identities (staff, contractors, services) that access them.

Roles and responsibilities

RoleResponsibility
Security OfficerOwns access and permissions management across Allied hardware, software and cloud resources. Reviewed upon every change of staff/terms and conditions of employment, or annually, whichever is sooner.
System ownersApply access controls to their systems and run periodic reviews

Administrator rights

Accounts for routine use must not have administrator privileges. A separate administrator account with a distinct password must be used for administrative tasks. When logged in as an administrator, the user must not browse the internet or access email, other than where strictly necessary for the administrative task that required admin log-in.

The Security Officer holds administrator credentials for all Allied devices. Day-to-day work — including the Security Officer's own — is carried out under a regular user account. Administrator credentials are used only when an administrative task requires them.

Device access control

All devices used to access company data must be secured with at least one of the following: 6-digit PIN, biometrics, or password.

Applications on the device that are used to access company data must be protected with additional access control: biometrics, unique PIN, or password (if using PIN or password it must be different from that used to access the device).

Account hygiene

  • User accounts must be removed from devices wherever they are not in regular use.
  • Multi-factor authentication is mandatory wherever possible — see POL-DIG-004 Password Policy.

Policy statements

TBD — gap analysis to add: identity lifecycle (joiner/mover/leaver), authorisation model, periodic access reviews (cadence and evidence), privileged access management, service accounts and machine identities, customer/partner-tenant access.

  • Systems Access Control Procedure — operational detail for granting, reviewing, and revoking access; identification and authentication; MFA; idle timeouts; third-party, service, and cloud accounts; privileged utilities; account disablement and termination.