1. Purpose
The purpose of this policy is to define how Bayarcash manages user access and permissions to its information systems and data. Proper access control ensures the confidentiality, integrity, and availability of company and customer data while minimizing risks of unauthorized access.
2. Scope
This policy applies to:
- All employees, contractors, vendors, and third-party partners with access to Bayarcash systems.
- All applications, databases, networks, and IT infrastructure managed by Bayarcash.
- Physical and logical access to facilities, servers, and devices.
3. Policy Statement
Bayarcash will:
- Grant access based on the principle of least privilege.
- Require strong authentication and authorization mechanisms.
- Ensure timely provisioning, modification, and deactivation of user accounts.
- Maintain logs and audits for all access and user management activities.
4. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| IT / Security Team | Manage user account creation, modification, and deletion. Monitor access logs and report anomalies. Enforce password policies, MFA, and other authentication controls. |
| Managers / Department Heads | Approve user access requests based on job roles and responsibilities. Review access periodically to ensure appropriateness. |
| Employees / Users | Use only authorized accounts for system access. Protect credentials and report any suspected compromise. Comply with Bayarcash security policies and procedures. |
5. User Account Management
| Activity | Description |
|---|---|
| Account Provisioning | Accounts are created only after manager approval. Each user is assigned a role with defined access privileges. Temporary accounts must have an expiration date. |
| Account Modification | Access changes (role updates, department changes) must be approved by the user’s manager. Changes are logged with date, time, and responsible personnel. |
| Account Deactivation / Termination | Accounts must be disabled immediately upon termination of employment or contract. Access for contractors or temporary staff must expire automatically after contract end. Regular audits ensure inactive or orphan accounts are removed. |
6. Access Control Principles
- Role-Based Access Control (RBAC): Users are granted access according to job roles.
- Segregation of Duties (SoD): Conflicting duties are separated to prevent fraud or error.
- Least Privilege: Users are given the minimum access necessary to perform their tasks.
- Need-to-Know: Sensitive data access is restricted to authorized personnel only.
7. Authentication & Password Policy
- Users must use strong passwords: minimum 12 characters, mix of upper/lowercase, numbers, and symbols.
- Multi-Factor Authentication (MFA) is mandatory for all critical systems and remote access.
- Passwords must be changed every 90 days or immediately if compromised.
- Shared accounts are strictly prohibited.
8. Monitoring & Auditing
- All user activity, login attempts, and access changes are logged.
- Regular audits verify compliance with this policy.
- Anomalies, suspicious access, or policy violations must be reported immediately to the IT Security Team.
9. Privileged Access Management
- Privileged accounts (administrators, system owners) are restricted and monitored.
- Privileged access must be approved by IT Security and logged for auditing.
- Temporary elevation of privileges requires formal approval and time-limited access.
10. Physical Access Control
- Access to server rooms, data centers, and secure areas is limited to authorized personnel only.
- Access logs for physical entry are maintained and reviewed periodically.
- Visitors must be logged and escorted at all times.
11. Training & Awareness
- All employees receive training on access control policies during onboarding and annually thereafter.
- Users are educated on phishing, password hygiene, and secure account practices.
12. Compliance
- Non-compliance may result in disciplinary action, including termination.
- All access control practices comply with applicable regulations and industry standards (e.g., ISO 27001, PCI DSS, GDPR).
13. Policy Review
- This policy is reviewed annually or following significant organizational or technological changes.
- Updates are approved by executive management and the IT Security Team.