Nested Knowledge

Bringing Systematic Review to Life



wiki:policies:access

Differences

This shows you the differences between two versions of the page.

wiki:policies:access [2023/05/25 15:10]
katcow
wiki:policies:access [2024/01/24 19:42] (current)
katcow [Revision History]
Line 10: Line 10:
 === Affected Systems: === === Affected Systems: ===
  
-This policy applies to all computer and communication systems owned or operated by Nested Knowledge and its subsidiaries. Systems include company shared drives, purchased software, as well as access to the Nested Knowledge AutoLit review platform. Similarly, this policy applies to all platforms (operating systems) and all application systems. Reviews developed in the AutoLit software by parties external to Nested Knowledge are not covered in this policy.+This policy applies to all computer and communication systems owned or operated by Nested Knowledge and its subsidiaries. Systems include employee computers, company shared drives, purchased software, as well as access to production software deployment environments. Similarly, this policy applies to all platforms (operating systems) and all application systems. Reviews developed in the AutoLit software by parties external to Nested Knowledge are not covered in this policy.
  
 ===== III. Access Control Policy ===== ===== III. Access Control Policy =====
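Review bot: the rewritten Affected Systems paragraph no longer lists the AutoLit review platform among in-scope systems, yet its closing sentence still carves out "Reviews developed in the AutoLit software by parties external to Nested Knowledge". State explicitly whether the AutoLit platform itself (as opposed to customer reviews hosted on it) remains covered; as written, the exclusion refers to a system the paragraph no longer names as in scope.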
Line 21: Line 21:
   * Unique user identifier   * Unique user identifier
   * Password   * Password
 +  * MFA device (Authenticator applications or physical device)
 +      * Dictated by [[:wiki:policies:dualauth|MFA Policy]]
  
 === System Access Controls: === === System Access Controls: ===
Line 28: Line 30:
 === Administrative Privileges: === === Administrative Privileges: ===
  
-Access to Nested Knowledge Systems is managed by internal administrators who approve employees and contractors. For sensitive information, admin privileges are granted to limited personnel.+Access to Nested Knowledge Systems is managed by internal administrators who approve employees and contractors. For sensitive information, admin privileges are granted to limited personnel by company directors Existing administrators follow the Principle of Least Privilege (PoLP), per our Need-to-Know policy, when adding new administrators.
  
 === Need-to-Know: === === Need-to-Know: ===
  
-Users will be granted access to proprietary data on a need-to-know basis. That is, users will only receive access to such information when required for performing their jobs.+Users will be granted access to systems and proprietary data on a need-to-know basis, following PoLP. That is, users or groups of users will only receive access to systems and information that are required for performing their job duties. If it's determined that a user or group needs access to a system or information, the access level (user vs. admin, read vs. write) is set according to the minimal set of information & actions needed in job duties. Job duties are identified by administrators granting access as those outlined in job description or, if not part of job description, written communication from a director.
  
-**Shared Users**+=== Shared Accounts===
  
 The use of shared credentials by Nested Knowledge employees and contractors is prohibited. The use of shared credentials by Nested Knowledge employees and contractors is prohibited.
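Review bot: the new Administrative Privileges sentence runs into the next one, "granted to limited personnel by company directors Existing administrators follow the Principle of Least Privilege", and needs a period after "directors". In the same hunk, the new heading "=== Shared Accounts===" lacks the space before the closing "===" that the other headings in this file use (e.g. "=== Need-to-Know: ==="); add it so the heading style stays consistent.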
Line 40: Line 42:
 === Removal of Users: === === Removal of Users: ===
  
-Individuals who are terminated, removed, or no longer in need of access to Nested Knowledge information systems will be removed from all systems within 24 hours in most cases, and within 72 hours under special circumstances. Individual’s data contributions will be retained and anonymized.+Individuals who are terminated, removed, or no longer in need of access to Nested Knowledge information systems will be removed from all systems within 24 hours in most cases, and within 72 hours under special circumstances.
  
 === Access for Non-Employees: === === Access for Non-Employees: ===
  
 Individuals who are not employees, contractors, consultants, or business partners must not be granted a user-ID or otherwise be given privileges to use Nested Knowledge internal information systems unless the written approval of a Department Lead has been obtained. Before any third party or business partner is given access to this Nested Knowledge computers or internal information systems, a confidentiality, non-disclosure, or other similar agreement defining the terms and conditions of such access must have been signed by a responsible manager at the third party organization. Individuals who are not employees, contractors, consultants, or business partners must not be granted a user-ID or otherwise be given privileges to use Nested Knowledge internal information systems unless the written approval of a Department Lead has been obtained. Before any third party or business partner is given access to this Nested Knowledge computers or internal information systems, a confidentiality, non-disclosure, or other similar agreement defining the terms and conditions of such access must have been signed by a responsible manager at the third party organization.
 +
 +=== Access for Law Enforcement and Authority: ===
 +
 +Nested Knowledge will not disclose information unless:
 +
 +  * Making such a disclosure is a legal obligation, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
 +  * A serious risk of imminent harm to individuals exists that justifies compliance with the Data Disclosure Requests
 +
 +Request for data disclosure shall be immediately escalated to the Chief Technology Officer and the Information Security Team via email or Slack alert.
 +
 +When the Data Disclosure Request is related to personal information of a Nested Knowledge Customer, Nested Knowledge will request that the Authority send the request directly to the customer. Should the Authority agree, Nested Knowledge will provide assistance to the customer so that they can fulfill the Request.
  
 === Unauthorized Access: === === Unauthorized Access: ===
  
-Employees are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. System privileges allowing the modification of ‘production data’ must be restricted to ‘production’ applications.+Employees are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. Quarterly review and automated alerting will enforce.
  
 === Access Reviews: === === Access Reviews: ===
  
-Nested Knowledge will perform quarterly access reviews on accounts for all internal systems, including but not limited to:+Nested Knowledge will perform quarterly access reviews on accounts for all inventoried systems, including but not limited to:
  
-  * Nested Knowledge application (AutoLit+  * Cloud services providers (AWS
-  * Shared Google Drives +  * Cloud-based applications (Hubspot, Gitlab, etc.) 
-  * Google Meets calendar invites +  * Google GSuite (mail, drive, meets, etc.) 
-  * Time tracking application+  * Social media accounts 
 +  * Company-issued devices (laptops) 
 + 
 +=== Network Devices === 
 + 
 +Nested Knowledge does not manage network devices in its production environment, which are handled by AWS. See Remote Working Environmental Controls for internal systems.
  
 ===== IV. Audit Trails and Logging ===== ===== IV. Audit Trails and Logging =====
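Review bot: the Unauthorized Access rewrite deletes the control "System privileges allowing the modification of 'production data' must be restricted to 'production' applications" and replaces it with the fragment "Quarterly review and automated alerting will enforce.", which has no object. Either keep the production-data restriction (the only statement in this policy that limits write paths to production data) or state what the quarterly review and alerting are meant to enforce. Smaller points in this hunk: "Cloud services providers (AWS" is missing its closing parenthesis; "Request for data disclosure shall" should read "Requests for data disclosure shall"; "disclose your information" in the first Law Enforcement bullet addresses a reader in the second person, unlike the rest of the policy, so "customer information" or similar would fit better; and the Removal of Users change drops the sentence that an individual's data contributions are retained and anonymized, so if that retention behaviour still applies it should be documented elsewhere.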
Line 67: Line 85:
   * Method of access   * Method of access
  
-All privileged commands must be traceable to specific user accountsAudit trails for confidential systems should be backed up and stored in accordance with Nested Knowledge back-up and disaster recovery plans. All system and application logs must be maintained in a form that cannot readily be viewed by unauthorized persons. All logs must be audited on a periodic basis. Audit results should be included in periodic management reports.+All privileged commands must be traceable to specific user accountsAudit trails for confidential systems should be backed up and stored in accordance with Nested Knowledge back-up and disaster recovery plans. All system and application logs must be maintained in a form that cannot readily be viewed by unauthorized persons. All logs will be audited on a quarterly basis.
  
 === Methods of Audit Logs === === Methods of Audit Logs ===
  
-Security incidents are logged by firewalls, servers, anti-virus solutions, intrusion detections systems, applications, and databases, Logs are performed by automated tools for IDS.+Security incidents are logged by firewalls, servers, anti-virus solutions, intrusion detections systems, applications, and databases. Audits are performed by automated tools where provided, else manual review.
  
 === Frequency of Audit Logs === === Frequency of Audit Logs ===
  
-Audit logs are reviewed monthly or ad-hoc; logs are retained for one year. We examine the data types collected from end users to ensure compliance with privacy laws and regulations+Audit logs are reviewed quarterly or ad-hoc; logs are retained for one year. We examine the data types collected from end users to ensure compliance with privacy laws and regulations.
- +
-=== Segregation of Duties: === +
- +
-Segregation of duties exist between individuals responsible for approving, granting, monitoring, and reviewing access logs.+
  
 ===== V. Remote Access Policy ===== ===== V. Remote Access Policy =====
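Review bot: this hunk removes the Segregation of Duties section ("Segregation of duties exist between individuals responsible for approving, granting, monitoring, and reviewing access logs") without a replacement, while the remaining text still makes administrators responsible for granting access and "All logs will be audited on a quarterly basis" does not say by whom. Either restore the segregation statement or name the reviewing role, so the quarterly audit is not performed by the same people who grant access. Pre-existing typos carried over unchanged in this hunk: "user accountsAudit trails" is missing a period and space, and "intrusion detections systems" should be "intrusion detection systems".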
Line 85: Line 99:
 === Remote Access (application): === === Remote Access (application): ===
  
-The Nested Knowledge application is run in a VPC (for details, see Network Security Policy). This network is only accessible by release engineers who are granted SSH keys. These keys may be revoked or refreshed at any time, as necessitated by personnel changes or incidents.The VPC is only accessible through a single bastion host.+The Nested Knowledge application is run in a VPC (for details, see Network Security Policy). This network is only accessible by release engineers who are granted SSH keys. These keys may be revoked or refreshed at any time, as necessitated by personnel changes or incidents.The VPC is only accessible through a single bastion host. Every access to the production environment configuration results in alert emails to release engineers & engineering management.
  
 === Remote Access (internal): === === Remote Access (internal): ===
  
-Nested Knowledge has no internal network for employees, therefore remote access is not applicable. Should Nested Knowledge establish a network, access to the network through remote access will be managed by a Virtual Private Network (VPN). The VPN will request for username and password or some other form of advanced authentication. Remote access must conform at least minimally to all statutory requirements including but not limited to HCFAHRS-323C, and HIPAA.+Nested Knowledge has no internal network for employees, therefore remote access is not applicable. Should Nested Knowledge establish a network, access to the network through remote access will be managed by a Virtual Private Network (VPN). The VPN will request for username and password or some other form of advanced authentication. Remote access must conform at least minimally to all statutory requirements including but not limited to HCFA and HRS-323C.
  
 === Workstation Access Control System: === === Workstation Access Control System: ===
  
-All workstations used for this business activity, no matter where they are located, must use an access control system approved by Nested Knowledge. Active workstations are not to be left unattended for prolonged periods of time, where appropriate. When a user leaves a workstation, that user is expected to properly log out of all applications and networks, and remove confidential information from desks, printers, and faxes. Users should avoid use of public charging stations.+All workstations used for this business activity, no matter where they are located, must use an access control system approved by Nested Knowledge. Employees must use company-issued devices for completing their work. Active workstations are not to be left unattended for prolonged periods of time, where appropriate, which is enforced through MDM. When a user leaves a workstation, that user is expected to properly log out of all applications and networks, and remove confidential information from desks, printers, and faxes. Users should avoid use of public charging stations and internet access.
  
-When accessing Nested Knowledge systems from a personal computer, authorized users are responsible for preventing access to any of our computer resources or data by non-authorized Users.The authorized user bears responsibility for and consequences of misuse of the authorized user’s access.+When accessing Nested Knowledge systems, authorized users are responsible for preventing access to any of our computer resources or data by non-authorized Users. The authorized user bears responsibility for and consequences of misuse of the authorized user’s access.
  
-=== Remote Work Licenses: ===+=== Remote Working Environmental Controls: ===
  
-Remote workers must follow software licensing restrictions and agreements on all software used to process Nested Knowledge information at alternative work sites. +Equipment should be located and/or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized accessAt a minimum, remote employees must:
- +
-=== Remote Working Environmental Controls===+
  
-Equipment should be located and/or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access+  * Update default router administrator password 
 +      * Following our [[:wiki:policies:password|]] 
 +  * Disable remote access to the router 
 +  * Enable wireless encryption (WPA2/3) on their home network 
 +  * Store company devices behind locked doors
  
-For cloud-related access protocols, please refer to our [[:wiki:policies:cloud|Cloud Security Policy]].+Employees will be trained upon hire and updated on an annual basis. For cloud-related access protocols, please refer to our [[:wiki:policies:cloud|Cloud Security Policy]].
  
 ==== Compliance Statement ==== ==== Compliance Statement ====
  
-All Employees and Contractors who access Nested Knowledge’s information systems will be provided with and required to review the Remote Access Policy.Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.+All Employees and Contractors who access Nested Knowledge’s information systems will be provided with and required to review the Remote Access Policy. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.
  
 ===== Revision History ===== ===== Revision History =====
  
 ^Author^Date of Revision/Review^Comments| ^Author^Date of Revision/Review^Comments|
-|K. Holub|11/18/2021| |+|K. Holub|12/18/2023|Remote working controls added| 
 +|K. Cowie|01/24/2023|Review and minor revisions to workstation policy|
 |K. Kallmes|1/20/2022|Approved; removed chain of trust language| |K. Kallmes|1/20/2022|Approved; removed chain of trust language|
 |P. Olaniran|10/6/2022|Minor revisions| |P. Olaniran|10/6/2022|Minor revisions|
-|K. Cowie|01/24/2023|Minor revisions to workstation policy| 
  
 [[:wiki:policies|Return to Policies]] [[:wiki:policies|Return to Policies]]
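Review bot: the Remote Access (internal) change replaces "HCFAHRS-323C, and HIPAA" with "HCFA and HRS-323C", which silently drops HIPAA from the statutory requirements list; confirm that removal is intended and not a side effect of splitting the run-together token. Also in this hunk: "unauthorized accessAt a minimum" needs a period and space; the unchanged "incidents.The VPC" needs a space; "avoid use of public charging stations and internet access" reads as if internet access itself is to be avoided, so "public charging stations and public internet access" would be clearer; and the Revision History replaces the original "K. Holub|11/18/2021" row instead of appending a new one, so the table loses the policy's creation date and is no longer in chronological order.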
  
  
wiki/policies/access.1685027412.txt.gz · Last modified: 2023/05/25 15:10 by katcow