Nested Knowledge

Bringing Systematic Review to Life


wiki:policies:access

Differences

This shows you the differences between two versions of the page.

wiki:policies:access [2023/09/28 18:15]
kholub
wiki:policies:access [2024/01/24 19:42] (current)
katcow [Revision History]
Line 36: Line 36:
 Users will be granted access to systems and proprietary data on a need-to-know basis, following PoLP. That is, users or groups of users will only receive access to systems and information that are required for performing their job duties. If it's determined that a user or group needs access to a system or information, the access level (user vs. admin, read vs. write) is set according to the minimal set of information & actions needed in job duties. Job duties are identified by administrators granting access as those outlined in job description or, if not part of job description, written communication from a director. Users will be granted access to systems and proprietary data on a need-to-know basis, following PoLP. That is, users or groups of users will only receive access to systems and information that are required for performing their job duties. If it's determined that a user or group needs access to a system or information, the access level (user vs. admin, read vs. write) is set according to the minimal set of information & actions needed in job duties. Job duties are identified by administrators granting access as those outlined in job description or, if not part of job description, written communication from a director.
  
-**Shared Accounts: **+=== Shared Accounts: ===
  
 The use of shared credentials by Nested Knowledge employees and contractors is prohibited. The use of shared credentials by Nested Knowledge employees and contractors is prohibited.
Line 47: Line 47:
  
 Individuals who are not employees, contractors, consultants, or business partners must not be granted a user-ID or otherwise be given privileges to use Nested Knowledge internal information systems unless the written approval of a Department Lead has been obtained. Before any third party or business partner is given access to this Nested Knowledge computers or internal information systems, a confidentiality, non-disclosure, or other similar agreement defining the terms and conditions of such access must have been signed by a responsible manager at the third party organization. Individuals who are not employees, contractors, consultants, or business partners must not be granted a user-ID or otherwise be given privileges to use Nested Knowledge internal information systems unless the written approval of a Department Lead has been obtained. Before any third party or business partner is given access to this Nested Knowledge computers or internal information systems, a confidentiality, non-disclosure, or other similar agreement defining the terms and conditions of such access must have been signed by a responsible manager at the third party organization.
 +
 +=== Access for Law Enforcement and Authority: ===
 +
 +Nested Knowledge will not disclose information unless:
 +
 +  * Making such a disclosure is a legal obligation, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
 +  * A serious risk of imminent harm to individuals exists that justifies compliance with the Data Disclosure Requests
 +
 +Request for data disclosure shall be immediately escalated to the Chief Technology Officer and the Information Security Team via email or Slack alert.
 +
 +When the Data Disclosure Request is related to personal information of a Nested Knowledge Customer, Nested Knowledge will request that the Authority send the request directly to the customer. Should the Authority agree, Nested Knowledge will provide assistance to the customer so that they can fulfill the Request.
  
 === Unauthorized Access: === === Unauthorized Access: ===
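Review bot: the escalation step in the new "Access for Law Enforcement and Authority" section has no verification step: nothing says who confirms that a Data Disclosure Request is genuine and legally valid before any data is released, or who makes the final disclosure decision and records it. Suggest adding after the escalation sentence something like: "The Chief Technology Officer verifies the identity of the requesting Authority and the legal basis of the request; the decision and any data disclosed are recorded." Two smaller points: "Request for data disclosure shall be immediately escalated" should read "Requests for data disclosure shall be immediately escalated", and the second bullet lacks a terminal period while the first has one.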
Line 61: Line 72:
   * Social media accounts   * Social media accounts
   * Company-issued devices (laptops)   * Company-issued devices (laptops)
 +
 +=== Network Devices ===
 +
 +Nested Knowledge does not manage network devices in its production environment, which are handled by AWS. See Remote Working Environmental Controls for internal systems.
  
 ===== IV. Audit Trails and Logging ===== ===== IV. Audit Trails and Logging =====
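Review bot: the statement in the new "Network Devices" section that network devices are "handled by AWS" covers only the physical network; under the AWS shared responsibility model the configuration of virtual network controls (VPCs, security groups, network ACLs) remains the customer's task, so the section should say who owns those settings, or point to the Cloud Security Policy already linked from the Remote Working section rather than only to Remote Working Environmental Controls, which addresses home networks.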
Line 98: Line 113:
 === Remote Working Environmental Controls: === === Remote Working Environmental Controls: ===
  
-Equipment should be located and/or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.+Equipment should be located and/or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. At a minimum, remote employees must: 
 + 
 +  * Update default router administrator password 
 +      * Following our [[:wiki:policies:password|]] 
 +  * Disable remote access to the router 
 +  * Enable wireless encryption (WPA2/3) on their home network 
 +  * Store company devices behind locked doors
  
-For cloud-related access protocols, please refer to our [[:wiki:policies:cloud|Cloud Security Policy]].+Employees will be trained upon hire and updated on an annual basis. For cloud-related access protocols, please refer to our [[:wiki:policies:cloud|Cloud Security Policy]].
  
 ==== Compliance Statement ==== ==== Compliance Statement ====
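Review bot: "Employees will be trained upon hire and updated on an annual basis" is ambiguous about what is updated (the employees or the training); suggest "Employees will be trained upon hire and the training will be refreshed annually." In the control list, "Enable wireless encryption (WPA2/3)" would be clearer stated as a minimum ("WPA2 or WPA3"), and the list has no item on applying router firmware updates, which the other router controls assume; consider adding one. Several of the added lines also carry trailing whitespace.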
Line 109: Line 130:
  
 ^Author^Date of Revision/Review^Comments| ^Author^Date of Revision/Review^Comments|
-|K. Holub|9/28/2023|Annual Review|+|K. Holub|12/18/2023|Remote working controls added| 
 +|K. Cowie|01/24/2023|Review and minor revisions to workstation policy|
 |K. Kallmes|1/20/2022|Approved; removed chain of trust language| |K. Kallmes|1/20/2022|Approved; removed chain of trust language|
 |P. Olaniran|10/6/2022|Minor revisions| |P. Olaniran|10/6/2022|Minor revisions|
-|K. Cowie|01/24/2023|Minor revisions to workstation policy| 
  
 [[:wiki:policies|Return to Policies]] [[:wiki:policies|Return to Policies]]
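Review bot: the new revision row "K. Cowie|01/24/2023|Review and minor revisions to workstation policy" is dated a year before the revision it documents (the page header shows this edit at 2024/01/24 by katcow), so the year is likely a typo for 2024. Also, replacing the "K. Holub|9/28/2023|Annual Review" row with the 12/18/2023 row loses the record of the annual review; keep both rows. The table is no longer in a consistent order (12/18/2023, 01/24/2023, 1/20/2022, 10/6/2022); suggest newest-first throughout.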
  
  
wiki/policies/access.1695924918.txt.gz · Last modified: 2023/09/28 18:15 by kholub