1. Purpose and Scope
The purpose of this Access Management Policy is to establish guidelines and procedures for managing access to Speak Ai Inc.'s ("Speak Ai") information systems and data. This policy aims to ensure that access is granted appropriately based on the principle of least privilege and that it is managed and monitored effectively to protect the confidentiality, integrity, and availability of information.
2. Policy Statement
Speak Ai is committed to protecting its information assets by ensuring that access to its systems and data is controlled and restricted to authorized individuals only. This policy outlines the processes for granting, reviewing, and revoking access, as well as the responsibilities of all users in maintaining secure access controls.
3. User Access Management
User Account Creation: Access to Speak Ai’s internal systems and data will only be granted to individuals with a legitimate business need.
Authentication: All users must authenticate using strong authentication methods, including complex passwords and, where applicable, multi-factor authentication (MFA). Speak Ai supports MFA through Google Workspace and is adding further authentication integrations.
Authorization: Access rights will be assigned based on the user's role and responsibilities, ensuring adherence to the principle of least privilege.
Security Controls: Security measures are in place to prevent unauthorized access, including rate-limiting authentication attempts and automated detection of suspicious login behavior.
4. Access Reviews and Audits
User Access Reviews:
Standard user accounts are reviewed quarterly to ensure appropriate access levels.
Privileged user accounts undergo monthly reviews to maintain strict security controls.
Audit Logs: Speak Ai maintains detailed audit logs of access to critical systems and data. Logs are reviewed at the following frequencies:
Real-time monitoring through automated security tools (AWS Security Hub, GitHub Dependabot).
Daily log analysis for security insights.
Weekly security reviews for compliance verification.
Comprehensive monthly audits to detect anomalies and patterns.
5. Access Revocation
Termination of Access: Access rights will be revoked immediately upon termination of employment or contract. Managers are responsible for notifying the IT Security Team to deactivate accounts and remove access.
Role Changes: Access rights will be adjusted appropriately if a user changes roles within the organization. This ensures that users retain access only to the resources necessary for their new role.
6. Privileged Access Management
Definition of Privileged Access: Privileged access refers to accounts with elevated permissions that allow for administrative control over systems and data.
Controls for Privileged Accounts:
Privileged accounts must be strictly controlled and monitored.
Users with privileged access must use separate accounts for administrative tasks and regular activities.
Monitoring and Review:
Privileged account usage is logged and reviewed.
Privileged access reviews are conducted monthly.
7. Remote Access
Multi-Factor Authentication (MFA): Remote access requires multi-factor authentication, which provides an additional layer of security.
Encrypted Communications: Secure protocols such as TLS 1.2+ are used for all remote connections.
8. Third-Party Access
Vendor and Partner Access: Third-party vendors and partners who require access to Speak Ai's systems must comply with this Access Management Policy. Access will be granted based on contractual agreements and will be limited to the minimum necessary.
Monitoring and Audits: Third-party access will be monitored and audited to ensure compliance with Speak Ai's security policies and procedures.
9. Responsibilities
IT Team: Responsible for implementing and maintaining access controls, conducting regular access reviews, and ensuring compliance with this policy.
Chief Technology Officer (CTO): Responsible for approving access requests, conducting periodic reviews of user access, and notifying the IT Security Team of any role changes or terminations.
All Users: Responsible for adhering to access management policies, safeguarding their authentication credentials, and reporting any suspicious activities or security incidents.
10. Policy Review
This policy will be reviewed annually or as needed to ensure its effectiveness and alignment with industry best practices and regulatory requirements. Changes to the policy will be communicated to all users.
11. Contact Information
For any inquiries or issues related to this Access Management Policy, please contact the IT Team at [email protected].