1. Purpose and Scope
The purpose of this Access Management Policy is to establish guidelines and procedures for managing access to Speak Ai Inc.'s ("Speak Ai") information systems and data. This policy aims to ensure that access is granted appropriately based on the principle of least privilege, and that it is managed and monitored effectively to protect the confidentiality, integrity, and availability of information.
2. Policy Statement
Speak Ai is committed to protecting its information assets by ensuring that access to its systems and data is controlled and restricted to authorized individuals only. This policy outlines the processes for granting, reviewing, and revoking access, as well as the responsibilities of all users in maintaining secure access controls.
3. User Access Management
User Account Creation: Access to Speak Ai’s internal systems and data will only be granted to individuals with a legitimate business need. To limit automated or bulk account creation, account creation requests are limited to 5 requests within 1 minute from the same IP address.
Authentication: All users must authenticate using strong authentication methods, including complex passwords and, where applicable, two-factor authentication (2FA). Speak Ai supports 2FA through Google Workspace and is currently adding Microsoft Single Sign-On.
Authorization: Access rights will be assigned based on the user's role and responsibilities, ensuring adherence to the principle of least privilege.
Account Lockout: User accounts will be locked for 30 minutes after 6 failed login attempts to slow brute force attacks. Login requests are additionally limited to 3 requests within 1 minute from the same IP address.
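The three numeric rules in this section (5 sign-ups per minute per IP, 3 login requests per minute per IP, lockout for 30 minutes after 6 failed attempts) are concrete enough to implement and test. The following is an added reference implementation written for this page; it is not Speak Ai's code, and the class and function names, the sliding-window design, and the in-memory credential store are assumptions for illustration. It takes the current time as a parameter so the timeline can be replayed deterministically.

```python
"""Reference enforcement of the sign-up throttle, login throttle and account
lockout rules described in section 3 (added example, not Speak Ai's code)."""
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass

LOGIN_LIMIT = 3            # login requests per window per source IP
SIGNUP_LIMIT = 5           # account creation requests per window per source IP
WINDOW_SECONDS = 60.0      # "within 1 minute"
LOCKOUT_THRESHOLD = 6      # failed attempts before lockout
LOCKOUT_SECONDS = 30 * 60  # lockout duration


class SlidingWindowLimiter:
    """Allows at most `limit` events per `window` seconds for each key (here an IP)."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    def __init__(self, credentials: dict[str, str]) -> None:
        # Constructed plaintext store for the demo only; a real system stores
        # password hashes (e.g. argon2/bcrypt) and compares against those.
        self._creds = dict(credentials)
        self._login_limiter = SlidingWindowLimiter(LOGIN_LIMIT, WINDOW_SECONDS)
        self._signup_limiter = SlidingWindowLimiter(SIGNUP_LIMIT, WINDOW_SECONDS)
        self._accounts: dict[str, AccountState] = defaultdict(AccountState)

    def create_account(self, ip: str, username: str, password: str, now: float) -> str:
        # The throttle slot is consumed before the existence check, so the
        # sign-up form cannot be used for unlimited username enumeration.
        if not self._signup_limiter.allow(ip, now):
            return "rate_limited"
        if username in self._creds:
            return "exists"
        self._creds[username] = password
        return "created"

    def login(self, ip: str, username: str, password: str, now: float) -> str:
        # Per-IP throttle first: throttled requests never touch account state.
        if not self._login_limiter.allow(ip, now):
            return "rate_limited"
        acct = self._accounts[username]
        if now < acct.locked_until:
            return "locked"            # correct password is rejected while locked
        stored = self._creds.get(username)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            acct.failures = 0          # a success resets the failure counter
            return "ok"
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "bad_credentials"


if __name__ == "__main__":
    # Constructed timeline: one IP tries a wrong password every 30 seconds.
    guard = LoginGuard({"alice": "correct horse"})
    for t in (0, 30, 60, 90, 120, 150):
        print(t, guard.login("198.51.100.4", "alice", "wrong", t))
    print(180, guard.login("198.51.100.4", "alice", "correct horse", 180))
    print(2000, guard.login("198.51.100.4", "alice", "correct horse", 2000))
```

Two caveats a practitioner would add when deploying rules like these: a per-IP throttle does not slow an attacker spreading attempts across many addresses, so the per-account lockout and the audit-log review in section 4 carry most of the weight; and a lockout triggered by failed attempts can be used to lock legitimate users out, so lockout events should be logged and alerted on rather than silently enforced.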
4. Access Reviews and Audits
Regular Reviews: Access rights will be reviewed regularly to ensure that they remain appropriate.
Audit Logs: Speak Ai will maintain audit logs of access to critical systems and data. These logs will be reviewed periodically to detect any unauthorized access attempts or anomalies.
5. Access Revocation
Termination of Access: Access rights will be revoked immediately upon termination of employment or contract. Managers are responsible for notifying the IT Security Team to deactivate accounts and remove access.
Role Changes: Access rights will be adjusted appropriately if a user changes roles within the organization. This ensures that users retain access only to the resources necessary for their new role.
6. Privileged Access Management
Definition of Privileged Access: Privileged access refers to accounts with elevated permissions that allow for administrative control over systems and data.
Controls for Privileged Accounts: Privileged accounts must be strictly controlled and monitored. Users with privileged access must use separate accounts for administrative tasks and regular activities.
Monitoring and Review: Privileged account usage will be closely monitored, and access will be reviewed more frequently than standard user accounts.
7. Remote Access
Multi-Factor Authentication: Remote access requires multi-factor authentication to ensure an additional layer of security.
8. Third-Party Access
Vendor and Partner Access: Third-party vendors and partners who require access to Speak Ai's systems must comply with this Access Management Policy. Access will be granted based on contractual agreements and will be limited to the minimum necessary.
Monitoring and Audits: Third-party access will be monitored and audited to ensure compliance with Speak Ai's security policies and procedures.
9. Responsibilities
IT Team: Responsible for implementing and maintaining access controls, conducting regular access reviews, and ensuring compliance with this policy.
Chief Technology Officer (CTO): Responsible for approving access requests, conducting periodic reviews of user access, and notifying the IT Security Team of any role changes or terminations.
All Users: Responsible for adhering to access management policies, safeguarding their authentication credentials, and reporting any suspicious activities or security incidents.
10. Policy Review
This policy will be reviewed annually or as needed to ensure its effectiveness and alignment with industry best practices and regulatory requirements. Changes to the policy will be communicated to all users.
11. Contact Information
For any inquiries or issues related to this Access Management Policy, please contact the IT Team at [email protected].