Access Management Policy

Policy date: 9/8/2024

 WebPeak's Access Management Policy   

 

Introduction  

WebPeak understands that strict control of access to information and systems is essential to protect the confidentiality, integrity and availability of the company's assets. This access management policy defines the guidelines and procedures to ensure that access to systems and data is granted only to authorized individuals, in accordance with their responsibilities and operational needs. The policy complies with security best practices and international standards, including ISO 27001.

 

Objective  

The purpose of this policy is to establish an access management process that protects WebPeak's systems and information from unauthorized access, ensuring that only individuals with the appropriate authorization can access specific resources. The policy aims to minimize the risks associated with inappropriate or unauthorized access to the company's information systems.

 

Scope  

This policy applies to all information systems, networks, applications and data controlled by WebPeak. It includes, but is not limited to:

  • WebPeak employees.
  • Third parties, partners and suppliers who access WebPeak's systems or data.
  • Devices and networks used to access corporate information.

 

Access Management Guidelines  

Principle of Least Privilege  

Access to WebPeak's systems and data will be granted on the basis of the principle of least privilege, ensuring that individuals have only the access necessary to perform their specific functions. Access to sensitive information or critical systems will be restricted to a limited number of people based on their responsibilities.

Role-Based Access Control

WebPeak will use a Role-Based Access Control model to manage access permissions. Access will be granted based on users' job functions, ensuring that all individuals only have access to the resources they need to perform their duties.

Access Request and Approval Processes  

All access to systems and data must be formally requested and approved. The access request process includes:

  • Access request: Access must be requested via a system or access request form.
  • Approval: The requested access must be approved by the requester's direct manager and, in some cases, by the information security team.
  • Logging: All access requests and approvals must be logged for auditing and compliance purposes.

 

Access Review and Audit  

Access granted will be reviewed periodically to ensure that it is still necessary and in line with the employee's duties. The information security team will carry out regular audits to identify and revoke unnecessary or unauthorized access.

Password Management  

Passwords used to access WebPeak systems must be strong and unique, with minimum complexity requirements defined by the company. Periodic password changes are mandatory and the reuse of previous passwords is prohibited. The use of multi-factor authentication (MFA) is mandatory, especially for access to critical systems.

Disabling Access  

Access for employees who leave the company or change roles must be deactivated immediately. Automated and manual processes will be implemented to ensure that access is revoked in a timely manner, avoiding any risk of unauthorized access after the employee leaves.

Third-Party Access

Access granted to third parties, partners and suppliers will be limited to the minimum necessary to fulfill their contractual obligations. All third-party access must be monitored and reviewed regularly, and must be subject to the same security guidelines applied to internal employees.

Access Monitoring  

Access to systems and data will be continuously monitored to detect suspicious or unauthorized activity. Access logs will be kept and reviewed regularly to ensure compliance with this policy and identify possible security threats.

Training and Awareness  

All WebPeak employees, as well as third parties with access to company systems, will receive training on access security practices, including the proper use of credentials and the importance of protecting access information. Ongoing awareness will be promoted to reinforce security policies.

Policy Review  

This policy will be reviewed annually or whenever there are significant changes to the IT infrastructure, information systems or applicable regulations. Any revisions will be approved by senior management and communicated to all relevant employees.

Secure Access

All access to the WebPeak environment is via VPN, with access credentials managed in our user directory.

Manufacturers and Solutions

Zoho Vault - Password Vault and Password Usage Control

Microsoft Active Directory - User directory

AD360 - Access audit manager

Approved by  

Marcos Vinicius Custódio
Legal Responsible