Skip to content

Latest commit

 

History

History
70 lines (50 loc) · 4.53 KB

Access_Control_Policy.md

File metadata and controls

70 lines (50 loc) · 4.53 KB

ACCESS CONTROL POLICY

Classification Level

Publicly available

Review Information

Mandatory Review Period

Yearly

Date of Last Review

October 1, 2024

Introduction

An access control policy helps employees and external parties understand who is allowed to access what client and user data and under what circumstances and conditions they can access that data.

Goal Statement

At present, we are a small company (literally everyone in the company knows everyone else on a first name basis). The unfortunate reality is that, no matter how much we may know, like, or trust an individual we know personally, they have the capacity to take harmful actions. Beyond that, there is risk that an employee's identity (from a system perspective) may be compromised allowing an attacker the same level of access as an employee. In general, we mitigate these kinds of risks by collecting as little data as possible so that, even in the event of a breach, nothing of value would be lost. However, we do offer a service whose value is in its availability and providing too much access to everyone could result in a loss of that availability to our clients. To that end we need some basic guidelines indicating who should have access to what, and how, when, and why that access should change.

Background Statement

We, at Fonticons, Inc., know our culture but it is entirely reasonable for others planning to use our technology to desire to understand our goals and commitments around security and privacy. Some of our policies have been de facto in nature, e.g., you simply can't get access to something because so-and-so wouldn't give it to you. While this is arguably effective for a company of our size, having a de jure policy that others can consider is appropriate for the space in which we work.

Definitions

Terms

  • The word "we" shall mean Fonticons, Inc., all Fonticons, Inc. employees and any individuals contracting with Fonticons, Inc. to complete work.
  • The word Fonticons will be synonymous with Fonticons, Inc. for the purposes of this policy.
  • Employee shall mean an individual directly employed by Fonticons, and all contractors, consultants, temporary employees, or business partners.
  • Fonticons products/services refers to any and all paid or free products and/or services offered by Fonticons.
  • Client shall mean a person or entity who installs or configures part or all of Fonticons product/service for use on a website or product not owned or otherwise controlled by Fonticons.
  • Fonticons system shall mean any computers, communication systems, platforms, and any other information technology systems used by Fonticons, to provide the Font Awesome product and service.
  • Font Awesome product shall mean the icons, their digital representation, and associated icon functionality present in code.
  • Font Awesome service shall mean the technologies that make the Font Awesome product available to clients, users, and site users.

Policy

  1. This policy applies to all employees.
  2. This policy applies to all Fonticons systems.
  3. All Fonticons systems must implement or otherwise leverage an authentication and authorization scheme that can limit access based on authentication information.
    1. To facilitate this policy Fonticons must maintain a valid, up-to-date inventory of their systems as part of their asset inventory.
  4. Authorization level must be commensurate with the role and/or business related activities, e.g., an icon designer does not typically require admin access to the logging database.
  5. Any employee or pro clients accessing Fonticons systems (with the exception of the free and or public aspects of the system) must be authenticated to said system and only be able to access those items to which they have appropriate authorization.
  6. System access must not be granted to any employee without appropriate approval from a manager or the head of security.
  7. System access must be granted only on a need-to-know basis.
  8. Employees are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems.

Procedures

  1. An employee that detects any violation of this policy must report the issue to their supervisor, the head of security, or the CTO.
  2. Intentionally or maliciously violating this policy is a serious offense and grounds for termination of employment.
  3. Any system not in compliance with this policy must have compliance activities identified and prioritized.
    1. Prioritization of compliance must be documented and produced upon request.