Access Control Policy
Document ID: DPWAT-ISMS-POL-003
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-10-15
Next review: 2027-02-01 (or on major change)
1. Policy
DP WAT ensures that access to information and systems is:
- authorized,
- appropriate to role (least privilege),
- reviewed periodically,
- promptly removed on offboarding or role change.
2. Identity and authentication
- Each user must have a unique account (no shared accounts unless formally approved).
- MFA is required for all in-scope systems where available.
- Passwords and credentials must be stored in an approved password manager (DP WAT standard: iCloud Keychain and 1Password, as applicable).
3. Provisioning, changes, and removal
- Access must be requested and approved (see 04.02-access-request-changes-and-offboarding).
- Offboarding: access is removed immediately when employment/contract ends (or earlier if required).
- Access changes are recorded in the access register.
4. Privileged access
- Privileged roles (admin, owner) must be restricted to named individuals.
- Where feasible, administrators should avoid using privileged access for routine daily work.
- If separation is not feasible for a given SaaS tool, DP WAT applies compensating controls: MFA, logging, and periodic access review.
- Segregation of duties and dual control are applied for security-critical privileged access where feasible (see 03.15-segregation-of-duties-and-dual-control-policy).
5. Access reviews
- Perform access reviews at least annually for critical systems (e.g., Google Workspace, GitHub org(s), Cloudflare, AWS if in-scope), or more frequently if significant access changes have occurred.
- During access reviews, spot-check audit logs for anomalies (failed logins, unusual activity, admin actions).
- Reviews must be documented (who reviewed, what changed, audit log findings, date).