Access Control Policy

1. Purpose
The purpose of this Access Control Policy is to safeguard the company’s information, systems, and physical resources by ensuring that access is granted only to authorized individuals based on their roles and responsibilities.

2. Scope
This policy applies to all employees, contractors, temporary staff, and third-party personnel accessing Prompt Personnel Pvt Ltd’s systems, networks, applications, and facilities.

3. Objectives

  • To restrict access to sensitive and critical resources to authorized personnel only.
  • To ensure compliance with regulatory and legal requirements.
  • To mitigate risks associated with unauthorized access and data breaches.

4. Access Control Principles

  • Need-to-Know Basis: Access is granted only to information and resources essential for an individual’s job functions.
  • Role-Based Access Control (RBAC): Access rights are assigned based on the user’s role within the organization.
  • Least Privilege Principle: Users are given the minimum level of access required to perform their tasks.

5. User Access Management

5.1 User Registration and Deregistration

  • New users must be approved by their respective department heads before access is granted.
  • Access rights for terminated or resigned employees must be revoked within 24 hours.

5.2 User Authentication

  • All users must authenticate via a secure method, such as unique IDs, strong passwords, or multifactor authentication (MFA).
  • Passwords must adhere to the following guidelines:
    • Minimum length: 12 characters.
    • Must include uppercase letters, lowercase letters, numbers, and special characters.
    • Must be changed every 90 days.

5.3 Privileged Access

  • Privileged accounts (e.g., administrators) must use MFA for access.
  • Privileged accounts are reviewed monthly for appropriate usage and access.

6. Physical Access Control

  • Physical access to company premises, data centers, and restricted areas is granted using access cards or biometric systems.
  • Visitors must register at the reception and be accompanied by an authorized employee at all times.
  • Surveillance systems must monitor critical areas, with recordings stored for at least 30 days.

7. Monitoring and Logging

  • Access to systems and data is monitored and logged.
  • Logs are reviewed periodically for unauthorized access attempts or unusual activities.
  • Audit logs must be retained for a minimum of one year.

8. Remote Access

  • Remote access is allowed only through a secure VPN or a similar encrypted channel.
  • Devices accessing the company network remotely must comply with company security policies, including up-to-date antivirus software and secure configurations.

9. Responsibilities

Employees:

  • Use access rights responsibly and only for authorized purposes.
  • Report any suspicious activity or security incidents to the IT department immediately.

IT Department:

  • Ensure the implementation and enforcement of this policy.
  • Conduct periodic reviews and audits of access rights and controls.

10. Non-Compliance

Failure to comply with this policy may result in disciplinary action, including suspension or termination of employment, and legal action in severe cases.

11. Review and Updates

This policy will be reviewed annually and updated as needed to reflect changes in technology, regulatory requirements, and business needs.
