Access Control & IAM Policy

Document Version: 1.0
Last Updated: July 19, 2025
Policy Owner: Security & Compliance Team


1. Purpose

This policy establishes standards and controls to ensure that access to systems, applications, and data is authorized, authenticated, and appropriate for each user’s role. It ensures compliance with SOC 2 Trust Services Criteria related to logical access (CC6.x) and system operation monitoring (CC7.1).


2. Scope

This policy applies to all employees, contractors, vendors, and third-party users who access DevSecOpsBook-managed systems, services, and infrastructure (including on-premise and cloud-based environments).


3. Policy Statements

3.1 Least Privilege & Role-Based Access (RBAC) — [CC6.1]

  • Access is provisioned based on business need and job responsibility.
  • Role-based access controls (RBAC) are enforced for all systems.
  • Privileged access (e.g., admin/root) is restricted and requires business justification.

3.2 Identity Verification & Authentication — [CC6.1, CC6.3]

  • All users must authenticate via a secure authentication method (SSO or MFA) before accessing systems.
  • Multi-Factor Authentication (MFA) is mandatory for administrative and production-level access.

3.3 Access Requests & Approvals — [CC6.1]

  • All access requests must be formally submitted and approved by the appropriate manager and system owner.
  • Access grants must be documented, auditable, and retained for a minimum of 1 year.

3.4 Access Reviews — [CC6.3]

  • Access rights are reviewed quarterly by system owners to validate ongoing business need.
  • Inactive accounts (no login for 90+ days) are flagged for deactivation.

3.5 Termination & Revocation — [CC6.1, CC6.3]

  • User access must be revoked immediately upon termination, role change, or contract end.
  • HR and IT collaborate to ensure timely deprovisioning through the access control system.

3.6 Shared Accounts Prohibited — [CC6.1]

  • Shared or generic accounts are prohibited. Each user must use a unique, auditable identity.

3.7 Logging & Monitoring — [CC7.1]

  • All access to sensitive systems and data is logged and monitored continuously.
  • Logs include user ID, timestamp, source IP, accessed resource, and action performed.
  • Anomalies or unauthorized access attempts trigger alerts for investigation.

4. Exceptions

Exceptions must be documented, risk-assessed, approved by the Security Officer, and reviewed quarterly.

5. Related Policies

  • Acceptable Use Policy
  • Change Management Policy
  • Incident Response Policy
  • CI/CD Security Policy

6. References

  • SOC 2 Trust Services Criteria: CC6.1, CC6.3, CC7.1
  • NIST SP 800-53: AC-2, AC-3, AC-5, AC-6, AC-7
