Access Control Policy
Last updated: January 20, 2023

Introduction

  • Centralized access control is key to ensuring that the correct Zoracom staff members have access to the correct data and systems at the correct level. Zoracom access controls are guided by the principle of least privilege and need. These controls apply to information and information processing systems at the application and operating system layers, including networks and network services. Our customers trust us with maintaining the security, availability and confidentiality of their data, and this policy outlines the steps we take to protect customer data and mitigate risks that might arise from unauthorised access to information systems.

Scope

  • This policy applies to specific systems that, from an access standpoint, have significant implications for Zoracom's ability to meet its service commitments. Zoracom is a technology company.
  • As a tech company, the systems critical to achieving our service commitments include:
  • Production Infrastructure: Systems that run our software in order to provide our service
  • Change Management: Systems that store, version, and track changes to the source code of our software
  • Official Email: We rely on our official email for both internal and external official communication.

Principles of least privilege

  • Zoracom operates its access management under the principle of least required privilege. Under least privilege, a staff member should only be granted the minimum necessary access to perform their function.
  • Access is considered necessary only when a Zoracom staff member cannot perform a function without that access. If an action can be performed without the requested access, it is not considered necessary. Least privilege is important because, by limiting access, it protects Zoracom and its customers from unauthorized access and configuration changes, including in the event of an account compromise.

Staff access to Zoracom systems

  • Access to Zoracom systems will be granted on a need basis. The needs are dependent on the roles and responsibilities of a staff member, and the requirements to perform their duties effectively.
  • By default, Zoracom staff members are granted access to Zoracom systems according to their role and/or team. The ability to grant access to systems is restricted to the administrators of the system.
  • If a Zoracom staff member requires access outside of the default for their role or team, either they or their managers may request additional access from the administrators of the respective systems.
  • The system administrator evaluates the request and makes a decision regarding the access request. When granting such access, the administrator will limit the granted access to the minimum level that allows the requester to perform the intended business operation.
  • Managers must notify the management or HR if a Zoracom staff member has been terminated, or if their role or team has changed.
  • If a staff member is terminated, their system access is made inaccessible by the respective system administrators within the timelines described in our Process Configuration.
  • All staff access to systems is reviewed periodically (as described in our Process Configuration) and changes are made if necessary to ensure that all access is appropriate as per the guidelines in this policy.