eXpress badging® enforces documented policies, procedures, and controls to ensure all employees, contractors, and customer users are granted only the access they need — nothing more.
🔐 This is achieved through a least-privilege, role-based access model (RBAC), strict provisioning workflows, and quarterly reviews aligned with NIST CSF 2.0.
🟢 Policy Statement
- Access is based on business need-to-know and the minimum necessary principle.
- All access requires management approval and is logged in Jira/HubSpot.
- Unique user IDs are required; shared accounts are prohibited.
- Access is segmented by organization hierarchy within the Veonics® Portal, preventing cross-org data visibility.
- All activity is logged, monitored by a managed SOC, and reviewed quarterly in EOS management and HubSpot ticketing resources.
📋 Access Provisioning & Review SOP
1) Request & Approval (Joiner / Mover)
- Applies to employees and authorized contractors.
- Access requests are submitted by an authorized manager to authorized Technical Support personnel via a HubSpot ticket.
- Requests must include business justification, role requested, and org scope.
- Department Head or Customer Admin approves.
- Segregation of duties: Requestor ≠ Approver ≠ Provisioner.
2) Provisioning (Least Privilege)
- Original customer access requests are submitted via the expressbadging.com website's Contact Us form, which creates HubSpot tickets for completion, or by email request, spreadsheet upload using Upload Center, or by calling a Technical Support admin user.
- Customer admin users can also create/edit/deactivate/delete users, with approved rights.
- Assign the minimal role required (Customer, Subscription, Production, or Admin).
- Assign the Organization within the Veonics® Portal hierarchy.
- Controls enforced: password policy, MFA (where applicable), session timeout ≤15 min.
- Acknowledgment of the Acceptable Use & PII handling policy is required.
3) Role Changes (Mover)
- Requires a new ticket & approval.
- Remove excess rights before assigning a new role.
- Changes are logged and linked to the ticket.
4) Termination / Deactivation (Leaver)
- Accounts are disabled within minutes of HR/customer confirmation.
- Group/role removal, credential revocation, and the audit trail are recorded.
- Credentials are never reused.
5) Periodic Review & Monitoring
- Quarterly access reviews by Department Heads/Customer Admins.
- SOC monitors anomalies in access behavior.
- Logs are retained as compliance evidence.
6) Vendors & Contractors
- Time-boxed access only; NDA required.
- Minimal scope, supervised sessions, and immediate removal upon engagement end.
👥 Role-Based Access Map

| Role Type | Access Scope | Restrictions |
|---|---|---|
| Customer User | Scoped to their organization only | No cross-org visibility |
| Subscription User | EBS Employee, internal subscription accounts | No access to Production accounts |
| Production User | EBS Employee, internal We Print accounts | No access to Subscription accounts |
| Admin User | Technical Support with elevated rights | Subject to strict monitoring & break-glass procedures |
| Dev User | AWS tech stack, Jira and Bitbucket access, no customer live data access | Subject to PI protection and business continuity accountability |
🛠️ Technology Enablers
- Veonics® Portal RBAC – role- & org-based permissions.
- AWS IAM – underlying cloud identity enforcement.
- Managed SOC – 24/7 monitoring & anomaly detection.
- Jira & HubSpot – access requests, approvals, and audit trails.
📊 NIST CSF 2.0 Alignment

| Function | Practice |
|---|---|
| Identify (ID) | Roles mapped in the Accountability Chart |
| Protect (PR) | MFA, session timeouts, least privilege |
| Detect (DE) | SOC monitoring & audit logs |
| Respond (RS) | Ticketed change management & incident workflow |
| Recover (RC) | Immediate deactivation & credential reassignment |
| Govern (GV) | Management-approved access control policies |