System Access Control & Remote Access Policy

🔐 Controls include unique user IDs, session timeouts, least-privilege provisioning, strong authentication, supervised remote access, and encryption for all data transfers. This policy is reviewed regularly and aligned with NIST CSF 2.0.

---

🧾 Cheat-Sheet (Answers)

• Are electronic systems used? Yes — AWS-hosted Portal and internal systems.

• Access control policy approved & owned? Yes — leadership-approved; Technical Ops owner; communicated org-wide.

• Unique user IDs? Yes — no shared accounts.

• Inactive session timeout ≤ 15 min? Supported; configurable by Customer User Admin.

• Access grant/approval process? Yes — ticketed joiner/mover/leaver with approvals.

• Passwords required? Yes — required for all users; MFA for remote/support/admin access.

• Remote access permitted? Yes — company devices only, approved tools, supervised, segmented, encrypted.

• Remote access: company-owned equipment only? Yes — exclusively.

• Prevent copying to remote devices? Yes — file transfers require explicit approval and follow ticketed authorization; sessions are supervised and may restrict clipboard/file transfer as policy.

---

🧭 Scope & Definitions

• Scoped Systems and Data: Veonics® Portal production services (AWS), customer badge data & photos, and internal systems used to support those services.

• Constituents: Employees, contractors, and approved partners/customers with system access.

---

🧑‍⚖️ Governance & Ownership

• Approved by: Executive Leadership

• Policy Owner: Technical Operations Lead

• Review Cadence: At least annually, and quarterly for operational control checks (firewall/ACL, access reviews, session settings).

• Communication: Onboarding training + internal updates; enforced through EOS accountability.

Related:

• 🛡️ Endpoint Protection Policy

• 🔥 Firewalls & Network Security Controls

• 📶 WiFi Governance (see Wireless section below)

---

👤 Unique User IDs & Authentication

• Unique accounts are required for all access to systems handling Scoped Data (no shared logins).

• Passwords required for all users; privileged roles require strong authentication (MFA enforced for remote/support tools and admin access).

• Accountability: All activity is attributable to an individual user via logs.

Related:

• 🛡️ Endpoint Protection Policy

---

⏱️ Session Management

• Inactivity timeouts are supported; in the Veonics® Portal, session timeouts are configurable by the Customer User Admin.

• Standard: 15-minute timeout for privileged roles (customer admins may set stricter values per compliance needs).

---

🔄 Access Provisioning (Joiner/Mover/Leaver)

• Grant: Role-based, least-privilege access upon manager request and approval (ticketed).

• Change of Status: Permissions reduced/adjusted immediately on role changes.

• Termination: Accounts disabled within minutes of HR confirmation; credentials revoked; keys/devices recovered.

• Audit Logs: Access changes and user actions are logged for review.

Related:

• 👥 Security Roles & Responsibilities (internal)

• 🛡️ Endpoint Protection Policy

---

🌐 Remote Access (When, How, and By Whom)

• Permitted only when necessary, via company-owned, managed devices and approved tools.

• AWS / Cloud Admin Access: Restricted to authorized personnel with secure credentials; network isolation via VPCs and security groups.

• Third-Party Remote Support: Performed rarely using GoTo Assist for printer support; sessions are virtually escorted/supervised.

• File Transfer Controls: File transfers during support require explicit approval and are restricted to approved, ticketed needs.

• MFA: Required for remote support/admin accounts.

Related:

• 🤝 Remote Support Process: How do we enable remote technical support or training sessions

• 🔥 Firewalls & Network Security Controls

---

📶 Wireless Networking

• In Use with approved SSIDs, segmented access, and strong encryption (WPA2/WPA3).

• Governed by a documented WiFi policy; guest networks are isolated from production resources.

• 📘 Policy: Network of eXpress badging® → WiFi Governance

---

📨 Data Transfer & Encryption

• Electronic only: No physical media for Scoped Data.

• Approved channels:

  • 🔒 Secure Upload Center (Citrix ShareFile) – How to securely transfer ID badge project files

  • 🧭 Direct entry into Veonics® Portal – How is data entered into the Veonics Portal

• Email with PII: Automatically rejected and deleted; customers are instructed to resubmit via approved secure channels.

• Encryption: All transfers and storage use encryption in transit and at rest.

  • 🔎 Overview: Security at a Glance

---

🛡️ Network Boundaries: Firewalls & Reviews

• On-prem: SonicWall firewall protects internal perimeter; no “allow-any” rules.

• Cloud (AWS): Security Groups and (where applicable) AWS Network Firewall enforce least-privilege ingress/egress.

• Rule/ACL Reviews: Conducted quarterly and during change events; findings fed into remediation.

• Vulnerability Testing: Internal/external VAPT via Fortra VM; remediation tracked.

Related:

• 🔥 Firewalls & Network Security Controls

• 🛠️ Vulnerability Management & Remediation Process

---

🛰️ Oversight: DNS Filtering & Managed SOC

• 🌐 DNS Filtering: Blocks access to malicious/phishing/C2 domains at the network layer—preventing connections before payloads execute.

• 🛰️ Managed Security Operations Center (SOC): 24/7 monitoring and escalation across AV/EDR, DNS filtering, firewalls, remote access, and backups; proactive tuning and incident support.

Related:

• 🛡️ Endpoint Protection Policy

---

🧭 NIST CSF 2.0 Alignment (at a glance)

---

Last Updated: (set date)