Contracting & Compliance
      Back to home
      1. Help Center
      2. Veonics® Portal Users Manual
      3. Contracting & Compliance

      User Rights & Access Review Process

      Our User Rights Pipeline is reviewed every 90 days, ensuring that the right people, with the right level of access, have access to needed critical systems and customer data.

      🔐 Veonics® Portal User Rights & Access Review Process

      📌 Overview

      eXpress badging® is committed to safeguarding customer data by enforcing strict user rights controls across all systems, local and SaaS instances ther require user authenication.  Access to sensitive data and systems is granted only on a least privilege basis and reviewed every 90 days to ensure continued alignment with business roles and compliance standards such as NIST CSF 2.0. This process reduces risk, ensures accountability, and provides verifiable compliance evidence during audits and client vetting. 

      🧩 User Rights Lifecycle

      user_rights_ticketing_screenshot

      Our process follows a structured lifecycle, ensuring traceability and accountability for all access decisions.

      1. Access Request Submitted

        • Requests must come from HR, department leadership, or an authorized system admin.

        • Justification for access is required and reviewed.

      2. Approval & Provisioning

        • Access is granted only after management approval.

        • Roles are assigned using the principle of least privilege.

        • Credentials and MFA setup are documented in HubSpot ticketing.

      3. Quarterly 90-Day Review

        • Department Heads review each user’s access quarterly.

        • Reviews confirm whether to Keep, Modify, or Revoke access.

        • Documentation and supporting evidence (screenshots, notes) are attached in HubSpot.

      4. Suspended

        • When users temporarily do not require access to high-security systems—for instance, during maternity leave, PTO, FMLA, or extended absences—their privileges are placed in a Suspended status. Access remains restricted until their need for these systems resumes and reinstatement is approved.

        • A temporary stage during disip[inary review.

      5. Access Revocation

        • When employment ends or access is no longer required, rights are revoked immediately.

        • Proof of revocation is documented and closed in the HubSpot pipeline.

        • Includes Provisioning denials

      6. Audit & Evidence

        • HubSpot pipeline tickets serve as the compliance record.

        • Reports can be exported quarterly to demonstrate review outcomes.

      📊 90-Day Review Checklist

      Each review follows a structured checklist to ensure consistency:

      ✅ Verify user status (active, reassigned, terminated).
      ✅ Confirm access matches role (least privilege).
      ✅ Review all system access and rights assignment

      • MS Windows
      • Veonics Portal Prod & QA
      • AWS Instances
      • QuickBooks
      • HubSpot
      • Fortra Cybersecurity
      • Google Analytics (IP protection)
      • Another Saas and local systems that require user access to meet cybersecurity compliance.

      ✅ Ensure MFA is enabled where supported and is PII security-related .
      ✅ Decide: Keep / Modify / Revoke access.
      ✅ Document the decision and attach supporting evidence.

      📖 Related Article: Security Roles & Responsibilities in the Veonics® Ecosystem

      🔒 Compliance Alignment

      • NIST CSF 2.0 → PR.AC (Access Control), DE.CM (Monitoring), RS.MI (Mitigation).

      • SOC2 Principle → Logical & Physical Access Controls.

      • HIPAA → Minimum Necessary Standard.

      Last Edited 09/22/2025