Access Rights Review Policy

1. Purpose

To ensure that all user access to Synthetic Users' company systems, applications, and data is appropriate and aligned with each user's current job responsibilities, thereby enhancing security and minimizing the risk of unauthorized access.

2. Scope

This policy applies to all employees, contractors, and third-party users who have access to the company’s information systems, including (but not limited to) Heroku, AWS, GitHub, Notion, and Intercom.

3. Responsibilities

Management: Oversee the implementation of this policy and ensure compliance.

IT Administrator (or Assigned Personnel): Execute the access rights review process and maintain records.

Employees: Use access privileges responsibly and report any discrepancies.

4. Authentication and Access Controls

• All system access requires Single Sign-On (SSO) with Multi-Factor Authentication (MFA).

• Permissions are managed using Role-Based Access Control (RBAC) to ensure users only have access to the resources necessary for their role.

• Default access is limited to the minimum necessary privilege.

5. Access Rights Review Process

Frequency: Access rights shall be reviewed semi-annually (twice a year) or whenever there is a significant change in staff roles.

Process Steps:

a. Listing Access Rights: Compile a list of all users and their current access rights to systems and data.

b. Review: Management reviews the list to confirm that access levels are appropriate for each user’s role.

c. Adjustment: Modify or revoke access rights that are no longer necessary.

d. Documentation: Record any changes made, including the date and reason for the adjustment.

6. Onboarding and Offboarding

New Employees: Grant access rights based on their job requirements upon joining.

Departing Employees: Revoke all access rights immediately upon termination or resignation.

7. Role Changes

• Review and adjust access rights whenever an employee changes roles within the company, so that they retain only the access that is necessary and appropriate for the new role.

8. Temporary Access

• If temporary access is required, it must be approved by management and set with an expiration date.

9. Reporting and Compliance

• Employees should report any unauthorized access or security breaches immediately.

• Non-compliance with this policy may result in disciplinary action.

10. Review and Update of the Policy

• This policy shall be reviewed annually and updated as needed.

• Access review logs and documentation will be retained for a minimum of 12 months for audit purposes.

Implementation Tips

Simple Tools: Use a basic spreadsheet to track user access rights if dedicated software isn’t available.

Communication: Inform all team members about this policy to ensure everyone understands their responsibilities.

Consistency: Stick to the review schedule and document all actions taken during each review.

Released under the MIT License.