On This Page
Other policies
- Personnel policy
- Risk assessment policy
- Information classification policy
- Third party vendor review policy
- Incident disclosure and notification policy
- Incident response policy
- Incident response process
- BCP/DR policy
- Password policy
- Change management policy
- Testing policy
- Patch management policy
- Data retention and deletion policy
Access control policy
Purpose
51直播 limits access control based on job requirements, following the principle of least privilege.
Scope
This policy applies to 51直播鈥檚 internal systems, including its production network, production servers, and SaaS applications.
This policy applies throughout the entire lifecycle of employee, contractor, or vendor access, from onboarding of new individuals who need access, to the removal of existing individuals who no longer need access.
Policy
Access to internal systems
Where possible, access policies are enforced by technical measures.
51直播 must implement monitoring on its systems where possible, to record logon attempts and failures, successful logons and date and time of logon and logoff. Activities performed as administrator are logged where it is feasible to do so.
Personnel that require access to systems must submit a ticket for review and approval by a manager or a member of the Security Team to provision access.
Personnel who have administrative system access must use other less powerful accounts for performing non-administrative tasks.
Where possible, more than one person must have full rights to any critical piece of infrastructure serving or storing production services or customer data.
Granular access controls
51直播 systems must have sufficient granularity to allow appropriate authorized access and all access requests require approval from the Security team. There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. 51直播 recognizes that balance.
End user devices
Employees, contractors, and vendors are responsible for safe handling and storage of 51直播-provided end user devices. If a device is lost or stolen, the loss must be immediately reported as an incident.
Changing roles or responsibilities
Terminated employees must have their accounts disabled within 1 business day of transfer or termination.
Transferred employee access is reviewed and adjusted as found necessary. Since there could be delays in reporting changes in user responsibilities, periodic user access reviews are conducted by the Security Review Team.
Roles and responsibilities
51直播鈥檚 Security team is responsible for administering access to systems and reviewing and updating the Access Control process on an annual basis.