# Access Control Policy

**Company:** [Company Name]
**Effective date:** [Date]
**Policy owner:** [Owner / Role]

## Purpose

This policy defines how [Company Name] grants, manages, and removes access to systems and data. The goal is simple: the right people have the access they need to do their jobs, nothing more, and access goes away when it is no longer needed.

## Scope

This policy covers all systems, applications, cloud services, networks, and data owned or operated by [Company Name], and everyone who uses them — employees, contractors, and third parties.

## Principles

- **Least privilege:** Grant the minimum access required for a role, and no more.
- **Need-to-know:** People see sensitive data only when their work genuinely requires it.
- **Accountability:** Every account ties to a known individual; shared accounts are avoided and, where unavoidable, tightly controlled and logged.
- **Default deny:** Access is not granted unless there is a clear reason.

## Account Lifecycle

| Stage | What happens | Target timeline |
|-------|--------------|-----------------|
| Provisioning | Access requested by a manager and approved by the system/data owner; granted per role. | Within [e.g., 1–2 business days] of start. |
| Changes | When someone changes role, access is re-evaluated; old access removed, new access added. | Within [e.g., 3 business days] of the change. |
| Deprovisioning | When someone leaves, all access is disabled and credentials revoked. | On the last working day, ideally within [e.g., a few hours] of departure. |

Requests, approvals, and removals should be recorded so they can be reviewed later.

## Authentication

- **Multi-factor authentication (MFA)** is required wherever the system supports it, especially for email, cloud admin consoles, VPN, and anything holding sensitive data.
- **Passwords / passphrases** should be long and unique to each service. Encourage a company-approved password manager so people are not reusing or writing down credentials.
- Do not force frequent arbitrary rotation; instead, change credentials when there is a reason to (suspected compromise, shared exposure, role change).
- Default and vendor-supplied passwords are changed before a system goes live.

## Privileged Access

- Administrative and other high-power accounts are limited to those who genuinely need them.
- Where possible, use a separate account for admin tasks rather than everyday work.
- Privileged actions are logged and reviewed.
- Grant elevated access for the shortest time necessary, then remove it.

## Periodic Access Reviews

System and data owners review who has access on a regular cadence — at least [e.g., every quarter] for sensitive systems and [e.g., annually] for the rest. The review confirms each person still needs their access and removes anything stale. Results and removals are recorded.

## Third-Party / Contractor Access

- Third parties get access only after a documented business need and appropriate agreement.
- Access is scoped tightly and time-limited to the engagement.
- Third-party accounts are included in periodic reviews and removed promptly when the work ends.

## Enforcement

Failure to follow this policy may lead to revoked access and, for staff, disciplinary action up to and including termination, consistent with [Company Name]'s HR policies and applicable law.

## Version History

| Version | Date | Author | Summary of changes |
|---------|------|--------|--------------------|
| 1.0 | [Date] | [Owner / Role] | Initial version. |
| | | | |

*Template by Cipherwire (cipherwire.biz). An original starting point, not legal advice — adapt it to your environment and have it reviewed before you rely on it.*