🛂 Access control
Maintain security and control of internal team tools and to segment access according to role
These apply to the tools we use as a team. These do not describe processes or procedures about customer data.
- Google Apps (@flexpa.com) is used for identity management - only full time employees may have access
- When a full-time employee joins, they are granted an @flexpa.com identity that must revoked immediately should employment end for any reason
- Where available, we make use of SSO capabilities from third party vendors to support using our @flexpa.com logins
- Where available, we enable and require 2FA to be used
- Where available, we enable and require password complexity
- When employment ends, all access must be terminated promptly
Access control requests
During on-boarding and off-boarding a formal access control request must be created on GitHub. This request takes the form of a Github issue on the flexpa/flexpa repository.
The access control request is our log of what access we granted or revoked and when. It is critically important that it is created and processed in a timely manner.
For off-boarding specific processes and tasks please also review Off-boarding