Objective
This policy provides guidelines for controlling access to information systems, data and facilities, so that both logical and physical access to information is controlled.
Scope
This policy applies to all company-owned/managed information systems, data, and facilities.
Provisions
System/Information Access
Access to any system, facility or data is denied by default unless authorized.
Access level is determined by specific job function and business needs.
An Access Control Matrix or List shall be developed and maintained for all systems, particularly those containing restricted, client, or personal information and data. This matrix/list shall document role-based authorized access on an individual basis. The Access Control Matrix/List must be continually updated and maintained so that it accurately reflects current access permissions.
System access changes require mandatory approval from the requester's direct Manager/VP, the System Owner, and IT Security. IT Security, the IT Director and the VP of IT retain the authority to review and immediately revoke access at any time, particularly in response to security incidents, policy violations, or audit findings.
The use of generic accounts across the Company is generally prohibited. However, under exceptional, controlled circumstances, the use of generic accounts may be approved by IT Security.
The Access Control Matrix/List must be reviewed at least once a year or whenever rights are altered or removed.
Systems/Information De-registration
If a member of staff changes role or their contract is terminated, the assigned manager should ensure that the user's access to systems/information has been reviewed or, if necessary, removed as soon as possible through the current leavers/change process. This includes access to client systems.
If any system/information rights are altered or removed, the relevant documentation will need to be updated accordingly.
The immediate Manager or HR shall immediately request suspension of access for any team member who is placed under preventive suspension.
Team members who are deemed to have violated company security policies shall be subject to disciplinary action or termination as per the company's table of offenses. Access of such team members shall be reviewed, suspended, or terminated as required.
Systems Authentication Requirements
Company-hosted or subscribed application systems (homegrown, off-the-shelf, or Software-as-a-Service) that require users to log in must have SAML (Security Assertion Markup Language) based SSO (Single Sign-On) capability that is compatible with and integrated into the current centralized authentication platform used by the Company.
Existing and new systems that are not capable of Single Sign-On (SAML/OIDC/Federation) must undergo a per-system risk assessment and should be evaluated for replacement upon contract expiration and/or technology/hardware refresh. The risk assessment shall be conducted by the IT Security head and the process owner, and any approval to use non-compatible technology will be based on the latest Approval Matrix. The considerations include:
OAuth authentication through other directory systems connected to the company's existing centralized authentication platform (e.g., Google and Microsoft online)
LDAP or RADIUS authentication connected to the current centralized authentication platform
Multi-factor (MFA/2FA) features
Cost implications
Number and specific designation of users including the security of their devices
Importance and sensitivity of data being processed
Any other systems that cannot support SSO via SAML as required above, or whose implementation is restricted by cost or incompatibilities, should fall under the following considerations:
OAuth authentication through other directory systems connected to the company's existing centralized authentication platform (e.g., Google and Microsoft online)
LDAP or RADIUS authentication connected to the current centralized authentication platform
Multi-factor (MFA/2FA) features
Log on Considerations
All systems should be accessed through secure authentication that validates the user. As a minimum, this entails the use of a username and a password.
Passwords will comply with the company's standard level of complexity:
Minimum 16 characters
If the system cannot support 16 characters, the maximum supported length must be used.
Passphrase-type passwords should be used where applicable. Otherwise, use a mix of letters, numbers and special characters.
Changed at least every 90 days
Passwords will be delivered directly to the intended user or via their immediate superior.
End users must change passwords immediately upon receipt (for newly assigned accounts or passwords changed on request).
After a successful logon, users must ensure that equipment is not left unattended and that active sessions are terminated or locked as necessary. Systems should be logged off, closed down or terminated as soon as possible.
System log-on data, including usernames, passwords and any other authentication data, must never be copied, shared, or disclosed to anyone other than the designated user.
Login via autofill or auto-submit features, including those from password managers, must be manually initiated by the user to ensure the context is verified before credentials are submitted.
Physical Access and Control
Identification
Team members should wear their company ID badges, and visitors/external parties must wear the issued Visitor ID badges, within company premises.
People who are not displaying ID badges should be challenged. Any person not known to location personnel must be challenged in order to establish who they are and whether authorization has been provided for them to be there. If there is any doubt about the identity of the individual, the appropriate security manager should be contacted to confirm the individual’s identity.
All Company/Contracted Cleaners must have and display appropriate identification and be made aware of the requirements within this procedure.
Proximity Cards
Proximity cards should only be used by the registered user and must not be lent out or given to other staff, regardless of their seniority.
Proximity cards issued to personnel who no longer work for the company must be deactivated and recovered immediately.
Any card lost or not returned will be charged a fee accordingly.
A temporary proximity card is valid for 24 hours only, or for the period defined in the request by the immediate Manager.
Temporary employees/OJT shall be granted proximity cards registered under their names.
Offices and Facilities
Main doors or entrance must be equipped with biometric systems or proximity card systems, or a combination of both, to ensure proper authentication prior to entry.
CCTV systems must be able to cover all entrance and exit doors leading outside the company premises.
Direct access to secure locations, or access to adjoining offices that could provide access must be locked and secured using appropriate locking mechanisms.
All non-company-owned laptops and home computers are strictly prohibited inside the production areas unless proper authorization is secured from the IT Security Head. Personal laptops, computers and mobile devices must be authorized and categorized as a Bring Your Own Device ("BYOD") prior to being allowed inside the production areas, and must maintain an adequate security setup, including antivirus, personal firewall, encryption, system lock/login and any additional security applications determined necessary by Infinit-O, in place prior to connection to the company network. Infinit-O also has the right to install additional security applications and monitoring systems on BYOD devices that will be used for company data processing, and to deny access to production areas until these have been installed. This includes but is not limited to Authentication, Endpoint Protection, Patch Management, and Mobile Device Management applications.
Requests for BYOD enrollment shall be coursed through the ticketing system for approval.
Personal phones and authorized BYOD devices (Bring Your Own Devices) are allowed to be used within the production area for business use only. This includes 2FA authentication, email, chat, voice, other camera functions, and processing use.
Doors and windows must not be left open.
Datacenter/Server Rooms
Data Centers/Server rooms must be equipped with biometric or proximity card systems, or a combination of both, and must be covered by CCTV systems.
Non-authorized personnel (including Visitors/3rd Party contractors) who need access to the server room must be manually logged for recording purposes and accompanied at all times inside the server room.
Doors and windows must not be left open.
Public Delivery
Delivery of items must be conducted only at the designated receiving area.
Items will be inspected as per Support Services and Procurement procedures.
Incoming assets (company-owned, rented, or client-owned) must be registered in accordance with the company's asset management procedures.
External Parties
External parties should be logged/recorded accordingly.
3rd parties or Visitors requiring access to any production facilities must:
Present ID before being assigned a company visitor's ID, prior to accessing production facilities if needed
Sign a non-disclosure agreement and be accompanied at all times inside any production processing facility. (A company-based NDA will be considered where a pre-established NDA exists with the said 3rd party.)
Access to Server rooms will need additional approval from the IT head.
Disclose any recording/communication-capable devices such as cameras, cellphones, and laptops to the reception area; such devices may not be used unless required for business use. Usage of such devices must be in the presence of accompanying team members.
Network connection is allowed only to the designated guest Wifi/network.
External parties are prohibited from accessing any information processing facilities.
Access to any internal data will require approval from:
The designated information owner for non-client-related data.
Designated Manager and/or VP in charge of Private or Client-related Data
IT Security and IT Director for all network and IT infrastructure-related Data
Breach of Policy
Breaches of this policy and/or security incidents are defined as events which could have resulted, or have resulted, in loss or damage to company assets, or events which are in breach of the company's security procedures and policies. All company employees, partner agencies, Third Parties and vendors have a responsibility to report security incidents and breaches of this policy immediately through the company's QISMS reporting system (third parties, partners or vendors may relay the report to their direct contact). This obligation also extends to any external organization contracted to support or access the Information Systems of the Company.
The Company will take appropriate measures to remedy any breach of the policy and its associated procedures and guidelines; breaches will be dealt with under the disciplinary procedures.
Responsibilities
Vice Presidents and Directors are responsible for ensuring that all staff and managers are aware of security policies and that these are observed. Managers need to be aware that they have a responsibility to ensure staff have sufficient, relevant knowledge concerning the security of information and systems. Designated owners of systems, who are responsible for the management of those systems and the information they hold, need to ensure that staff have been made aware of their responsibilities toward security. Designated owners of systems and information need to ensure they uphold the security policies and procedures.
Distribution
Team Members
Team Leaders/Managers/Directors
Execom
References