Access to data / services used by Infinity Works is tightly controlled via the methods below.
Data and services include, but are not limited to:
- Document and file repositories (e.g. Google Drive)
- Collaborative tools (e.g. Confluence)
- Delivery Tracking Tools / Agile Life-cycle Management Tools (e.g. JIRA)
- Cloud Services (e.g. AWS, Azure, Google Cloud Platform)
Client-provided services are exempt from this policy, although all Infinity Works staff and contractors must comply with the customer's Access Control Policy.
This policy applies to all Infinity Works employees and contractors.
The administrators of each system are responsible for allocating and authorising user access rights to that system.
Privileges are allocated on a need-to-use and event-by-event basis and can be initiated via email or Slack.
The ISMS Committee periodically reviews system access for all internal systems to check:
- That users have been deactivated or removed as appropriate.
- That unauthorised privileges have not been obtained.
- Adhere to the Password Policy
- Adhere to the Laptop Policy
- Adhere to the Information Sensitivity Policy
- We only use systems which require authentication and follow best practice for authentication.
- Wherever possible, Google Authentication is used to simplify account management.
- Multi-factor authentication is required for Google, GitHub and AWS accounts, and is recommended for use wherever possible.
- Infinity Works considers all networks to be untrustworthy.
- Infinity Works does not operate a trusted network (intranet) in order to control access to services.
- Access control is provided by mechanisms which can operate on untrusted networks.
The ISMS Committee will verify compliance with this policy through various methods, including, but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to the policy must be approved by the ISMS Committee in advance.