MAIKAI CYBER SECURITY POLICY
Outline
This policy has been produced to support Maikai in ensuring that its cyber security policy is adhered to at every level of the organisation. It also outlines the roles and responsibilities of Maikai employees with regard to cyber security.

Aim
The aims of the Policy are as follows:
Detail the duties and responsibilities of relevant individuals.
Detail the confidentiality, privacy and security policies.
Detail the policy exemption process.
Detail the training assurance requirements.
1. Specific Policies
Information security: The following points outline how Maikai will handle information as an organisation:

Access control: Only Maikai employees are authorised to access information/data held by Maikai.
All Maikai employees must have a Maikai.org email account to access Maikai information.
Access control is granted solely by authorisation of the Policy Holder.

User Authentication: Users must log in every time the Maikai system is accessed. Two-factor authentication is required monthly.

Accountability: Every Maikai employee is responsible for the information that they have access to. Breaches of the information sharing policy can lead to termination of employment. The following safety points are to be enforced:
It is the responsibility of Maikai to deliver annual training on the information security policy.
It is the responsibility of Maikai employees to ensure that the information security policy is adhered to.

Information Classification: Each document must be explicitly labelled with its classification, so that appropriate security controls are applied to protect confidentiality, integrity and availability. The categories are as follows:
Public – Information that can be openly shared without risk to the organisation.
Internal – Sensitive information intended for internal use within the organisation.
Confidential – Highly sensitive information requiring restricted access to authorised personnel.
Restricted – Extremely sensitive information with a limited distribution to a predefined group.
Data Privacy: The purpose of the data privacy section is to establish guidelines and practices that safeguard the privacy of individuals and protect the personal information collected, processed, and stored by Maikai.
Principles: Maikai adheres to the following privacy principles.
Lawfulness, fairness and transparency: Ensure that the processing of personal data is lawful, fair and transparent to the data subjects.
Purpose limitation: Specify the purposes for which personal data is collected and ensure that it is not used for unrelated purposes.
Data minimisation: Collect only the necessary personal data required for the intended purpose.
Accuracy: Ensure that personal data is accurate and kept up to date.
Storage limitation: Establish and adhere to specific timeframes for retaining personal data.

Data Collection and Consent: Clearly communicate to individuals the purposes for collecting their personal data and obtain explicit consent before processing. Specify the methods for obtaining and documenting consent, and ensure that individuals can withdraw consent at any time.

Data Security: Implement security measures to protect personal data from unauthorised access, disclosure, alteration and destruction. This includes encryption, access controls, and regular security assessments.

Data Subject Rights: Respect and facilitate the exercise of data subject rights, including the right to access, rectification, erasure, and data portability.

Third-Party Data Processing: If personal data is shared with third parties, ensure that appropriate contractual agreements are in place to safeguard the privacy and security of the data. Conduct due diligence checks on third-party data processors regarding their data protection practices.

Data Privacy Officer (DPO): The data privacy officer is responsible for overseeing compliance with data protection laws, providing guidance, and acting as a point of contact for data subjects and regulatory authorities. The DPO is to be appointed by the Policy Holder.

Current DPO -
Appointment Date – 18/02/2024
Review Date – 18/08/2024

Personnel security: The purpose of this section is to establish measures and guidelines for ensuring the trustworthiness and reliability of individuals who have access to the organisation’s information assets.

Employment screening: The processes below outline the screening that all employees, contractors and third-party personnel must go through before they are granted access to sensitive information.
Reference checks.
Verification of role within external organisation.

Principle of minimum access: Maikai operates using the principle of minimum access. This means that employees and external users will have the least access possible whilst still enabling them to perform their roles effectively.

User Authentication: Complex passwords are essential. Maikai policy is that no password may be shorter than 8 characters, and every password must contain a number and a symbol. Additionally, multi-factor authentication is likely to be implemented by 2025.

Training and awareness: Maikai will undertake annual training sessions to outline the overall personnel security policy for employees to adhere to.

Reporting of security incidents: It is every employee's responsibility to report any incidents that they believe have breached Maikai policy. The process is outlined below.
Record all appropriate data.
Inform your line manager.
Transfer all data requested to your line manager.
Be prepared to support any further investigation.

Personnel Changes: When an employee changes position or leaves Maikai, it is the responsibility of the DPO to ensure that their access is changed or revoked in a timely manner, so that the risk of breaching policy is kept to a minimum.

Remote working Security: When working from outside the office it is the employee's responsibility to ensure that they are using a VPN to protect the sensitive information that they have access to. Any breach of policy resulting from the use of insecure networks is the employee’s responsibility.

Disciplinary actions: Any breach of personnel policy will incur disciplinary action. The severity of the action will reflect the severity of the breach. Disciplinary actions include but are not limited to retraining, suspension, or termination of employment.

Confidentiality agreements: It is the responsibility of Maikai employees to understand the nature of the work and the consequences of breaking confidentiality agreements. Breaking a confidentiality agreement will incur disciplinary action that includes but is not limited to retraining, suspension, or termination of employment.

Business Continuity Management: The purpose of this section is to establish a framework for ensuring the resilience of critical business functions, information systems, and data in the face of disruptive events.

Risk assessment and Business impact analysis: Monthly risk assessments and business impact analyses must be conducted to identify potential threats and assess the impact of disruptions on critical business processes. The findings must be used to prioritise business continuity efforts.

Business Continuity planning: Maikai will create a framework for developing and maintaining comprehensive business continuity plans that outline strategies, roles, and responsibilities for responding to and recovering from disruptive incidents. Plans will be regularly tested and updated.

Critical Infrastructure and systems: The identification and prioritisation of critical infrastructure, systems, and data necessary for the continuity of essential business functions is essential and must be kept up to date. Redundancy and failover mechanisms are in place to ensure continuity.

Emergency response and incident management: Below is the procedure for effective emergency response and incident management.

Incident Identification & Classification
Level 1 (low) – Incidents with minimal impact and limited scope.
Level 2 (medium) – Incidents with moderate impact and scope that may affect multiple systems or departments.
Level 3 (high) – Critical incidents with significant impact and scope that require immediate attention and escalation.

Incident reporting – Report to Line Manager.

Incident response team – The incident response team (IRT) is responsible for coordinating the response to security incidents. The team consists of designated members from relevant departments.

Incident triage and assessment – The IRT conducts an initial triage and assessment to determine the severity, scope, and impact of the incident. This includes identifying affected systems, data and potential vulnerabilities.

Incident response plan activation – Based on the assessment, the IRT activates the appropriate incident response plan. The plan outlines specific actions, roles, and responsibilities for responding to and mitigating the incident.

Incident containment and mitigation – The IRT works to contain the incident and prevent further damage or unauthorised access. This may involve isolating affected systems, disabling compromised accounts, or implementing temporary security measures.

Evidence Preservation – During the incident response process, the IRT ensures the preservation of evidence for forensic analysis and potential legal proceedings. This includes documenting all actions taken, preserving log files, and capturing relevant information.

Communication and Notification – The IRT communicates with relevant stakeholders, including senior management, employees, customers, regulatory authorities and law enforcement as necessary. Clear and timely communication is critical to manage the incident effectively.

Post-Incident Review and Analysis – After the incident is resolved, the IRT conducts a post-incident review and analysis to identify lessons learned, root causes, and opportunities for improvement. Recommendations are documented and incorporated into the organisation’s security practices.

Documentation and reporting – All incident response activities, including assessments, actions taken, and outcomes, are documented for future reference and reporting. Incident reports are compiled and shared with relevant stakeholders and regulatory authorities as required.

Business continuity Manager: Due to the size of the responsibility associated with business continuity management, Maikai will always have a business continuity manager appointed.
Logical Access Security: The purpose of this section is to establish guidelines and measures to ensure the secure management and control of electronic access to information systems, applications, and data within Maikai.
Password Policy: See section 7/c
Role-Based Access Control: Access will be assigned based on job roles and responsibilities operating under the principle of minimum access. Access will be regularly reviewed and updated to reflect changes within the organisation and individual roles.
User Account Creation: Maikai will take responsibility for the creation of all Maikai user accounts. Accounts will be created before employment begins and only once all relevant vetting procedures have been completed.
User Account Termination: Maikai will ensure the prompt termination of user accounts upon termination or change in employment circumstances. Additionally, a review will be conducted every 6 months to identify and deactivate dormant accounts.
User Account Suspension: Maikai retains the right to suspend any account based on violations of any information policy. Account reactivation will only occur when the policy holder deems it appropriate, and all relevant procedures have been followed.
Systems Management Security: The purpose of this section is to establish guidelines and measures to ensure the secure configuration, monitoring and maintenance of information systems within Maikai.
Standardised Configurations: All Maikai employees are to use both the Maikai SharePoint and Maikai Teams for information systems.
Change Control Procedures: All changes to the Maikai SharePoint and Teams functionality must be approved by the Policy Holder.
Security Patches: Maikai systems will be subject to ongoing security assessments to ensure that the system is secure for the nature of the information stored within. Regular updates to the systems may take place, and it is therefore essential that Maikai employees react and adhere to the changes in functionality/process.
Vulnerability Scanning: Maikai will conduct regular vulnerability scans on systems and network infrastructure to ensure systems are secure and appropriately protected against threats.
Event Logging: The systems Maikai uses allow all actions that take place on the system to be monitored.

Data Backup: Data backup systems are implemented to ensure the integrity of information in case of system compromise.

Training programmes: It is Maikai’s responsibility to provide training programmes for system administrators and IT staff on secure systems management practices. Once the training has been completed it is the responsibility of the employee to ensure these practices are adhered to.

Cloud Security: The purpose of this section is to establish guidelines and measures to ensure the secure adoption, configuration and ongoing management of cloud services within the organisation. Cloud services currently in use – Microsoft SharePoint.

Data Classification: Ensure that any data uploaded to the cloud adheres to data sensitivity and regulatory requirements. Additionally, ensure appropriate levels of encryption and access controls for each respective data classification.

Identity Management: Access to SharePoint will be restricted to Maikai employees only, with the exception of individuals authorised by the Policy Holder.

Access Controls: Adhere to the principle of minimum access.

Continuous Compliance Monitoring: It is the responsibility of the DPO to ensure that all activity conducted in the cloud is compliant with both the data and cyber security procedures adopted by Maikai or by relevant stakeholders.

Incident Response Plan: See Section 8/d/1-10.

Network Segmentation: Robust segmentation of the cloud space is required to ensure that client/personal data is not shared with the incorrect individual/organisation.

Accounts and Devices: Only devices that are used regularly will have access to SharePoint. If a device does not use SharePoint for over a month, the device will have to go through authentication procedures.

Software Security: The purpose of this section is to establish guidelines and measures to ensure that software used by Maikai is used securely and supports the effective use of software assisting critical business operations. Additionally, it articulates the purposes and objectives of the software security policy.

Automatic software updates: Maikai will ensure that all systems software is regularly updated through the use of automatic software updates. It is the responsibility of Maikai to ensure that all company systems are using the most up-to-date software, so that security systems are current.

Firewalls: Firewalls are deployed at Maikai’s network perimeter to regulate incoming and outgoing traffic based on predefined security parameters. Their purpose is to prevent unauthorised access, protect sensitive information and mitigate cyber threats such as malware, hacking attempts and denial of service attacks. It is the responsibility of Maikai to ensure that systems firewalls are running and allowing appropriate traffic through. If inappropriate traffic is noticed by Maikai employees, this must be reported as soon as possible.

Redundant Software: Maikai will conduct a review every 6 months of company systems to ensure that software no longer in use is removed. This will declutter the systems still in use and reduce their exposure to malware and cyber-attacks.

Autoplay/Autorun: By default, autoplay/autorun will be disabled on all Maikai systems.

Password Policy: The purpose of this section is to establish guidelines and requirements for creating, managing, and securing user passwords within Maikai. By implementing strong password practices, Maikai aims to safeguard sensitive information, prevent unauthorised access, and maintain the integrity of Maikai systems.

Password Length: Passwords must be at least 12 characters in length.

Complexity Requirements: Passwords must include a combination of uppercase and lowercase letters, numbers and special characters.

Password Changes: Users are required to change their passwords every 6 months. This will be automated by Maikai systems; it is not the responsibility of the employee to remember.

Password Expiry: User accounts will be locked after five unsuccessful login attempts. Accounts can be unlocked by contacting your line manager.

Multi-factor Authentication: MFA will be implemented for access to Maikai systems. Authorised MFA means are as follows:
A managed enterprise device.
An app on a trusted device – Microsoft Authenticator.
A physical token.
A known or trusted device.

Default Passwords: All default passwords on systems will be changed to Maikai-specific workstation passwords.

Alternate Passwords: It is Maikai policy that each user does not use the same password for multiple systems. Distinct passwords across systems will be enforced, and all such passwords must adhere to the password policy detailed in sections 7 & 13.

Compromised Passwords: This section outlines the password-compromise response process that each employee must follow.
User report/system alert – Users should promptly report any suspicious activities or unauthorised access. Security systems, such as intrusion detection or monitoring tools, may trigger alerts related to unusual login patterns.
Suspicious Account Activity – Account activity will be monitored by the DPO for signs of suspicious account activity. Additionally, a number of automated detection tools will be used to reduce the workload.
Confirming the compromise – The reported incident or security alert will be investigated to determine whether a password compromise has occurred. The authenticity of the report will be validated by additional verification steps.
Affected account identification – The user accounts affected by the password compromise will be identified. Cross-referencing of user reports, system alerts and any available logs will be used to assess the scope of the incident.
Account lockout – Temporary lockouts of affected accounts will be initiated to prevent further unauthorised access. Automated mechanisms will enforce temporary lockouts after 5 failed login attempts.
Password Reset – A mandatory password reset will be initiated for compromised accounts; this will be communicated through secure channels.
Communication with users – Affected users will be notified about the compromise, the actions taken and the need to reset their passwords.
Root cause analysis – A thorough investigation will be conducted to determine the root cause of the password compromise.
Incident severity assessment – An assessment of the severity of the incident will be conducted to understand the scope of the compromise and any actions that should be taken to rectify the security breach.
Vulnerability mitigation – Identified vulnerabilities or weaknesses will be rectified to ensure the compromise does not happen again.
Security awareness retraining – Retraining will be conducted throughout the organisation to ensure that employees thoroughly understand the security policies and procedures that are designed to mitigate the threats of these incidents.

Automatic Deny list: Maikai has adopted a standard reject list of passwords that offer insufficient security. The list can be found by following this link. This list is likely to be updated with every review of the Maikai Cyber policy.

Throttling mitigation: To mitigate repeated unsuccessful login attempts, each user is subject to a time restriction after every unsuccessful login attempt. After 10 attempts in 5 minutes a user account will be temporarily locked.

Locking accounts: Accounts will be locked after 10 unsuccessful attempts and may only be unlocked with the authorisation of the DPO.
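The length, complexity, deny-list and throttling rules above are the kind of policy statements that get enforced in code at the login or password-change path, so it is worth seeing what that enforcement looks like. The following is an added example written for this page and is not Maikai's own code: it checks a candidate password against the 12-character minimum, the four character classes and a deny list, and implements a sliding-window login throttle that temporarily locks an account after 10 failed attempts within 5 minutes. The deny-list entries, the 15-minute lock duration, the doubling per-attempt delay and the DPO-only manual unlock check are assumptions for illustration; the policy gives a threshold of five attempts in one place and ten in another, so the threshold is a parameter rather than a constant.

```python
"""Password policy checks and login throttling modelled on the Maikai policy text.

Added example, not Maikai's code. Taken from the policy: 12-character minimum,
mixed-case/number/special complexity, temporary lock after 10 failures in 5 minutes.
Constructed assumptions: the deny-list entries, the lock duration, the escalating
per-attempt delay and the DPO-only unlock check.
"""
from collections import defaultdict, deque

MIN_LENGTH = 12
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Constructed stand-in for the policy's deny list (the real list sits behind the policy's link).
DENY_LIST = {"password", "password123!", "maikai2024!", "welcome12345", "qwerty123456"}


def check_password(password: str) -> list[str]:
    """Return the list of policy rules the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    # Deny-list comparison is case-insensitive so "Password123!" is caught as well.
    if password.lower() in DENY_LIST:
        problems.append("on the deny list")
    return problems


class LoginThrottle:
    """Sliding-window throttle: failures older than `window` seconds are forgotten;
    `max_attempts` failures inside the window lock the account for `lock_seconds`."""

    def __init__(self, max_attempts: int = 10, window: int = 300, lock_seconds: int = 900):
        self.max_attempts = max_attempts        # policy: 10 (elsewhere 5), hence a parameter
        self.window = window                    # policy: 5 minutes
        self.lock_seconds = lock_seconds        # assumption: policy states no duration
        self._failures: dict[str, deque] = defaultdict(deque)
        self._locked_until: dict[str, float] = {}

    def _recent(self, user: str, now: float) -> deque:
        """Prune failures that have aged out of the window and return the remainder."""
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0)

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed login; return True if this failure triggered a temporary lock."""
        q = self._recent(user, now)
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[user] = now + self.lock_seconds
            q.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure history for that user."""
        self._failures.pop(user, None)

    def retry_delay(self, user: str, now: float) -> int:
        """Seconds the user must wait before the next attempt; doubles per recent failure, capped at 60 (assumption)."""
        n = len(self._recent(user, now))
        return 0 if n == 0 else min(2 ** (n - 1), 60)

    def unlock(self, user: str, authorised_by: str) -> None:
        """Manual unlock; the policy reserves this for the DPO, so the caller's role is checked."""
        if authorised_by != "DPO":
            raise PermissionError("only the DPO may unlock a locked account")
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


if __name__ == "__main__":
    print(check_password("Tr0ub4dor&3x!"))   # []
    print(check_password("Password123!"))    # ['on the deny list']
    throttle = LoginThrottle()
    locked = False
    for second in range(10):                 # ten rapid failures from one account
        locked = throttle.record_failure("alice", 1000 + second)
    print("locked after 10 rapid failures:", locked)
```

The throttle keeps only timestamps inside the window, so a user who fails once a minute never accumulates ten failures in five minutes and is never locked, while a burst of ten failures locks the account and clears the history so the lock, not the counter, governs the next attempts.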
Application Usage and Downloads: This section outlines the process for downloading and using applications that will work alongside and with Maikai information and data.

User Request: Users seeking to install or download specific applications onto Maikai systems must submit a request. Requests should include details such as the application name, purpose, and justification for use.

Application Review and approval: Each requested application will be assessed for security compliance and business relevance. The assessment will be carried out by the DPO, IT managers and other relevant individuals.

Compliance Checks: The application must comply with organisational policies, industry regulations and all relevant legal requirements. The application must also adhere to Maikai data privacy and security standards.

Risk Tolerance: Due to the sensitive nature of Maikai projects the overall decision lies with the CEO, and an application, despite adhering to all policy, can be rejected at the discretion of the CEO.

Maikai Data Backup Process: This section outlines the process Maikai adopts for backing up all critical business information and applications, to ensure business continuity in the event of critical incidents.

Data Identification: All business-critical data, databases, files and critical applications will be stored in two locations to ensure Maikai remains operational in the event of a system failure. Data in these two locations will be classified based on sensitivity, criticality and regulatory requirements.

Priority Assessment: Risk assessments will be carried out monthly to determine the potential business impact of data loss. This impact will be used to assign priority to data based on its importance to business operations.

Backup Frequency: Maikai will conduct a monthly backup of all data stored on Maikai systems. Critical/sensitive data will be subject to daily backups.

Retention Policy: Maikai will retain all sensitive data for 1 year after contract fulfilment, at which point it will be destroyed in the appropriate manner. This period will be informed by industry regulation changes, legal requirements and business needs.

Automated Backup systems: An automated backup system is in place to minimise manual errors and ensure consistency. Additionally, the backup system will ensure version control across all projects/data.

Encryption: All data in transit between backup sites will be encrypted to the standard required by the classification of the data and by legal frameworks.

Incremental and Full Backups: Incremental backups will take place at the close of play every day. Full backups will take place once a month to ensure no disruption of Maikai routine.

Recovery testing: Recovery testing will take place every quarter, where the DPO will recover all data critical to Maikai business activity.

Policy exemption process: Policy exemptions are granted only by the Policy Holder, at their discretion.

Formal Request submission: A formal request for a policy exemption must be made. It must include details such as the policy section, the rationale for the exemption, potential risks, and proposed alternative measures to mitigate those risks.

Risk assessment: The Policy Holder will assess the potential risks associated with granting the exemption, considering the impact on security, compliance and overall organisational objectives.

Approval Documentation: All exemption requests are documented comprehensively, including the reason for the request, potential risks, and proposed mitigations.

Approval Notification: The decision must be communicated to all persons that the approval affects, specifying the conditions (if any) under which the exemption is granted and any additional measures to be implemented.

Implementation Plan: A clear plan must be in place for implementing the exemption, outlining specific actions, responsibilities, and timelines.

Ongoing Monitoring: Any exemption must be subject to a period of monitoring, as it is a deviation from standard practice. This is to ensure that the exemption is not having an adverse effect on security, compliance and organisational objectives.

Periodic Review: Regular reviews of active policy exemptions must take place to assess their ongoing relevance and necessity.

Renewal Process: An exemption is valid only for a set period of time, to be decided by the Policy Holder. If that period elapses and the exemption is still required, the process must be started again.

Register of assets: This section provides a comprehensive overview of all organisational assets, including detailed information on their identification, ownership, financial details, usage, and maintenance. The Asset Register serves as a centralised repository for effective asset management and tracking within the organisation.

Asset identification: All assets must have a unique name or identification code for tracking purposes.
Asset location: The location of each asset within the organisation must be recorded.
Asset Categorisation: Assets must be categorised based on their type (IT equipment, furniture, vehicles).
Date of Acquisition: Document the date when the asset was acquired.
Manufacturer/supplier: Identify the manufacturer or supplier of the asset.
Model/Specification: Specify the model or technical specifications of the asset.
Serial Number: The serial number of the asset must be recorded.
Usage and Operational information: Record the date when the asset was put into operational use.
Operational Status: It must be indicated whether the asset has been put into use.
Utilisation Metrics: Usage metrics or operational statistics must be tracked.

Anti-virus and Malware Management: This section outlines the policies and procedures related to the deployment, configuration, and management of antivirus software within the organisation. It also addresses measures for the prevention, detection, and response to malware threats to ensure a secure computing environment.

Selection of Antivirus Solutions: Only trusted and reputable antivirus solutions are to be used on Maikai equipment.

Configuration Settings: The settings recommended by the antivirus manufacturer are always to be used.

Update frequency: The update frequency is dictated by the antivirus provider, and updates are to be applied whenever recommended.

Firewall Password Change: This section establishes guidelines for the regular changing of passwords associated with the firewall system. By enforcing regular password changes, we aim to enhance the security posture of our network infrastructure and mitigate the risks associated with unauthorised access or breaches.

Frequency of Password Changes: Firewall passwords must be changed regularly, at intervals not exceeding 90 days. Exemptions to this schedule may be granted under specific circumstances, such as during critical systems outages or security incidents, subject to approval from the DPO.

Password Complexity Requirements: Firewall passwords must adhere to Maikai’s password complexity policy (Section 7/c). Passwords should not be reused within 6 months.

Responsibility for Password Management: It is the responsibility of the DPO and other designated system administrators or security personnel to ensure compliance with password changes. Passwords should only be shared with authorised personnel on a need-to-know basis and through secure communication channels.

Change Procedures: When changing firewall passwords, the following procedures must be followed:
Notification of all relevant stakeholders about the upcoming password change.
Log in to the firewall management interface using secure credentials.
Change the password following Maikai’s password change guidelines and policy (Section 7/c).
Update documentation and records to reflect the new password.
Conduct testing to ensure that the password change does not disrupt network operations.
Communicate the successful password change to relevant parties.

Monitoring and enforcement: Regular audits and monitoring are conducted to verify compliance with password change policies. Non-compliance may result in disciplinary action up to and including termination of employment or contract.

Exceptions: Exceptions to this policy may be granted on a case-by-case basis, subject to approval from the designated authority. All exceptions must be documented and justified with appropriate reasoning.

Policy Review: This policy shall be reviewed annually, or more frequently if deemed necessary, to ensure its effectiveness and relevance in mitigating security risks associated with firewall password management.

Policy awareness: All employees, contractors, and relevant stakeholders shall receive training on this policy upon its implementation and subsequent updates. Additionally, this policy shall be made accessible through the organisation's internal documentation repository.

Compromised Firewall Password Response: The purpose of this policy section is to establish guidelines and procedures for responding to instances where a firewall password has been compromised. The prompt detection and mitigation of compromised passwords are critical to safeguarding the security and integrity of our network infrastructure.
-
Detection of Compromise: Any suspicion or confirmation of a compromised firewall password must be reported immediately to the designated IT security or network administration team.
-
Response Procedures: Upon detection of a compromised firewall password, the following procedures must be followed:
-
Immediately disable the compromised account associated with the compromised password.
-
Assess the extent of the compromise and identify any unauthorised access or suspicious activities.
-
Change the compromised password following the organisation's password change guidelines.
-
Investigate the root cause of the compromise to determine the source of the breach and implement corrective measures.
-
Perform a thorough review of firewall logs and monitoring systems to identify any anomalies or signs of further compromise.
-
Implement additional security controls or measures to prevent similar incidents from occurring in the future.
-
Notify relevant stakeholders, including management, IT security personnel, and affected users, about the incident and the steps taken for resolution.
-
Communication and Reporting: All incidents involving compromised firewall passwords must be documented and reported by the organisation's incident response procedures. Communication about the incident, its impact, and the remediation efforts should be transparent and timely.
-
Lessons Learned and Remediation: Following the resolution of the incident, conduct a post-incident review to identify lessons learned and areas for improvement. Update relevant policies, procedures, or security controls based on the findings of the post-incident review to strengthen the organisation's resilience against future incidents.
-
Escalation Procedures: In cases where the compromise poses a significant risk to the organisation's security or operations, escalate the incident to higher management or relevant authorities as per the organisation's escalation procedures.
-
Policy awareness: All employees, contractors, and relevant stakeholders shall receive training on this policy section as part of their cybersecurity awareness training program. Additionally, this policy section shall be made accessible through the organisation's internal documentation repository.
-
Compliance: Failure to comply with this policy section may result in disciplinary action as outlined in the organisation's disciplinary policy.
-
Document Control: This policy section shall be maintained and updated by the designated authority responsible for information security or network administration.
-
Approval: This policy section has been reviewed and approved by CEO David Ellis, on 25/2/23. Any revisions to this policy section must be approved by the same authority.
-
Approval of Individuals to Administrator Roles: The purpose of this policy is to define the criteria and procedures for approving individuals to administrator roles within the organisation's systems, networks, and applications. This policy aims to ensure that only authorised personnel with the requisite skills, knowledge, and trustworthiness are granted administrative privileges, thereby minimising security risks and maintaining the integrity of organisational assets.
-
Authorisation Process: All requests for granting or modifying administrative access must be submitted through an official authorisation process, which may include completing a formal request form or utilising an automated request and approval system. Requests for administrative access should be justified based on job responsibilities and the principle of least privilege, ensuring that individuals only receive the level of access necessary to perform their duties effectively.
-
Approval Authority:
-
Approval for granting administrative access shall be obtained from the designated authority, which may vary depending on the level of access being requested and the organisational structure.
-
Approval authority may be delegated to department heads, project managers, or IT administrators, as appropriate, provided that they have the necessary expertise to assess the legitimacy of the request.
-
Criteria for Approval: Individuals requesting administrative access must meet the following criteria:
-
Employment status: Must be an active employee, contractor, or authorised third-party representative with a legitimate business need for administrative access.
-
Job role: Must hold a position that requires administrative privileges to perform assigned duties effectively.
-
Training and certification: Must have received appropriate training and certification relevant to the systems, networks, or applications for which access is being requested.
-
Trustworthiness: Must demonstrate a commitment to information security best practices and adherence to organisational policies and procedures.
-
Documentation and Accountability: All approvals and rejections of administrative access requests must be documented, including the rationale for the decision and the identity of the approving authority. Authorised individuals granted administrative access must sign an acknowledgement form agreeing to comply with the organisation's policies and guidelines governing the use of administrative privileges.
-
Regular Review and Recertification: Administrative access permissions shall be subject to regular review and recertification to ensure ongoing compliance with organisational policies and evolving business needs. Access privileges may be revoked or modified if the individual's job responsibilities change or if there are concerns regarding their adherence to security protocols.
-
Compliance: Failure to adhere to this policy may result in disciplinary action, up to and including termination of employment or contract, in accordance with the organisation's disciplinary policy.
-
Policy awareness: All employees, contractors, and relevant stakeholders shall receive training on this policy as part of their onboarding process and periodic cybersecurity awareness training initiatives.
-
Document Control: This policy section shall be maintained and updated by the designated authority responsible for information security or network administration.
-
Approval: This policy section has been reviewed and approved by CEO David Ellis, on 25/2/23. Any revisions to this policy section must be approved by the same authority.
-
Use of Administrator Accounts for Administrative Tasks: The purpose of this policy is to establish guidelines and procedures for ensuring that administrative IT tasks are performed using designated administrator accounts rather than standard user accounts. This policy aims to enhance security, accountability, and traceability of administrative activities while minimising the risk of unauthorised access or misuse of privileged credentials.
-
Use of Administrator Accounts: Administrative IT tasks, including system configuration, software installation, patch management, and user account management, must be performed using designated administrator accounts. Standard user accounts should not be used to carry out administrative tasks unless explicitly authorised for specific, limited purposes by the IT security or network administration team.
-
Segregation of Duties:
-
Individuals performing administrative IT tasks should have their own unique administrator accounts, distinct from their standard user accounts.
-
Administrators should not share their credentials with other users and must ensure the confidentiality and integrity of their passwords at all times.
-
Administrative accounts shall be strictly reserved for performing administrative tasks, such as system configuration, maintenance, troubleshooting, and security-related activities.
-
Standard user accounts must be used for day-to-day operational tasks, including email communication, web browsing, document editing, and other routine activities.
-
Principle of Least Privilege:
-
Administrator accounts should only be granted the minimum level of privileges necessary to perform assigned administrative tasks effectively.
-
Access rights should be tailored to the specific job responsibilities of each administrator, with unnecessary privileges revoked to reduce the risk of potential misuse or exploitation.
-
Prohibited Use of Administrator Accounts: Under no circumstances should administrator accounts be used for non-administrative activities, such as accessing email, browsing the internet, or performing routine office tasks. Access to sensitive data or critical systems using administrative privileges for non-administrative purposes is strictly prohibited.
-
Administrator Access Reviews: Administrator access reviews shall be conducted on a regular basis, at least quarterly, to ensure that access privileges remain appropriate and justified. Reviews may be more frequent for sensitive systems or in response to organisational changes, such as employee turnover or role changes.
-
Authorisation and Authentication Controls: Strong authentication mechanisms, such as multi-factor authentication (MFA), should be implemented for accessing administrator accounts to prevent unauthorised access. Authorisation controls, such as role-based access control (RBAC) or access control lists (ACLs), should be configured to restrict administrative access to authorised individuals and resources.
-
Logging and Monitoring: All administrative activities performed using administrator accounts must be logged and monitored using centralised logging and monitoring solutions. Logs should capture details such as the date, time, user ID, IP address, and actions performed during administrative sessions for auditing and forensic purposes.
-
Compliance: Failure to adhere to this policy may result in disciplinary action, up to and including termination of employment or contract, in accordance with the organisation's disciplinary policy.
-
Policy awareness: All employees, contractors, and relevant stakeholders shall receive training on this policy as part of their onboarding process and periodic cybersecurity awareness training initiatives.
-
Document Control: This policy section shall be maintained and updated by the designated authority responsible for information security or network administration.
-
Approval: This policy section has been reviewed and approved by CEO David Ellis, on 25/2/23. Any revisions to this policy section must be approved by the same authority.
-
Distribution: All policy is distributed to all Maikai employees and contractors to ensure adherence at every level and for each individual to understand their role in ensuring compliance.