Document Version: 1.1
Author: Richard D’Lonesteen
Date Created: 12/08/2023
1. Purpose
The purpose of this Access Control Policy is to establish the rules for granting, reviewing, and revoking access to all sensitive and critical information assets within ChattyAI. This policy ensures that access to assets is managed and controlled in a way that supports the confidentiality, integrity, and availability of all data.
2. Scope
This policy applies to all employees, contractors, and third-party agents of ChattyAI who have any form of access to the company’s information systems and physical locations.
3. Policy
3.1 General Requirements
- Role-Based Access Control (RBAC): Access to information systems is granted through roles that correspond to job functions, not to individual users on an ad hoc basis.
- Least Privilege: Each role, and each user assigned to it, is granted only the minimum privileges needed to perform the job function, and no more.
- Multi-Factor Authentication (MFA): MFA is required for access to all internal systems, including all systems that store or process sensitive data.
3.2 User Access Management
- Authorization: All access requests must be approved by the requester's department manager or by a security administrator before access is provisioned.
- Access Provisioning: The IT department is responsible for creating, issuing, and revoking access credentials.
- Access Review: Access rights shall be reviewed at least every six months, and additionally whenever a user's employment status or job function changes significantly.
3.3 Secure Authentication
- Users must comply with the password policy, which requires complex passwords that are changed at regular intervals.
- Sessions must time out after a defined period of inactivity, and users must re-authenticate to resume work.
3.4 Monitoring and Logging