Access Controls
Access controls define how access to a system or any other virtual resource in the company is limited. The table below lists the points concerning access controls in XTRF Management Systems Ltd.
Topic | Description |
---|---|
UNIQUE USER IDS | All XTRF Management Systems Ltd. employees have unique user IDs with certain user rights regarding access to office space, data, and systems. Employees are not allowed to share user IDs. Moreover, there are no generic user IDs. |
TRACKING USER IDS | Internal system events are logged by a unique user ID. |
PROTECTING CLIENT-SENSITIVE INFORMATION | Protection of all client data is a key responsibility and obligation of XTRF Management Systems Ltd. All client information is kept securely. For more details go to the Security Policy article. |
PERSONAL ACCOUNTS MANAGEMENT | In XTRF Management Systems Ltd. the Office Managers are in charge of managing personal accounts in case of any changes. The internal procedure requires that the XTRF Administration Specialist be informed about that: a written application is delivered with information on how to manage the account (set up, delete or modify it). |
PRIVILEGED AND ADMINISTRATIVE ACCOUNTS | In XTRF, privileged and administrative accounts are limited to the XTRF Administration personnel. |
AUDITING PRIVILEGED ACTIVITY | All privileged actions on systems which process sensitive information are logged in the event log. |
STORING THE APPLICATION EVENT LOGS | Application event logs, which capture users' activity, identify sources of security events and record violations, are stored within the standard Linux logging mechanisms. |
RETENTION PERIOD FOR APPLICATION AND SYSTEM LOGS | |
PRODUCTION DATA STORAGE | Production data is always stored in the production environments. Bear in mind that production data is never stored or used in any of the non-production environments, for example the test environment, development environment or staging site. Bug fixing: If a bug cannot be reproduced outside the production environment, the production environment may be accessed by a trained XTRF Support Team. In that case, the XTRF Support Team's access is fully controlled by the client. |