
Access Control Policy
Version 1.0
GeeksForLess Inc confidential
04/22/2019

The information on this document is the property of GeeksForLess. Not to be reproduced or disclosed without written approval.
Table of Contents

1 Introduction
2 Scope
  2.1 Out of Scope
3 Roles and Responsibilities
4 Definitions
5 User Accounts
  5.1 Generic accounts
  5.2 Administrative accounts
  5.3 Access Revocation
6 Access Control Methods
  6.1 Physical access controls
  6.2 Information systems access controls
7 Remote access
8 Records retention
9 Penetration Testing
10 Revision control

1 Introduction

This document details the approach to managing access to GeeksForLess facilities, systems, and
information. GeeksForLess employees and contractors require such access to carry out their
responsibilities in as effective and efficient a manner as possible without compromising security.

2 Scope

This policy covers all networks, computers, laptops, electronic devices, IT systems, databases, rooms,
facilities, parking lots and offices that GeeksForLess owns, leases, or purchases as a service.

2.1 Out of Scope

Systems, equipment, facilities, or any other items that are owned by a GeeksForLess customer, are not
controlled by GeeksForLess, and are subject to the customer's own policies, procedures, and controls.

3 Roles and Responsibilities

Dmytro Dolyna, CISO – responsible for development of this policy and enforcement of the policy;

Alex Mukhin, Manager IT Infrastructure – responsible for implementing secure access controls;

Kateryna Fedotova, HR Manager – responsible for job roles documentation and provisioning;

Senior Management – responsible for job roles creation and required access approval.

Victor Bilyk, Physical Security Manager – responsible for enforcing the policy in terms of physical access.

4 Definitions

• Staff - Any contractor or employee of GeeksForLess Inc. and/or its subsidiary companies.
• Visitor - Any non-staff person such as cleaning, maintenance, provider or client personnel who is
within GFL facility.
• User(s) – Those having administrative, privileged or end user computing access.
• GFL- GeeksForLess Inc and subsidiary companies.
• Management - GFL staff members with work status (or acting rank) that implies personnel
supervision.
• Senior management - GFL staff members with work status of Department Manager or higher.
• Reasonable access - Access which staff member requires to perform one or more tasks that fall
under the employee’s established area of responsibility and which is restricted in such a manner as
to prevent any activities which fall outside the employee’s established level of responsibility.
• Secure and sensitive areas - data center, executive area, human resources department.
• Critical computer systems – computer systems with potential to damage company’s reputation,
compromise confidential data, bring financial impact or otherwise significantly harm the company
or its clients if misused.
• Priority 1 - activities to be performed immediately.
• Priority 2 - activities to be performed within 24 hours.
• Priority 3 - activities to be performed within 5 business days.

5 User Accounts

GFL staff members are only granted reasonable access to any facility, system, network, application,
database or other management interface. Root access is only granted to the staff members who passed the
root test. Granting access to a facility, computer system and/or property pass is a matter for approval by a
Senior Manager.

5.1 Generic accounts

All user accounts under all circumstances must be personally identifiable. Usage of generic or shared
accounts is prohibited. Sudo must be used when root access to systems is required.

5.2 Administrative accounts

The allocation of privilege rights (e.g. local administrator, domain administrator, super-user, root
access) shall be restricted and controlled and not provided by default.

Approval for the use of such accounts shall only be provided explicitly, upon written request
from a senior manager submitted via the ticketing system, and must be documented by the system owner.

Privileged accounts must not be used for standard activities; they are for program installation and
system reconfiguration, not for program use, unless it is otherwise impossible to operate the
program.

Root access to computer systems is only granted upon passing a platform- or technology-specific root test.
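Sections 5.1 and 5.2 state requirements (no shared accounts, root only through sudo, privilege never granted by default) without saying how to verify a host against them. The audit below is an added example written for this page, not a tool from the GeeksForLess policy; it runs over constructed inline copies of /etc/passwd, /etc/ssh/sshd_config and /etc/sudoers and reports each deviation tagged with the policy clause it violates. The list of "generic" account names is a heuristic assumption of this example, not a definition from the policy.

```python
"""Audit a host's account configuration against policy sections 5.1 and 5.2.

Added example, not part of the GeeksForLess policy. Checks (on constructed
inline copies of the three files):
  * UID 0 accounts other than root (a second root is a shared root account),
  * login-capable accounts whose names are generic rather than personal,
  * direct root login over SSH (policy: root access goes through sudo),
  * sudo rules that hand out unrestricted, passwordless root.
"""
import re
from typing import List

# Constructed sample input resembling a small Linux host (not real data).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/bash
deploy:x:1001:1001:shared deploy user:/home/deploy:/bin/bash
d.dolyna:x:1002:1002:Dmytro Dolyna:/home/d.dolyna:/bin/bash
svc-backup:x:1003:1003:backup job:/var/backups:/usr/sbin/nologin
"""

SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
"""

SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
d.dolyna ALL=(root) /usr/bin/systemctl restart nginx
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Heuristic (assumption): these names denote a role, not a person.
GENERIC_NAME = re.compile(r"^(admin|administrator|deploy|test|guest|shared|ops|dev|user\d*)$")


def audit_passwd(passwd: str) -> List[str]:
    """Flag shared root accounts and generic login-capable accounts."""
    findings = []
    for line in passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, gecos, _home, shell = line.split(":", 6)
        if int(uid) == 0 and name != "root":
            findings.append(f"5.1: shared root account '{name}' has UID 0")
        if shell not in NON_LOGIN_SHELLS and GENERIC_NAME.match(name):
            findings.append(f"5.1: login account '{name}' is not personally identifiable ({gecos})")
    return findings


def audit_sshd(config: str) -> List[str]:
    """Flag sshd configurations that allow logging in as root directly."""
    findings = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin" and parts[1].lower() != "no":
            findings.append(f"5.1: sshd allows direct root login ({parts[1]}); require sudo instead")
    return findings


def audit_sudoers(sudoers: str) -> List[str]:
    """Flag rules of the form 'who hosts=(runas) NOPASSWD: ALL' for anyone but root."""
    findings = []
    for line in sudoers.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"^(\S+)\s+\S+=\(([^)]*)\)\s*(.*)$", line)
        if not m:
            continue
        who, cmds = m.group(1), m.group(3)
        if "NOPASSWD" in cmds and cmds.split(":")[-1].strip() == "ALL" and who != "root":
            findings.append(f"5.2: '{who}' gets unrestricted passwordless root via sudo")
    return findings


def audit_host(passwd: str = PASSWD, sshd: str = SSHD_CONFIG, sudoers: str = SUDOERS) -> List[str]:
    """Run all three checks; an empty list means the host complies."""
    return audit_passwd(passwd) + audit_sshd(sshd) + audit_sudoers(sudoers)


if __name__ == "__main__":
    for finding in audit_host():
        print(finding)
```

On a real host the three constants would be read from the files themselves; the sudoers parser deliberately only recognises the simple one-line rule form, so aliases and `#include` directives need to be expanded first (`visudo -c` and `sudo -l` are the authoritative views).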

5.3 Access Revocation

When an employee leaves the company, the following procedures must be followed to ensure the security of the
company's systems. All access cards and other company assets are returned. The access card and all access to
critical computer systems are revoked before the employee has any opportunity to misuse them.

Priority 1 activities:

The employee is allowed to gather personal belongings and is escorted by a manager while doing so. They
are not given access to their workstation. Access to critical computer systems is revoked immediately, and
the employee is then escorted from the campus.

Priority 2 activities:

Access to critical systems that are not accessible externally, such as databases, internal web-based control
panels and critical servers, is revoked. Administrative passwords known to the employee are changed, and any
administrative access the employee held on networking equipment is revoked or its credentials changed.

Priority 3 activities:

Access to less critical systems that are not accessible externally is revoked.
6 Access Control Methods

6.1 Physical access controls

Access to the campus, buildings and separate rooms is restricted by the use of personalized contactless
identifiers (pass cards) or biometric readers. The database of such identifiers includes information about
the user such as name, position, working hours, property authorized to take in/out, manager, etc.

Some facilities are additionally restricted with mechanical locks and/or PIN pads. The keys are stored
securely by the physical security guards.

Vehicle access is permitted solely upon approval by a Senior Manager and after the vehicle's unique
identifiers have been documented.

6.2 Information systems access controls

Access to all systems is restricted with a password. Passwords must comply with the Password Policy, which
is enforced through system configuration and programmatic checks. Some critical systems additionally
require two-factor authentication using a physical token (key fob) or a digital token (mobile application).

Access to systems and online resources is additionally limited by the use of the following:

• Firewalls and ACLs;
• Network segmentation;
• VLANs;
• File system permissions;
• Database access rights;
• User account privileges limitations;
• Limitations based on time and location.

User access is monitored for suspicious activity; accounts may be blocked automatically if they are deemed
compromised.

Accounts are periodically reviewed for compliance with the reasonable access criteria.
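The periodic account review above and the priority-based revocation in section 5.3 both reduce to the same check: compare who still has an account on each system with what HR says about them, and compute whether the revocation deadline for that system class has passed. The script below is an added example for this page, not a GeeksForLess tool. Its inputs (an HR roster with termination times, a system inventory and an account inventory) are constructed inline. The mapping of systems to priorities is this example's reading of 5.3 and is an assumption: externally reachable systems are Priority 1 (immediately), internal critical systems Priority 2 (24 hours), internal non-critical systems Priority 3 (5 business days). Accounts unknown to HR are reported as well, since they cannot be personally identifiable.

```python
"""Reconcile live accounts against the HR roster and flag overdue revocations.

Added example, not part of the GeeksForLess policy. Priority mapping is an
assumption derived from section 5.3; holidays are not modelled.
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple


class System(NamedTuple):
    name: str
    critical: bool
    external: bool


class Overdue(NamedTuple):
    user: str
    system: str
    priority: int
    deadline: datetime


# Constructed HR roster: username -> termination time (None = still employed).
HR_ROSTER: Dict[str, Optional[datetime]] = {
    "d.dolyna": None,
    "j.doe": datetime(2019, 4, 19, 17, 0),        # left on a Friday evening
    "m.kovalenko": datetime(2019, 4, 22, 9, 0),   # left Monday morning
}

# Constructed system inventory and account inventory (who still has access).
SYSTEMS = [
    System("vpn", critical=True, external=True),
    System("prod-db", critical=True, external=False),
    System("wiki", critical=False, external=False),
]
ACCOUNTS: Dict[str, List[str]] = {
    "vpn": ["d.dolyna", "j.doe"],
    "prod-db": ["d.dolyna", "j.doe", "m.kovalenko"],
    "wiki": ["d.dolyna", "j.doe", "m.kovalenko", "ghost"],
}

# Time at which the review is run (constructed): Monday 22 April 2019, noon.
REPORT_TIME = datetime(2019, 4, 22, 12, 0)


def priority_for(system: System) -> int:
    """Assumed mapping: external -> P1, internal critical -> P2, other -> P3."""
    if system.external:
        return 1
    return 2 if system.critical else 3


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by whole Monday-to-Friday days, keeping the time of day."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def deadline_for(terminated_at: datetime, priority: int) -> datetime:
    if priority == 1:
        return terminated_at                      # immediately
    if priority == 2:
        return terminated_at + timedelta(hours=24)
    return add_business_days(terminated_at, 5)


def overdue_revocations(now: datetime, roster=HR_ROSTER, systems=SYSTEMS,
                        accounts=ACCOUNTS) -> List[Overdue]:
    """Accounts past their revocation deadline, plus accounts with no HR record."""
    by_name = {s.name: s for s in systems}
    result = []
    for sys_name, users in accounts.items():
        prio = priority_for(by_name[sys_name])
        for user in users:
            if user not in roster:
                result.append(Overdue(user, sys_name, prio, now))   # unknown to HR
                continue
            terminated = roster[user]
            if terminated is None:
                continue
            deadline = deadline_for(terminated, prio)
            if now > deadline:
                result.append(Overdue(user, sys_name, prio, deadline))
    return sorted(result, key=lambda o: (o.priority, o.user))


def report(now: datetime = REPORT_TIME) -> List[Tuple[str, str, int]]:
    """Flattened (user, system, priority) view, most urgent first."""
    return [(o.user, o.system, o.priority) for o in overdue_revocations(now)]


if __name__ == "__main__":
    for user, system, prio in report():
        print(f"P{prio}: revoke '{user}' on {system}")
```

In the constructed data, j.doe's VPN (P1) and database (P2) access are overdue by Monday noon while the wiki account (P3) still has until Friday; m.kovalenko, terminated that morning, is inside every window; and the `ghost` account on the wiki is reported because HR has no record of it. In production the roster would come from the HR system and the account lists from each system's directory export, and the same run doubles as the periodic reasonable-access review.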

7 Remote access

Employees and contractors are generally not permitted to work remotely and are required to report to the
office. Access to systems from outside the office is likewise prohibited by default. However, there is
sometimes a business need for remote access, such as business travel, sickness or other circumstances that
prevent an employee from physically attending the office. In such cases, upon management approval, access
to the required systems is granted based on the reasonable access criteria. Access is provided through a
VPN facility requiring user-based authentication, and measures are taken to isolate remote users' connections.

8 Records retention

After an employee's termination, their workstation, mobile device or files on the servers may still be
valuable to the company. All records and data the terminated employee used are to be reviewed by the
respective manager, who decides whether the records are necessary and need to be preserved for future
reference. Once the manager has copied the necessary data, or if the data is deemed useless, it is to be
destroyed in a proper manner depending on the nature of the information and the media. Electronic media is
to be low-level formatted before being used in another project or by another employee.

After the terminated employee's e-mail access is revoked, their e-mail address is to be forwarded to their
manager or to the employee who fills the position. The terminated employee's e-mail address is to be
terminated once all measures have been taken to ensure that no correspondence is lost or misaddressed.

9 Penetration Testing

GFL must take measures to test the access to computer systems regularly in order to ascertain the
effectiveness of existing controls and expose any weaknesses. Tests of the critical systems must be
conducted at least annually.

10 Revision control

Date        By             Action    Pages
04/22/2019  Dmytro Dolyna  Created.  All
