Access control

Introduction


Access control is concerned with determining the allowed activities of legitimate users, including employees and contractors, by mediating attempts by users to access a resource in a system. Altus Group designs its access control configurations to avoid the leakage of permissions to unauthorized entities or users.



Our guiding principles 


  • Access to systems and data is explicitly provisioned according to the “least privilege” principle. 

  • Access is implemented according to the “segregation of duties” principle 

  • Users are required to authenticate themselves before accessing network resources or host systems 

  • Access authorization is provided by a central trusted authority 

  • Access authorizations are defined using Role-Based-Access-Control (RBAC) or equivalent 

  • Access attempts to company systems and data are logged 

  • Unauthorized access is prevented using appropriate network level protection and access control 



User access management 


Altus Group user access is provisioned through an account-provisioning system that is integrated with Altus Group's internal database. Access privileges are granted based on job roles and, where appropriate, require management approval. 

  • Access rights are assigned on a business need-to-know basis.  

  • Privileged access is assigned carefully and with the least amount of privilege required.  

  • Rights are revoked when there is no longer a business need for the employee or contractor to have the access.  

  • Secure log-on procedures, including multi-factor authentication (MFA), are enforced to control access to applications and systems. 



Privileged access management


Privileged access control is implemented so that access to privileged functions and systems is restricted to authorized personnel only, and privileged access is provided in compliance with the “need-to-know” and “least privilege” principles. 



Access request and provision


Our access request and provisioning controls are designed to avoid unauthorized disclosure of data. Provisioning access is treated as a sensitive process requiring vigilance and adherence to an established process. 

  • Requesting access to an asset, and approving that request, is a formal process documenting expectations, approval, duration, and any complementary information necessary to the process  

  • Approval processes require both the manager's approval and the asset owner's approval 

  • Access rights are provisioned, by default, in accordance with job roles and responsibilities and the asset owner’s requirements  

  • Access is provisioned using Role-Based-Access-Control (RBAC)  

  • Default access assignment rules are documented and regularly reviewed 



Review of access rights


Altus Group regularly reviews network, operating system account, cloud/SaaS and software access to confirm that users hold the appropriate access levels. In the event of employee terminations, deaths, or resignations, Altus Group processes are designed so that appropriate actions to promptly terminate network, logical, and physical access are followed. 



Network access 


Altus Group has designed network protection to enforce the zero-trust principle on our network for the protection and control of both Altus Group and customer data, at rest and in transit. This is enforced as follows: 

  • Network access configuration enforces environment segregation 

  • Network filtering techniques are used to limit the exposure of assets  

  • Network access rules are reviewed periodically 



Access controls for source code 


Altus Group source code is the mainstay of Altus Group's business, and unauthorized access to it can have a negative impact on Altus Group businesses; as such, access to source code must be controlled. 

  • Access to source code is only for authorized persons 

  • Access to source code repositories requires MFA for all users 

  • Access to source code is logged and monitored 

  • Guest access is not authorized 



Access to production environment 


Changes in the production environment can have an unintended impact on business processes; therefore:  

  • A formal user access provisioning process is implemented to assign or revoke access rights for all user types to all systems/ services in the production environment  

  • Access to production environments is encrypted 

  • Access is logged and monitored actively 

  • Access to production environments is considered privileged access and complies with privileged access requirements  



External users (third-party) access


Third-party access to Altus Group’s systems and data is controlled and monitored to prevent unauthorized access or breaches. Such access is granted only on a need-to-know basis and is terminated when it is no longer required. 

  • Third-party access requests follow a formal approval process  

  • Third parties must authenticate with a unique username and password and use MFA or an approved target source  

  • Third parties are granted authorization to specific required data, systems or networks  

  • Third-party access is granted based on the least privilege principle 

  • Third-party activities and access to data, systems, or networks are monitored to detect any unauthorized activities 

  • Periodic reviews and audits of all third-party access logs are carried out  

  • Third-party access is terminated when it is no longer required