Access Control Policy
This policy defines how access to LEF systems and data is granted, reviewed, and revoked.
| Field | Value |
|---|---|
| Owner | Information Security Officer |
| Contact | infra@lef.tec.br |
| Version | 1.1 |
| Last updated | 2025-03-26 |
| Review cadence | Annual (or after major changes) |
1. Purpose
Define the principles, roles, and procedures that govern access to LEF’s information systems and data, ensuring that access is limited to authorized individuals based on business needs and risk.
2. Scope
This policy applies to all LEF employees, contractors, and third parties who access LEF systems, networks, and cloud services.
3. Access Control Principles
- Access is granted on a need-to-know and least privilege basis.
- All access must be individualized and authenticated.
- Elevated access (e.g., administrative privileges) is strictly controlled.
4. Authentication and VPN Access
- All access to LEF internal systems is performed through a personal VPN connection, protected by Multi-Factor Authentication (MFA).
- VPN credentials are unique, time-bound, and reviewed regularly.
- VPN access is disabled on a project basis or in the event of dismissal, after concluding offboarding procedures.
- OIDC (OpenID Connect) is the default authentication method and is used wherever supported.
5. Document and File Access
- Document storage and collaboration are handled through Microsoft Teams and Microsoft 365 services (OneDrive, SharePoint).
- Some documents are hosted in LEF’s private cloud and made available per project.
- Permissions are granted per project or functional role.
- Confidential files are only accessible by authorized team members and protected by Microsoft 365 or private cloud security settings.
6. Account and Identity Management
- User accounts are created and assigned upon onboarding, based on project or departmental needs.
- Shared accounts are prohibited.
- Periodic access reviews are conducted by the Information Security Officer.
7. Access Revocation and Review
- Access is removed immediately when no longer needed.
- Access rights are reviewed at least quarterly to ensure ongoing alignment with user roles.
- Any anomaly or policy breach results in access suspension pending review.
8. Responsibilities
- Information Security Officer: Oversees policy enforcement, access reviews, and security monitoring.
- Managers: Ensure access is requested and justified for team members.
- Employees and Contractors: Use credentials responsibly and report any security issues immediately.
9. Policy Review
This policy is reviewed annually or after any significant system, staffing, or compliance change.
Records / evidence
- Access requests and approvals:
- Periodic access reviews:
- Access revocation/offboarding confirmations:
Exceptions and risk acceptance
If an exception is required, document the rationale and track the decision as a risk treatment/acceptance item.