Access Control Policy
Last Updated: 2026-02-12 Standard: ISO 27001:2022 -- A.9 Access Control Review Cycle: Annually
1. Purpose#
This policy defines the principles and requirements for controlling access to cloak.business information systems, data, and services. It ensures that only authorized individuals and systems can access resources, and that access is limited to the minimum necessary for each role.
2. Scope#
This policy applies to:
- All user accounts on the cloak.business platform
- All administrative and operational access to infrastructure
- All API access and programmatic integrations
- All personnel, contractors, and third-party service providers with access to systems
3. Principles#
Least Privilege#
Every user, service, and system component is granted only the minimum access rights necessary to perform its intended function. No account has broader permissions than its role requires.
Need-to-Know Basis#
Access to information is granted based on a demonstrated need related to a specific role or task. Access to sensitive data is not provided by default.
Separation of Duties#
Critical operations require involvement from more than one individual or system. No single person has unrestricted access to all components of a sensitive process.
Default Deny#
Access is denied by default. Permissions must be explicitly granted through defined authorization processes.
4. User Access Management#
Account Provisioning#
| Requirement | Implementation |
|---|---|
| Unique identity | Every user has a unique account; shared accounts are not permitted |
| Registration | Accounts are created through a verified registration process |
| Role assignment | Users are assigned roles with predefined permission sets |
| Initial access | New accounts receive the minimum permissions for their role |
Role-Based Access Control (RBAC)#
Access is managed through a role-based system. Each role defines a set of permissions appropriate to its function:
| Principle | Description |
|---|---|
| Role hierarchy | Roles are structured from least to most privileged |
| Permission sets | Each role has a defined, documented set of allowed actions |
| Role assignment | Users are assigned exactly one role at a time |
| Escalation | Role changes require authorization and are logged |
Account Deprovisioning#
- Accounts are deactivated promptly when access is no longer required
- User-initiated account deletion removes all associated data permanently
- Deprovisioned accounts cannot be reactivated; a new account must be created
5. Authentication#
Password Requirements#
| Requirement | Standard |
|---|---|
| Minimum length | Strong passwords required |
| Complexity | Mix of character types enforced |
| Storage | Passwords hashed with industry-standard algorithms and salting |
| Reuse | Password reuse is discouraged |
Multi-Factor Authentication (MFA)#
Optional multi-factor authentication is available for all accounts and recommended for all users:
| Factor | Description |
|---|---|
| Time-based one-time password (TOTP) | Compatible with standard authenticator apps |
| Email verification | One-time codes sent to the registered email address |
| Backup codes | Single-use recovery codes generated at MFA enrollment |
Session Management#
- Sessions are time-limited and expire after a defined period of inactivity
- Users can view and revoke active sessions
- Session tokens are cryptographically signed and validated on each request
6. API Access Control#
API Key Management#
| Requirement | Implementation |
|---|---|
| Unique keys | Each API key is unique and tied to a specific user account |
| Scoped permissions | API keys inherit the permissions of the associated user role |
| Rate limiting | API requests are rate-limited to prevent abuse |
| Revocation | API keys can be revoked immediately by the user or administrator |
Programmatic Access#
- All API access requires authentication via API keys or session tokens
- Unauthenticated API requests are rejected
- API access is logged for audit purposes
7. Infrastructure Access Control#
Administrative Access#
- Administrative access to infrastructure is restricted to authorized personnel
- Administrative sessions use encrypted connections
- Privileged operations are logged and auditable
- Administrative credentials are managed separately from user-facing systems
Service-to-Service Communication#
- Internal services communicate over isolated, non-public interfaces
- Service authentication ensures only authorized components interact
- Network-level controls restrict communication paths between services
8. Access Reviews#
| Review Type | Frequency | Scope |
|---|---|---|
| User access review | Quarterly | Verify that all user roles and permissions remain appropriate |
| Administrative access review | Quarterly | Confirm that privileged access is limited to authorized personnel |
| API key audit | Quarterly | Identify and revoke unused or orphaned API keys |
| Third-party access review | Annually | Evaluate and reauthorize access for external service providers |
9. Monitoring and Logging#
Access Logging#
All access-related events are logged, including:
- Successful and failed authentication attempts
- Role changes and permission modifications
- API key creation, usage, and revocation
- Administrative actions on infrastructure
- Account creation, modification, and deletion
Anomaly Detection#
- Unusual access patterns (e.g., geographic anomalies, rapid authentication failures) are flagged for review
- Automated alerts notify administrators of potential unauthorized access attempts
- Logs are retained for a defined period in accordance with the data retention policy
10. Review#
This policy is reviewed:
- Annually as part of the ISMS management review
- After security incidents involving unauthorized access
- When access requirements change due to business or regulatory developments
Revision History#
| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-02-09 | Initial policy publication |
Document maintained by cloak.business Contact: support@cloak.business