Access Control Policy

Objective

The objective of this Policy is to establish the rules for granting, managing and revoking access to the Company’s information systems and data.

Scope

This Policy applies to all permanent employees, contractual employees and third-party users with access to the Company’s information systems.

Policy Statement

Access to the Company’s information systems and data will be granted according to the least privilege principle, guaranteeing that the users have the minimum access level necessary to accomplish their duties.

Roles and Responsibilities

• IT Department: responsible for the implementation and maintenance of the access control measures.
• Managers: responsible for approval of access requests.
• Employees: responsible for responsible use of their access privileges and reporting of every security incident.

Access Control Principles

• Least Privilege: the users’ access will be limited to the information and resources necessary for their duties.
• Role-based Access Control: the access permissions will be granted according to the user’s role within the Company.

Access Control Measures

• Authentication: the users must authenticate themselves by using robust passwords and multi-factor authentication (MFA).
• Authorization: the access permissions will be granted according to the predefined roles and responsibilities.
• Monitoring and Audit: annual audits will be conducted to ensure compliance with the Access Control Policy.

Incident Management

Every suspected or confirmed security incident must be reported immediately to the IT Department. An investigation will be conducted by the Operational Security Centre and the appropriate measures will be applied.

Compliance with the Policy

Non-compliance with this Policy may result in disciplinary measures up to cancellation of the contract of employment.

Contact

For any questions or requests for information, we invite you to contact the person below, who will be happy to assist you.

IT Director: Patrick Pilote