Prompt Details
Model: claude-4-6-sonnet
Token size: 434
Example input
[Framework]: ISO 27001:2022
[Policy_Domain]: Access Control
[Company_Name]: CloudData Inc.
[Target_Audience]: All IT Staff and Developers
[Business_Context]: B2B SaaS company hosting customer data on AWS and GCP. 150 employees, SOC2 Type II certified, seeking ISO 27001 certification. Uses Okta for IAM and has a dedicated DevSecOps team.
Example output
# Access Control Policy
## Document Control
| Field | Detail |
|---|---|
| Policy ID | POL-AC-001 |
| Version | 1.0 |
| Owner | CISO |
| Framework | ISO 27001:2022 |
| Company | CloudData Inc. |
| Classification | Internal |
## Purpose
This policy establishes mandatory access control requirements to protect CloudData Inc. cloud infrastructure and customer data assets in accordance with ISO 27001:2022.
## Scope
All employees, contractors, and third parties accessing CloudData Inc. systems, APIs, and cloud environments (AWS, GCP).
## Policy Statements
**PS-01 [ISO 27001:2022 A.5.15]** All access to production cloud environments must be granted on a least-privilege basis. Standing privileged access is prohibited; just-in-time (JIT) access via Privileged Access Management (PAM) tooling shall be enforced.
**PS-02 [ISO 27001:2022 A.8.5]** Multi-factor authentication (MFA) must be enforced for all user accounts accessing cloud management consoles, VPNs, and code repositories. Password-only authentication is prohibited.
**PS-03 [ISO 27001:2022 A.5.18]** Access rights must be reviewed quarterly by the system owner. Accounts inactive for more than 30 days must be automatically disabled via IAM lifecycle policies.
**PS-04 [ISO 27001:2022 A.8.2]** Service accounts must not be shared between applications. Each service account must be assigned a single, documented purpose and rotated every 90 days.
## Exceptions
Exceptions require written approval from the CISO and must be documented in the Risk Register with a defined remediation date not exceeding 90 days.
## Enforcement
Violations result in immediate account suspension. Repeat violations are escalated to HR for disciplinary action. Compliance is audited bi-annually via automated IAM reports.
Generate audit-grade IT security policies mapped to ISO 27001:2022, NIS2, PCI-DSS v4.0, HIPAA & more. Every rule uses RFC 2119 (MUST/SHALL) and is anchored to exact framework clauses. Output: structured markdown ready for your ISMS. Perfect for CISOs, GRC consultants & compliance teams.
Added 3 days ago
