Access Control Policy

Introduction

This Access Control Policy explains the implementation and management of access control to protect the confidentiality, integrity, and availability of Redgate’s information assets.

Scope

This Policy applies to all Redgaters, contractors, suppliers, and third-party entities that have access to Redgate’s information systems and data.

Policy

Access Control

Access to systems is managed by the IT Operations team or Business System Owners, with requests for access to Restricted information requiring approval by the information owner. Elevated privileged access to critical systems requires approval by first-line management and above and the Security Team.

Access to critical systems shall be audited annually.

Termination of employment

Upon notification (by the People Team) of an employee termination or departure, all access to our critical systems must be revoked within 24 hours. Access to non-critical systems will be revoked within a week.

All activities shall be confirmed against the support ticket for audit purposes.

Internal transfers/change of role

For Redgate staff transfers between departments, current employee access that is no longer required will be revoked. Appropriate access will be provisioned by the IT Operations Team based on the new role and at the request of the new Line Manager.

Identity Management

Unless there is a clear, documented business case for not doing so:

  • Access to Restricted information and/or critical systems must be from a Redgate account (or suitable security controls must be in place)
  • All user credentials must be traceable to individual employees
  • Shared access may be appropriate in some circumstances, but these credentials should be phased out wherever possible
  • Shared account information must be kept in shared credential storage, such as approved team password vaults

Authentication Information

Logical access shall require unique username/password combinations (where passwords meet our Password Policy requirements) or SSH keys (where appropriate). Multi-Factor Authentication (MFA, 2FA) should be used where available.