Purpose: This policy aims to ensure that customer data and digital assets stored during the Salesforce implementation process are accessed only by authorised personnel and are protected against unauthorised access.
Scope: This policy is relevant to all employees, contractors, and third parties who have the potential to access customer data stored in Salesforce Sales Cloud, Notion, and Google Drive.
Principles of Access Control: Access to customer data will be granted based on the principle of "need-to-know." Only individuals requiring specific data for their job functions will be given access. Users will also be given the minimal access necessary to perform their tasks, limiting potential exposure of sensitive information.
Specific Access Control Measures: Every user completing an engagement must do so using a distinct username. Their identity will be verified using a unique password generated through the 'LastPass' security-as-a-service platform. Additionally, multi-factor authentication (MFA) will be implemented wherever feasible. Users will receive roles dictating their permissions. Periodic checks will ensure these roles correspond to the user's current job functions. Temporary access, when provided, will last only as long as required and will be rescinded once its purpose is served.
System-Specific Controls: Utilise Salesforce's built-in access control mechanisms, including profiles, permission sets, and sharing settings. Monitor and log all access to detect any unauthorised attempts or breaches. Employ Notion's user permissions to create a hierarchy of access ranging from "Can View" to "Full Access." Use Google Drive's sharing settings to restrict access to specific files and folders. Regularly audit shared items to ensure that only necessary individuals have access.
Breach Protocol: In the event of unauthorised access, the incident will be immediately reported to the IT and security teams, and the affected systems will be audited to understand the extent and nature of the breach. Necessary actions, including password resets and access revocations, will be undertaken, and affected customers will be informed based on regulatory and ethical obligations.
Review and Updates: The Data Access Controls Policy will be reviewed annually or after any significant change to company processes and tools or any security breach.