HLD Group
Access control policy
Granting, reviewing, and revoking access to systems and data.
Last updated: 21 May 2026
Version 2.0 · Review cycle: 180 days
1. Purpose
This document establishes mandatory requirements for HLD Group personnel, contractors, and third parties with access to HLD Group systems, facilities, or data. It supports our information security management system (ISMS), regulatory obligations, and customer contractual commitments.
Compliance with this policy is a condition of access to company resources. Exceptions require documented approval from the Chief Information Security Officer (CISO) or delegate and must include compensating controls.
2. Scope
This policy applies globally to all HLD Group employees, contractors, consultants, interns, and agency staff ("Personnel"). It covers all information assets owned, leased, or processed by HLD Group, including cloud services, customer environments under our management, development systems, corporate IT, and removable media.
Where a customer contract or applicable law imposes stricter requirements, the stricter requirement prevails. Customer-specific security addenda form part of the compliance baseline for assigned personnel.
- Corporate and production information systems
- Endpoints, mobile devices, and removable media used for company business
- Collaboration tools, email, and messaging platforms
- Source code repositories, CI/CD pipelines, and artefact stores
- Physical offices, co-working facilities, and data centre space under our control
3. Definitions
- Information asset — any data, system, application, or service that stores, processes, or transmits information
- Sensitive data — confidential, restricted, regulated, or customer data requiring heightened protection
- Privileged access — administrative or elevated rights that can alter security configuration or access unrelated data
- Security incident — a confirmed or suspected breach of policy, loss of confidentiality, integrity, or availability
- Compensating control — alternative safeguard that achieves equivalent risk reduction when a primary control cannot be met
4. Access control principles
HLD Group implements defence-in-depth access controls aligned to least privilege, separation of duties, and need-to-know. Access rights are tied to job function, not individual preference, and are revoked when no longer required.
Default-deny is applied to new systems unless a documented business case and approval path exists. Shared accounts are prohibited except for break-glass scenarios with dual control and full session logging.
- Role-based access control (RBAC) for all production and corporate systems
- Attribute-based restrictions for highly sensitive datasets (customer production, CUI, PHI where applicable)
- Just-in-time elevation for administrative tasks with automatic expiry
- Quarterly access recertification for privileged and customer-facing roles
5. Identity provisioning lifecycle
Joiners
HR initiates onboarding tickets with role, manager, location, and system entitlements. IT provisions accounts only after background checks (where required) are complete and mandatory policies have been acknowledged.
- Unique corporate identity in the central directory (Microsoft 365 / IdP)
- MFA enrolled before any remote or production access
- Default role bundle per job family; deviations require manager + security approval
Movers
Role changes trigger access review within five business days. Prior role permissions are removed unless explicitly retained with documented justification.
Leavers
All logical and physical access is revoked within 24 hours of termination or contract end, or immediately for involuntary separation. Shared credentials are rotated wherever the leaver had knowledge of them.
- Disable IdP account, VPN, SaaS, SSH keys, API tokens, and facility badges
- Recover company-owned devices; remote wipe where applicable
- Transfer mailbox and file ownership per HR guidance
6. Privileged access management
Privileged accounts are separate from standard user accounts, named per individual, and stored in a privileged access management (PAM) or vault solution where technically feasible.
Administrative sessions to production are logged, time-bound, and require MFA. Production data access for support is limited to ticketed change windows or customer-approved break-glass.
- No standing domain or cloud root access for daily work
- Password rotation and session recording for break-glass accounts
- Monthly review of privileged group membership
7. Authentication requirements
Authentication mechanisms must meet or exceed standards in the Password & Authentication Policy. Federated SSO is preferred over local accounts. Legacy systems without SSO require documented risk acceptance.
8. Access reviews and audits
System owners conduct quarterly access reviews; results are stored as evidence for SOC 2 and ISO audits. Anomalies (dormant accounts, excessive rights, orphan accounts) are remediated within 14 days.
Internal audit and external assessors may sample access logs; personnel must cooperate with investigations.
9. Customer and multi-tenant environments
Access to customer tenants is segregated per contract. Engineers receive least-privilege roles in customer identity systems; cross-customer access is prohibited unless explicitly authorised for platform operations with logging.
Roles and responsibilities
Executive leadership
The CEO and executive team approve this policy, allocate resources for implementation, and receive quarterly security and compliance summaries.
Chief Information Security Officer (CISO)
The CISO owns the security programme, maintains policies, approves exceptions, and reports material risk to leadership and the board where applicable.
- Approve standards, run risk assessments, and chair the security steering group
- Coordinate incident response and regulatory notifications
- Maintain mappings to SOC 2, ISO 27001, and customer frameworks
IT and engineering
Implement technical controls, operate monitoring, and execute change, backup, and recovery procedures in line with approved standards.
People & culture / HR
Support background checks, onboarding acknowledgements, disciplinary process for policy violations, and offboarding coordination.
All personnel
Complete mandatory training, report suspected incidents within one hour, protect credentials, and follow classification and handling rules.
Enforcement, exceptions, and review
Violations may result in access suspension, disciplinary action up to termination, contract remedies for third parties, and referral to law enforcement where appropriate.
Exception requests must be submitted in writing, include business justification, risk assessment, expiry date, and compensating controls. Exceptions are reviewed at least quarterly.
This policy is reviewed at least annually and upon significant regulatory, organisational, or technology changes. Version history is maintained in the compliance repository.
Related frameworks
For contractual attestations or audit packs, contact [email protected].