The purpose of this policy is to detail access management controls across the technological environment at PAS Ltd. This policy will aid the company in managing access to its information systems.


This policy applies to all information systems used throughout the company, whether managed centrally or in a distributed fashion. This policy applies to all individuals who intend to access the company's information systems and data, including any relevant third-party service providers and hosted/cloud-based systems.


Access to the company's electronic information resources is managed in a manner that maintains the confidentiality, integrity, and availability of the company's resources, but also in a manner that complies with any applicable legal and regulatory requirements.


Authentication: The process of verifying the identity of a user or device, often as a prerequisite to allowing access to resources in an information system.

Authorisation: Access privileges granted to a user, program, or process, or the act of granting those privileges.

Multi-Factor Authentication (MFA): Authentication using two or more factors to achieve authentication. Factors include:

  1. Something you know (e.g., password/personal identification number (PIN));
  2. Something you have (e.g., token generation device); or
  3. Something you are (e.g., biometric).

Least Privilege: The principle that a security architecture is designed so that each entity is granted the minimum system resources and authorisations that the entity needs to perform its function.

Privileged Access Management (PAM): The process of managing and protecting credentials to accounts that have some level of administrative access to devices or systems, including local administrator accounts and superusers.

User: Individual or (system) process, acting on behalf of an individual, authorised to access a system.

Organisation User: An organisational employee or an individual whom the organisation deems to have equivalent status of an employee.

Non-Organisation User: A user who is not an organisational user.

Privileged User: A user that is authorised (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorised to perform.

Policy Statement

Access Management is the process of identifying, tracking, controlling, and managing user access rights to information systems. Any user who requests access to systems, applications, or data must have their identity authenticated. Additionally, user access should be further restricted following the principle of Least Privilege, and in alignment with any company-defined segregation of duties.

User account provisioning must include creation of unique credentials for new users and disablement and revocation of a terminated user’s access privileges upon termination.

Privileged access must only be provided to users as needed. Users with privileged user accounts must also have an organisational user account, which follows the principle of least privilege, and must use this organisational user account for their day-to-day job functions. Privileged user accounts must only be used when elevated privileges are required by the system or application.

Where there is any requirement for shared usage of an account, this must be signed off by the Managing Director, and all usage must be audited and traceable to an individual authorised user account.

All remote access to the company's network must utilise a secure solution that employs multi-factor authentication and a secure network encryption protocol.

Multi-Factor Authentication

PAS Ltd has enabled Multi-Factor Authentication, which provides a common method of protection for companies like ours that utilise and store sensitive, personal, and financial information.