This policy ensures that access to sensitive information and systems is granted on the basis of least privilege and helps to mitigate the risk of unauthorized access.
Identity and Access Management (IAM)
Cenareo maintains documented processes for identity and access management (IAM) for internal and external users.
The IAM program is subject to regular reviews and updates to reflect technological changes, industry best practices, and regulatory requirements.
These processes cover the entire user lifecycle, including:
- New employees: accounts for new employees are created with access rights appropriate to their role and responsibilities.
- Role changes (transfers): when an employee's role or department changes, their access rights are reviewed and adjusted accordingly.
- Departures: when an employee leaves the company or is dismissed, all of their user accounts and access privileges are promptly deactivated or deleted.
- External users: access for external users (contractors, vendors, etc.) is granted on the basis of the principle of least privilege and the specific needs of their role.
Recertification of access
The access rights of all users (internal and external) are reviewed and recertified periodically to ensure that they are still needed and that they respect the principle of least privilege.
Role-based access control (RBAC)
We implement role-based access control (RBAC) as the primary method of managing user access to systems and applications. Under RBAC:
- Roles: predefined roles are established, each with a specific set of permissions and access rights aligned with typical professional functions and responsibilities.
Cenareo - SAS with a capital of 22175€ - R.C.S Toulouse 789 137 650 - APE: 6201Z - VAT intra: FR 789 137 650 - Toulouse - Paris - Tunis - New York - cenareo.com
- User assignment: Users are assigned roles based on the requirements of their work.
- Least privilege: users are granted the minimum set of privileges necessary to perform the tasks assigned to them.
User access review frequency
- Standard users: the access rights of standard (business) users are reviewed at least once a year, or whenever there is a significant change in role or responsibilities.
- Privileged users: the access rights of privileged users (for example, system administrators) are reviewed quarterly, because of the higher risk associated with their elevated permissions.
- Generic/shared accounts and system/service accounts: Access rights to generic/shared accounts and system/service accounts are reviewed twice a year to ensure that they are still needed and used appropriately.
Detecting unauthorized access
We have implemented controls to detect unauthorized access attempts. These controls include:
- User Activity Monitoring: User activity on critical systems is monitored for suspicious behavior.
- Log Management: System logs are collected and analyzed for unauthorized access attempts.
- Access reviews: regular access reviews help identify discrepancies and potential abuses of access privileges.
- Strong authentication: enforcing strong password policies and multi-factor authentication helps prevent unauthorized access, and failed authentication attempts are a primary signal in the monitoring above.
Privileged access management
In addition to the access review processes described above, we are implementing additional controls for privileged access management:
- Just-in-Time privileged access (JIT): elevated privileges are granted only when needed for a specific task and revoked, returning the user to standard privileges, once the task is complete.
- Session monitoring: Monitoring privileged user sessions to detect suspicious activity.