Access Management Policy: Business Tools/Services

Objective:

The purpose of this policy is to establish guidelines for access management to third-party tools and services used by Outleap. The policy aims to ensure the security and privacy of the organization's data and systems while granting access to authorized personnel.

Account Creation and Administration:

New accounts for third-party tools/services shall be created using the email address tech@leapfinance.com
For existing accounts, the email address tech@leapfinance.com shall be designated as the admin/owner of the account, where applicable.
Exception in below cases
- Payment is done per email ID subscription, and there is no separate owner/billing account. (Not centralised)
- Sensitive data which can’t be shared with other employees (for example, HR tools like Keka, etc)

Login with Gmail shall be the preferred method of authentication, where supported by the third-party tool/service. Whenever feasible, employees should use their Leap Finance Gmail accounts for these tools.
In cases where login with Gmail is not feasible, strict password policies shall be enforced. Passwords must meet the following requirements:

Minimum password length: 10 characters
Use a combination of uppercase and lowercase letters, numbers, and special characters.
Passwords must be changed every 90 days.

Password Sharing:

Employees must avoid sharing passwords with each other, even within the organization. Each employee shall be responsible for maintaining the confidentiality of their login credentials.

Avoid Common Team Email IDs:

Access to third-party tools/services should not be shared using common team email addresses.

Nomination of Access Owners for Team Level Executables:

In cases where access through a common team email ID is required to set up team-level executables, a single employee shall be nominated as the access owner. This individual will be responsible for managing access and sharing information with the team as needed.

Knowledge Transfer and Account Dependencies:

Prior to an employee's departure from the organization, the employee is responsible for providing necessary knowledge transfer (KT) and dependencies associated with their personal third-party tool/service accounts to their replacement or relevant team member.

Account Cleanup after Employee Exit:

The IT team shall ensure the immediate cleanup of access for any employee who leaves the organization. The IT team will follow an exit checklist to revoke access to all third-party tools/services associated with the employee's account.
For tools where the IT team does not have access to perform user access cleanup, the respective reporting manager has to ensure access cleanup.

Regular Review and Cleanup:

The IT team, in collaboration with the concerned departments, shall regularly review access permissions to third-party tools/services and perform cleanup activities to ensure compliance with this policy.

Exceptions and Support:

In the event of any exceptions or support requirements related to access management for third-party tools/services, employees can reach out to IT Team or designated personnel for assistance.

Policy Compliance:

Non-compliance with this policy may result in disciplinary action, up to and including termination of employment, as per the organization's policies.

Policy Review:

This policy will be reviewed periodically to ensure its effectiveness and relevance. Updates will be made as necessary to address any changes in tools, services, or security requirements.

Note:

All employees are expected to read, understand, and adhere to this Access Management Policy for Third-Party Tools/Services. It is the responsibility of each employee to ensure the security and privacy of the organization's data and systems while using these tools/services.