This Access Control and Termination Policy defines requirements for access and removal of access to Finch data, systems, facilities, and networks. From time to time, Finch may update this policy and implement different levels of security controls for different information assets, based on risk and other considerations. This policy is guided by security requirements specific to Finch including applicable laws and regulations.
This policy applies to all Finch assets or approved devices utilized by personnel acting on behalf of Finch or accessing its applications, infrastructure, systems or data. All personnel are required to read, accept, and follow all Finch policies and plans.
Finch adheres to the principle of least privilege, specifying that users of Finch systems will be given minimum access to data and systems based on job function, business requirements, or need-to-know.
Team management should document the physical and logical access control rules, rights, and roles for each user or group of users.
Access to systems and applications must be controlled by a secure log-on procedure to prove the identity of the user.
Users of Finch systems and applications will be provided with unique credentials (IDs, keys, etc.) that can be used to trace activities to the individual responsible for that account. Shared user accounts shall only be utilized in circumstances where there is a clear business benefit and when user functions do not need to be traced. Shared account password should only be stored in a Finch approved password manager.
Unique accounts and passwords are required for all users. Passwords must be kept confidential and not shared with multiple users. Where possible, all user and system accounts must have a minimum of eight characters including alpha (upper and lower case) and one numeric character. All accounts must use unique passwords not used elsewhere.
If a password is suspected to be compromised, the password should be rotated immediately and the security team should be immediately notified.
Passwords must only be stored using a Finch approved password manager. Finch does not hard code passwords or embed credentials in static code.
When available, multi-factor authentication should be used. Multi-factor authentication must be used for access to company email, version control tool and cloud infrastructure.