
Publication Summary

Title Dynamic Access Control Policy
Author(s) Alessandro Cardinali
Issued by CEO

Version doc. 0.1
Review freq. Yearly

Date of issue December 11, 2023
Owner CEO/Founder
Document status Draft – Final Draft - Final
Approval Date n/a
Classification Internal

Change Log

Version Date Author Comments
0.1 October 23, 2023 Olaf Jacobson First draft document

Table of Contents

Publication Summary

1 Introduction

1.1 Purpose of this document

1.2 Areas of the standard addressed

2 Dynamic access control policy

2.1 Within the organization

2.2 Sharing information outside the organization

Introduction

As part of its normal business operations, Soon Technologies B.V. creates and processes a wide variety of information, including documents, spreadsheets, databases and web content. Ensuring the correct level of access to these resources is a cornerstone of our information security policy, particularly where sensitive information such as PII (Personally Identifiable Information) is involved.

To protect this information in an effective and achievable way, Soon Technologies B.V. may make use of a number of tools that provide dynamic access management capabilities both within and outside the organization. The purpose of this policy is to set out guidance on when such tools are applicable and the high-level rules that must be followed when utilising them.

This policy applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon Technologies B.V. systems.

The following policies and procedures are relevant to this document:

Purpose of this document

The Dynamic Access Control Policy describes how dynamic access techniques may be used to secure information.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

  • A.5 Organizational controls

  • A.5.1 Policies for information security

  • A.8 Technological controls

  • A.8.3 Information access restriction

Dynamic access control policy

Soon Technologies B.V. policy is to use dynamic access control methods to enhance classical access management techniques (for example using access control lists) rather than to replace them, particularly for the protection of sensitive information.

In general, dynamic access control techniques should be considered in the following circumstances:

  • The level of control provided by static access control methods (such as role-based access control (RBAC)) does not meet requirements

  • Sensitive information is to be shared outside the organization

  • Access requirements could be subject to change (particularly sudden or frequent change) after access is granted

  • A higher degree of control over activities such as copying and printing of the information is needed

  • Audit requirements for access and change to the information are particularly stringent (for example to meet legislative obligations)

It is the responsibility of the asset owner to decide when enhanced access controls should be used, and to define the exact nature of those controls.

Within the organization

In general, access to internal resources will be controlled using a role-based access control approach, in line with our Access Control Policy.

However, where there is a specific need, dynamic access controls will be used to provide an additional layer of restriction on how and when sensitive resources may be accessed, and to increase the granularity of the audit trail. This will be particularly relevant where legislative requirements such as the Sarbanes-Oxley Act (SOX) must be met.

Where appropriate, sensitive resources located in the cloud (such as AWS, Microsoft Azure, Google Cloud) will also be secured using the relevant dynamic access control technology (for example attribute-based access control (ABAC) within AWS, where access decisions are evaluated at request time against tags on the principal and the resource rather than against a fixed list of permitted identities).
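The following IAM identity-based policy is an added illustration of what "ABAC within AWS" looks like in practice; it is not part of this policy document and does not describe an existing Soon Technologies B.V. configuration. The tag key `project`, the tag value `internal` for the `classification` key, the account ID 111122223333, the region, the CIDR range and the expiry date are all placeholders chosen for the example. A principal may read a Secrets Manager secret only if the secret carries the same `project` tag as the principal, the request originates from the stated office range, and the request is made before the expiry date; none of these conditions names a user or a role, so onboarding, offboarding and time-limited access are handled by tags and dates rather than by editing the policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSecretsForOwnProjectOnly",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}",
          "aws:ResourceTag/classification": "internal"
        },
        "IpAddress": {
          "aws:SourceIp": ["203.0.113.0/24"]
        },
        "DateLessThan": {
          "aws:CurrentTime": "2024-06-30T23:59:59Z"
        }
      }
    }
  ]
}
```

Two points a reviewer should check before relying on a policy of this shape. First, the `${aws:PrincipalTag/project}` variable resolves only if the principal actually carries that tag (as an IAM user tag or as a session tag passed at role assumption); a principal without the tag simply fails the condition, which is the safe default. Second, whoever can change the `project` tag on a secret or on a principal can change who has access, so `secretsmanager:TagResource`, `iam:TagUser`, `iam:TagRole` and `sts:TagSession` must be restricted to the asset owner or to an administrative role, otherwise the tag becomes the weakest link in the control.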

The use of dynamic access control features will be considered as part of the risk assessment and design of new systems and business processes.

The Soon Technologies B.V. information classification scheme will be used to guide the application of such techniques, with particular emphasis on the protection of PII.

Where dynamic access controls have been applied to information, their use to reduce the impact of a breach (for example by revoking or expiring access to documents that have already been shared) will be actively considered as part of incident management activities.

Sharing information outside the organization

Where there is a requirement to share sensitive information outside the organization, the first step must be to put in place an appropriate non-disclosure agreement (NDA).

To supplement the legal protection provided by an NDA, technical controls over the provided information should be considered as part of a risk assessment. These may vary according to the type and format of the information shared, and the functionality of the software tools available, but could include:

  • Access restrictions according to:

      ◦ IP address

      ◦ Location

      ◦ User name

      ◦ Company

      ◦ Date range (including document expiration)

      ◦ Time of day

      ◦ Devices used

  • Controls over information usage:

      ◦ Encryption

      ◦ Copying content

      ◦ Printing

      ◦ Logging access and usage

      ◦ Saving

      ◦ Sharing

      ◦ Dynamic watermarking

      ◦ Screen grabbing

  • Ability to revoke access completely

  • Raising an alert to the asset owner if misuse is detected

The specific controls implemented in any given situation must be documented and communicated to the receiving party, unless there are justifiable reasons not to do so.