Access Control

Link to the Access Request form

Access to sensitive or internal systems is critical for the security and confidentiality of Rocket.Chat. This policy and procedure help to ensure that only authorized individuals have access to these systems and that access is granted based on job responsibilities. It is the responsibility of all employees to follow this policy and report any suspected security breaches.

Scope

This policy applies to all employees, contractors, and third-party vendors who require access to sensitive or internal systems within the organization.

Policy

Access to sensitive or internal systems must be requested through the company's Security department.

Except for common platforms and systems that are part of the onboarding access provision, all requests for access must be approved by the employee's manager and the Security department.

Access to sensitive or internal systems will only be granted to authorized personnel who require access to perform their job responsibilities.

Access to sensitive or internal systems will be reviewed periodically to ensure continued access is necessary.

Employees who leave the organization must have their access to sensitive or internal systems terminated immediately.

Procedure

Requesting Access

• The employee must complete an access request form, which can be obtained via our Access Request Form.

• The employee's manager must review and approve the request.

• The Security department will review the request and verify the employee's need for access.

• The Security department will grant access to the requested systems if approved.

Note: For new employees (first access) the People team will be responsible for granting access to a set of systems as part of the onboarding process. Those systems are listed here.

Reviewing Access

• Access to sensitive or internal systems will be reviewed periodically to ensure continued access is necessary.

• Managers must notify the Security department of any changes to an employee's job responsibilities that may impact their need for access to sensitive or internal systems.

• If access is no longer necessary, the Security department will revoke access to the systems.

Termination of Access

• When an employee leaves the organization, the employee's manager must notify the People and Security department immediately.

• People and Security department will revoke the employee's access to sensitive or internal systems.

• All company's equipments (when applied) and data hold by the employee must be returned to the company.

Review of Accounts and privileges

Purpose is to periodically review who has access to what and perform changes if necessary.

• Frequency - quarterly

• Scope: Assets classified as Tier 1 within Asset Register. (Tier 1 is composed by Rocket.chat critical systems such as Core Development systems, databases, Infrastructure providers, Finance and critical operational systems).

Roles and responsibilities

• Engineer Manager from Security team: responsible for periodic review with asset owners or designated person to make sure the task is being executed.

• Owner or designated person - access the system(s) and check for the list of all users to:

  • 1) Verify if all member are active rocketeers.

  • 2) Check if their level of access is appropriate to their use/role (regular user/admin/ ...).

  • 3) Make the removal or changes as needed.

  • 4) Update the checklist to confirm the review was done.

For Tier 2 and 3 applications, the review of access and privileges shall be done annually by the asset owners or designated person.

For Network components the access and privilege review is required twice a year.

Checklist used to document the review process is available within folder entitled Access and Privilege control_checklists.