The purpose of the Access Control and User Access Management Policy (the "Policy") is to establish and maintain access rights management procedures to prevent unauthorized access to data under Voyages Encore Travel Inc.’s (“Encore”) control. These procedures are to be utilized for all Encore internal/external access, media, paper, technology platforms, and backup media.
This policy applies to all information, electronic and computing devices, network resources, mobile devices, and telecommunication systems used to conduct Encore business or interact with internal networks and business systems, whether owned or leased by Encore, the employee, or a third party. It is applicable to all employees, contractors, consultants, temporary workers, and other personnel (the "Users") at Encore and its subsidiaries. Compliance with this policy is required in accordance with Encore policies and standards, local laws, and regulations.
Approve and provide formal support for this policy.
Review and approve any exceptions to the requirements stated in this policy.
Take proactive measures to reinforce compliance with this policy by all stakeholders.
Provide the following approvals upon review, when needed:
Using a privileged account when accessing non-security functions
Shared logins
Develop and maintain this policy.
Assist all employees in comprehending the requirements outlined in this policy.
Promptly evaluate and report any instances of non-compliance with this policy to the Service Desk (servicedesk.encore.ca).
Perform regular access reviews business-wide.
Produce system-generated lists of users via Snipe-IT, and cross-reference the Privileged Access Management (“PAM”) pages within Confluence to identify users who have privileged access.
Coordinate meetings with each manager to review the appropriateness of the access of their team, and ensure that access is removed or altered.
Ensure relevant evidence is collected.
Upon onboarding a new employee, submit an HRIS ticket with the required details.
Access to information computing resources is limited to personnel with a business requirement for such access. Access rights shall be granted or revoked in accordance with this policy.
Upon hire, HR will submit an HRIS ticket which provides the new user’s name, email alias (if it will vary from the standard alias), and the security settings to be used. Access to software is provisioned by the application owner, based on the Principle of Least Privilege (“PoLP”). The HRIS ticket will act as documentation of this provisioning.
Modifications to access must be approved by the Business Owner (also referred to as the “Data Owner”) of the system and the user’s manager. IT will only process access requests and modifications via a Service Desk ticket, with the required approvals in place. The Service Desk ticket will act as documentation of this modification of access.
User identity must be validated via a manual DUO push notification prior to modifying any authentication credential, such as performing password resets, provisioning new tokens, or generating new keys.
Prior to account creation, IT should verify that the account does not violate any Encore security or system access control policies such as segregation of duties, fraud prevention measures, or access rights restrictions.
New employees are not to be granted access to any Encore systems until after they have completed all HR onboarding tasks, which includes the approved Background Check, signed Employment Agreement, and signed Employee Handbook. Once the HR onboarding tasks have been completed, an HRIS ticket will be submitted to relevant system Business Owners to grant the new hire access to the systems required for their role.
Role, title and/or reporting structure changes must be communicated in writing to Human Resources and the Encore Service Desk (servicedesk.encore.ca) to review and amend user access rights accordingly.
Existing user accounts and access rights must be reviewed at least quarterly to identify dormant accounts and accounts with excessive privileges.
All logins will be unique and tied to an individual or service.
When shared accounts are necessary, the following measures are in place:
Shared logins require approval from the Director of IT.
Passwords for shared accounts are securely stored in an encrypted vault on a restricted server by IT, following the Password Policy.
The use of shared accounts is monitored whenever possible, including recording the time of access, the reason for accessing the shared user account, and the individual accessing the account. If the shared user account has administrative privileges, monitoring logs must be protected and access restricted.
To mitigate risks associated with shared accounts, the following guidelines are in place:
Minimize the use of shared accounts and encourage individual user accounts whenever possible.
Document and maintain a list of authorized users with access to shared accounts, clearly defining their roles and responsibilities.
Implement stringent controls, such as two-factor authentication and strong password policies, for shared account access.
Regularly review the necessity of shared accounts, disabling or removing them when they are no longer required.
Test accounts must adhere to the following guidelines:
Test accounts used by multiple users are avoided when possible, and can only be created if justified by the relevant business leader and approved by the application owner. Formal requests for test accounts must be submitted to the Director of IT and the Service Desk.
Test accounts have an expiry date, with a maximum duration of 6 months. The continuation of test accounts beyond this date is re-evaluated every 90 days and approved accordingly.
Test accounts are disabled or deleted when they are no longer necessary.
Passwords for all systems must adhere to the settings outlined in the Password Policy.
Annually, as well as upon hire, all employees are provided user awareness training regarding the safety and security of their passwords.
Access shall be restricted based on a user’s need to know and will be set to “deny all” unless specifically allowed.
A PIN or a ‘secret question’ may not be used as a stand-alone mode of authentication.
Passwords are required to be encrypted in transit and encrypted or hashed in storage.
Password resets for the network are restricted to IT.
Unique usernames and passwords are required to authenticate all users. Users are required to use non-privileged accounts or roles when accessing non-security functions. Exceptions are approved by the Director of IT.
Production systems are configured to authenticate users through multi-factor authentication methods, where available.
Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
Individual access to systems and assets will be provisioned via defined roles, where possible.
Network access and permissions will be restricted based on a user's role.
A user can exercise a permission or gain access only if the user has selected or been assigned a role.
All roles must be authorized.
A user can only exercise a permission or gain access that is authorized for the user's active role.
The IT department shall establish conditions for group and role membership.
Inactive user accounts will be disabled after 45 days.
Access is removed within 24 hours of termination, in accordance with the Termination Checklist. Notification to IT will include an indication of when to block access to the network or to lock the user’s account.
If the employee is not terminated but no longer requires access, a ticket should be created to remove access. Access should be removed no later than the date on which it is no longer required.
Access to privileged accounts (or other administrator accounts) shall be restricted and accounts shall be reviewed at least quarterly. This includes access to antivirus settings.
Vendor and contractor access (aka third-party access) will be restricted based on role and least privilege. Third-party access to critical systems shall be time-delimited and monitored. Vendor access must be approved by the Business Owner and the Director of IT.
Contractor/consultant/vendor representatives must sign a Non-Disclosure Agreement ("NDA") before obtaining approval to access Encore systems and applications.
The Service Desk must receive notification of the contractor/consultant/vendor representative's name at least two weeks before their access requirement.
The Service Desk must be informed at least 1 business day in advance when terminating the access privileges of a contractor/consultant/vendor representative.
These accounts won’t follow a specific naming convention, but they will be placed into dedicated organizational units (“OU”) and will have relevant descriptions.
Remote connections via ManageEngine will only be initiated after obtaining explicit consent from the end user. These sessions will be used exclusively for troubleshooting purposes and can remain active until the task is successfully completed.
IT shall authorize and monitor the use of guest/anonymous and temporary accounts.
Temporary access must be removed immediately after the user has completed the authorized task.
User accounts assigned to contractors are set to expire according to the contract’s expiry date.
The user access review process is intended to ensure that users, via a role assignment or via direct access, are appropriately provisioned access.
User Access Reviews of all systems are conducted at least quarterly.
The following procedures will be used to review access for all applications/software or components that house non-public data. Evidence of these procedures must be documented and retained within a ticket. Evidence includes a system-generated listing of the users per system and approval/sign-off of the review:
The Cyber Security Analyst will produce system-generated lists of users via Snipe-IT, which show which employees have access to a system.
The Privileged Access Management (“PAM”) pages within Confluence will be used to cross-reference the users who have privileged access.
Include a screenshot of the parameters used to create the lists, such as a script or a screenshot of selection criteria.
The Cyber Security Analyst will then set up meetings with each manager to review the appropriateness of the access of their team, and will ensure that access is removed or altered.
If needed, access will be modified in line with the modification requested; both the request and a screenshot showing the resulting change must be retained.
Physical access to Encore facilities shall be restricted by using appropriate access control and identification mechanisms. A review of physical access rights shall be performed at least quarterly to check the appropriateness of current access and remove access no longer required.
Visitors shall be escorted by authorized personnel throughout the duration of their visit while accessing Encore’s facilities, and their entry shall be recorded.
Employees who are going on a leave of absence must notify their manager and HR representative in writing at least two weeks prior to the start of the leave.
If the employee is going on a leave of absence for more than two weeks, their account will be disabled until they return to work. The employee’s manager will be notified before the account is disabled.
Should an employee require an extension of their leave beyond the initially approved duration, they must provide written notice to both their manager and HR representative at least one week before the conclusion of their original leave period. This notification allows HR to request IT to extend their system access
The supervisor of a terminated employee must:
Notify Human Resources (HR) of the separation on or before the employee’s termination date.
HR will notify IT of the date and time of the termination, and then complete the offboarding checklist to be sent to IT.
IT will disable AD accounts within one business day, and all service accounts within 5 business days, of receiving proper notification or upon the date designated in HR’s request.
Accounts shall remain disabled for 90 days, at which time IT will permanently delete the account.
The supervisor must notify HR and IT either via telephone, in person, or through instant messaging software, so network access can be revoked at once.
The Information Security Office will verify compliance with this policy through various methods, including but not limited to business tool reports and internal and external audits. All those found in violation of the policy may be subject to disciplinary action up to and including termination.
System owners must have documented procedures for access control and must be able to produce the documented procedures when required for auditing purposes.
Evidence of account approval, termination, and disabling must be available when required for auditing purposes.
Performance management and reporting procedures will be in place to monitor the performance of Identity and Access management.
“Access Control” – means the process that limits and controls access to resources of a computer system.
“Access Privileges” – means the systems permissions associated with an account, including permissions to access or change data, to process transactions, create or change settings, etc.
“Administrator Account” – means a user account with privileges that have advanced permissions on an IT system that are necessary for the administration of this system. For example, an administrator account can create new users, change account permissions, modify security settings such as password settings, modify system logs, etc.
“Application and Service Accounts” – means user accounts that are not associated with a person but an IT system, an application (or a specific part of an application) or a network service.
“Employee” – means all salaried and hourly paid Employees including the Steering Committee, Contractors, Consultants, Temporaries, Interns, Agents and other workers at Voyages Encore Travel Inc., including all personnel affiliated with third parties. Can be referred to by the pronoun ‘their’, ‘they’ or ‘them’.
“Encore” – for the purpose of this policy, refers to Voyages Encore Travel Inc. and Encore Travel Americas.
“Principle of Least Privilege” (PoLP) – means that a security architecture is designed so that each entity/user is granted the minimum system resources and authorizations that are needed to perform its function.
“Privileged Accounts” – means system or application accounts that have advanced permissions (as compared to regular user account permissions) on such systems or applications. Examples of user accounts with privileges include administrative and super user accounts.
“Multi-Factor Authentication” (MFA) – means an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.
“Nominative User Accounts” – means user accounts that are named after a person.
“Non-disclosure Agreement” (NDA) – means a contract between a person and Voyages Encore Travel Inc. stating that the person will protect confidential information (as defined in the Record Classification and Handling Policy) covered by the contract when this person has been exposed to such information.
“Steering Committee” – means the Chief Executive Officer; Chief Technology Officer; Head of Strategy, Growth & Corporate Development; Head of Product; Head of Commercial Strategy; and Head of Travel Technology & Operations.
“System or Application Accounts” – means user IDs created on IT systems or applications, which are associated with specific access privileges on such systems and applications.
“Their”, “They” or “Them” – means the person or entity previously referred to.
“Users” – means employees, consultants, contractors, agents, and authorized users accessing Voyages Encore Travel Inc. IT systems and applications.
“Vendor” – means a person or company that sells goods or services for a profit. They can operate in a business-to-consumer (B2C) or business-to-business (B2B) environment.
“Virtual Private Network” (VPN) – means a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.