System Access & Authorization Control Policy
You are granted limited access to WeSalute systems and applications as a WeSalute Team Member, contractor, or associate. Access is always provisioned on a minimum-necessary (least-privilege) basis.
Your access to WeSalute systems and third-party accounts owned by WeSalute will only be granted on a need-to-use basis, as determined by the responsibilities and duties of the position held. Access control and management is divided into multiple phases of an account lifecycle: creation, privilege management, authorization, password management, audit, and revocation.
Authorization: Role Based Access Control
- In most cases, WeSalute Team Members are granted access to WeSalute systems according to their role and/or team.
- SystemsOps, along with ExecutiveOps and Team Managers, are jointly responsible for maintaining a list of roles and associated access scope for Team Members.
- If a WeSalute Team Member requires access outside of the standard for their role or team, either they or their Managers may initiate an access request, following the policy outlined in Account Creation: Access Requests below.
First Party Account Requirement
All Team Members (full-time, part-time, contractors, freelancers, and/or agencies) that have access to systems, including but not limited to production applications, internal systems, internal documentation, and internal tooling, are required to be provisioned with and use a First Party Account while working with WeSalute.
First Party Accounts are defined as accounts created and maintained by WeSalute SystemsOps and provisioned with the @wesalute.com domain.
Use of First Party Accounts for Personal Affairs
First Party Accounts are not to be used for personal communications, access management, authorization, and/or representation of WeSalute. Access to your WeSalute account may be revoked and placed under review at any time for security and investigative purposes.
Using personal accounts (email addresses, usernames, digital representation) for the purpose of representing WeSalute is strictly prohibited and will result in disciplinary action.
Account Creation: Access Requests
- Team Member(s) must accept WeSalute's Acceptable Use Policy before access will be granted.
- All Access Requests must be documented and logged by submitting a ticket to the WeSalute Help Center.
- Access requests for WeSalute Team Members are made by Team Members and their Managers.
- Access requests should be made to the WeSalute Team Member or Team Members who manage the relevant resource(s).
- A Team Member will not be granted access unless SystemsOps can qualify that the additional access is necessary to complete a business task.
- When granting access, Team Members will ensure grants are scoped to the minimum breadth and duration to complete the relevant business task.
- Root access or admin access will not be granted unless absolutely necessary to perform the job function.
Privilege Management
- WeSalute Security Team will determine and maintain appropriate assignment of privilege within WeSalute's production, development and test applications and environments.
- WeSalute Security Team will determine and maintain appropriate assignment of privilege within WeSalute's databases.
- WeSalute Security Team will determine and maintain appropriate assignment within supporting infrastructure.
Account Audit
- The responsible team will conduct quarterly audits of accounts, privileges and password management, and is required to document findings and changes in Jira, including Jira Service Desk.
- The Account Audit will be released on a quarterly basis via Confluence.
Revocation: Role Changes & Termination
- Managers must notify WeSalute Security Team if a Team Member has been terminated or changes role.
- In the case of Termination, the former Team Member's access is required to be revoked within reasonable timelines as defined by company procedural commitments in Vanta for SOC2 Compliance.
- In the case of a Role Change, the Team Member's access should be revised within reasonable timelines as defined by company procedural commitments in Vanta.
- In some cases, access will be revoked as a disciplinary measure for policy violation.
Team Member Connection to WeSalute Systems
Introduction
WeSalute operates a BeyondCorp model enabling Team Members to work from untrusted networks, such as residential internet service providers ("ISP"), shared networks (coffee shops, airports, co-working spaces, etc.), and corporate networks without sacrificing network security, operations, and monitoring. The WeSalute BeyondCorp model provides user- and device-based authentication and authorization to systems, services, and core infrastructure. This allows Team Members to authenticate and access systems from virtually anywhere and from any device under the WeSalute Asset Management Policy, while following enterprise security protocols.
Last-Mile Connectivity Policy
SystemsOps is responsible for configuration, monitoring, and deployment of the WeSalute BeyondCorp model. Team Members with issues related to connection to systems, services, or authentication are encouraged to contact SystemsOps for support.
As a condition of employment, all Team Members are asked to perform internet speed tests during the interview stage to meet the minimum requirements of internet connectivity.
Internet speed tests can be performed via Cloudflare Speed Test.
SystemsOps is not responsible for providing support for the "last-mile" of internet connectivity. Connection to the internet is the individual Team Member's responsibility. Any issues with connecting to the internet, as opposed to WeSalute systems, must be resolved by the individual Team Member.
Team Members are responsible for establishing internet connectivity to WeSalute on a personal basis no matter their physical location. Internet connectivity must meet the minimum bandwidth capabilities to perform daily operations. Generally, a minimum of 40 Mbps download / 10 Mbps upload is necessary for WeSalute Systems to perform at capacity. The internet connection must be able to perform the following operations with stability to qualify as meeting the Last-Mile Connectivity Policy:
- ability to perform Voice over Internet Protocol ("VOIP") connections without service degradation
- ability to perform video conferencing without service degradation
- ability to perform remote access management without service degradation
- ability to connect and perform operations on internal communication systems without service degradation
- ability to perform any asset management or operations aligned with a Team Member's individual Roles & Responsibilities outlined in their employment
- ability to perform on-call or on-shift responses related to operations
Exceptions
Exceptions to this policy must be reviewed by SystemsOps and PeopleOps with final approval from ExecutiveOps.
Exceptions to this policy are granted during emergency incident response or during PTO periods.
Non-Compliance & Disciplinary Action
Team Members in non-compliance will be given a verbal warning by their Manager on the first signs of connectivity degradation impacting operations.
SystemsOps performs occasional fleet-wide internet connectivity tests to ensure operational capacity. For workstations whose connectivity does not meet the minimum requirements, the manager of the workstation's owner will be alerted to the connectivity issue. SystemsOps will also alert the Team Member to the issue and provide best practices for internet connectivity.
Ongoing internet connectivity issues that impact operational performance after a verbal warning will be reported to PeopleOps, who will provide a written notice to be logged in the Team Member's HRIS record.
Continued internet connectivity violations, regarded as a serious violation of operational effectiveness, may result in disciplinary actions up to and including .
WeSalute Team Members will not be disciplined for widespread connectivity outages, acts of God, medical emergencies impacting access to internet connectivity, required business travel which impacts internet connectivity, and/or personal emergencies leading to loss or degradation of internet connectivity.
Team Member Authentication to WeSalute Systems
Authentication
Each WeSalute Team Member has a unique user ID and password that identifies him/her as the user of a WeSalute asset or application. All assets, applications and vetted third party platforms may be required to have two-factor authentication configured.
Shared credentials are a violation of SOC2 Policies and will result in investigative action. If a shared credential is required to execute a workflow, please contact SystemsOps via the WeSalute Help Center. We will work with you to create a safe and secure authentication infrastructure.
Password, Key, and Certificate Management
As specified in the Acceptable Use Policy and Password Policy, WeSalute Team Members must use complex passwords and multi-factor authentication for all WeSalute-related accounts. User passwords must conform with the restrictions set forward in the WeSalute Password Policy. Please see Acceptable Use Policy and Password Policy for further details and guidance. WeSalute Security is responsible for issuing and revoking SSH keys in all environments. WeSalute SystemsOps is responsible for issuing, renewing, and revoking public web and internal SSL certificates.
Customer Data
Team Members that require access to customer data must have an individual account. This account, as well as actions performed with it, will be subject to additional monitoring at the discretion of ExecutiveOps and SystemsOps, subject to applicable regulations and third-party agreements. At a minimum, Team Members with access to customer data can expect that their actions in customer data systems (e.g. an internal admin tool) will be logged, with the logs stored centrally for at least 12 months.
Guest Access to WeSalute Systems
Occasionally, guests will have a legitimate business need for access to the corporate network and/or systems. When such need is demonstrated, temporary guest access to company systems is permitted. This access, however, must be severely restricted to only those resources that the guest needs at that time, and disabled when the guest's work is completed. This is a fallback plan with First Party Account Requirement being preferable.
Disciplinary Action
Team Members who violate the System Access & Authorization Control Policy may face disciplinary consequences in proportion to their violation. WeSalute ExecutiveOps will determine how serious a Team Member's offense is and take the appropriate action:
- For minor violations, Team Members may only receive verbal reprimands.
- For more serious violations that lead to security incidents, Team Members may face severe disciplinary actions up to and including . Serious violations will always be logged in the company's HRIS.
- WeSalute Team Members will not be disciplined for surfacing deficiencies or misconfigurations that contradict this policy.
Policy Review, Disciplinary, & Responsibility
Responsibility
Each WeSalute Team Member is responsible for surfacing technical misconfigurations and deficiencies to the WeSalute Security Team for immediate resolution. The Security team is responsible for ensuring this policy is followed.
Thank you for helping create a secure workspace. Security is all our responsibility.
This Policy currently does not have the required policy footer content standard on WeSalute Policies. This may be intentional by the nature of the content.