Access Control Policy
Confidentiality of all data, both InnoSpark.ai and Subscriber Data, shall be maintained through discretionary and mandatory access controls administered by InnoSpark.ai or the respective Subscriber, as applicable.
A process shall be established for linking all access to system components (especially access with administrative privileges, such as root) to an individual user.
The IT Department shall be notified of all personnel leaving InnoSpark.ai’s employ by Talent (human resources) prior to or at the end of their employment. As soon as possible after notification, not to exceed twenty-four (24) hours, rights to all systems shall be removed unless a specific exception request is received from Talent, Legal or Information Security.
Administrators shall only log into systems with user IDs attributable to them, or follow processes that would not break attribution. For example, administrators shall use the su command to obtain root privileges rather than logging in as root on UNIX or Linux systems.
Access to databases containing Subscriber Data, Personal Data, PII or SCI shall always be authenticated. This includes access by applications/services, administrators, and all other users or sources.
All access shall be removed for users who administer or operate systems and services that process Personal Data and PII where their user controls are compromised (e.g., due to corruption or compromise of passwords, or inadvertent disclosure).
The reissuance of de-activated or expired user IDs for systems or services that process Personal Data and PII shall not be permitted.
All logins to the Subscription shall be secured through an encrypted connection (e.g., HTTPS) and appropriately authenticated.
Ensure proper user management for all users as follows:
Ensure that the principle of least privilege is followed for all users, enforced through role-based access control (RBAC).
Control addition, deletion, and modification of usernames, credentials, and other identifier objects.
Users (including temps, consultants, and contractors) shall formally request access to systems with only the rights necessary to perform their job functions.
A manager or above and the system owner shall formally approve user roles and access requests. System administrators shall act as the final gatekeeper to ensure access is granted appropriate to the identified role.
Usernames shall follow a consistent naming methodology to allow for proper attribution (e.g., generally consisting of the user’s first name and last name).
Inactive user accounts shall be reviewed and disabled and/or removed at least every ninety (90) days. Exceptions shall be documented, reviewed, and approved by Information Security.
Enable accounts used by vendors for remote maintenance only during the time period needed. Ensure all vendor activity is monitored.
Ensure minimal, controlled use of administrator, local administrator, enterprise admin, and/or schema admin profiles.
Avoid assigning security equivalences that copy one user’s rights in order to create another’s.
Periodic reviews of users’ access and access rights shall be conducted to ensure that they remain appropriate for each user’s role.
Remote access to InnoSpark.ai networks shall only be granted to personnel and/or authorized third parties and shall use two-factor authentication (TFA) or multi-factor authentication (MFA).
Two-factor authentication (TFA) or multi-factor authentication (MFA) shall be used for any services remotely accessible by personnel and/or authorized third parties (e.g., Office365, VPN), unless the personnel and/or authorized third parties are connected to the protected corporate network.
Remove external access to subscriber databases immediately upon notification that subscriber has terminated their relationship with InnoSpark.ai.
Remove subscriber databases from system within thirty (30) days of subscriber termination.
Overwrite or destroy all subscriber backup data within twelve (12) months of the subscriber’s termination date.
Access to the Internet and other external services shall be restricted to authorized parties only based on the assigned role.
Revalidation (session re-authentication) timeouts for SaaS products and services used by InnoSpark.ai personnel must be set to 12 hours or less, in compliance with NIST SP 800-63B.
Compliance with applicable data protection regulations shall be ensured.
InnoSpark Services Private Limited © 2024. All rights reserved.