Access Control Policy
Document Owner: Pobl Tech Limited (T/A Pobl)
Overview
This policy defines how access to systems, services, and data is managed within Pobl.
Its purpose is to ensure that only authorised users can access information and systems, and that access is appropriate to each individual’s role. This supports the protection of client platforms and reduces the risk of unauthorised access, misuse, or data exposure.
Access control forms a core part of our wider information security approach.
Scope
This policy applies to:
All employees, directors, contractors, and temporary users
All systems, platforms, and environments managed or accessed by Pobl
All client systems and data accessed as part of service delivery
This includes development environments, hosting platforms, CMS platforms, cloud services, and internal support tools.
Access control principles
Access is managed in line with the following principles:
Role-based access control
Least privilege
Separation of duties
Accountability and auditability
Users are granted only the level of access required to perform their role, and no more.
User roles and permissions
Access levels are defined based on role and responsibility.
Typical roles include:
Content or editorial users
Administrators
System or infrastructure administrators
Elevated or system-level access is restricted to a small number of named individuals and must be approved by senior technical staff.
Account provisioning and removal
User accounts are created only following appropriate authorisation.
All access is assigned to named individuals
Shared accounts are not permitted
Access is removed promptly when:
A user leaves the organisation
A user’s role changes
Access is no longer required
This applies across both internal systems and client environments.
Authentication and credentials
Access to systems requires secure authentication.
Passwords are managed in line with Cyber Essentials guidance
Multi-factor authentication is enabled where supported, particularly for administrative access
Credentials must not be shared and should not be reused across systems.
Access review and monitoring
Access rights are reviewed:
When roles change
Following incidents or concerns
As part of regular governance and security reviews
Where supported, system access and administrative actions are logged, providing a clear audit trail for accountability and investigation.
Remote access
Remote access to systems is secured through authenticated connections and approved devices.
Administrative access over public or unsecured networks is avoided wherever possible.
Third-party access
Where third-party access is required:
Access is granted on a role-specific and time-limited basis
Permissions are restricted to what is necessary
Access is reviewed regularly and removed when no longer required
Policy review
This policy is reviewed:
At least annually
Following significant changes to systems, services, or security requirements
Following major incidents or identified risks
Governance
Document owner
The owner of this policy is the Technical Director, Pobl Tech.
Responsibilities
The Document Owner is responsible for:
Ensuring the policy remains accurate and up to date
Approving updates and changes
Ensuring the policy is communicated and applied across the organisation
Approval
This policy has been reviewed and approved by senior management.
Approval confirms that the policy:
Reflects current working practices
Aligns with legal and contractual obligations
Is appropriate for the scale and nature of services delivered
Review schedule
This document will be reviewed:
At least annually
Following significant changes to systems, services, or regulatory requirements
Following major incidents or material changes in risk
Distribution
This policy is available to relevant staff and can be provided to clients or auditors where required.
Final note
Access control is a fundamental part of how we protect systems and data.
By ensuring that access is controlled, monitored, and regularly reviewed, we reduce risk and maintain the integrity and security of the services we deliver.