Access Management Policy
The policy supports:
Protection of sensitive assets such as game source code, unreleased intellectual property, player personal data (e.g., accounts, behavioral analytics, payment details), backend databases, and production game servers.
Prevention of unauthorized access, privilege escalation, insider threats, or data exfiltration in a fast-paced game development and publishing environment.
Implementation of least privilege, need-to-know, and segregation of duties principles.
All users: employees, contractors, temporary staff, management, interns, and third parties (e.g., outsourced developers, vendors) with any access to Company resources.
All systems and assets: cloud infrastructure (AWS/GCP/Azure), game servers, backend services, APIs, databases, CI/CD pipelines, development workstations, Unity/Unreal projects, internal tools, repositories (e.g., GitHub/GitLab), office networks, VPNs, and any repositories or storage containing Company or player data.
All access types: logical (digital systems, applications, data) and physical (office access if relevant).
Full lifecycle: provisioning (onboarding), modification (role changes), periodic review, and deprovisioning (offboarding/termination).
Exclusions: Access to player client-side applications (managed via app stores) is out of scope; Company systems interfacing with player data remain fully in scope.
Granted only on a demonstrated business need (least privilege).
Approved formally and documented.
Time-bound or role-based where possible.
Regularly reviewed and promptly revoked when no longer required.
Protected by strong authentication and monitoring.
Senior management is committed to providing resources for effective access management and continual improvement.
Least Privilege: Users receive only the minimum permissions required for their role.
Need-to-Know: Access limited to information essential for job functions.
Segregation of Duties (SoD): Critical functions (e.g., code commit + deploy, access approval + review) separated to prevent fraud or error.
Role-Based Access Control (RBAC): Preferred model; permissions tied to job roles (e.g., Developer, DevOps, QA, Admin).
Just-in-Time / Just-Enough Access: Temporary elevated privileges where feasible (e.g., sudo-like for admins).
Multi-Factor Authentication (MFA): Mandatory for all remote access, privileged accounts, and sensitive systems.
Senior Management: Approve policy; ensure resources; review access management effectiveness in management reviews.
CISO / Security Lead: Own policy implementation; oversee access reviews; handle exceptions; report metrics.
HR / People Team: Notify Security of onboarding, role changes, and terminations within 24 hours.
IT / DevOps / Security Team: Provision/deprovision access; manage identity provider (e.g., Okta, Azure AD, Google Workspace); conduct reviews; monitor logs.
Department / Team Leads: Request and justify access for team members; confirm ongoing need during reviews.
All Users: Use access only for authorized purposes; report lost credentials or suspicious activity immediately; complete access training.
Third Parties: Subject to contractual access controls; access limited and monitored.
Access requests submitted via ticketing system or approved form.
Require business justification and manager approval.
Security verifies requests against role templates and applies least privilege.
MFA enforced before first login.
Log all provisioning actions.
Role changes trigger immediate review and adjustment of access.
Temporary access (e.g., contractors) expires automatically.
Privileged accounts (e.g., admin, root, production deploy) limited in number.
Use dedicated privileged accounts; no shared credentials.
Require justification, time-limited elevation, and logging.
Conduct formal reviews at least quarterly (or semi-annually for low-risk systems).
Team leads attest to ongoing need; Security validates.
Remove or reduce unnecessary access within 14 days of identification.
Document reviews and remediation.
Immediate revocation upon termination/resignation (within 24 hours).
HR triggers process; Security executes disable/delete.
Revoke third-party access upon contract end.
Audit revocation logs.
Enforce strong passwords or passphrases combined with MFA.
Use centralized identity provider (SSO where possible).
Lock accounts after failed attempts; monitor for anomalies.
Log all access attempts, grants, changes, and revocations.
Retain logs per retention policy; review for anomalies.
Integrate with SIEM for alerts on suspicious activity.
Exceptions (e.g., temporary broad access for debugging) require documented risk assessment, compensating controls (e.g., enhanced monitoring), and CISO/CTO approval.
Time-bound (max 30–90 days); tracked and reviewed.
All users receive annual access management training.
Developers trained on secure credential handling and least privilege in code.
Non-compliance may result in disciplinary action, up to termination or legal action.
Policy reviewed annually or after significant changes (e.g., new cloud provider, major breach, regulatory update).
Audits verify effectiveness (internal/external).
Governing Law: This policy is governed by the laws of Singapore. By working with us, employees and contractors agree to follow this policy.