Overview
ShowsHappening is committed to protecting its information and assets from unauthorised access, modification, destruction, and theft. Access control policies and procedures are established to manage access to information and assets within the organisation. This policy outlines the measures that must be taken to ensure that access is granted only to those who have a legitimate need for it.
Scope
This policy applies to all employees, contractors, and third-party vendors who have access to ShowsHappening’s information systems and assets.
Access Control Procedures
3.1 User Authentication
All users must be authenticated before they can access the company's systems and assets. Authentication will be achieved through strong passwords, two-factor authentication where applicable, or biometric authentication.
3.2 Access Requests
All access requests must be authorized by the CTO.
3.3 User Access Review
All user access will be reviewed periodically to ensure that access rights are still appropriate for the user's role and responsibilities. Managers will be responsible for reviewing access for their direct reports at least annually.
3.4 Access Termination
Access to company systems and assets must be terminated immediately upon an employee's termination or transfer. Managers must ensure that all assets, including electronic devices, are returned by the employee.
3.5 Separation of Duties
Separation of duties will be implemented to ensure that no single user has access to all aspects of a system or asset. This helps prevent unauthorized access, modification, or destruction of data.
3.6 Password Management
All passwords must be managed securely, and users must not share their passwords with anyone. Passwords must be changed at least every 90 days, and users must not reuse passwords.
3.7 Third-Party Access
Third-party vendors must be authorized before they are granted access to company systems or assets. Access will be granted only for the duration of the contract, and all access will be reviewed periodically.
Compliance
ShowsHappening is committed to complying with all relevant regulations, laws, and standards. This policy will be reviewed and updated periodically to ensure that it complies with any changes in regulations or industry standards.
Policy Enforcement
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment. Any suspected violations of this policy should be reported to the employee's manager or the CIO.
Policy Review
This policy will be reviewed annually to ensure that it is still relevant and effective. Any changes to this policy must be approved by the CIO or their delegate.
Access to Microsoft Azure
7.1 No direct access will be given to databases that reside on Azure. When access to a database is requested, all personal information will be anonymised or a test database will be used. Any employee who needs to work on ShowsHappening projects will do so through API calls.
7.2 Access to the Azure database is limited to specific IP addresses owned by ShowsHappening Directors, or to the IP addresses reserved for Azure services. Database passwords must be at least 25 characters long and must contain lowercase letters, uppercase letters, numbers and special symbols. Passwords must not be easily guessable and must consist only of random characters. Such passwords should be generated by secure tools, such as the Azure tools that generate extra-strong keys that are very difficult to compromise.
7.3 FTP access to resources should only be provided through secure communication channels, and passwords to such resources must be at least 25 characters long and must contain lowercase letters, uppercase letters, numbers and special symbols. Passwords must not be easily guessable and must consist only of random characters. Such passwords should be generated by secure tools, such as the Azure tools that generate extra-strong keys that are very difficult to compromise.
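The password requirements in 7.2 and 7.3 are the same (minimum 25 characters, all four character classes, random characters only). The following is an added example, not part of this policy or of ShowsHappening's tooling, showing how such a requirement can be checked and how a compliant secret can be generated from the operating system's CSPRNG. The particular set of special symbols and the 32-character default length are assumptions; the policy does not enumerate either.

```python
import math
import secrets
import string

# Policy parameters taken from sections 7.2 and 7.3.
MIN_LENGTH = 25
# Assumed set of special symbols; the policy requires "special symbols" but does not list them.
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?/"

# Character classes the policy requires every password to contain.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(SPECIAL),
}
# Full alphabet a generated password may draw from (88 characters with the set above).
ALPHABET = "".join(sorted(set().union(*CLASSES.values())))


def check_password(pw: str) -> list[str]:
    """Return the policy violations found in pw; an empty list means compliant."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} < {MIN_LENGTH}")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"missing {name} character")
    if any(c not in ALPHABET for c in pw):
        problems.append("contains characters outside the allowed alphabet")
    # Cheap proxy for "easily identifiable": a value built from very few distinct characters
    # (e.g. a repeated short pattern) is not random in the sense the policy intends.
    if len(set(pw)) < 10:
        problems.append("too few distinct characters")
    return problems


def entropy_bits(length: int) -> float:
    """Bits of entropy in a uniformly random password of the given length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def generate_password(length: int = 32) -> str:
    """Generate a uniformly random password over ALPHABET that passes check_password.

    Each character is drawn independently with secrets.choice (the OS CSPRNG);
    rejection sampling then discards the rare draw that happens to miss a class.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    # Constructed sample values that a reviewer might see in an access request.
    for candidate in ["Summer2024!", "aaaaaaaaaaaaaBBBBBBBBBBBB", generate_password()]:
        print(repr(candidate), "->", check_password(candidate) or "compliant")
    print(f"a 32-character password over this alphabet carries about {entropy_bits(32):.0f} bits")
```

Rejection sampling keeps the distribution uniform over all compliant strings, whereas the common shortcut of forcing one character from each class and then shuffling slightly biases the result. At 32 characters the alphabet above gives roughly 207 bits, far beyond what any online or offline guessing attack can cover, which is the practical reason the policy fixes a length floor rather than only a complexity rule.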
7.4 Blob container access on Azure should only be available through secure channels and should use the access keys that are automatically generated by Azure.
7.5 Full access to the Azure portal, where all ShowsHappening development resources reside, should only be available to ShowsHappening directors or to the CTO. All Azure accounts must have two-factor authentication (2FA) enabled with the correct mobile number configured. Whenever a developer needs access to a specific application, only limited access to that specific resource, without any admin privileges, should be granted.