Policies
Map.ca policy

Access Control Policy

How internal access to production systems, user data, and admin functions is granted, reviewed, and revoked.

Internal access is structured. The Access Control Policy defines the least-privilege default, the role-based access tiers, the MFA requirement, the quarterly access review, the immediate-revocation triggers (departure, role change, security incident), and the audit-log requirements that connect access events to identifiable individuals.

It applies to Map.ca staff, contractors, vendors with production access, and the security team that operates the access-control system.

Requirements

  • Default to least privilege.
  • Review access quarterly and on every role change.

Prohibitions

  • Do not share credentials between people.
  • Do not grant indefinite admin access without review.

Related policies

Security PolicyHow Map.ca protects accounts, infrastructure, secrets, and operational data day to day.Audit Logging PolicyWhat Map.ca logs for audit purposes, how those logs are protected, retained, and used.Vendor Security PolicySecurity requirements Map.ca holds vendors to before, during, and after engagement.