Fluid Attacks policy on revoking access | Fluid Attacks

Access Revocation

When talent goes on vacation or leaves the company, it is essential to revoke their access to the information and systems that are available to them. At Fluid Attacks, we have a two-step process for access revocation:

  1. Deactivating the IAM account: By doing this, users lose access to all company applications and client data. This includes platform, mail, etc.

  2. Removing Git repository access: Users can no longer see confidential information from the repository, such as registry images, private issues, merge requests, etc.

It is worth noting that easy access revocation is fundamental when dealing with sensitive data in an organization. That is why we have put so much effort into making this process as simple as possible.

This process must be completed within a 24-hour period.


Talent Termination Checklist

This is the detailed checklist that must be followed each time a talent leaves our company.


High-level Process

  1. The administrative assistant prepares the termination paperwork where applicable (letter of dismissal, reports, inventory list, among others).
  2. Terminated employees are deactivated in Okta, Time Doctor, Google Suite, EasyLlama, and other applications based on their role, to remove logical access. Additionally, where applicable, access to the office and building is removed.
  3. Communicate with relevant stakeholders and identify hand-off plans where applicable.
  4. Return hardware and sanitize it as needed.
  5. Wrap up financial items.


Logical Access to Systems

The talent analyst requests the deactivation of access to corporate systems through the Help channel. Based on the role, the Head of Service or the Security Manager should deactivate any other access.
  1. Okta
  2. Google Suite
  3. EasyLlama
  4. Time Doctor
  5. JAMF (where applicable)
  6. Other tools/systems depending on the role


Physical Access

The talent analyst requests the deactivation of physical access where applicable:
  1. Remove access to building
  2. Remove access to office

Hardware

The administrative assistant or someone from the administration team collects the hardware:
  1. Collect laptop
  2. Collect keyboard, mouse and other devices assigned by Fluid Attacks Inc


Requirements

  1. 023. Terminate inactive user sessions
  2. 114. Deny access with inactive credentials
  3. 144. Remove inactive accounts periodically