Information Security and Access Control Policy

Purpose

To protect the Company from loss, misuse, or unauthorized disclosure of its information — in any form or on any system — by defining how information assets are classified, who may access them, and what each employee's responsibilities are.

Policy

All information used by the Company, regardless of where it is stored or what format it is in, is a Company asset and must be protected from damage, loss, misuse, or inappropriate disclosure. This includes information in paper files, email, shared drives, business applications, databases, removable media, and handwritten notes.

Protecting Company information is the responsibility of every employee, manager, and authorized contractor or agent in the course of their work.

Access to any information resource must be limited to what an individual needs to perform their job. Access should be reviewed whenever an employee changes roles, and removed promptly when it is no longer needed — including at termination of employment.

Willful failure to comply with this policy may result in disciplinary action, up to and including termination, and may expose the individual to legal liability.

Definitions

  • Information resources — all data, records, reports, correspondence, and documents, whether created internally or obtained from outside the Company, in any format: paper, email, databases, spreadsheets, scanned images, recordings, or handwritten notes.
  • Software — all applications and systems used to create, process, or store Company information, whether developed internally or licensed from a vendor.
  • Hardware — computers, servers, mobile devices, storage media, and other equipment used to access or store Company information.

Information classification and ownership

  • The Company owns all information created or received in the course of Company business.
  • Each major category of information should have a designated owner (typically the department or manager responsible for that data), accountable for its accuracy and appropriate protection.
  • Managers and employees may be designated as custodians, responsible for day-to-day control of specific information assets (for example, a shared drive or application).
  • Information should be classified by its level of sensitivity (for example: public, internal, confidential, and restricted/highly confidential) so that appropriate controls — encryption, restricted access, retention rules — can be applied consistently.

A note on state privacy law: since this policy's source was written, a growing number of states have enacted comprehensive consumer/personal-data privacy laws (for example, California's CCPA/CPRA, and similar laws now in effect in numerous other states). Most of these laws exempt data about employees, job applicants, and contractors acting in an employment capacity from their consumer-facing requirements — but California is a notable exception: the CCPA/CPRA's employee-data exemption expired January 1, 2023, so California employee, applicant, and contractor personal information is now generally subject to the same substantive CCPA/CPRA obligations (notice, access/deletion rights subject to exceptions, and — from 2026 — risk-assessment requirements for high-risk processing such as automated decision-making in hiring) as consumer data. Confirm with Legal which state privacy laws apply to the Company's workforce data given where employees are located, and whether any HR systems or vendor data-sharing arrangements need adjustment as a result.

Access provisioning and account management

  1. Access to any system or data store at a level beyond basic read/view access (e.g., the ability to create, update, or delete records) requires management authorization and must be formally provisioned before use.
  2. Temporary elevated access must be approved by the relevant system or application owner and should be time-limited.
  3. Emergency access outside normal approval channels may be granted for a short, defined period (for example, up to 48 hours) but must be reported to IT/security management promptly and reviewed after the fact.
  4. Read-only access should otherwise be governed by the sensitivity classification of the resource and the individual's job function — not granted broadly by default.
  5. Access rights must be reviewed when an employee changes roles and revoked without delay when an employee separates from the Company (see the Separation of Employment policy).
  6. Use unique login credentials for each individual; do not share passwords or accounts. Follow current password/authentication standards (length, complexity, multi-factor authentication where required) as published by IT.

Test, development, and production environments

  • Non-production (test/development) environments should use synthetic or de-identified data wherever practical. Use of live production data in a test environment should be treated as an elevated-risk activity requiring specific authorization and safeguards.
  • Any activity that grants access to live production data beyond ordinary read access must be documented, authorized by management, and — outside normal channels — treated and logged as emergency access.

Data handling and acceptable use

  • Confidential and restricted information must be kept secure at all times — physically locked when not in use, and protected by appropriate technical controls (encryption, access restrictions) when stored or transmitted electronically.
  • Before leaving a workstation unattended, employees should save their work and lock the device.
  • Use Company systems and information resources only for legitimate business purposes. Incidental personal use, if permitted by other Company policy, must not compromise the security or confidentiality of Company information.
  • Report any lost or stolen devices, suspected data breaches, or unusual system activity to IT/security immediately. All 50 states, the District of Columbia, and several U.S. territories now have data-breach-notification laws requiring notice to affected individuals (and, in many states, to a state regulator) within specific, often short deadlines once a breach involving personal information is confirmed — a legal landscape that did not exist at all when this policy's source was written. Prompt internal reporting under this policy is what allows the Company to meet those external deadlines; do not delay reporting while trying to assess severity. Legal and IT/Security should be notified together so the applicable state-law clock and any regulatory obligations can be assessed immediately.

Business continuity

The Company maintains plans to enable recovery of critical information and systems in the event of a business interruption or disaster. Department and system owners should work with IT to ensure recovery plans and backups are current for the information they are responsible for.

Responsibilities

Role: Responsibilities

  • Employees: Comply with this policy and related security standards for their job function; safeguard credentials; report incidents promptly.
  • Managers: Maintain accountability for protecting information in their area; ensure access requests are appropriate and reviewed on role change or separation; promote awareness; address non-compliance.
  • IT / Information Security: Administer the information-protection program; maintain classification and access-control standards; support incident response and business-continuity planning.
  • Internal Audit / Security: Conduct periodic compliance reviews and report instances of non-compliance to management.

References

  • Confidentiality and Non-Disclosure policy
  • Human Resource Records Policy
  • Employee Privacy policy
  • Separation of Employment policy

General information, not legal advice. Treat this as a drafting starting point, not a finished policy — employment law varies by jurisdiction and changes often, so have a licensed attorney tailor it to your situation before you rely on it.