This policy applies to FreightWise employees, contractors, and vendors that connect to servers, applications, or network devices that contain or transmit FreightWise's protected data, per the Data Security & Backup Policies. All servers, applications, or network devices that contain, transmit or process FreightWise's data are considered secured systems.
Access controls are designed to minimize potential exposure to FreightWise and its clients, partners, and vendors resulting from unauthorized use of resources and to preserve and protect the confidentiality, integrity, and availability of FreightWise's networks, systems, and applications.
Segregation of Duties - Least Privilege Access Model
Access to secured systems will only be provided to users based on business requirements, job function, responsibilities, or need-to-know levels or basis. All additions, changes, and deletions to individual system access must be approved by the CIO, with a valid business justification. Access controls to secured systems are implemented via a variety of systems and processes. Account creation, deletion, and modification as well as access to protected data and network resources are completed by the engineering team at FreightWise.
All users of data systems will abide by the following set of rules:
- Users with access to data systems will utilize a unique FreightWise account. This account will conform to the following standards:
- The password will conform, at a minimum, to industry standards for the applicable type of system that is in use or will be accessed.
- Inactive accounts will be disabled after 60 days of inactivity.
- Access will be enabled only during the time period needed and disabled when not in use.
- Access will be monitored when an account is in use.
- If a session has been idle for more than 24 hours, the user is required to re-authenticate to re-activate the session.
- Administrators will abide by the Access Control Policy.
- Users will abide by the above user access guidelines.
- Administrators will immediately revoke all of a user’s access to data systems when a change in employment status, job function, or responsibilities dictates the user no longer requires such access.
- Administrators must not extend a user group’s permissions in such a way that it provides inappropriate access to any user in that group.
All users and administrators accessing data systems must abide by the following rules:
- No modems, wireless access points, or other unapproved remote access technology are allowed on high-security networks.
- All remote access must be authenticated and encrypted through FreightWise's VPN.
- All remote access will be accomplished through the use of two-factor authentication: a username and password or PIN combination, and a second method not based on user credentials, such as a certificate or token, provisioned to the user.
- Any third-party affiliate that requires remote access to data systems for support, maintenance, or administrative reasons must designate a person to be the Point of Contact (POC) for their organization. In the event the POC changes, the third party must designate a new POC.
- All third-party access to data systems must be approved by the CIO or CTO or their designee.
- Third parties may access only the systems that they support or maintain.
- Data must not be copied from data systems to a user’s remote machine.
- Users will abide by the above user Access Control Policy.
All FreightWise offices will abide by the following physical security requirements:
- Access to FreightWise offices will be based on electronic badge systems.
- Only the officers of the company and designated employees have physical key access.
- Visitors accessing FreightWise will be accompanied by FreightWise personnel.
- Modifications, additions, or deletions of physical access to FreightWise offices will be managed by onsite IT of that particular office.
- All terminated onsite personnel will have their access revoked immediately.
- Physical access requires the approval of the IT team at that particular office.
Failure to follow this policy can result in disciplinary action as provided in the Employee Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.