Oso limits access control based on job requirements, following the principle of least privilege.
This policy applies to Oso’s internal systems, including its production network, production servers, and SaaS applications.
This policy applies throughout the entire lifecycle of employee, contractor, or vendor access, from onboarding of new individuals who need access, to the removal of existing individuals who no longer need access.
Where possible, access policies are enforced by technical measures.
Oso should implement monitoring on its systems where possible, to record logon attempts and failures, successful logons and date and time of logon and logoff. Activities performed as administrator are logged where it is feasible to do so.
Where possible, more than one person must have full rights to any critical piece of infrastructure serving or storing production services or customer data.
Employees, contractors, and vendors are responsible for safe handling and storage of Oso-provided end user devices. If a device is lost or stolen, the loss must be immediately reported as an incident.
Terminated employees must have their accounts disabled within 1 business day of transfer or termination.
Transferred employee access is reviewed and adjusted as found necessary.