
Access Control Policy

Document ID: POL-002
Document owner: Jan Marc Castlunger (CEO / ISO)
Classification: Confidential
Version: 1.0
Approved: March 2026
Next review: March 2027
Frameworks: ISO 27001 (A.5.15, A.5.16, A.8.2, A.8.3, A.8.5) | SOC 2 (CC6.1, CC6.2, CC6.3)


1. Purpose

This policy defines the rules for granting, reviewing, and revoking access to information systems and data at CTW Data Solutions GmbH. It ensures that only authorised individuals have access to systems and data appropriate to their role.


2. Scope

This policy applies to all employees, contractors, and third parties accessing CTW Data Solutions systems, including Azure infrastructure, GitHub repositories, Google Workspace, and the Quick-ID API.


3. Access Control Principles

Principle             | Description
Least privilege       | Users receive the minimum permissions required for their role
Need-to-know          | Access to data is granted only when justified by a business need
Segregation of duties | Critical functions are divided to prevent single-point-of-failure abuse
Default deny          | All access is denied unless explicitly granted

4. Authentication Requirements

Requirement                         | Standard
Multi-factor authentication (MFA)   | Mandatory on all systems (Azure, GitHub, Google Workspace)
Shared accounts                     | Prohibited — each user must have a unique identity
Password complexity                 | Minimum 12 characters; passphrase preferred
Passwordless authentication         | Preferred where supported (FIDO2, passkeys)
Session timeout                     | 15 minutes inactivity for admin sessions; 60 minutes for standard sessions

5. Role-Based Access Control (RBAC)

5.1 Azure Roles

Role            | Access Level                                       | Assigned To
Owner           | Full control over Azure subscription               | Sebastian Windeck (CTO)
Contributor     | Deploy and manage resources, no access management  | Malte Toetzke (Chief of AI)
Reader          | Read-only access to resources                      | None
Security Reader | Read security configs and alerts                   | Sebastian Windeck (DPO)

5.2 GitHub Roles

Role     | Permissions                            | Assigned To
Admin    | Full repo control, manage settings     | Sebastian Windeck (CTO)
Maintain | Manage without destructive settings    | Malte Toetzke (Chief of AI)
Write    | Push, create branches, manage issues   | All developers
Read     | View-only access                       | All developers

5.3 Google Workspace

Role              | Access                          | Assigned To
Super Admin       | Full Workspace admin            | Jan Marc Castlunger (CEO)
User              | Standard email, docs, calendar  | All employees
Restricted viewer | Specific shared drives only     | Contractors (as needed)

6. Privileged Access Management

  • Privileged access (Owner, Admin, Super Admin) is limited to two named individuals: Jan Marc Castlunger (CEO) and Sebastian Windeck (CTO)
  • All privileged access actions are logged via Azure Activity Log and reviewed quarterly
  • Privileged accounts must not be used for day-to-day operations
  • Azure PIM (Privileged Identity Management) is under evaluation for just-in-time admin access (planned Q3 2026)

7. Access Reviews

Review                         | Frequency | Owner                      | Output
User access rights review      | Quarterly | Jan Marc Castlunger (ISO)  | Completed Access Review Template
Privileged access review       | Quarterly | Jan Marc Castlunger (ISO)  | RBAC role assignment review (Azure PIM planned Q3 2026)
GitHub token and SSH key audit | Quarterly | Sebastian Windeck (CTO)    | Stale tokens revoked
Supplier access review         | Annually  | Sebastian Windeck (DPO)    | Supplier register updated

8. Joiners, Movers, Leavers

8.1 New Starters (Joiners)

  1. ISO assigns RBAC role based on job description
  2. MFA enrolled on first day
  3. Security awareness training completed within first week
  4. Access confirmed and recorded in access register

8.2 Role Changes (Movers)

  1. Manager notifies ISO of role change
  2. Previous access reviewed and adjusted within 5 business days
  3. Unnecessary permissions removed

8.3 Leavers

  1. All access revoked within 24 hours of termination
  2. GitHub tokens and SSH keys revoked immediately
  3. Azure AD account disabled
  4. Google Workspace account suspended and data preserved per retention policy
  5. Access revocation confirmed and recorded

9. Remote Access & BYOD

CTW Data Solutions operates a Bring Your Own Device (BYOD) policy. All personal devices used for work must comply with the following:

Requirement                  | Standard
Full-disk encryption         | Mandatory (FileVault on macOS / BitLocker on Windows)
Screen lock                  | Mandatory — auto-lock after 5 minutes of inactivity
OS updates                   | Mandatory — applied within 7 days of release
MFA on all accounts          | Mandatory
Unapproved USB data transfer | Prohibited

  • VPN is not required — Azure AKS resources are accessed via private endpoints and RBAC
  • Access to production systems is via authenticated, encrypted channels only
  • Company data must not be stored on local devices unless encrypted

10. Review

This policy is reviewed annually or upon significant change to systems or organisational structure.


Approved by: Jan Marc Castlunger, CEO / Information Security Officer, CTW Data Solutions GmbH
Date: March 2026