Access Control Policy

OVERVIEW

Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications that deal with financial, privacy, or safety information include some form of access control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. A state of access control is said to be safe if no permission can be leaked to an unauthorized or uninvited principal. To assure the safety of an access control system, it is essential to make certain that the access control configuration will not result in the leakage of permissions to an unauthorized principal.

DEFINITIONS

  • Authorized parties: full time or part time employees of Kredit Financial Inc. (“Kredit”) or Kredit contractors (collectively referred to as “users”).

  • Principle of least privilege: a security concept that dictates granting users or entities the minimum level of access or privileges required to perform their job functions or tasks. According to this principle, individuals should only be given access to the information systems, resources, or data necessary for them to fulfill their specific roles and responsibilities.

  • Segregation of duties: a critical principle in information security and internal control that aims to prevent fraud, errors, and unauthorized activities by distributing key tasks and responsibilities among multiple individuals. The principle ensures that no single individual has complete control or authority over a critical process or system, thereby reducing the risk of abuse, conflicts of interest, and errors going undetected.

  • Role-based access: a method of managing and controlling access to resources, systems, or data within an organization based on predefined roles. It is a widely used access control model that simplifies access management by assigning permissions to roles rather than individual users.

  • Provisioning: the process of granting user access to applications, systems, and data within a network.

  • Deprovisioning: the process of removing user access to applications, systems, and data within a network.

PURPOSE

The purpose of this Access Control Policy is to establish guidelines and procedures for granting and managing access to Kredit's information systems and data. This Policy ensures the confidentiality, integrity, and availability of information assets and protects against unauthorized access or disclosure.

POLICY

It is the policy of Kredit to grant access rights to individuals based on their job roles and responsibilities and limit access privileges to what is necessary to perform their assigned duties effectively.

SCOPE

This Policy applies to all employees, contractors, vendors, and any other individuals or entities who have access to Kredit’s information systems and data. It encompasses all information assets, including but not limited to computer systems, networks, applications, and databases (collectively referred to as “information assets”).

ROLES AND RESPONSIBILITIES

Kredit’s Chief Technology Officer (CTO) is responsible for approving and granting access, permissions, or changes to systems, processes, or resources, and for revoking said access within the specified timelines. The CTO is also responsible for the ongoing monitoring and logging of user access to Kredit’s systems.

Kredit’s Chief Compliance Officer (CCO) is responsible for ensuring this Policy is reviewed on an annual basis.

PROCEDURE

USER ACCOUNT MANAGEMENT

Users are only granted access to Kredit’s information systems for the purpose of executing their assigned responsibilities; their right to access these systems is not granted unless there is a legitimate business need. Kredit’s CTO ensures that access to Kredit’s information assets is granted based on the functional role of each user. Any changes to access privileges must be approved, granted, and documented by the CTO.

USER IDENTIFICATION AND AUTHENTICATION

All users are uniquely identified and authenticated before being granted access to Kredit’s information assets. User authentication mechanisms include the use of passwords (see Password Construction and Security Policy) and multi-factor authentication via the issuance of unique security IDs and related certificates, as well as whitelisting for database access, based on a user’s role or job function.

PROVISIONING OF INFORMATION ASSET ACCOUNTS

The provisioning of accounts across Kredit’s information assets must conform to the following requirements:

  • Individual user accounts: Individual user accounts must be established according to their assigned role.

  • Privileged (administrator) accounts: The administrator account provides elevated privileges and control over critical systems, networks, and resources. It grants the user the ability to make system-wide changes, install software, modify configurations, and potentially access sensitive data. As such, access to privileged or administrator accounts must only be granted when a user's job responsibilities necessitate administrative privileges. The number of users with administrator accounts is limited to the CTO and the Principal Engineer.

  • Service or process accounts: Service or process accounts are those accounts associated with Kredit’s consumer or network member portal. Each service has its own service account, which can only access that particular service boundary.

  • Temporary accounts: Temporary accounts may need to be created to allow work by short-term contractors, clients, or auditors; however, the access level of such accounts is limited to basic or read-only access.

DEPROVISIONING OF INFORMATION ASSET ACCOUNTS

The deprovisioning of accounts across Kredit’s information assets must conform to the following requirements:

  • Individual user accounts: Account access for terminated users (whether the termination is voluntary or involuntary) must be revoked within twenty-four (24) hours of the termination date.

  • Temporary accounts: Temporary accounts must be deactivated upon the expiration date or the date of departure of a contractor, client, or auditor. If no automatic expiration is configured, the CTO must ensure that access is revoked as required.

  • Inactive accounts: Network member, advisor, and Kredit Admin accounts that have been inactive for a period of ninety (90) days are automatically deactivated or suspended until it is determined that the account is still required.

REMOTE ACCESS

Remote access to the organization's information systems is granted by Kredit’s CTO and Principal Engineer through secure methods, such as two-factor authentication and whitelisting.

MONITORING AND LOGGING

Automated monitoring and logging processes run daily via Amazon GuardDuty, New Relic, and Black Box to record and track access attempts, activities, and events within the organization's information systems. Logs are regularly reviewed to reduce the risk of security incidents or policy violations, and appropriate actions are taken to mitigate any identified risks.

COMMUNICATION

This Policy shall be communicated to all affected employees via email and maintained for reference purposes in the Policies folder (sub-folder Information Security) on Google Drive.

VIOLATIONS

Failure to comply with this Policy may result in unauthorized access to Kredit’s information assets.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Information Security Policy

Policy Name: Access Control Policy

Last updated