Internal Access, Roles, and Permissions
1. Is user access to Crossbeam’s internal vendor systems granted based upon least privileges and granted only those rights needed to perform their duties? How are access requests and approvals tracked?
Yes. Crossbeam employee access to our internal vendor systems is granted on a least-privilege basis. Access is tracked per system, recording the date access was granted, the permission level, and the date access was terminated. We conduct an internal systems access audit quarterly. Employees are granted privileges to any system only as needed to perform their role.
2. What are the steps for privileged user accounts (e.g. system administrators, security administrators, database administrators, etc.) to authenticate and access the production environment? Is access to privileged user accounts and API endpoints protected using multi-factor authentication solutions?
These users access the production environment via SSH. The production SSH server is firewalled so that it is reachable only from within our VPN. SSH access uses key-based authentication and is protected by Duo MFA. The production database is then accessed via username/password authentication.
3. Are user accounts reviewed periodically to determine appropriate access? If inappropriate accesses are identified, what is your timeline for remediating these identified issues?
We review all employee access and permissions on at least a quarterly basis. If inappropriate access is identified, our timeline for remediation is immediate, and no more than 24 hours from identification.
4. For all facilities supporting the client, are there physical controls in place which restrict an individual's access?
Physical controls are in place to limit access to our floor and office in Philadelphia. Elevators require key cards to operate and our office is restricted using code-access doors. Elevator keys and door codes are granted to employees only. We share an office with Talend Inc. and Roar for Good LLC, where there is no physical separation.