Access Control Policy

This document outlines Anders Thomsen's Access Control Policy for SlideHub ApS, effective January 24, 2022. It defines the purpose, scope, and policy for access control. The policy limits access to authorized parties based on least privilege and role-based access control. It specifies requirements for user access management including provisioning, reviews, and removal of access. It also addresses password policies, multi-factor authentication, application access restrictions, and other access control measures.

Access Control Policy

Policy Owner: Anders Thomsen

Effective Date: Jan 24, 2022

1. Purpose
To limit access to information and information processing systems, networks, and facilities to
authorized parties in accordance with business objectives.

2. Scope
All SlideHub ApS information systems that process, store, or transmit confidential data as
defined in the SlideHub ApS Data Management Policy. This policy applies to all employees of
SlideHub ApS and to all external parties with access to SlideHub ApS networks and system
resources.

3. Policy
Access to information and computing resources is limited to personnel with a business
requirement for such access. Access rights shall be granted or revoked in accordance with this
Access Control Policy.

4. Business Requirements of Access Control
SlideHub ApS shall determine the type and level of access granted to individual users based on
the "principle of least privilege." This principle states that users are only granted the level of
access absolutely required to perform their job functions, and is dictated by SlideHub ApS's
business and security requirements. Permissions and access rights not expressly granted shall
be, by default, prohibited.

SlideHub ApS's primary method of assigning and maintaining consistent access controls and
access rights shall be through the implementation of Role-Based Access Control (RBAC).
Wherever feasible, rights and restrictions shall be allocated to groups. Individual user accounts
may be granted additional permissions as needed with approval from the system owner or
authorized party.

All privileged access to production infrastructure shall use Multi-Factor Authentication (MFA).

Access to Networks and Network Services

The following security standards shall govern access to SlideHub production systems and cloud
storage accounts:

- Technical access to SlideHub production systems must be formally documented, including
  the access level, grantor, and date.
- Only authorized SlideHub employees and third parties working off a signed contract or
  statement of work, with a business need, shall be granted access to the SlideHub
  production systems.
- Remote connections to production systems and networks must be encrypted and pre-approved
  by the SlideHub CTO.

5. User Access Management
SlideHub requires that all personnel have a unique user identifier for SlideHub system access
(Office365, SharePoint, OneDrive, Windows) and that user credentials and passwords are not
shared between multiple personnel. Users with multiple levels of access (e.g. administrators)
should be given separate accounts for normal system use and for administrative functions
wherever feasible. Root, service, and administrator accounts may use a password management
system to share passwords for business continuity purposes only. Administrators shall only use
shared administrative accounts as needed. Access to any shared administrator account must be
managed via company provided password manager tool. If a password is compromised or
suspected of compromise the incident should be escalated to the CEO or HR immediately and
the password must be changed.

User Registration and Deregistration

Only authorized administrators shall be permitted to create new user IDs, and may only do so
upon receipt of a documented request from authorized parties. User provisioning requests must
include approval from data owners or SlideHub ApS management authorized to grant system
access. Prior to account creation, administrators should verify that the account does not violate
any SlideHub ApS security or system access control policies such as segregation of duties,
fraud prevention measures, or access rights restrictions.

User IDs shall be promptly disabled or removed when users leave the organization or contract
work ends in accordance with SLAs. User IDs shall not be re-used.

User Access Provisioning

- New employees and/or contractors are not to be granted access to any SlideHub ApS
  production systems until after they have completed all HR onboarding tasks, which may
  include but are not limited to the signed employment agreement, intellectual property
  agreement, and acknowledgment of SlideHub ApS's information security policy.
- Access should be restricted to only what is necessary to perform job duties.
- No access may be granted earlier than the official employee start date.
- Access requests and rights modifications shall be documented in an access request ticket
  or email. No permissions shall be granted without approval from the system or data owner
  or management.
- Records of all permission and privilege changes shall be maintained for no less than one
  year.

Management of Privileged Access

Granting of administrative rights shall be strictly controlled, and requires approval from the
asset owner.

User Access Reviews

Administrators shall perform access rights reviews of user, administrator, and service accounts
on a quarterly basis to verify that user access is limited to systems that are required for their
job function. Access reviews shall be documented.

Access reviews may include group membership as well as evaluations of any specific or
exception-based permission. Access rights shall also be reviewed as part of any job role
change, including promotion, demotion, or transfer within the company.
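A quarterly review of the kind described above, as an added example that is not part of SlideHub's policy or tooling: an identity-provider export of accounts and group memberships is joined against an HR roster and a role-to-group matrix, and the script reports what the reviewer has to act on (accounts with no active HR record, group memberships beyond the user's role, and accounts unused for longer than one review period). The roster, export, group names, and the 90-day dormancy threshold are all constructed for the example.

```python
"""Quarterly access review: IdP export vs. HR roster vs. role matrix.

Added example, not SlideHub's own tooling. All data below is constructed.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2023, 1, 2)        # assumed date the review is run
DORMANT_AFTER = timedelta(days=90)    # one quarter, matching the review cadence

# Constructed role matrix: groups each job role is pre-approved for.
ROLE_GROUPS = {
    "engineer": {"engineering", "repo-read", "repo-write"},
    "sales": {"sales", "crm-users"},
    "sre": {"engineering", "repo-read", "prod-admins"},
}

# Constructed HR roster: user id -> (role, still employed or under contract?)
HR_ROSTER = {
    "ana": ("engineer", True),
    "bo": ("sales", True),
    "cy": ("sre", True),
    "dee": ("engineer", False),      # contract ended, account still present
}

# Constructed IdP export: user id -> (group memberships, last sign-in)
IDP_EXPORT = {
    "ana": ({"engineering", "repo-read", "repo-write", "prod-admins"}, date(2022, 12, 20)),
    "bo": ({"sales", "crm-users"}, date(2022, 8, 1)),
    "cy": ({"engineering", "repo-read", "prod-admins"}, date(2022, 12, 30)),
    "dee": ({"engineering", "repo-read"}, date(2022, 10, 5)),
    "svc-backup": ({"prod-admins"}, date(2022, 12, 31)),   # no HR record at all
}


def review_access(idp, roster, role_groups, review_date=REVIEW_DATE):
    """Return a sorted list of (user, finding, detail) tuples for the reviewer.

    Findings:
      no-active-hr-record  account exists in the IdP but not (or no longer) in HR
      beyond-role          groups held that the user's role is not pre-approved for
      dormant              no sign-in within the last review period
    """
    findings = []
    for user, (groups, last_login) in idp.items():
        hr = roster.get(user)
        if hr is None or not hr[1]:
            # Leaver or orphan: deprovision (or document an exception for a
            # service account). Other checks are moot until that is done.
            findings.append((user, "no-active-hr-record", "disable or document exception"))
            continue
        role = hr[0]
        extra = groups - role_groups.get(role, set())
        if extra:
            # Exception-based permissions: each needs an approval record.
            findings.append((user, "beyond-role", ", ".join(sorted(extra))))
        if review_date - last_login > DORMANT_AFTER:
            findings.append((user, "dormant", f"last sign-in {last_login.isoformat()}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding, detail in review_access(IDP_EXPORT, HR_ROSTER, ROLE_GROUPS):
        print(f"{user:12} {finding:22} {detail}")
```

In practice the three inputs come from an HR system export, a directory or IdP API, and the role matrix the policy's RBAC section implies; the point of the script is that a "documented" review is a diff against those sources, not a signature on a list of names.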

Removal & Adjustment of Access Rights

The access rights of all users shall be promptly removed upon termination of their employment
or contract, or when rights are no longer needed due to a change in job function or role. The
maximum allowable time period for access termination is 24 business hours.

Access Provisioning, Deprovisioning, and Change Procedure

The Access Management Procedure for SlideHub ApS systems can be found in Appendix A to
this policy.

Segregation of Duties
Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for
unauthorized or unintentional modification or misuse of SlideHub ApS assets. When provisioning
access, care should be taken that no single person can access, modify or use assets without
authorization or detection. The initiation of an event should be separated from its authorization.
The possibility of collusion should be considered when determining access levels for individuals
and groups.

6. User Responsibility for the Management of Secret Authentication Information
Control and management of individual user passwords is the responsibility of all SlideHub ApS
personnel and third-party users. Users shall protect secret authentication information in
accordance with the Information Security Policy.

Password Policy
Where feasible, passwords for confidential systems shall be configured to enforce at least the
following minimum requirements:

- eight (8) characters
- at least one upper-case letter
- at least one number
- at least one special character

Furthermore, when possible, all passwords should be managed via a password manager tool
provided by SlideHub. Passwords for Office365 and Windows must be updated every 90 days.

All systems that allow Multi-factor authentication (MFA) must enable MFA.

7. System and Application Access

Information Access Restriction

Applications must restrict access to program functions and information to authorized users and
support personnel in accordance with the defined access control policy. The level and type of
restrictions applied by each application should be based on the individual application
requirements, as identified by the data owner. The application-specific access control policy
must also conform to SlideHub ApS policies regarding access controls and data management.

Prior to implementation, evaluation criteria are to be applied to application software to
determine the necessary access controls and data policies. Assessment criteria include, but are
not limited to:

- Sensitivity and classification of data
- Risk to the organization of unauthorized access or disclosure of data
- The ability to, and granularity of, control(s) on user access rights to the application and
  data stored within the application
- Restrictions on data outputs, including filtering sensitive information, controlling output,
  and restricting information access to authorized personnel
- Controls over access rights between the evaluated application and other applications and
  systems
- Programmatic restrictions on user access to application functions and privileged
  instructions
- Logging and auditing functionality for system functions and information access
- Data retention and aging features

All unnecessary default accounts must be removed or disabled before making a system
available on the network. Specifically, vendor default passwords and credentials must be
changed on all SlideHub ApS systems, devices, and infrastructure prior to deployment. This
applies to ALL default passwords, including but not limited to those used by operating systems,
software that provides security services, application and system accounts, and Simple Network
Management Protocol (SNMP) community strings where feasible.

Secure Log-on Procedures

Secure log-on controls shall be designed and selected in accordance with the sensitivity of data
and the risk of unauthorized access based on the totality of the security and access control
architecture.

Password Management System

Systems for managing passwords should be interactive and assist SlideHub ApS personnel in
maintaining password standards by enforcing password strength criteria, including minimum
length and password complexity, where feasible.

All storage and transmission of passwords are to be protected using appropriate cryptographic
protections. Passwords that a system only needs to verify (user log-ins) are to be stored as
salted hashes produced by a password-hashing function, never in plaintext; passwords that must
be recoverable (such as shared administrative credentials in the company password manager) are
to be encrypted at rest; and passwords in transit are to be sent only over encrypted channels.
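The password requirements in section 6 (eight characters, an upper-case letter, a number, a special character) and the hashed-storage requirement in this section, in working code. This is an added example and not part of SlideHub's policy or tooling: it uses the scrypt function from Python's standard library, and the scrypt cost parameters and the stored record format are assumptions chosen for the example.

```python
"""Password policy check and password-at-rest protection.

Added example, not SlideHub's own tooling. Implements the policy's stated
minimums and stores passwords only as salted scrypt hashes, compared in
constant time. Cost parameters and record format are assumptions.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional

MIN_LENGTH = 8
SPECIALS = set(string.punctuation)

# scrypt cost parameters: assumed values for the example; tune to your budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def check_policy(password: str) -> List[str]:
    """Return the policy rules the password fails (empty list = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<hash hex>'. The password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per record
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def enrol(password: str) -> str:
    """Enforce the policy, then hash. Raises ValueError naming the failed rules."""
    failures = check_policy(password)
    if failures:
        raise ValueError("password rejected: " + "; ".join(failures))
    return hash_password(password)


if __name__ == "__main__":
    for pw in ["password", "Passw0rd", "Passw0rd!"]:
        print(repr(pw), "->", check_policy(pw) or "compliant")
    record = enrol("Passw0rd!")
    print(record)
    print(verify_password("Passw0rd!", record), verify_password("Passw0rd?", record))
```

The salt is stored beside the hash so that identical passwords produce different records, and the comparison uses hmac.compare_digest so that verification time does not depend on where the first mismatching byte is.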

Use of Privileged Utility Programs

Use of utility programs, system files, or other software that might be capable of overriding
system and application controls or altering system configurations must be restricted to the
minimum personnel required. Systems are to maintain logs of all use of system utilities or
alteration of system configurations. Extraneous system utilities or other privileged programs are
to be removed or disabled as part of the system build and configuration process.

Management approval is required prior to the installation or use of any ad hoc or third-party
system utilities.
For simplicity, SlideHub maintains a list of all approved applications on the internal company
Wiki (part of the MS Teams General channel).

Access to Program Source Code

Access to program source code and associated items, including designs, specifications,
verification plans, and validation plans shall be strictly controlled in order to prevent the
introduction of unauthorized functionality into software, avoid unintentional changes, and
protect SlideHub ApS intellectual property.

All access to source code shall be based on business need and must be logged for review and
audit.

Only the SlideHub engineering team has access to the source code.

Exceptions
Requests for an exception to this Policy must be submitted to the SlideHub CTO for approval.
Violations & Enforcement
Any known violations of this policy should be reported to the CTO. Violations of this policy can
result in immediate withdrawal or suspension of the system and network privileges and/or
disciplinary action in accordance with company procedures up to and including termination of
employment.
Version

Version  Date         Description      Author         Approved by
1.0      Jan 24 2022  First Version    Rune Johansen  Anders Thomsen
1.1      Dec 29 2022  Updated Version  Beatriz Rico   Anders Thomsen

APPENDIX A - Access Management Procedure

As part of onboarding a new employee:

- All relevant contracts must be signed.
- Relevant hardware is to be ordered and shipped to the employee.
- The new employee must read and approve all relevant policies for their role.
- The new employee is then granted a login to relevant systems by the HR lead, including a
  temporary login to Microsoft 365.
- Further role-based access is granted to relevant systems and folders.
- The new employee must ensure that their computer meets all the requirements within 3
  working days.
- Additional access, beyond standard pre-approved access, must be requested and approved by
  a manager or system owner.

As part of offboarding an employee:

- Access to all systems is to be removed.
- The computer of the employee must be returned.
- Once returned, the computer must be wiped and prepared for use by another member of the
  organization.