Defines requirements for controlling access to Meridian Seven systems and data based on least privilege, with required authorization, regular review, and prompt revocation.
All employees, contractors, and third-party users who access Meridian Seven systems, including production, staging, and development environments.
MFA is mandatory for all systems that support it. Approved methods: hardware security keys (preferred), authenticator apps (TOTP), push notifications via 1Password. SMS-based MFA is not approved. MFA must be enforced at the identity provider level (Google Workspace, Supabase Auth, GitHub).
| Requirement | Standard |
|---|---|
| Minimum length | 12 characters |
| Complexity | Uppercase, lowercase, numbers, and special characters |
| Rotation | No forced periodic rotation (NIST 800-63B). Rotate immediately on suspected compromise, employee departure, or Watchtower breach detection. |
| History | Cannot reuse last 5 passwords |
| Lockout | Locked after 5 failed attempts for 30 minutes |
| Storage | All passwords stored in 1Password; no plaintext storage |
- Service accounts must use unique credentials per environment
- API keys and tokens stored in Doppler — never in source code or config files
- Service account and database credentials rotated every 90 days or immediately upon personnel change
- All service accounts must have a designated human owner documented in the access register
- Users receive only the minimum access required for their role
- Access scoped to specific environment(s) required; production access not granted by default
- Elevated privileges (admin, owner) require explicit justification and additional approval
- Temporary elevated access must have a defined expiration and be reviewed upon completion
| Step | Action | Responsible Party | SLA |
|---|---|---|---|
| 1 | Manager submits access request: systems, role, justification | Hiring Manager | Day 1 |
| 2 | CISO reviews and approves | CISO | 1 business day |
| 3 | IT provisions access per Onboarding Checklist | CTO | 1 business day |
| 4 | Requester verifies access | New Employee | 1 business day |
| 5 | Provisioning evidence archived for audit | CTO | Same day |
- Emergency access may be granted by CTO or CISO without standard approval
- Must be documented within 24 hours with justification
- Must be reviewed at the next Monthly Access Review
- Access revoked within 24 hours of termination, contract end, or role change
- For involuntary terminations: revoked within 1 hour
- Offboarding Checklist completed; the automation verify runner confirms deprovisioning
- Any shared secrets the departing user accessed must be rotated via Doppler
- CrowdStrike sensor removed, company accounts signed out, and company data removed per the BYOD Endpoint Security Policy offboarding process
| Review Type | Frequency | Scope | Responsible Party |
|---|---|---|---|
| Monthly Access Review | Monthly | All systems — verify user list against expected roster; includes privileged account review | CISO |
| Quarterly Deep Review | Quarterly | Service account rotation audit, API key review, privileged access justification | CISO + CTO |
| Policy Review | Annually | This policy and related procedures | CISO |
All access reviews documented using the Monthly Access Review template and retained for audit.
| System | Access Level | Notes |
|---|---|---|
| Google Workspace | Standard user | Company email and collaboration |
| GitHub | Write access to assigned repositories | No admin unless team lead |
| Slack | Standard member | All engineering channels |
| 1Password | Engineering vault | No access to Operations or Finance vaults |
| GCP (Cloud Run) | Cloud Run Developer (dev/staging) | No production access by default |
| Supabase | Developer (dev/staging) | No production access by default |
| Doppler | Developer (dev/staging configs) | Production config requires separate approval |
| GCP Cloud Monitoring | Monitoring Viewer | Uptime check and alert access for debugging |
| System | Access Level | Notes |
|---|---|---|
| Google Workspace | Standard user | Company email and collaboration |
| Slack | Standard member | Operations channels |
| 1Password | Operations vault | No access to Engineering or Finance vaults |
| Finance systems | Read-only | Reporting and reconciliation |
| System | Access Level | Notes |
|---|---|---|
| Google Workspace | Standard user | Company email and collaboration |
| Slack | Standard member | Finance channels |
| 1Password | Finance vault | No access to Engineering or Operations vaults |
| Accounting tools | Full access | As required by role |
| Stripe | Read-only | Payment and subscription data |
| System | Access Level | Notes |
|---|---|---|
| All systems | Per role requirements | Leadership title does not grant blanket access |
| Google Workspace | Admin | Organization management |
| 1Password | Admin | Vault and user management |
| GitHub | Owner | Organization settings |
| System | Auth Method | MFA | SSO | Access Control Mechanism |
|---|---|---|---|---|
| Google Workspace | Google Identity | Required | N/A (IdP) | OU-based policies, group membership |
| GitHub | GitHub account | Required | Google SSO | Org membership, team-based repo access |
| Slack | Slack account | Required | Google SSO | Workspace membership, channel permissions |
| 1Password | 1Password account | Required (Secret Key + MFA) | N/A | Vault-based access groups |
| GCP (Cloud Run) | Google account | Required | Google SSO | IAM roles (Cloud Run Admin, Developer, Viewer) |
| Supabase | Supabase account | Required | GitHub SSO | Org roles, project-level access |
| Doppler | Doppler account | Required | N/A | Project + config level access |
| Cloudflare | Cloudflare account | Required | N/A | Account roles |
| GCP Cloud Monitoring | Google account | Required | Google SSO | IAM roles (Monitoring Admin, Editor, Viewer) |
| CrowdStrike | CrowdStrike console | Required | N/A | Role-based console access |
Violations are subject to disciplinary actions per the Information Security Policy. Failure to complete access reviews on schedule must be escalated to the CTO.
Meridian Seven — Confidential