ACCESS CONTROL POLICY

RiskBirbal Insurance Brokers Pvt. Ltd.

1. Purpose

The purpose of this Access Control Policy is to establish a structured framework for controlling access to the Broker’s websites, internal systems, and digital platforms used for insurance broking operations. This policy ensures that access to information and systems is authorized, role-based, secure, and auditable, thereby safeguarding client data, insurer information, and operational integrity.

2. Scope

This policy applies to:

  • All websites, applications, and systems operated or used by the Broker for insurance broking activities
  • All users accessing such systems, including:
    • Employees of the Broker
    • Authorized management and administrators
    • Relationship managers and operational staff
    • Client-side HR representatives (where applicable)
    • End users such as employees of corporate clients
    • Authorized third parties, insurers, and service providers
  • All environments including production, testing, and staging

3. Access Control Principles

The Broker follows these core access control principles:

3.1 Least Privilege

Users are granted only the minimum level of access necessary to perform their assigned duties.

3.2 Role-Based Access Control (RBAC)

System access is assigned based on predefined job roles rather than individual users.

3.3 Segregation of Duties

Critical operational and administrative functions are segregated to reduce the risk of misuse or unauthorized actions.

3.4 Need-to-Know

Access to sensitive client, insurer, financial, or personal data is restricted strictly to users with a legitimate business requirement.

4. User Roles and Access Categories

Access rights are categorized by role, including but not limited to:

  • System Administrators – Platform configuration, user access management, and system maintenance
  • Management Users – Oversight, reporting, and approval authority
  • Relationship Managers – Client servicing, policy coordination, and insurer interactions
  • Operations and Support Staff – Data processing, endorsements, documentation, and coordination
  • Client HR Users – Limited access to employee data and policy-related workflows
  • End Users – Access limited to their own insurance information and service requests
  • Authorized Third Parties – Restricted access defined by contractual agreements

Each role has clearly documented permissions approved by management.

5. Authentication Controls

The Broker enforces the following authentication measures:

  • Unique user credentials for each authorized user
  • Secure password or OTP-based authentication mechanisms
  • Password complexity and renewal requirements
  • Automatic session timeouts for inactive users
  • Additional authentication controls for privileged or administrative users

6. Authorization and Approval

  • Access rights are granted only after proper authorization.
  • Any creation, modification, or elevation of access requires documented approval.
  • Temporary access, where required, is time-bound and automatically revoked.
  • Periodic access reviews are conducted to ensure continued relevance.

7. User Lifecycle Management

7.1 User Onboarding

  • User access is provisioned only after identity verification and role approval.
  • Access is aligned strictly with assigned responsibilities.

7.2 Role Changes

  • Changes in responsibilities require corresponding access modification.
  • All role changes are logged and approved.

7.3 User Deactivation

Access is revoked promptly upon:

  • Employee exit or role termination
  • Completion of contractual engagement
  • Security or compliance concerns
  • Management instruction

8. Logging, Monitoring, and Audit Trails

  • System access and user activities are logged for monitoring and audit purposes.
  • Logs capture events such as:
    • Login and logout activities
    • Access to sensitive functions or data
    • Administrative and configuration changes
  • Logs are retained as per internal retention and regulatory requirements.
  • Regular audits are conducted to detect and prevent unauthorized access.

9. Third-Party and External Access

  • Third-party access is:
    • Granted only where business necessity exists
    • Restricted to specific functions
    • Governed by contractual and confidentiality obligations
  • Such access is reviewed periodically and revoked when no longer required.

10. Data Confidentiality and Protection

  • Access to personal, financial, and insurance-related data is strictly controlled.
  • Users are required to maintain confidentiality of all information accessed.
  • Unauthorized disclosure, misuse, or access is treated as a serious violation and may lead to disciplinary or legal action.

11. Security Incident Reporting

  • Any suspected or actual unauthorized access must be reported immediately to management.
  • Incidents are investigated in accordance with the Broker’s incident management procedures.
  • Corrective and preventive actions are implemented without delay.

12. Compliance and Regulatory Alignment

This policy is aligned with:

  • IRDAI regulations applicable to insurance brokers
  • Indian cyber and data protection laws
  • Insurer and corporate client IT security expectations
  • Internal governance and risk management standards

13. Policy Review and Maintenance

  • This policy is reviewed periodically and updated as required.
  • Reviews consider:
    • Regulatory changes
    • Operational changes
    • Security assessments and audit findings
  • Continued use of the Broker’s systems constitutes acceptance of this policy.

14. Policy Ownership

This Access Control Policy is owned, maintained, and enforced by:
RiskBirbal Insurance Brokers Pvt. Ltd.
Management and Authorized IT Personnel