Access control is one of the most fundamental components of a mature security program. Properly managing who can access which systems—and under what conditions—is a core requirement for maintaining confidentiality, integrity, and operational stability. RSI’s Access Control & Authentication Policy provides clients with a clear, structured explanation of how we govern identity lifecycle management, authentication strength, privileged access, and ongoing review. This policy safeguards client environments from unauthorized access, misconfiguration risks, insider threats, and compliance gaps while supporting a scalable, efficient operational model.
Identity governance begins with provisioning. RSI uses documented, auditable workflows to create and modify user accounts across the systems we manage. Every access request must originate from an authorized source, contain a defined business justification, and be approved through formal channels. This prevents ad‑hoc account creation and ensures that every identity has a traceable origin. Clients benefit from clarity, consistency, and assurance that their systems are accessed only by individuals who have been intentionally granted the necessary permissions.
Authentication is enforced through strong, modern methods. Multi‑factor authentication (MFA) is mandatory across all systems that support it, and RSI actively encourages clients to adopt MFA holistically. MFA dramatically reduces the effectiveness of credential compromise attacks by requiring something the user knows (a password) and something they have (an authenticator token or device). RSI also supports the use of conditional access—requiring additional factors, limiting login by geography, or restricting access via device compliance—to further mitigate risk.
Password policies are aligned to current NIST and industry recommendations. RSI emphasizes complexity, length, rotation based on risk rather than arbitrary schedules, and prevention of known-compromised credential use. Additionally, privileged accounts—those with administrative or high‑risk capabilities—are subject to stricter authentication requirements, enhanced monitoring, and separation of duties.
Least privilege is central to RSI’s access philosophy. Users are granted only the minimum level of access required to perform their job responsibilities. Privilege is not a static state; it is assessed continuously through periodic access reviews to ensure that permissions remain appropriate. If a user changes roles or leaves an organization, access must be promptly updated or revoked to prevent unnecessary exposure. RSI’s offboarding workflows ensure that accounts are disabled quickly and consistently, helping prevent orphaned access or unauthorized system use.
Privileged access management (PAM) is a specialized set of controls for accounts with elevated privileges. RSI uses dedicated administrative accounts, session controls, and monitoring to reduce the risk of unauthorized system changes or abuse of elevated capabilities. Administrative actions are logged and auditable, enabling forensic investigation and accountability. This level of control maturity significantly exceeds the standards maintained by many service providers, who often allow technicians to share accounts or maintain persistent administrative access without oversight.
Service accounts and application identities are governed with equal rigor. These accounts often operate behind the scenes but carry significant privilege and therefore significant risk if not managed properly. RSI documents the purpose of each service account, restricts permissions to exactly what is needed, and rotates credentials in accordance with security best practices. Where possible, we promote the adoption of managed identities or key‑vault‑based credentialing to eliminate static passwords.
Monitoring provides an additional layer of assurance. All access attempts—successful or failed—are logged and analyzed for anomalies. Suspicious behaviors, such as excessive authentication failures or unusual administrative activity, generate alerts for further investigation. This proactive approach prevents small authentication irregularities from escalating into full‑scale incidents.
The Access Control & Authentication Policy also establishes clear expectations for client collaboration. Access is a shared responsibility, and clients play an essential role in communicating staffing changes, approving access modifications, and participating in periodic access reviews. RSI provides the tools, governance model, and operational discipline; clients provide the context and organizational insight. Together, this partnership establishes a robust security posture that aligns with SOC 2 Security criteria and supports compliance requirements across industries.
Compared to competitors, RSI distinguishes itself through disciplined identity governance. Many MSPs use shared credentials, inconsistent account creation processes, or insufficient privilege separation. RSI rejects these informal patterns and instead applies enterprise‑grade standards across every service engagement. Clients receive assurance that identity and access controls are not only implemented but backed by documented policies, monitored through automation, and validated through routine reviews.
Access governance is not a one‑time effort; it is an ongoing lifecycle. This policy ensures that RSI maintains continuous accountability over who has access, why, and under what conditions. Through this model, clients gain confidence that their environments remain secure, compliant, and resilient—even as their business evolves.