1. Purpose
The purpose of this policy is to establish guidelines for granting, monitoring, and revoking access to CTM systems, databases, and sensitive information. Proper access control protects operational integrity, preserves confidentiality, and ensures accountability.
2. Scope
This policy applies to:
- All CTM personnel, including full-time, part-time, contract staff, volunteers, and interns
- All systems, databases, physical files, and operational tools containing sensitive or confidential information
- Access to offices, equipment, and digital resources
3. Policy Statement
- Access to CTM systems and information must be role-based, granting personnel only the privileges necessary to perform their duties.
- Unauthorized access or use of information is strictly prohibited.
- Access rights are reviewed periodically to ensure appropriateness and compliance with organizational and legal standards.
4. Role-Based Access Guidelines

| Role | Access Level | Examples of Permissions |
| --- | --- | --- |
| Executive Leadership | Full access | All operational, financial, investigative records; policy approval; system admin |
| Supervisors / Managers | Moderate access | Team operational data, reports, incident logs, staff management tools |
| Field Investigators | Limited access | Assigned investigation data, public records, fugitive observation notes |
| IT / Security Staff | Technical access | System administration, audit logs, security monitoring |
| Volunteers / Interns | Minimal access | Training materials, limited operational info; no sensitive data |

- Access is granted on a “need-to-know” basis and must be formally approved by a supervisor or manager.
- Temporary access for special projects must be documented and automatically revoked after the project ends.
5. Authentication & Security
- All users must have unique credentials; sharing accounts is prohibited.
- Multi-factor authentication (MFA) is required for all systems containing sensitive or personally identifiable information.
- Passwords must comply with CTM Cybersecurity Policy standards.
6. Access Monitoring & Review
- Access logs must be maintained and periodically reviewed by supervisors or IT personnel.
- Unauthorized access attempts or unusual activity must be reported immediately and investigated.
- Periodic audits of access rights must be conducted at least annually.
7. Revocation of Access
- Access must be revoked immediately when:
  - Personnel separate from CTM (termination, resignation, end of contract)
  - Role or assignment no longer requires access
  - Security breaches or policy violations occur
- Revocation procedures include disabling system accounts, retrieving keys, badges, or devices, and documenting actions taken.
8. Training
- All personnel must complete training on access control procedures, information security, and role-based responsibilities.
- Refresher training occurs annually or when systems or access rules are updated.
9. Oversight & Accountability
- Supervisors are responsible for approving, monitoring, and reviewing access for their teams.
- IT/security personnel enforce technical controls and report violations.
- Non-compliance may result in disciplinary action, including termination.
10. Policy Review
- This policy shall be reviewed annually to ensure compliance with legal requirements, best practices, and organizational needs.
- Updates must be communicated to all affected personnel.