Access & Identity Management
User Access Controls (MFA, RBAC)
We strongly recommend enabling Multi-Factor Authentication (MFA) for an additional layer of security on your account. MFA adds an extra verification step beyond your password, significantly reducing the risk of unauthorised access.
Role-Based Access Control:
For team and organisational accounts, Neuro+ implements granular role-based access controls:
Owner: Full administrative access and billing control
Admin: User management and team configuration
Member: Standard platform access with team visibility
Viewer: Read-only access to shared resources
Session Management
Automatic session timeout for inactive users
Secure session tokens with regular rotation
Remote session termination capabilities
Login monitoring and suspicious activity detection
Access Management Policy
Neuro+ has an Access Management Policy that defines the procedures for granting and revoking system access. The CISO oversees the policy, while System Owners, Line Managers, IT Department, and HR each have specific responsibilities in managing access controls. Access requests must be formally submitted with business justification and require appropriate authorisation before provisioning. The policy mandates that access must be revoked on the same day personnel no longer have a legitimate requirement, immediately upon employment termination, or as soon as practicable when malicious activities are detected. Regular access reviews are conducted quarterly for standard access and monthly for privileged access, with all modifications and revocations being properly documented.
Password Management Policy
Under Neuro+'s Password Management Policy, we implement a multi-layered authentication framework that prioritises security while maintaining usability. The policy mandates multi-factor authentication (MFA) for all supported systems, with specific emphasis on remote access, privileged accounts, and systems containing sensitive data. For standard user accounts, passphrases must be at least 15 characters long and comprise 4 random words, while privileged accounts require 20 characters with 5 random words. When passphrases aren't supported, standard users must use passwords of at least 15 characters incorporating three of the four character types (uppercase, lowercase, numbers, special characters), while privileged accounts require 20 characters using all four character types. We use a secure password manager, and all credentials must be uniquely generated, securely stored, and changed if compromised or at least every 12 months.
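The following validator encodes the passphrase and password thresholds stated above so they can be checked mechanically; it is an added example, not Neuro+'s own code. It assumes words in a passphrase are separated by spaces or hyphens (the policy does not specify a delimiter) and uses a small constructed word list for the generator.

```python
import re
import secrets

# Thresholds as stated in the policy text: (minimum length, minimum word count)
# for passphrases and (minimum length, minimum character types) for passwords,
# keyed by account tier.
PASSPHRASE_RULES = {"standard": (15, 4), "privileged": (20, 5)}
PASSWORD_RULES = {"standard": (15, 3), "privileged": (20, 4)}

CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def word_count(passphrase: str) -> int:
    # Assumption: words are delimited by whitespace or hyphens.
    return len([w for w in re.split(r"[\s-]+", passphrase.strip()) if w])

def check_passphrase(passphrase: str, tier: str = "standard") -> list[str]:
    """Return the passphrase rules violated (empty list means compliant)."""
    min_len, min_words = PASSPHRASE_RULES[tier]
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if word_count(passphrase) < min_words:
        problems.append(f"fewer than {min_words} words")
    return problems

def check_password(password: str, tier: str = "standard") -> list[str]:
    """Fallback rule for systems that cannot accept passphrases."""
    min_len, min_classes = PASSWORD_RULES[tier]
    present = [n for n, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(present) < min_classes:
        problems.append(f"only {len(present)} of {min_classes} required character types")
    return problems

def generate_passphrase(tier: str = "standard", wordlist=None) -> str:
    """Build a compliant passphrase with a CSPRNG. The embedded list is a
    constructed stand-in; a real deployment would use a proper large word list."""
    words = wordlist or ["granite", "lantern", "orbit", "velvet", "cactus", "meadow"]
    min_len, min_words = PASSPHRASE_RULES[tier]
    while True:
        candidate = " ".join(secrets.choice(words) for _ in range(min_words))
        if len(candidate) >= min_len:
            return candidate
```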
User Access Review Policy
Neuro+'s User Access Review Policy provides a framework for managing and reviewing system access. The policy mandates quarterly reviews for general user access and monthly reviews for privileged accounts, with specific requirements for maintaining detailed access records. These records must document essential information including user identification, authorisation details, access grant dates, access levels, review dates, and any subsequent changes or withdrawals of access rights. The policy emphasises the importance of proper documentation and regular validation of both general and privileged access rights, with particular attention to privileged access management through strict authorisation processes and monitoring requirements.
Acceptable Use Policy
The Acceptable Use Policy at Neuro+ directs the management of system access through need-to-know and least privilege principles. The policy mandates that all users must have unique personal accounts for normal business activities and separate privileged accounts where required, with access rights strictly limited to those necessary for performing job duties. Under the oversight of the CISO and System Owners, access requests must include business justification and receive appropriate approvals, while Line Managers are responsible for validating business requirements and ensuring team compliance. The policy emphasises that access is granted only when there is a legitimate business need, must be regularly reviewed, and should be revoked when no longer required, thereby maintaining strong security controls over both personal and privileged account usage.