User Access Review - Developers
Overview
Purpose
This policy section governs access to mobile app store accounts (e.g. Apple App Store, Google Play Console, etc.) and other developer accounts to prevent unauthorized access and ensure controlled distribution of applications.
Scope
Applies to employees, contractors and clients with access to the organization’s developer accounts on app stores and other platforms, including beta testing platforms.
Key Areas Covered
- Access Control: Defines who may access developer accounts and under what circumstances.
- Role-based Permissions: Emphasizes least privilege principles, granting permissions aligned with specific responsibilities (e.g. developer, publisher, analytics viewer).
- Review Process: Details a quarterly access review to validate the necessity and appropriateness of each user’s access. Includes guidelines for promptly revoking access when employees or contractors no longer require it.
- Activity Monitoring and Logging: Outlines the process for logging and monitoring activities within developer accounts to detect unauthorized access or suspicious activity.
Policy Statements
- Access Control
  - Policy Statement: Access to developer accounts on mobile app stores and testing platforms will be restricted to authorized personnel based on their roles and business needs.
  - Actionable Item: The IT Security Team, in coordination with team leads, will maintain an approved list of users with access to developer accounts, ensuring access is granted only after obtaining documented approval from relevant department heads. This applies to Lab651 resources, to client data managed by Lab651, and to client-managed resources.
  - Policy Statement: Temporary access, when necessary, must be explicitly approved by management, with an expiration date defined based on the project’s requirements.
  - Actionable Item: All temporary access requests will require a documented expiration date, and any extensions must go through the same approval process.
- Role-based Permissions
  - Policy Statement: Role-based permissions will follow the principle of least privilege, ensuring users only have the permissions necessary for their specific responsibilities (e.g., developer, publisher, analytics viewer).
  - Actionable Item: Each user’s role within developer accounts will be clearly defined, and permissions will be assigned accordingly to limit the potential for unauthorized access or accidental misuse.
  - Policy Statement: Users will not be granted administrative or publishing permissions unless their role specifically requires it, with such permissions limited to designated personnel.
  - Actionable Item: The IT Security Team will periodically audit role assignments to ensure compliance with least privilege principles and prevent permission creep.
- Review Process
  - Policy Statement: A quarterly access review of all users with developer account permissions will be conducted to confirm that each user’s access remains necessary and appropriate.
  - Actionable Item: The IT Security Team will generate and review a quarterly access report with department heads, identifying and revoking access for users who no longer require it.
  - Policy Statement: Access to developer accounts must be promptly removed when employees, contractors, or clients no longer require it, such as upon role changes or project completion.
  - Actionable Item: Team leads will immediately notify IT Security of any role changes or departures to ensure timely removal of access from developer accounts.
- Activity Monitoring and Logging
  - Policy Statement: All activities within developer accounts will be logged and monitored to detect unauthorized access or unusual behavior.
  - Actionable Item: The IT Security Team will enable and maintain activity logging on all mobile app store and developer accounts, with alerts configured for any suspicious actions (e.g., changes to app settings, unexpected logins).
  - Policy Statement: Activity logs will be reviewed quarterly as part of the access review process and retained for a minimum of one year to support compliance and forensic investigations.
  - Actionable Item: Anomalies detected in activity logs will trigger an immediate investigation by IT Security, and corrective measures will be implemented as necessary.
Related
- User Access Review — Cloud Platforms — quarterly cloud account reviews
- Data Access and Privacy — access control and data handling policies