Roles Management Policy

Purpose:

To define how roles and permissions are managed within the Pitaka platform, ensuring that users only have access to the necessary resources based on their job responsibilities, in compliance with applicable laws and regulations in the Philippines.

Scope:

This policy applies to all employees, contractors, and third-party users who access Pitaka systems and data.

Policy:

1. Role-Based Access Control (RBAC):

Pitaka implements an RBAC system to manage user permissions and access levels. Each role will have predefined permissions aligned with the principle of least privilege, meaning users will only have access to the information and systems necessary for their job functions.

Common roles may include:

  • Admin: Full access to all system features and user management.
  • Customer Support: Access to user accounts, transaction history, and support tools.
  • Regular User: Access to personal accounts and transaction capabilities.
  • Custom Role: Admin determines the specific access granted to this role on a case-by-case basis (e.g., Auditors, Legal).

2. Role Assignment:

Roles will be assigned based on the specific job functions and responsibilities of each user. All role assignments must be documented, including the rationale for the assignment and any changes made over time.

3. Role Review:

Roles and permissions will be reviewed on a quarterly basis to ensure they remain appropriate and aligned with job responsibilities. Any discrepancies or necessary changes will be documented, and roles will be updated accordingly.

4. Separation of Duties:

Critical operations (such as financial transactions and security management) will require the approval of multiple roles to minimize the risk of fraud or error. For example, one role may initiate a transaction while another must approve it.

5. Role Changes:

When an employee’s job changes (e.g., promotion, demotion, or transfer), their access rights must be reviewed and updated. Access rights belonging to the previous role must be revoked immediately, and the new role’s permissions must be assigned promptly.

6. User Training and Awareness:

All users must receive training on the roles and permissions relevant to their functions, including the importance of adhering to access control policies. Ongoing training programs will be implemented to ensure users understand their responsibilities and the potential risks associated with their roles.

7. Compliance:

This policy aligns with the Data Privacy Act of 2012, the Anti-Money Laundering Act (AMLA), and any other relevant Philippine laws. Regular audits will be conducted to ensure compliance with these laws and to assess the effectiveness of the roles management policy.

8. Documentation and Reporting:

All role assignments, changes, and reviews must be documented and maintained in a secure manner. A designated compliance officer will oversee the documentation and conduct periodic audits to ensure adherence to this policy.

9. Policy Enforcement:

Violations of this policy will result in disciplinary actions, which may include revocation of access, termination of employment, or legal action, depending on the severity of the violation.