Access Review & Audit Policy

WTD Application | Internal Security Protocol

This policy defines the procedures for the periodic review and auditing of access rights within the WTD application ecosystem. The goal is to ensure that access remains limited to authorized personnel and that the Principle of Least Privilege is maintained throughout the software lifecycle.

1. Periodic Access Reviews

WTD conducts formal reviews of all user and system access rights to verify that each permission is still required by the user's current role or by the system component's current function. These reviews are conducted at least annually, and additionally whenever one of the "Trigger Events" in Section 2 occurs.

2. Review Trigger Events

In addition to scheduled annual reviews, an immediate access audit is performed upon the following events:

User or Role Changes: Any time a new family member is added, a user is removed, or an existing user requires a change in their permission level.
Substantial Software Changes: When major updates are made to the WTD codebase, database schema, or third-party integrations (such as Plaid API version upgrades) that impact how data is accessed or processed.
Infrastructure Migrations: Any change to the hosting environment, server configuration, or network architecture.

3. Audit Procedures

During an audit, the Administrator (Policy Owner) performs the following checks:

4. Documentation of Findings

Results of these reviews are documented internally, including the date of the review, the accounts and permissions examined, and any discrepancies found. A discrepancy (e.g., an orphaned account belonging to a removed user, or a permission no longer required by a user's role) is remediated promptly, with a target of 24 hours from discovery.