1 Purpose
This policy ensures that access to Tree (tree.com.hk) systems is granted only to authorized users, based on job needs, and removed when no longer required.
2 Scope
| System | Access Type |
|---|---|
| File Server | Shared folders, departmental drives, user home folders |
| QuickBooks | Accounting modules based on job role |
| POS System | Cashier, supervisor, and admin access levels |
| Online Sales System | Order management, product admin, reporting |
| Office Users + PCs | Local user login (standard user, no admin rights); tree.com.hk email and office applications |
Also covers network login, VPN, and remote access where applicable.
3 Policy
3.1 Account Provisioning
- New accounts created only after approval from manager or HR.
- Each office user gets a local user account (standard user — no administrator rights).
- QuickBooks, POS, and online sales accounts granted separately based on job role.
- Closed internal system with flat role structure — minimum access required for daily duties.
3.2 Authentication
- Strong passwords per company standards.
- MFA should be enabled if the application supports it (especially remote/admin).
- Passwords must not be shared.
3.3 Access Review
- Review user access at least once per year.
- Managers confirm team members still require current access.
- Remove access that is clearly no longer needed.
3.4 Access Changes
- Role changes, transfers, or promotions require an access update request.
- Temporary access (e.g., contractors) must have a defined end date.
3.5 Access Termination
- Disable access on office PC, file server, QuickBooks, POS, and online sales as applicable.
- HR or manager must notify IT promptly for offboarding.
- All company devices and credentials must be returned or revoked.
3.6 Privileged Access
- Office users do not have administrator rights and cannot install software.
- Software installation and system changes on office PCs are performed by IT only.
- Admin accounts limited to authorized IT staff; not used for daily routine work.
- Privileged access must be logged and reviewed regularly.
4 End User Responsibilities
- Protect login credentials and report suspected compromise immediately.
- Lock workstations when away from the desk.
- Do not attempt to install software or change PC settings — request IT.
- Use access responsibly within the closed internal environment.
- Report if you can see data or systems you should not have access to.
5 Responsibilities
| Role | Responsibility |
|---|---|
| HR / Manager | Request account creation, changes, and termination |
| IT Team | Provision, review, and revoke access; enforce authentication standards |
| End Users | Safeguard credentials and use access appropriately |
6 Review
This policy will be reviewed at least once per year.