This section provides information about the access control policies and procedures within the Monito business environment, including user account management, authentication, and authorization protocols.
Our cloud services run securely on Amazon Web Services (AWS). Monito Business is hosted in a private section of the AWS data centers.
Monito services are managed by in-house administrators. Each administrator is assigned a unique user ID and password.
Regardless of permission level, multi-factor authentication (MFA) is applied to all accounts.
Passwords expire after prolonged inactivity and must comply with sufficient length and complexity rules (including uppercase and lowercase letters and special characters). Password reuse is prohibited, and passwords are encrypted in storage and in transit.
After a certain number of failed login attempts, the account is locked, and the user can request that an administrator unlock it. Concurrent logins are allowed to support connections across devices within Monito.
We use an industry-standard, token-based authentication method. Session tokens are encrypted and securely managed within the user's browser, ensuring secure session continuity.
We ensure data security through two core policies: segregation of duties and the principle of least privilege.
To manage access control, we use Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).
The identity and access management process follows a formal, systematic procedure consisting of the following steps.
User ID request
The request is submitted through a designated application form.
Department head review and approval
The relevant department head reviews and approves the request.
Security officer review and approval
The security officer decides whether to approve the request in accordance with security guidelines.
Account creation
After approval, a system administrator creates the account.
Access reviews are conducted at least once per quarter, with immediate reviews also performed upon role changes or departures.
Production environment access is granted only to authorized personnel under the principle of least privilege. When a product engineer needs temporary access for troubleshooting, access is granted and then revoked immediately after the work is completed.
Server access is carried out through an audited, secure remote access solution. Administrators must complete MFA before accessing the server environment, and all communications are encrypted using industry-standard protocols such as TLS 1.2 or higher, or HTTPS.
Access logs record the following information:
Who accessed which server environment, and when
The actions performed and their timestamps
Logs are reviewed regularly by the security team to ensure transparency and accountability.
If a session remains inactive for a certain period, its network connection is automatically terminated.
During the onboarding of new employees, the HR department conducts a thorough identity verification process — including reference checks with former colleagues and supervisors — to ensure the trustworthiness of personnel.
These procedures are carried out within the scope of background checks permitted under Korean personal information protection regulations.
When an employee leaves, the HR department notifies the security team of the last working day, and the account is deactivated immediately on that date. Unless otherwise requested, the account is permanently deleted two weeks later.