1. Purpose
At Nextsulting LLC and Romine, Bernicky & Associates, we take the management and security of our clients’ digital assets seriously. As a trusted vendor, we implement safeguards to ensure that access requests and transfers are handled responsibly, securely, and in accordance with best practices.
This policy is designed to:
- Protect our clients’ digital assets from unauthorized access or misuse.
- Ensure accountability by granting access only to authorized individuals.
- Align with governance structures (e.g., board oversight) when required.
- Reduce liability by following standardized procedures for access control.
- Support compliance with Nextsulting’s Privacy Policy, Information Security Policy, Incident Response Policy, and Disaster Recovery & Business Continuity Plan.
2. Scope
This policy applies to all digital assets managed by Nextsulting LLC and its DBA, Romine, Bernicky & Associates, including but not limited to:
- Social media accounts (Facebook, Instagram, LinkedIn, Twitter, etc.).
- Website administrative access.
- Google Business Profiles.
- Paid advertising accounts (Google Ads, Facebook Ads, etc.).
- CRM and marketing automation platforms.
- Any other digital platform that requires administrative control.
This policy applies to all clients, their representatives, and any third parties requesting access to these assets.
3. Access Request & Authorization Process
To ensure that access is securely granted, the following steps must be followed:
Step 1: Submission of Formal Request
All access requests must be submitted through our Access Request Form, which includes:
- Requester’s full name, title, and contact information.
- Organization name and role within the organization.
- The specific accounts or platforms for which access is requested.
- The level of access needed (e.g., Admin, Editor, Contributor).
- Acknowledgment of responsibility for account security and compliance.
Step 2: Verification & Approval
- For businesses without a board of directors: The request must come from an authorized decision-maker (Owner, CEO, or designated representative).
- For organizations with a board of directors: A formal authorization from the board (meeting minutes, signed approval, or written confirmation from an official board representative) is required before access can be granted.
- For government entities or nonprofits: Any internal access protocols established by the organization must be followed, and a designated approver must sign off on the request.
- Verification Process: Nextsulting will confirm the request with the appropriate leadership before granting access. If the authorization is unclear or disputed, Nextsulting reserves the right to withhold access until proper approval is documented.
Step 3: Documentation & Security Compliance
- Access Change Logs: All access modifications will be documented internally to ensure accountability and security tracking.
- Security Compliance: Any individual granted access must comply with Nextsulting’s Information Security Policy, which mandates:
  - Strong password policies.
  - Multi-Factor Authentication (MFA) for high-risk accounts.
  - Secure handling of sensitive credentials.
4. Transfer & Revocation of Access
To maintain security and accountability:
- Transfer of Ownership: If an organization requests a change in ownership of a digital asset, this must be formally documented with clear approval from the appropriate leadership (e.g., business owner, board, or governing body).
- Access Revocation: If there is a dispute regarding access or an unclear chain of command, Nextsulting reserves the right to withhold or revoke access until a resolution is provided in writing by the client’s leadership.
- Departing Employees or Leadership Changes: Clients must inform Nextsulting immediately of any personnel changes affecting access.
5. Incident Response & Liability Limitations
As outlined in Nextsulting’s Incident Response Policy and Disaster Recovery Plan:
- If a security incident occurs related to account access, Nextsulting will follow its Incident Response Policy to contain, investigate, and resolve the issue.
- If an unauthorized party gains access due to a client’s internal mismanagement (e.g., shared passwords, lack of internal oversight), Nextsulting is not liable for resulting damages.
- If an access-related dispute arises, Nextsulting will defer to the organization’s established approval process and will not act as an arbitrator in internal conflicts.
6. Limitation of Liability
Nextsulting acts solely as a steward of client digital assets and does not assume responsibility for:
- Internal disputes regarding who should have access.
- Unauthorized changes made by individuals granted access.
- Security breaches or account misuse after access has been transferred.
- Any damages or losses resulting from delayed or denied access requests due to missing approvals.
By requesting access through Nextsulting LLC, the client acknowledges and agrees that Nextsulting:
- Does not own or control client assets but follows client-approved processes.
- Reserves the right to deny access requests that do not meet security and governance standards.
- Is not responsible for governance disputes within an organization.
7. Policy Acknowledgment & Compliance
By engaging Nextsulting LLC for digital asset management, clients agree to adhere to this policy. Any exceptions to this policy must be approved in writing by both parties.