Service Access & Administration Summary

Delivery model (how administration is performed)

This summary explains how Virtus Group performs administration and delivery activities inside a client’s ICT environment in a secure, auditable way.

• Work is performed using client‑approved devices, accounts, and credentials (e.g., client user accounts or delegated admin roles), not shared generic credentials.
• Where permitted, we use named accounts for each resource with role-based access and MFA enforced.
• Administrative activity is logged and traceable to an individual.

Access principles

• Least privilege: access granted only to what is required for the task and revoked when no longer needed.
• Time‑boxed elevation: privileged roles are used only for the duration of approved work (where platform supports).
• Separation of duties: critical changes require peer review or dual approval where agreed.
• Secure remote access: client-approved VPN/conditional access; no direct inbound exposure required.

Privileged access and break‑glass controls

• Break‑glass accounts are limited, monitored, and stored securely (vaulted).
• Use of break‑glass access is recorded with a reason, ticket/change reference, and post‑use review.
• Credential rotation follows incidents, offboarding, and periodic hygiene routines.

Tooling, evidence, and handover

• Changes are executed via documented runbooks and change control (ticket/CR, approval, rollback plan).
• Evidence is captured for material changes (screenshots, exports, logs) and provided to the client on request.
• At close-out, we deliver a knowledge transfer bundle: runbooks, access matrix, and handover notes.

Offboarding and data handling

• Access removal: accounts disabled/removed promptly when a resource leaves or an engagement ends.
• Client data is returned or securely destroyed per contract and retention requirements.
• Devices used for client work follow sanitisation and disposal procedures at end-of-life.