PR.AA-01.194

Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?

Explanation

This question assesses whether your organization has implemented a structured access management process that governs how users obtain new or additional system access. A formal process ensures that access is granted based on legitimate business needs, receives proper authorization, and maintains an audit trail of requests and approvals. Evidence could include documentation of your access request workflow, such as a formal access management policy, screenshots of your ticketing system showing access request workflows, sample access request forms with approval fields, or process diagrams showing the request-to-fulfillment lifecycle with approval gates.

Implementation Example

Initiate requests for new access or additional access for employees, contractors, and others, and track, review, and fulfill the requests, with permission from system or data owners when needed.

ID: PR.AA-01.194

Context

Function
PR: PROTECT
Category
PR.AA: Identity Management, Authentication, and Access Control
Sub-Category
Identities and credentials for authorized users, services, and hardware are managed by the organization

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub