Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
Explanation
This question focuses on disciplined access provisioning: specifically, whether you have a formal process to request, track, review, and fulfill access, with approval from the relevant system or data owners. A formal process ensures that access is granted only for legitimate business needs, receives proper authorization before it is provisioned, and leaves an audit trail of requests and approvals.
Evidence could include documentation of your access request workflow such as a formal access management policy, screenshots of your ticketing system showing access request workflows, sample access request forms with approval fields, or process diagrams showing the request-to-fulfillment lifecycle with approval gates.
Implementation Example
Initiate requests for new or additional access for employees, contractors, and others; track, review, and fulfill those requests, obtaining permission from system or data owners when needed.
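The request-to-fulfillment lifecycle described above, as an added illustration that is not part of the assessment page or of any particular product: a small workflow that routes each request to the owner of record for the resource, refuses approval from anyone else (including the requester), provisions only after approval, and keeps a per-request audit trail. The resource names, owner assignments, and user names are constructed sample data.

```python
"""Access-request workflow with owner approval gates and an audit trail.

Added example, not code from the original page. Resources, owners and
users below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class State(Enum):
    REQUESTED = "requested"   # submitted, waiting for the owner's decision
    APPROVED = "approved"     # owner said yes; not yet provisioned
    DENIED = "denied"         # owner said no; terminal
    FULFILLED = "fulfilled"   # access actually provisioned; terminal


# Constructed: the system/data owner who must approve access to each resource.
RESOURCE_OWNERS = {
    "hr-payroll-db": "dana.owner",
    "prod-k8s-admin": "sam.platform",
}


@dataclass
class AccessRequest:
    request_id: int
    requester: str
    resource: str
    justification: str
    state: State = State.REQUESTED
    approver: Optional[str] = None
    audit: list = field(default_factory=list)

    def log(self, actor: str, action: str, detail: str = "") -> None:
        """Append one immutable-style audit record (who did what, when)."""
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "detail": detail,
        })


class AccessWorkflow:
    def __init__(self, owners: dict):
        self.owners = dict(owners)
        self.requests: dict[int, AccessRequest] = {}
        self._next_id = 1
        self.granted: set[tuple[str, str]] = set()  # (user, resource) provisioned

    def request(self, requester: str, resource: str, justification: str) -> AccessRequest:
        """Open a request. A resource without an owner of record cannot be routed."""
        if resource not in self.owners:
            raise ValueError(f"no owner on record for {resource!r}; cannot route for approval")
        if not justification.strip():
            raise ValueError("a business justification is required")
        req = AccessRequest(self._next_id, requester, resource, justification)
        self._next_id += 1
        req.log(requester, "requested", justification)
        self.requests[req.request_id] = req
        return req

    def review(self, request_id: int, reviewer: str, approve: bool) -> AccessRequest:
        """Approval gate: only the owner of record may decide, and never on their own request."""
        req = self.requests[request_id]
        if req.state is not State.REQUESTED:
            raise ValueError(f"request {request_id} is already {req.state.value}")
        owner = self.owners[req.resource]
        if reviewer != owner:
            req.log(reviewer, "review_rejected", "reviewer is not the owner of record")
            raise PermissionError(f"{reviewer} is not the owner of {req.resource} ({owner})")
        if reviewer == req.requester:
            req.log(reviewer, "review_rejected", "self-approval is not allowed")
            raise PermissionError("requester may not approve their own request")
        req.state = State.APPROVED if approve else State.DENIED
        req.approver = reviewer
        req.log(reviewer, req.state.value)
        return req

    def fulfill(self, request_id: int, provisioner: str) -> AccessRequest:
        """Provision access only from the APPROVED state."""
        req = self.requests[request_id]
        if req.state is not State.APPROVED:
            raise PermissionError(f"request {request_id} is {req.state.value}, not approved")
        self.granted.add((req.requester, req.resource))
        req.state = State.FULFILLED
        req.log(provisioner, "fulfilled")
        return req

    def pending_for(self, owner: str) -> list:
        """Tracking view: open requests awaiting this owner's decision."""
        return [r for r in self.requests.values()
                if r.state is State.REQUESTED and self.owners[r.resource] == owner]


if __name__ == "__main__":
    wf = AccessWorkflow(RESOURCE_OWNERS)
    r = wf.request("alice", "hr-payroll-db", "quarterly payroll audit")
    wf.review(r.request_id, "dana.owner", approve=True)
    wf.fulfill(r.request_id, "it-ops")
    for entry in r.audit:
        print(entry)
```

The two refusals in `review` (non-owner and self-approval) and the state check in `fulfill` are the "approval gates" an assessor looks for; the `audit` list on each request is the evidence trail, and `pending_for` is the tracking view an owner would work from.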
ID: PR.AA-01.194
Context
- Function
- PR: PROTECT
- Category
- PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category
- Identities and credentials for authorized users, services, and hardware are managed by the organization
Related questions
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?
- Has your organization implemented multifactor authentication (MFA) for all user access to systems containing sensitive data?