PR.AA-05.207

Does your organization have a formal process to review and promptly revoke access privileges when employees change roles or leave the organization?

Explanation

Regular review of access privileges ensures that individuals only have access to the systems and data necessary for their current role, reducing the risk of unauthorized access. When employees change roles or leave, outdated access privileges can create security vulnerabilities if not promptly revoked. Evidence could include a documented access review policy, audit logs showing regular privilege reviews, and records of access revocation following personnel changes. Examples might include screenshots of your identity management system showing deactivated accounts, a formal access review schedule, or workflow documentation for the offboarding process.

Implementation Example

Review logical and physical access privileges periodically and whenever someone changes roles or leaves the organization, and promptly rescind privileges that are no longer needed

ID: PR.AA-05.207

Context

Function: PR: PROTECT
Category: PR.AA: Identity Management, Authentication, and Access Control
Sub-Category: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub