Does your organization have a formal process to review and promptly revoke access privileges when employees change roles or leave the organization?
Explanation
Regular review of access privileges ensures that individuals only have access to the systems and data necessary for their current role, reducing the risk of unauthorized access. When employees change roles or leave, outdated access privileges can create security vulnerabilities if not promptly revoked.
Evidence could include a documented access review policy, audit logs showing regular privilege reviews, and records of access revocation following personnel changes. Examples might include screenshots of your identity management system showing deactivated accounts, a formal access review schedule, or workflow documentation for the offboarding process.
Implementation Example
Review logical and physical access privileges periodically and whenever someone changes roles or leaves the organization, and promptly rescind privileges that are no longer needed
ID: PR.AA-05.207
Context
- Function
- PR: PROTECT
- Category
- PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category
- Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?

