User Access Review Procedure (AC-PROC-003)
1. Purpose
To define the process for conducting periodic reviews of user access rights to ensure adherence to the principle of least privilege.
2. Scope
This procedure applies to all user accounts with access to company information systems and the managers or system owners responsible for those accounts.
3. Overview
This procedure describes the quarterly and annual process for reviewing user access to sensitive systems. It ensures that access rights are regularly verified and that any unnecessary permissions are revoked in a timely manner, thereby minimizing security risks.
4. Procedure
| Step | Who | What |
|---|---|---|
| 1 | IT/Security Team | Generates user access reports for specific systems based on the quarterly and annual review schedule. |
| 2 | IT/Security Team | Sends these reports to the designated system owners or employee managers. |
| 3 | System Owner/Manager | Reviews each user’s access and attests whether it is still appropriate and required for their job function. |
| 4 | System Owner/Manager | Returns the signed-off review form to the IT/Security team. |
| 5 | System Owner/Manager | Returns the signed-off review form to the IT/Security team. |
| 6 | Security Team | Reviews administrative access rights and attests to their necessity. |
| 7 | IT/Security Team | Stores all completed reviews as an audit record. |
5. Standards Compliance
| Procedure Step(s) | Standard/Framework | Control Reference |
|---|---|---|
| 1-6 | SOC 2 | CC6.1 |
| 1-6 | HIPAA | 45 CFR § 164.308(a)(4) (Information Access Management) |
6. Artifact(s)
A completed and signed User Access Review attestation form or ticket.
7. Definitions
- Principle of Least Privilege: The concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, authorized activities.
8. Responsibilities
| Role | Responsibility |
|---|---|
| IT/Security Team | Facilitates the access review process, generates reports, tracks completion, and stores audit records. |
| System Owners/Managers | Perform the detailed review of access rights for their systems or direct reports and attest to their necessity. |
| All Workforce Members | Comply with the process and provide any necessary information to their managers. |