Initial commit
84
03-procedures/access-review-procedure.md
Normal file
@@ -0,0 +1,84 @@
Title: Access Review Procedure
Document ID: [PROC-ACCESS-REVIEW-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Access Review Procedure

## Purpose

This procedure defines how BlackDice should review user, privileged, and service access to ensure it remains appropriate.

## Scope

This procedure applies to in-scope systems, services, cloud platforms, repositories, administrative functions, and other controlled access points.

## Trigger / When Used

Use this procedure:

- at planned review intervals
- after significant role or organisational changes
- after incidents, audit findings, or suspected misuse
- when required for high-risk or privileged environments

## Procedure Steps

1. Define the scope of the review, including the systems, accounts, and review period.
2. Extract or compile the current access listing from the relevant systems or authoritative source.
3. Identify account types requiring review, including user accounts, privileged accounts, service accounts, temporary accounts, and shared accounts where they exist.
4. Send the review to the appropriate manager, asset owner, or system owner for validation.
5. Confirm whether each access right remains required, appropriate, and proportionate to the current role or system purpose.
6. Record required changes, including removals, privilege reductions, account disablement, or further investigation.
7. Complete the approved changes and confirm closure of review actions.
8. Retain review evidence and track overdue or incomplete reviews to resolution.

## Inputs

- current access listing
- system ownership information
- personnel role information
- previous review results where relevant

## Outputs / Records

- completed access review record
- required remediation actions
- evidence of changed or removed access
- escalation record for unresolved items

## Roles and Responsibilities

- [Role] must coordinate the access review process.
- Managers and system owners must validate access under their responsibility.
- Administrators must implement approved changes.
- Internal reviewers may sample evidence for assurance purposes.

## Escalation / Exceptions

Escalate when:

- reviewers do not complete reviews within the required timeframe
- privileged access cannot be validated
- unexplained accounts or excessive permissions are identified
- technical limitations prevent evidence collection

Exceptions must be documented and approved through the defined process.

## Related Documents

- Access Control Policy
- Identity and Authentication Standard
- Joiner Mover Leaver Procedure
- Corrective Action Procedure

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
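Review bot: the coordinating role in "## Roles and Responsibilities" is still the unresolved placeholder `- [Role] must coordinate the access review process.`, even though the header already names an Owner and Approver (CISO); either name the coordinating role here or reference the Owner so the procedure has an accountable party from its first draft. Related gap: the trigger "at planned review intervals" and the escalation condition "reviewers do not complete reviews within the required timeframe" both refer to a frequency and a deadline that nothing in the file defines, so either state them (per account type, since privileged and service accounts are called out separately in step 3) or point to the document that does, such as the Access Control Policy listed under "## Related Documents". Style point on the header block: the `Title:` … `Review date:` lines are not wrapped in `---` front-matter delimiters, so a Markdown renderer will treat them as one run-on paragraph; fence them as front matter (or render them as a table like the Version Control section) so the metadata stays legible.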