Title: Access Review Procedure

Document ID: [PROC-ACCESS-REVIEW-001]

Version: 0.1 Draft

Status: Draft

Owner: CISO (Paul Jenkins)

Approver: CISO (Paul Jenkins)

Classification: Internal

Effective date: [DD Month YYYY]

Review date: [DD Month YYYY]
# Access Review Procedure

## Purpose

This procedure defines how BlackDice should review user, privileged, and service access to ensure it remains appropriate.

## Scope

This procedure applies to in-scope systems, services, cloud platforms, repositories, administrative functions, and other controlled access points.
## Trigger / When Used

Use this procedure:

- at planned review intervals
- after significant role or organisational changes
- after incidents, audit findings, or suspected misuse
- when required for high-risk or privileged environments
## Procedure Steps

1. Define the scope of the review, including the systems, accounts, and review period.
2. Extract or compile the current access listing from the relevant systems or authoritative source.
3. Identify account types requiring review, including user accounts, privileged accounts, service accounts, temporary accounts, and shared accounts where they exist.
4. Send the review to the appropriate manager, asset owner, or system owner for validation.
5. Confirm whether each access right remains required, appropriate, and proportionate to the current role or system purpose.
6. Record required changes, including removals, privilege reductions, account disablement, or further investigation.
7. Complete the approved changes and confirm closure of review actions.
8. Retain review evidence and track overdue or incomplete reviews to resolution.
## Inputs

- current access listing
- system ownership information
- personnel role information
- previous review results where relevant
## Outputs / Records

- completed access review record
- required remediation actions
- evidence of changed or removed access
- escalation record for unresolved items
## Roles and Responsibilities

- [Role] must coordinate the access review process.
- Managers and system owners must validate access under their responsibility.
- Administrators must implement approved changes.
- Internal reviewers may sample evidence for assurance purposes.
## Escalation / Exceptions

Escalate when:

- reviewers do not complete reviews within the required timeframe
- privileged access cannot be validated
- unexplained accounts or excessive permissions are identified
- technical limitations prevent evidence collection

Exceptions must be documented and approved through the defined process.
## Related Documents

- Access Control Policy
- Identity and Authentication Standard
- Joiner Mover Leaver Procedure
- Corrective Action Procedure
## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |