Access Review
Define how access is reviewed, changed, approved, and removed.
Policy intent
Access policy should make permissions intentional, reviewable, and removable. It should prevent accounts from surviving role changes simply because nobody owns the cleanup.
Minimum content
- Define who and what the policy covers, including systems, data, tools, users, vendors, and exceptions.
- Joiner, mover, and leaver handling.
- MFA and credential handling expectations.
- Privileged access approval and review.
- Exception expiration and removal evidence.
Expected output
A policy page that states expectations clearly enough to guide approval, exception, and review decisions.
Common failure mode
Leaving access active because ownership, expiration, or review evidence is unclear.
Use notes
| | |
|---|---|
| Authority | Identify who can approve, deny, and grant exceptions. |
| Exception handling | Give exceptions an owner, reason, expiration, and review date. |
| Review point | Review when law, tools, contracts, ownership, or operational risk changes. |
Related pages
- Third Party Review: Define how vendors, services, and external tools are reviewed before use.
- Access Review Checklist: Confirm account ownership, appropriateness, and removal actions.
- Access Review Log: Track access review findings, approvals, removals, and exceptions.
- Change Management: Define when changes require review, approval, notice, or rollback planning.
- Incident Notification: Define who must be notified when incidents affect service, data, obligations, or reputation.