Access Review Policy
Periodically review who has access to what.
Template
- Maintain a list of systems, groups, roles, and data locations requiring review.
- Assign a resource owner for each access area.
- Review active users, service accounts, privileged accounts, and external users.
- Remove access that is no longer justified.
- Document exceptions, temporary access, and approvals.
- Record review date, reviewer, changes made, and unresolved questions.
- Repeat on a regular schedule appropriate to risk.
Expected output
Access review record with removed access, exceptions, and next review date.
Use notes
| | |
|---|---|
| Owner | Assign one person responsible for keeping the template current. |
| Review | Review after significant changes, incidents, staffing changes, or tool changes. |
| Risk | Adapt the template to local policies, contractual duties, privacy requirements, and operational risk. |