User Access Review Procedure (AC-PROC-003)
1. Purpose
To define the process for conducting periodic reviews of user access rights to ensure adherence to the principle of least privilege.
2. Scope
This procedure applies to all user accounts with access to company information systems and the managers or system owners responsible for those accounts.
3. Overview
This procedure describes the process for conducting periodic access reviews to ensure users retain only the access necessary for their current role. Review frequency depends on privilege level: accounts with privileged or administrative access are reviewed quarterly, and all other standard user accounts are reviewed semi-annually. Regular reviews enforce the principle of least privilege, catch access that has accumulated through role changes, and support SOC 2 compliance.
4. Procedure
Step | Who | What |
---|---|---|
1 | IT Manager/Security Officer | Generates user access reports for all systems and applications according to the review schedule: quarterly for privileged/administrative accounts, semi-annually for standard user accounts. |
2 | IT Manager/Security Officer | Reviews each user’s access rights to verify they align with current job responsibilities and access privilege level. |
3 | Direct Manager | Attests whether access is still appropriate for each team member’s current role. |
4 | IT Manager/Security Officer | Removes any access rights identified as unnecessary during the review, including any access the direct manager did not attest to, and records each removal. |
5 | IT Manager/Security Officer | Documents the review results, including review frequency applied, and stores as audit records. |
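The following is an added example of how steps 1 through 5 could be automated against an exported access report; it is not part of AC-PROC-003 and does not describe any specific tool. The account records, role baselines, attestation data and dates are constructed for illustration, and the rule that "any administrative entitlement makes an account privileged" is an assumption made here to select the quarterly cadence.

```python
"""Added example (not part of AC-PROC-003): select accounts due for review
under the quarterly/semi-annual cadence, compare entitlements with a role
baseline, apply manager attestations, and emit an audit record per account.
All sample data below is constructed."""
from dataclasses import dataclass
from datetime import date

# Review cadence from the procedure: quarterly for privileged/administrative
# accounts, semi-annually for standard accounts (expressed in days).
REVIEW_INTERVAL_DAYS = {"privileged": 91, "standard": 182}

# Constructed role baselines: the (system, permission) pairs each role needs.
ROLE_BASELINE = {
    "engineer": frozenset({("github", "write"), ("aws", "developer")}),
    "sre": frozenset({("github", "write"), ("aws", "admin"), ("prod-db", "admin")}),
    "finance": frozenset({("erp", "user")}),
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    entitlements: frozenset  # of (system, permission) tuples
    last_reviewed: date


def cadence(acct: Account) -> str:
    """Assumption: any 'admin' entitlement makes the account privileged."""
    return "privileged" if any(perm == "admin" for _, perm in acct.entitlements) else "standard"


def review_due(acct: Account, today: date) -> bool:
    """Step 1: an account is due when its interval has elapsed since last review."""
    return (today - acct.last_reviewed).days >= REVIEW_INTERVAL_DAYS[cadence(acct)]


def excess_access(acct: Account) -> frozenset:
    """Step 2: entitlements beyond the role baseline. An account whose role is
    unknown (e.g. a departed user) has every entitlement flagged."""
    return acct.entitlements - ROLE_BASELINE.get(acct.role, frozenset())


def run_review(accounts, attested_exceptions, today: date) -> dict:
    """Steps 3-5: keep excess access only where the manager attested to it,
    mark the rest for removal, and return one audit record per reviewed user."""
    records = {}
    for acct in accounts:
        if not review_due(acct, today):
            continue
        excess = excess_access(acct)
        kept = excess & attested_exceptions.get(acct.user, frozenset())
        records[acct.user] = {
            "cadence": cadence(acct),
            "excess": sorted(excess),
            "retained_by_attestation": sorted(kept),
            "to_remove": sorted(excess - kept),
            "reviewed_on": today.isoformat(),
        }
    return records


# Constructed sample input: an access report and the managers' attestations.
SAMPLE_ACCOUNTS = [
    Account("alice", "engineer",
            frozenset({("github", "write"), ("aws", "developer"), ("prod-db", "admin")}),
            date(2024, 1, 10)),   # privileged, last reviewed 143 days ago -> due
    Account("bob", "sre",
            frozenset({("github", "write"), ("aws", "admin"), ("prod-db", "admin")}),
            date(2024, 4, 15)),   # privileged, 47 days ago -> not yet due
    Account("carol", "finance",
            frozenset({("erp", "user"), ("github", "read")}),
            date(2023, 11, 1)),   # standard, 213 days ago -> due
    Account("dave", "finance",
            frozenset({("erp", "user")}),
            date(2024, 2, 1)),    # standard, 121 days ago -> not yet due
]
# carol's manager attests that her read access to github is still required.
SAMPLE_ATTESTATIONS = {"carol": frozenset({("github", "read")})}
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for user, record in run_review(SAMPLE_ACCOUNTS, SAMPLE_ATTESTATIONS, TODAY).items():
        print(user, record)
```

Run as-is, the script reports only alice and carol: alice's `prod-db` admin access is outside the engineer baseline and was not attested, so it lands in `to_remove`; carol's extra entitlement is retained because her manager attested to it, and the record shows that decision. The returned records are the audit evidence step 5 asks for, including which cadence applied to each account.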
5. Standards Compliance
Procedure Step(s) | Standard/Framework | Control Reference |
---|---|---|
1-5 | SOC 2 Trust Services Criteria | CC6.1 - Logical Access Security |
6. Artifact(s)
A completed and signed User Access Review attestation form or ticket.
7. Definitions
- Principle of Least Privilege: The concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, authorized activities.
8. Responsibilities
Role | Responsibility |
---|---|
IT/Security Team | Facilitates the access review process, generates reports, tracks completion, and stores audit records. |
System Owners/Managers | Perform the detailed review of access rights for their systems or direct reports and attest to their necessity. |
All Workforce Members | Comply with the process and provide any necessary information to their managers. |