graphgrc

ACC-03: Access Reviews

Objective

Ensure access remains appropriate and remove unnecessary permissions.

Description

User access rights are reviewed quarterly. Terminated employees have access revoked immediately. Role changes trigger access recertification.

Implementation Details

Quarterly Reviews: Managers review team access to AWS, GitHub, production systems. Document reviews in ticketing system.

Automated Reports: Generate quarterly access reports from SSO and AWS IAM Identity Center showing user permissions.

Deprovisioning: Automated employee offboarding removes all access within 1 hour of termination.

Role Changes: Transfer or promotion triggers access review within 5 business days.

Examples

• Q1 2025 access review completed with all managers certifying team permissions
• SCIM integration automatically provisions/deprovisions users in Okta
• GitHub organization access reviewed quarterly with inactive members removed
• AWS access report shows no users with permissions exceeding their role

Audit Evidence

• Quarterly access review records
• Manager approval documentation
• Deprovisioning logs
• Before/after snapshots of user permissions

---

Framework Mapping

SOC 2

• CC6.3 ^[Reviews ensure terminated employees and contractors no longer have access to systems]
• CC6.1 ^[Access reviews verify that logical access controls are functioning as intended]

GDPR

• Article 32 ^[Periodic access reviews are an organizational measure to ensure security of processing]
• Article 5 ^[Access reviews support data minimization principle by removing unnecessary access]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

Standards:

• AWS Security Standard ^[Quarterly IAM role and policy access reviews]
• GitHub Security Standard ^[Quarterly access reviews of organization members and external collaborators]
• Logging and Monitoring Standard ^[Audit logs track authentication and authorization events for quarterly reviews]
• SaaS IAM Standard ^[Quarterly access reviews to identify orphaned accounts, audit logs for access monitoring]

Processes:

• Access Review Process ^[Quarterly access reviews by managers, SSO and AWS IAM reports, documented certifications]

Policies:

• Data Access Policy ^[Quarterly access reviews with manager certification, enhanced monitoring for Restricted data]

This site is open source. Improve this page.