graphgrc

Access Review Process

Quarterly review of user access to ensure access remains appropriate and follows least privilege.

Roles and Responsibilities

• Security Team: Coordinates reviews, generates reports, tracks completion
• Managers: Review and certify team member access
• IT Team: Remediates access issues identified in reviews

Prerequisites

• Up-to-date employee roster in HRIS
• Audit logs from all systems (SSO, AWS, GitHub, etc.)
• Access review scheduled in security team calendar

Process Steps

Step 1: Generate Access Reports

Security team generates access reports from all systems.

Reports include:

• SSO: User accounts and group memberships
• AWS IAM Identity Center: Permission sets assigned to each user
• GitHub: Organization membership and team assignments
• SaaS applications: User lists and roles
• Privileged access: Admin accounts across all systems

Owner: Security Team Duration: 2-3 days before review start

Step 2: Distribute to Managers

Security team sends access reports to each manager for their direct reports.

Delivery method: Secure shared document or dedicated access review tool Instructions: Review each team member, confirm access is appropriate, flag any issues

Owner: Security Team Duration: First day of review period (Q1, Q2, Q3, Q4)

Step 3: Manager Review

Each manager reviews access for their direct reports.

Review criteria:

• Does employee still need access to this system?
• Is the level of access appropriate for their current role?
• Any unused accounts or permissions to remove?
• Any missing access that should be added?

Actions:

• Mark each user as “Approved” or “Needs Change”
• Document required changes
• Sign/date attestation

Owner: Managers Duration: 10 business days

Step 4: Remediation

IT team processes requested changes from managers.

Actions:

• Remove access for terminated employees (should already be done, but verify)
• Downgrade excessive permissions
• Remove inactive accounts (no login in 90 days)
• Document all changes in access review tracker

Owner: IT Team Duration: 5 business days after manager review complete

Step 5: Privileged Access Deep Dive

Security team performs detailed review of all admin/privileged accounts.

Focus areas:

• AWS admin roles
• GitHub organization owners
• SaaS application admins
• Database admin accounts
• Production system access

Review: Verify business justification, check for unused privileged accounts

Owner: Security Team Duration: 3-5 days

Step 6: Report and Document

Security team compiles summary report of access review.

Report includes:

• Number of users reviewed
• Number of access changes made
• Manager attestation completion rate
• Orphaned accounts removed
• Exceptions and open items

Owner: Security Team Duration: 2 days

Validation and Evidence

• Access reports from each system (exported before and after remediation)
• Manager attestations (signed/dated)
• Access review summary report
• Remediation tickets and audit logs

Exception Handling

• Manager non-responsive: Escalate to manager’s manager, security team reviews and makes decisions
• Shared accounts: Document as exception, plan migration to individual accounts
• Service accounts: Reviewed separately by engineering/infrastructure teams

Quarterly Schedule

• Q1 (January): Full access review
• Q2 (April): Full access review
• Q3 (July): Full access review
• Q4 (October): Full access review + annual deep dive

References

• Related controls: ACC-03, ACC-04
• Related standards: saas-iam-standard.md, aws-security-standard.md

Control Mapping

• ACC-03: Access Reviews ^[Quarterly access reviews by managers, SSO and AWS IAM reports, documented certifications]
• ACC-04: Privileged Access Management ^[Security team deep dive review of all admin/privileged accounts quarterly]
• PEO-03: Offboarding ^[Reviews verify terminated employees have no remaining access]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

This site is open source. Improve this page.