Access reviewed quarterly + removed at offboarding
Demonstrate that user access rights are systematically reviewed every 90 days and that access is consistently and promptly revoked during employee offboarding processes.
Description
What this control does
This control requires organizations to conduct formal reviews of user access rights on a quarterly basis and immediately revoke access upon employee termination or role change. The quarterly review ensures access privileges remain aligned with current job responsibilities and the principle of least privilege, while offboarding procedures prevent terminated employees from retaining system access. This dual mechanism addresses both access creep over time and the immediate security risk posed by departing personnel.
Control objective
What auditing this proves
Demonstrate that user access rights are systematically reviewed every 90 days and that access is consistently and promptly revoked during employee offboarding processes.
Associated risks
Risks this control addresses
- Terminated employees retain valid credentials and access sensitive systems or data for malicious purposes or sabotage
- Access creep results in users accumulating excessive privileges over time, violating least privilege and increasing the blast radius of compromised accounts
- Stale accounts from incomplete offboarding become targets for credential stuffing or account takeover attacks
- Inactive privileged accounts remain enabled, providing attackers with high-value dormant credentials
- Role changes are not reflected in access permissions, allowing users to retain access incompatible with current responsibilities
- Lack of periodic validation enables unauthorized access grants or privilege escalations to persist undetected
- Orphaned accounts from contractors or vendors remain active beyond the engagement period, creating unauthorized entry points
Testing procedure
How an auditor verifies this control
- Obtain the access review policy and offboarding procedure documents to confirm documented quarterly review and immediate revocation requirements
- Retrieve access review reports and sign-off documentation for the most recent four quarters to verify review cadence
- Select a sample of 25-30 user accounts across different roles and privilege levels from the current Active Directory or identity management system
- For each sampled account, trace access rights documented in the most recent quarterly review to current provisioned permissions in target systems to identify discrepancies
- Obtain the HR termination list for the past 90 days and cross-reference against active accounts to identify any terminated employees with remaining access
- For a sample of 10-15 terminated employees, review offboarding tickets and examine account deactivation timestamps in authentication logs to measure time-to-revocation
- Interview identity and access management personnel to understand the process for triggering access reviews and receiving termination notifications from HR
- Test the technical controls by reviewing identity governance platform configurations, automated review workflows, and deprovisioning rules tied to HR system events
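The cross-reference and time-to-revocation steps above can be scripted against exports from HR and the identity system. The following is an added example and not part of the original page or any particular governance platform; the HR termination list, account export, review log, their field names and the 24-hour revocation SLA are all constructed assumptions for illustration. It flags terminated employees whose accounts are still enabled, measures hours from termination to deactivation for the rest, and separately lists enabled accounts whose last documented review is older than the 90-day cadence.

```python
from datetime import datetime, timedelta, timezone

SLA_HOURS = 24            # assumed revocation SLA for this example
REVIEW_WINDOW_DAYS = 90   # quarterly review cadence stated by the control

# Constructed sample data (assumption, not real exports). Timestamps are UTC.
HR_TERMINATIONS = [
    {"employee_id": "E1001", "terminated_at": "2024-05-01T17:00:00Z"},
    {"employee_id": "E1002", "terminated_at": "2024-05-10T17:00:00Z"},
    {"employee_id": "E1003", "terminated_at": "2024-05-20T17:00:00Z"},
]
ACCOUNTS = [
    {"employee_id": "E1001", "username": "alice", "enabled": False, "disabled_at": "2024-05-01T18:30:00Z"},
    {"employee_id": "E1002", "username": "bob",   "enabled": False, "disabled_at": "2024-05-14T09:00:00Z"},
    {"employee_id": "E1003", "username": "carol", "enabled": True,  "disabled_at": None},
    {"employee_id": "E2000", "username": "dave",  "enabled": True,  "disabled_at": None},
    {"employee_id": "E2001", "username": "erin",  "enabled": True,  "disabled_at": None},
]
REVIEW_LOG = [
    {"username": "carol", "last_reviewed_at": "2024-04-01T00:00:00Z"},
    {"username": "dave",  "last_reviewed_at": "2024-02-20T00:00:00Z"},
    # erin has no review record at all
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # audit date for the example


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconcile_offboarding(terminations, accounts, sla_hours=SLA_HOURS):
    """Cross-reference the HR termination list against account state.

    One finding per terminated employee, with status:
      NO_ACCOUNT_FOUND   - no account export row for the employee
      ACCESS_NOT_REVOKED - account still enabled after termination
      REVOCATION_LATE    - disabled, but later than the SLA
      OK                 - disabled within the SLA
    hours_to_revocation is None unless access was actually revoked.
    """
    by_employee = {a["employee_id"]: a for a in accounts}
    findings = []
    for term in terminations:
        acct = by_employee.get(term["employee_id"])
        finding = {"employee_id": term["employee_id"],
                   "username": acct["username"] if acct else None,
                   "hours_to_revocation": None}
        if acct is None:
            finding["status"] = "NO_ACCOUNT_FOUND"
        elif acct["enabled"] or acct["disabled_at"] is None:
            finding["status"] = "ACCESS_NOT_REVOKED"
        else:
            elapsed = parse_ts(acct["disabled_at"]) - parse_ts(term["terminated_at"])
            hours = elapsed / timedelta(hours=1)
            finding["hours_to_revocation"] = hours
            finding["status"] = "OK" if hours <= sla_hours else "REVOCATION_LATE"
        findings.append(finding)
    return findings


def stale_access_reviews(accounts, review_log, now, max_age_days=REVIEW_WINDOW_DAYS):
    """Return enabled accounts with no review record or a review older than max_age_days."""
    last_review = {r["username"]: parse_ts(r["last_reviewed_at"]) for r in review_log}
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are covered by the offboarding check
        reviewed = last_review.get(acct["username"])
        if reviewed is None:
            stale.append({"username": acct["username"], "days_since_review": None})
        elif (now - reviewed).days > max_age_days:
            stale.append({"username": acct["username"], "days_since_review": (now - reviewed).days})
    return stale


if __name__ == "__main__":
    for f in reconcile_offboarding(HR_TERMINATIONS, ACCOUNTS):
        print(f"{f['employee_id']:6} {str(f['username']):6} {f['status']:20} "
              f"hours_to_revocation={f['hours_to_revocation']}")
    for s in stale_access_reviews(ACCOUNTS, REVIEW_LOG, NOW):
        print(f"review overdue: {s['username']} days_since_review={s['days_since_review']}")
```

With the constructed data, the offboarding check reports alice as revoked within the SLA, bob as revoked late (88 hours), and carol as still enabled; the review check lists dave (102 days since review) and erin (never reviewed). An auditor would treat the "ACCESS_NOT_REVOKED" and "REVOCATION_LATE" rows as the exceptions to trace back to offboarding tickets and authentication logs.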
Where this control is tested