Is access removed for terminated/transferred users within 24 hours, with evidence?
Demonstrate that user access is consistently deprovisioned within 24 hours of termination or transfer events, with documented evidence of the removal action and its timeliness.
Description
What this control does
This control ensures that user access rights to systems, applications, and data are revoked within 24 hours of employment termination or role transfer. It requires documented evidence of the deprovisioning action, including timestamps and authorizing personnel. Timely access removal prevents unauthorized access by former employees or individuals who have moved to roles with different access requirements, reducing the window of opportunity for malicious activity or inadvertent data exposure.
Control objective
What auditing this proves
Demonstrate that user access is consistently deprovisioned within 24 hours of termination or transfer events, with documented evidence of the removal action and its timeliness.
Associated risks
Risks this control addresses
- Former employees retain access credentials and exfiltrate sensitive data or intellectual property after termination
- Disgruntled terminated users modify or delete critical business data during the access removal delay window
- Transferred employees accumulate excessive privileges across roles, violating least privilege and segregation of duties
- Attackers exploit orphaned accounts from incomplete deprovisioning to establish persistent unauthorized access
- Regulatory non-compliance and audit findings due to failure to demonstrate timely access revocation controls
- Insider threat actors share credentials with external parties after departure, enabling third-party unauthorized access
- Compromise of business continuity through unauthorized system configuration changes by former administrators
Testing procedure
How an auditor verifies this control
- Obtain the complete list of employee terminations and role transfers from HR for the audit period (typically last 12 months or since last audit)
- Request access deprovisioning logs from identity and access management systems, including Active Directory, SSO platforms, privileged access management tools, and application-specific user repositories
- Select a statistical sample of 25-40 termination and transfer events, ensuring representation across departments, job functions, and termination types (voluntary, involuntary, transfers)
- For each sampled event, identify the official termination/transfer date from HR records and compare against the timestamp of account disablement or removal in access logs
- Calculate the time delta between HR-confirmed termination/transfer and actual access removal for each sample item, flagging any exceeding 24 hours
- Review documented evidence of the deprovisioning action, including ticketing system records, change management logs, and email confirmations showing who performed the action and when
- Interview IT operations and HR personnel to validate the standard operating procedure for termination/transfer processing and escalation paths for delays
- Test a subset of deprovisioned accounts by attempting authentication to verify accounts are truly disabled and not merely flagged in logs
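The sampling steps above reduce to a reconciliation: join the HR event list with the IAM removal records, measure the gap between the effective date and the last removal across every required system, and flag anything over 24 hours or with no removal record at all. The following Python script is an added example, not part of the original control page; the HR feed, the pipe-delimited log format, the system names ("ad", "sso"), the action names, the actors and the ticket ids are all constructed for illustration.

```python
"""Reconcile HR termination/transfer events against IAM deprovisioning logs.

Added example (not from the original control page). The HR feed, the IAM log
format, the system names, action names, actors and ticket ids are constructed
for illustration; only the 24-hour SLA comes from the control text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SLA = timedelta(hours=24)
REMOVAL_ACTIONS = {"disable", "deactivate", "delete"}
# Systems every leaver/transfer must be removed from (assumption for this example)
REQUIRED_SYSTEMS = ["ad", "sso"]

# Constructed HR feed: (user, event type, effective timestamp in UTC)
HR_EVENTS = [
    ("alice", "termination", "2024-03-01T17:00:00Z"),
    ("bob", "transfer", "2024-03-04T09:00:00Z"),
    ("carol", "termination", "2024-03-05T12:00:00Z"),
    ("dave", "termination", "2024-03-06T18:30:00Z"),
]

# Constructed IAM log lines: timestamp|system|action|user|actor|ticket
IAM_LOG = """\
2024-03-01T19:12:00Z|ad|disable|alice|svc-joiner-leaver|CHG-1001
2024-03-01T19:13:00Z|sso|deactivate|alice|svc-joiner-leaver|CHG-1001
2024-03-04T10:05:00Z|ad|disable|bob|it.ops|CHG-1002
2024-03-06T15:40:00Z|sso|deactivate|bob|it.ops|CHG-1002
2024-03-05T11:00:00Z|ad|disable|carol|it.ops|CHG-1003
2024-03-05T11:01:00Z|sso|deactivate|carol|it.ops|CHG-1003
2024-03-07T08:00:00Z|ad|password_reset|dave|helpdesk|INC-77
"""


@dataclass
class Finding:
    user: str
    event: str
    effective: datetime
    removed_at: Optional[datetime]     # latest removal across required systems
    hours_to_removal: Optional[float]  # negative = disabled before the effective time
    missing_systems: List[str]
    status: str                        # "within_sla", "late" or "no_evidence"
    evidence: List[str]                # "system:actor:ticket" for the audit workpaper


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; 'Z' is normalised so Python < 3.11 accepts it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_iam_log(text: str) -> List[dict]:
    """Parse pipe-delimited log lines, keeping only access-removal actions."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, action, user, actor, ticket = line.split("|")
        if action in REMOVAL_ACTIONS:
            records.append({"ts": parse_ts(ts), "system": system, "user": user,
                            "actor": actor, "ticket": ticket})
    return records


def assess(hr_events, log_text: str, required_systems=REQUIRED_SYSTEMS) -> List[Finding]:
    """Produce one finding per HR event, judged against the 24-hour SLA."""
    removals = parse_iam_log(log_text)
    findings = []
    for user, event, effective_str in hr_events:
        effective = parse_ts(effective_str)
        # Latest removal record per required system: the most recent state wins,
        # so a disable that was reverted and redone is judged on the redo.
        latest: Dict[str, dict] = {}
        for r in removals:
            if r["user"] == user and r["system"] in required_systems:
                if r["system"] not in latest or r["ts"] > latest[r["system"]]["ts"]:
                    latest[r["system"]] = r
        missing = [s for s in required_systems if s not in latest]
        evidence = [f'{s}:{latest[s]["actor"]}:{latest[s]["ticket"]}' for s in sorted(latest)]
        if missing:
            # An account still alive on any required system is an orphaned-access
            # finding, however quickly the other systems were handled.
            findings.append(Finding(user, event, effective, None, None, missing,
                                    "no_evidence", evidence))
            continue
        removed_at = max(r["ts"] for r in latest.values())
        delta = removed_at - effective
        hours = round(delta.total_seconds() / 3600, 2)
        status = "late" if delta > SLA else "within_sla"
        findings.append(Finding(user, event, effective, removed_at, hours, [], status, evidence))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status for the audit summary."""
    counts = {"within_sla": 0, "late": 0, "no_evidence": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = assess(HR_EVENTS, IAM_LOG)
    for f in results:
        print(f"{f.user:<6} {f.event:<12} {f.status:<11} hours={f.hours_to_removal} "
              f"missing={f.missing_systems} evidence={f.evidence}")
    print(summarize(results))
```

Two design points matter for the workpaper. The clock stops at the last removal across all required systems, not the first, so a user whose directory account was disabled in an hour but whose SSO profile lingered for two days is reported as late; and a user with no removal record on any required system is reported as "no_evidence" rather than silently skipped, which is exactly the orphaned-account case the risk list calls out. The evidence column carries the actor and ticket for each system so the reviewer can trace who performed the action and when. This check only reads logs; the authentication test in the last step above remains the independent confirmation that the accounts are actually disabled.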