# Access Control Policy

**Version:** 1.4 | **Owner:** IT Security | **Classification:** Internal

## Principles

All access rights must be granted on a **need-to-know basis** (principle of least privilege). Access reviews are conducted **quarterly** by department managers.

## Joiner / Mover / Leaver

| Event | Action | Timeline |
|-------|--------|----------|
| Joiner | Provisioning ticket to IT | Before first day |
| Internal move | Access review with old and new manager | Within 5 working days |
| Leaver | Immediate revocation | Within 2 hours of exit |

## Privileged access

All privileged accounts require:

- Separate named account (no shared admin accounts)
- Approval from department head + CISO
- Annual re-certification
- Session recording in CyberArk