security-policies/policies/access-control.md

# Access Control Policy
**Version:** 1.4 | **Owner:** IT Security | **Classification:** Internal
## Principles
All access rights must be granted on a **need-to-know basis** (principle of least privilege).
Access reviews are conducted **quarterly** by department managers.
## Joiner / Mover / Leaver
| Event | Action | Timeline |
|-------|--------|----------|
| Joiner | Provisioning ticket to IT | Before first day |
| Internal move | Access review with old and new manager | Within 5 working days |
| Leaver | Immediate revocation | Within 2 hours of exit |
## Privileged access
All privileged accounts require:
- Separate named account (no shared admin accounts)
- Approval from department head + CISO
- Annual re-certification
- Session recording in CyberArk