security-policies/policies/access-control.md

Access Control Policy

Version: 1.4 | Owner: IT Security | Classification: Internal

Principles

All access rights must be granted on a need-to-know basis (principle of least privilege). Access reviews are conducted quarterly by department managers.

Joiner / Mover / Leaver

| Event | Action | Timeline |
| --- | --- | --- |
| Joiner | Provisioning ticket to IT | Before first day |
| Internal move | Access review with old and new manager | Within 5 working days |
| Leaver | Immediate revocation | Within 2 hours of exit |

Privileged access

All privileged accounts require:

  • Separate named account (no shared admin accounts)
  • Approval from department head + CISO
  • Annual re-certification
  • Session recording in CyberArk