# Access Control Policy

**Version:** 1.4 | **Owner:** IT Security | **Classification:** Internal

## Principles

All access rights must be granted on a **need-to-know basis** (principle of least privilege).
Access reviews are conducted **quarterly** by department managers.

## Joiner / Mover / Leaver

| Event | Action | Timeline |
|-------|--------|----------|
| Joiner | Provisioning ticket to IT | Before first day |
| Internal move | Access review with old and new manager | Within 5 working days |
| Leaver | Immediate revocation | Within 2 hours of exit |

## Privileged access

All privileged accounts require:
- Separate named account (no shared admin accounts)
- Approval from department head + CISO
- Annual re-certification
- Session recording in CyberArk