Purpose
To ensure access to [Organisation] systems and data is granted only to authorised individuals, limited to what their role requires, and removed promptly when no longer needed.
Scope
Applies to all user, administrator, service and third-party accounts across all systems and applications.
Policy statements
- Access is granted based on defined roles (RBAC) and the principle of least privilege.
- Every user has a unique account; shared accounts are prohibited except where explicitly approved and monitored.
- Multi-factor authentication is required for remote access and all privileged accounts.
- Access rights are reviewed at least quarterly and re-certified by the resource owner.
- Access is revoked within [X hours] of an employee’s exit or role change.
- Use of privileged access is logged and monitored.
Roles & responsibilities
- System owners: approve and periodically certify access to their systems.
- IT/IAM: provision, modify and revoke access per approved requests.
- Managers: initiate access changes for their team members.
Review
Reviewed annually and after any material change to systems or organisational structure.
Template provided by CyberSigma for adaptation. Replace bracketed placeholders and tailor to your environment before adopting. This is guidance, not legal advice.
