Access reviews will be formally documented using the Access Reviews template.
The Security Operations team will periodically perform an access review of IllumiDesk infrastructure accounts, to include a least privilege review.
The Internal Audit team will periodically perform an access review of financial application accounts, to include a least privilege review, as part of routine audits. A comprehensive access audit may be performed based on an annual risk assessment.
Quarterly access reviews and access recertifications are performed for all applications that are determined by Internal Audit to be SOX-in-scope.
For source code security, access reviews for illumidesk.com owners and maintainers will be performed quarterly by the Security Compliance team and verified by Infrastructure for appropriate permissions.
As part of an access review, existing access may be modified or revoked. New access (not modification of existing access) requires the submission of a New Access Request.
An access review includes two parts:
review current access and access level appropriateness, i.e. Does team member need access and are the system entitlements that they have appropriate?
recertification of appropriateness of access and entitlements, i.e. Approve continued access to system at the same level
Please note that access reviews should include a least privilege review. This is considered as part of the review of appropriateness of system entitlements, aka access level.
Review and recertification is generally performed by team member's manager or someone above them in their reporting hierarchy. For example, review can be performed by a Director and include their direct reports' direct reports.
If reviewer is not the manager of team member, reviewer should be the system owner or the data owner, or an individual with sufficient understanding of the system(s), the system entitlements, and the ability to assess the appropriateness of the access granted.
Reviewers must never recertify their own access; this must be reviewed and recertified by an alternate system administrator, system owner, or the primary reviewer's manager (or someone above them in their reporting hierarchy).
An access review should be documented and performed as part of a formal job transfer. This should be initiated by the team member transferring and their new manager.
Please refer to the Access reviews page for additional information.