Control Statement

New user access requests follow an access provisioning workflow. Request forms and authorization are documented and retained.

Context

The purpose of this control is to ensure there is a process in place to review and authorize new user account requests. Ensuring only people who require access to a system or service receive access, helps improve IllumiDesk's overall security posture by limiting the number of accounts with access and reducing the overall likelihood of an account being compromised.

Scope

This control applies to any system or service where user accounts can be provisioned.

Ownership

Control ownership:

• IT Operations

Process ownership:

• IT Operations

• Managers

• Systems Owners

Guidance

• Access requested should be aligned with the user's expected job responsibilities

• The access requested should be approved by appropriate management/system owner/data owner prior to being granted

• Access can be granted on or after employee hire date

• Individuals who provisioned access have to be separate from the individuals that approved access

• The access granted should align with access requested

Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the New Access Provisioning control issue.

Policy Reference

• Access Request Process

• Access Management Process

Framework Mapping

• SOC2 CC

  • CC6.2 - Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.