New user access requests follow an access provisioning workflow. Request forms and authorization are documented and retained.
The purpose of this control is to ensure there is a process in place to review and authorize new user account requests. Ensuring only people who require access to a system or service receive access, helps improve IllumiDesk's overall security posture by limiting the number of accounts with access and reducing the overall likelihood of an account being compromised.
This control applies to any system or service where user accounts can be provisioned.
Access requested should be aligned with the user's expected job responsibilities
The access requested should be approved by appropriate management/system owner/data owner prior to being granted
Access can be granted on or after employee hire date
Individuals who provisioned access have to be separate from the individuals that approved access
The access granted should align with access requested
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the New Access Provisioning control issue.
Access Request Process
Access Management Process
CC6.2 - Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.