Access Provisioning and Deprovisioning Policy
Overview
This policy establishes the requirements and processes for securely granting, modifying, and revoking access to company systems, applications, and data—for all identities, both human and non-human (e.g., API accounts, service accounts, bots). Its goal is to minimize unauthorized access risk, support compliance, and ensure all access is appropriate for the assigned purpose.
Scope
This policy applies to all information systems, applications, data, and resources owned, managed, or controlled by the company. It covers all users, including employees, contractors, vendors, and third parties, as well as non-human identities such as service accounts, API keys, automation bots, and application integrations.
Definitions
- Provisioning: The process of granting access to resources, systems, or data.
- Deprovisioning: The process of removing or disabling access when no longer needed.
- Joiner: A new employee, contractor, third party, or non-human identity (such as a service account or API integration) requiring system access.
- Mover: An existing human or non-human identity whose role, configuration, or business need has changed.
- Leaver: A human user whose employment, contract, or business relationship has ended, or a non-human identity (e.g., API key, bot, integration) that is no longer required or authorized.
- Non-Human Identity: Any account, credential, or identity used by applications, scripts, bots, APIs, integrations, or systems—not tied to a specific human individual.
- Privileged Access: Elevated permissions beyond standard access, including admin, root, and service accounts with broad system privileges.
- Access Review: The periodic evaluation of all access rights (human and non-human) to ensure appropriateness.
Policy Requirements
Provisioning:
- Access is granted only upon documented, role-based approval from the appropriate manager or data owner.
- All identities (human and non-human) are granted only the minimum permissions necessary for their purpose (principle of least privilege).
- Provisioning for non-human identities (e.g., API keys, service accounts, bots) must follow the same review, documentation, and approval processes as for human users.
- Service accounts and API keys must be unique, not shared, and clearly documented with their business purpose and owner.
- Requests for privileged access (including for non-human identities) require additional justification and multi-level approval.
Deprovisioning:
- Access must be removed immediately upon employment termination, contract completion, or decommissioning of a non-human identity, or when its business purpose ends. Access that is no longer required after a role change must be removed as part of the mover process. Decommissioning a non-human identity includes revoking or rotating any credentials (API keys, tokens, passwords) it used, so that copies of the secret held elsewhere can no longer be used.
- The HR or business manager must notify IT/Security promptly of all leaver and mover events, including scheduled removal or modification of non-human accounts.
- IT/Security must log and verify all access removals and document the completion of deprovisioning steps for both human and non-human identities.
Modification (Movers):
- Access for movers (including updates to non-human identities such as API permissions or bot scopes) must be updated promptly to reflect new duties or requirements.
- Excess or outdated permissions must be removed during transitions.
Access Reviews:
- Periodic access reviews (at least quarterly for critical systems) must include both human and non-human identities.
- All inappropriate, orphaned, or unnecessary access discovered must be removed immediately.
- Owners of non-human identities must validate ongoing business need and appropriate permission levels.
Audit and Documentation:
- All provisioning, modification, and deprovisioning activities—human and non-human—must be logged and auditable.
- Access management records (including documentation for all non-human identities) must be retained according to company record retention policies.
Roles and Responsibilities
- Managers: Approve and review access requests for all human and non-human identities; participate in periodic access reviews; promptly notify IT/Security of changes or departures.
- IT/Security Team: Implement access changes for all identities; maintain logs and records; enforce provisioning and deprovisioning processes; conduct access reviews; ensure non-human identities are tracked and managed.
- HR Department: Communicate personnel status changes to IT/Security; coordinate onboarding and offboarding.
- Application/Integration Owners: Assign owners for each non-human identity; regularly review and validate necessity, permissions, and security of all such accounts.
- Users: Only use access provided for authorized business purposes; report any inappropriate access or security issues.
Enforcement / Compliance
- Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract, and possible legal action.
- This policy supports compliance with relevant legal, regulatory, and industry standards (e.g., SOX, HIPAA, GDPR, PCI DSS).
Exceptions
Requests for exceptions must be formally documented, approved by the Chief Information Security Officer, and reviewed regularly.
Review and Revision
This policy is reviewed at least annually or upon significant changes to technology, business processes, or regulatory requirements.
Policy Management
Version Control
- Current version: 1.0
- Effective date: [Date]
- Review frequency: Annual or upon significant technology/threat changes
Responsibilities
- Policy Owner: Chief Information Security Officer
- Implementation: IT Security Team
- Compliance Monitoring: Security Operations Center
- User Support: IT Help Desk
References
- NIST Special Publication 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
- NIST Special Publication 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management
- ISO/IEC 27001:2013 Annex A.9: Access Control
- SANS Institute Access Control Policy Templates
- SOX, HIPAA, GDPR, PCI DSS
Everyday Identity – Breaking down Identity, one post at a time.
This document is intended as a general best-practices template and should be customized to meet your organization’s specific legal, compliance, and operational needs.