Access credentials are issued with appropriate authorization
New access should require explicit approval before it is granted. Access that is provisioned without a formal request and approval process creates accounts that are hard to justify during an audit and often exceed what the user actually needs. This control requires that every grant of access is documented, approved by an appropriate person, and traceable.
Implementation steps
1. Define an access request and approval process
   Document who can request access, who approves it, and what is required in the request. At minimum: the requester, the resource being requested, the business justification, and the approver. Access to sensitive systems (production, customer data, admin consoles) should require manager or security team approval.
   Tools: Jira, ServiceNow, Confluence, Notion
2. Implement approval workflows in your IAM or ticketing system
   Use your identity management or ITSM system to enforce the approval workflow. When a user requests elevated access, the system should route the request to the appropriate approver and only provision access after approval is recorded. The approval record should be retained for audit evidence.
   Tools: Okta, AWS IAM, Jira, ServiceNow
3. Conduct new hire access provisioning with documented approval
   For new hires, document the access granted during onboarding and who approved it. Use a checklist or onboarding ticket that lists what access was provisioned, by whom, and with what authorization. This creates a baseline access record for each employee.
   Tools: Rippling, Workday, Okta, Jira
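The steps above boil down to one auditable property: every provisioned grant must trace back to a request that was justified, approved by someone other than the requester (and, for sensitive systems, by a manager or security approver), and approved before the access was provisioned. The script below is an added example, not code from this control page or from any of the tools it names. It reconciles a list of provisioning events against a list of access requests and reports each grant that fails one of those checks. The record formats, field names, the `SENSITIVE_RESOURCES` and `PRIVILEGED_APPROVERS` sets, and all sample tickets and users are constructed for illustration; in practice the two inputs would be exported from the ticketing system and the IAM audit log.

```python
"""Reconcile access grants against approved access requests.

Added example: flags grants that have no request, an unapproved or
self-approved request, a request whose user/resource differs, an approval
recorded after the grant, or (for sensitive resources) an approver who is
not a manager or security team member. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class AccessRequest:
    ticket: str
    requester: str
    resource: str
    justification: str
    approver: Optional[str] = None        # None until someone approves
    approved_at: Optional[datetime] = None


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    granted_at: datetime
    ticket: Optional[str] = None          # request reference recorded at provisioning time


# Constructed policy data (assumptions for the example, not from the page).
SENSITIVE_RESOURCES = {"aws-prod-admin", "customer-db"}
PRIVILEGED_APPROVERS = {"manager.a", "security-lead"}


def check_grant(grant: Grant, requests_by_ticket: Dict[str, AccessRequest]) -> Optional[str]:
    """Return a finding if the grant is not backed by a valid approval, else None."""
    if grant.ticket is None:
        return "no access request referenced"
    req = requests_by_ticket.get(grant.ticket)
    if req is None:
        return f"referenced request {grant.ticket} not found"
    if (req.requester, req.resource) != (grant.user, grant.resource):
        return f"grant does not match request {req.ticket} (user/resource differ)"
    if not req.justification.strip():
        return f"request {req.ticket} has no business justification"
    if req.approver is None or req.approved_at is None:
        return f"request {req.ticket} was never approved"
    if req.approver == req.requester:
        return f"request {req.ticket} was self-approved"
    if req.approved_at > grant.granted_at:
        return f"access granted before request {req.ticket} was approved"
    if grant.resource in SENSITIVE_RESOURCES and req.approver not in PRIVILEGED_APPROVERS:
        return f"sensitive resource approved by {req.approver}, not a manager or security approver"
    return None


def audit_grants(grants: List[Grant], requests: List[AccessRequest]) -> List[Tuple[str, str, str]]:
    """Return (user, resource, reason) for every grant that fails a check."""
    by_ticket = {r.ticket: r for r in requests}
    findings = []
    for g in grants:
        reason = check_grant(g, by_ticket)
        if reason:
            findings.append((g.user, g.resource, reason))
    return findings


# Constructed sample data covering one clean grant and each failure mode.
SAMPLE_REQUESTS = [
    AccessRequest("ACC-101", "alice", "github-org", "Joining platform team", "manager.a", ts("2024-05-01T09:00:00")),
    AccessRequest("ACC-102", "bob", "aws-prod-admin", "On-call rotation", "bob", ts("2024-05-02T10:00:00")),
    AccessRequest("ACC-103", "carol", "customer-db", "Support escalations", "dave", ts("2024-05-03T11:00:00")),
    AccessRequest("ACC-104", "erin", "github-org", "Contractor onboarding"),
    AccessRequest("ACC-105", "frank", "aws-prod-admin", "Incident response", "security-lead", ts("2024-05-05T12:00:00")),
]
SAMPLE_GRANTS = [
    Grant("alice", "github-org", ts("2024-05-01T09:30:00"), "ACC-101"),       # properly approved
    Grant("bob", "aws-prod-admin", ts("2024-05-02T10:05:00"), "ACC-102"),    # self-approved
    Grant("carol", "customer-db", ts("2024-05-03T11:30:00"), "ACC-103"),     # peer approved a sensitive resource
    Grant("erin", "github-org", ts("2024-05-04T08:00:00"), "ACC-104"),       # request never approved
    Grant("frank", "aws-prod-admin", ts("2024-05-05T11:00:00"), "ACC-105"),  # provisioned before approval
    Grant("grace", "customer-db", ts("2024-05-06T09:00:00")),                # no ticket at all
]

if __name__ == "__main__":
    for user, resource, reason in audit_grants(SAMPLE_GRANTS, SAMPLE_REQUESTS):
        print(f"{user:6} {resource:15} {reason}")
```

Run periodically (or as part of an access review) the output is itself audit evidence: each line is a grant that cannot be justified from the request record and needs either a retroactive approval or removal. The ordering of checks matters: a grant whose ticket points at a different user or resource is reported before any approval fields are examined, so a ticket reused to justify unrelated access is not accepted just because the original request was approved.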
Evidence required
Access request and approval records
Documentation showing that access grants were requested, approved, and provisioned per a defined process.
- Jira or ServiceNow access request tickets with approver comments
- Okta access request workflow configuration
- New hire onboarding checklist with access provisioning sign-off

Access provisioning policy
A documented procedure for how access is requested and approved.
- Access control policy with provisioning section
- User access management procedure
- Onboarding guide with access request instructions
Related controls
- Logical access security measures restrict access to assets (Logical and Physical Access)
- Role-based access is used and reviewed periodically (Logical and Physical Access)
- Physical access to facilities and systems is restricted (Logical and Physical Access)
- Access is removed or modified when no longer required (Logical and Physical Access)