cc6-3 Critical priority Security / Logical and Physical Access

Role-based access is used and reviewed periodically

Access permissions accumulate over time. People change roles, projects end, and permissions granted for a specific purpose are never removed. Periodic access reviews — where each user's access is compared against their current role — are the mechanism for correcting this drift. Without reviews, privileged access grows unchecked and auditors will find accounts with access far exceeding what is justified.

Complete first: cc6-2

Implementation steps

  1. Define access roles aligned to job functions

     Create a role-based access model where permissions are granted by assigning roles, not individually. Define roles for common job functions: developer, admin, read-only, support, etc. Document what each role can access. This makes it possible to review access at the role level rather than per-user.

     aws-iam okta google-workspace azure-ad

  2. Conduct user access reviews at least quarterly

     At least every 90 days, review all user access to in-scope systems. For each user, verify that their current access is appropriate for their current role. Remove or reduce access that is no longer needed. Document the review completion, including reviewer, date, and any access changes made.

     okta vanta drata google-sheets notion

  3. Review privileged access more frequently

     Privileged accounts — production admin access, root accounts, database admin roles — should be reviewed monthly. Privileged access should be time-limited where possible (just-in-time access). The number of users with privileged access should be minimized and documented.

     aws-iam cyberark okta-pam hashicorp-vault
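The three steps above, worked as one added example that is not part of this control page: a Python check that compares each user's granted permissions against a role model, flags drift and privileged grants that are not time-limited or have already expired, and emits the completion record the evidence section asks for. The role names, permission names, users and review date are all constructed.

```python
from datetime import date

# Constructed role model (step 1): role -> permissions it is allowed to grant.
ROLES = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "read-only": {"repo:read"},
    "prod-admin": {"repo:read", "prod:deploy", "prod:ssh"},
}
# Permissions treated as privileged (step 3); constructed names.
PRIVILEGED = {"prod:deploy", "prod:ssh", "db:admin"}
# Constructed grant records: what each user actually holds today, plus the
# expiry of a just-in-time grant where one was issued.
GRANTS = [
    {"user": "alice", "role": "developer", "expires": None,
     "perms": {"repo:read", "repo:write", "ci:run", "prod:ssh"}},
    {"user": "bob", "role": "read-only", "expires": None,
     "perms": {"repo:read"}},
    {"user": "carol", "role": "prod-admin", "expires": date(2024, 1, 15),
     "perms": {"repo:read", "prod:deploy", "prod:ssh"}},
]
TODAY = date(2024, 3, 1)  # constructed review date

def review_access(grants, roles, privileged, today, reviewer):
    """Compare each user's actual permissions with their role (step 2).
    Returns (findings, record): findings are (user, issue, permissions)
    tuples to act on; record is the completion evidence for the review."""
    findings = []
    for g in grants:
        allowed = roles.get(g["role"], set())
        # Drift: permissions the user holds that their role does not grant.
        excess = g["perms"] - allowed
        if excess:
            findings.append((g["user"], "excess", sorted(excess)))
        held_priv = g["perms"] & privileged
        # Privileged access should be just-in-time, i.e. carry an expiry.
        if held_priv and g["expires"] is None:
            findings.append((g["user"], "privileged-not-time-limited", sorted(held_priv)))
        # A JIT grant past its expiry should already have been removed.
        if g["expires"] is not None and g["expires"] < today:
            findings.append((g["user"], "expired-jit-grant", sorted(held_priv)))
    record = {"reviewer": reviewer, "date": today.isoformat(),
              "users_reviewed": len(grants), "changes_required": len(findings)}
    return findings, record

if __name__ == "__main__":
    found, rec = review_access(GRANTS, ROLES, PRIVILEGED, TODAY, "security-lead")
    for user, issue, perms in found:
        print(f"{user}: {issue} {perms}")
    print(rec)
```

In practice the GRANTS list would be exported from the identity provider or IAM API rather than typed in; the record dict is what a reviewer signs off and files as evidence.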

Evidence required

Access review records

Documentation of completed periodic access reviews with dates, reviewers, and outcomes.

  - Quarterly access review spreadsheet with reviewer sign-off
  - Vanta or Drata access review completion report
  - Okta access certification report

Role definitions documentation

Evidence of a defined role-based access model.

  - IAM role definitions and permission boundaries
  - Access control matrix showing roles and permissions
  - Access control policy with role descriptions

Related controls