cc6-5 Critical priority Security / Logical and Physical Access

Access is removed or modified when no longer required

Access that is not actively removed when a person leaves or changes roles becomes a standing vulnerability. Former employees with active credentials are one of the most avoidable causes of unauthorized access incidents. This criterion requires a formal process for deprovisioning access promptly when it is no longer needed: terminations, role changes, contractor offboarding, and project completions.

Complete first: cc6-2

Implementation steps

  1. Define and enforce an offboarding process with access revocation

     Document an offboarding checklist that includes access revocation as a required step. On the employee's last day, accounts must be disabled: SSO provider, email, cloud consoles, code repositories, SaaS tools, and any shared credentials. Disable accounts before or on the last day; do not leave this to a weekly batch process.

     Tools: okta, google-workspace, azure-ad, rippling, workday

  2. Modify access immediately on role changes

     When an employee transfers to a different team or takes on a different role, their old access should be removed and new access granted per the access request process. Do not accumulate access over time. Use a role-change ticket or HR workflow that triggers access modification.

     Tools: okta, jira, servicenow, rippling

  3. Audit for orphaned accounts regularly

     Run periodic checks (at least quarterly, ideally monthly) to identify accounts that belong to users no longer in your HR system. Cross-reference your identity provider user list against your HR system. Disable or delete accounts that cannot be matched to an active employee or contractor.

     Tools: okta, google-workspace, aws-iam, drata, vanta
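The orphaned-account check in step 3 (and the "was it actually revoked on the last day" question behind step 1) comes down to a reconciliation between two exports: the identity provider's user list and the HR roster. The script below is an added example, not code from the original page or from any of the tools listed; it runs against constructed sample records embedded inline, and the field names (`email`, `status`, `end_date`, `login`) are assumptions about the export shape, not a real Okta or HRIS schema. It flags every IdP account that is still active but has no matching active person in HR, and for known terminations it reports how many days the revocation is overdue, which is the number an auditor will ask about.

```python
"""Reconcile an IdP user export against the HR roster (CC6.5 step 3).

Findings are IdP accounts that are still enabled although the person is
terminated in HR, or that have no HR record at all. All data below is
constructed sample data; the column names are assumed, not a real schema.
"""
from datetime import date

# Constructed HR roster export. `status` is "active" or "terminated";
# `end_date` is ISO 8601 for terminated people, None otherwise (assumed shape).
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active", "end_date": None},
    {"email": "bob@example.com", "status": "terminated", "end_date": "2024-03-01"},
    {"email": "carol@example.com", "status": "active", "end_date": None},
    {"email": "dave@example.com", "status": "terminated", "end_date": "2024-05-20"},
]

# Constructed IdP user export (assumed shape; real IdP listings differ).
IDP_USERS = [
    {"login": "alice@example.com", "status": "ACTIVE"},
    {"login": "bob@example.com", "status": "ACTIVE"},          # terminated in HR, still enabled
    {"login": "Carol@Example.com", "status": "ACTIVE"},        # case differs; must still match
    {"login": "dave@example.com", "status": "DEPROVISIONED"},  # correctly disabled
    {"login": "svc-backup@example.com", "status": "ACTIVE"},   # no HR record at all
    {"login": "erin@example.com", "status": "SUSPENDED"},      # already not active; skip
]

# IdP statuses that mean the account can still authenticate (assumed values).
ACTIVE_IDP_STATUSES = {"ACTIVE", "PROVISIONED"}


def normalize(email: str) -> str:
    """Emails are compared case-insensitively; mixed case must not hide a match."""
    return email.strip().lower()


def active_hr_identities(hr_roster) -> set:
    """Set of normalized emails for people HR considers currently employed."""
    return {normalize(r["email"]) for r in hr_roster if r["status"] == "active"}


def find_orphaned_accounts(idp_users, hr_roster, as_of: str):
    """Return findings for IdP accounts that should not still be enabled.

    Each finding carries the login, a reason, and for known terminations the
    number of days the account has outlived the person's end date as of `as_of`
    (an ISO date string). Results are sorted by login for stable evidence.
    """
    today = date.fromisoformat(as_of)
    active_people = active_hr_identities(hr_roster)
    hr_by_email = {normalize(r["email"]): r for r in hr_roster}
    findings = []
    for user in idp_users:
        # Accounts that are already suspended or deprovisioned are not exceptions.
        if user["status"] not in ACTIVE_IDP_STATUSES:
            continue
        email = normalize(user["login"])
        if email in active_people:
            continue
        record = hr_by_email.get(email)
        if record is None:
            # Service accounts and unmanaged logins land here; each needs an owner
            # and a documented justification, or it gets disabled.
            findings.append({"login": user["login"], "reason": "no HR record",
                             "days_overdue": None})
        else:
            end = date.fromisoformat(record["end_date"])
            findings.append({"login": user["login"], "reason": "terminated in HR",
                             "days_overdue": (today - end).days})
    return sorted(findings, key=lambda f: f["login"])


if __name__ == "__main__":
    for f in find_orphaned_accounts(IDP_USERS, HR_ROSTER, "2024-06-01"):
        print(f"{f['login']:<28} {f['reason']:<18} overdue={f['days_overdue']}")
```

Run monthly against fresh exports and keep the output as the evidence artifact for the "Access review showing no active accounts for former employees" item; a clean run is a report with zero findings, and any "terminated in HR" finding with a positive `days_overdue` is a step 1 failure to feed back into the offboarding checklist.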

Evidence required

Offboarding checklist or procedure

Documentation showing access revocation is part of the offboarding process.

  • HR offboarding ticket with access revocation checklist
  • Offboarding procedure document with IT access steps
  • HRIS workflow showing IT notification on termination

Termination access revocation records

Evidence that access was actually revoked for departed employees.

  • Okta or Google Workspace account suspension log
  • IT offboarding completion records for a sample of terminated users
  • Access review showing no active accounts for former employees

Related controls