Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance.
The principle of separation of duties should also be considered when conducting user access reviews. Access should be reviewed when users resign, are terminated, change roles, and/or no longer need the authorization to carry out duties for any other reason.
- Determine if the required frequency for review of accounts is established.
- Determine if accounts are reviewed for compliance, including the level of access and conflicting access, following the principle of least privilege and consideration of separation of duties.
- Determine if accounts are reviewed at the organization-defined frequency.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.