IAM-08: User Access Review

CSF v1.1 References:

PF v1.0 References:

Threats Addressed:

Info icon.

Control is new to this version of the control set and incorporates the following item from the previous version: IAM-10: User Access Reviews.

Control Statement

Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance.

Implementation Guidance

The principle of separation of duties should also be considered when conducting user access reviews. Access should be reviewed when users resign, are terminated, change roles, and/or no longer need the authorization to carry out duties for any other reason.

Auditing Guidance

  1. Determine if the required frequency for review of accounts is established.
  2. Determine if accounts are reviewed for compliance, including the level of access and conflicting access, following the principle of least privilege and consideration of separation of duties.
  3. Determine if accounts are reviewed at the organization-defined frequency.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.