Revocation of security access required within 24 hours of major employment change
Security access management to department systems is a key set of internal controls that requires coordination among your HR/Payroll team, IT staff, and Department Security Officers (DSO). The Executive Office of Technology Services and Security (EOTSS) Enterprise Information Security ISP.003 Access Management Policy and IS.014 Access Management Standard provide guidance on controls that must be built into your written system of internal controls and incorporated into daily operations.
Because access management is a routine focus of audits, departments must pay particular attention to promptly removing system access within 24 hours of a major employment change (e.g., retirement, transfer, termination, suspension). Importantly, disabling network access alone (such as Office365 or Single Sign-On) is not sufficient. All access, across applications, networks, ServiceNow, data repositories, MFA, and VPN, must be removed.
IT staff and DSOs must log and retain documentation of all account security deactivations. Leaving credentials active, especially those with administrative access, creates security risks and potential audit findings.
Action Steps
- Maintain employee security profiles that list all system and application access granted at onboarding and throughout employment.
- Ensure HR/Payroll procedures require immediate notification to IT staff and DSOs of planned employment changes so access can be removed within 24 hours, or immediately in the case of emergency terminations.
- Require IT staff and DSOs to remove all network and system access listed in the employee's security profile within 24 hours of the change.
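The three steps above describe one control: the security profile is the inventory, the HR event starts the clock, and the deactivation log is the evidence. The following is an added example, not code from the CTR page or from EOTSS, of a small reconciler that checks that evidence the way an auditor would: every grant in the profile must have a logged deactivation on or before the deadline (24 hours after the event, or the event time itself for an emergency termination). The profile and log layouts, the employee ID, the timestamps and the "by" field are all constructed assumptions; the system names are the ones the page lists.

```python
"""Reconcile an employee security profile against the deactivation log.

Added example for the CTR compliance note above; the data layouts,
sample values and function names are assumptions, not an EOTSS format.
"""
from datetime import datetime, timedelta

REVOCATION_WINDOW = timedelta(hours=24)
# Event types for which the page requires immediate removal, not 24 hours.
EMERGENCY_EVENTS = {"emergency termination"}

# Constructed sample profile: every grant recorded at onboarding or later.
SAMPLE_PROFILE = {
    "employee_id": "E-0001",  # constructed value
    "access": [
        {"system": "Office365", "role": "user"},
        {"system": "SSO", "role": "user"},
        {"system": "VPN", "role": "user"},
        {"system": "MFA", "role": "enrolled device"},
        {"system": "ServiceNow", "role": "fulfiller"},
        {"system": "HR data repository", "role": "admin"},
    ],
}

# Constructed deactivation log: only the network-facing accounts were handled,
# and the VPN one was handled late. MFA, ServiceNow and the repository are missing.
SAMPLE_LOG = [
    {"employee_id": "E-0001", "system": "Office365",
     "deactivated_at": "2024-03-01T10:00:00Z", "by": "it-ops"},
    {"employee_id": "E-0001", "system": "SSO",
     "deactivated_at": "2024-03-01T10:05:00Z", "by": "it-ops"},
    {"employee_id": "E-0001", "system": "VPN",
     "deactivated_at": "2024-03-02T11:30:00Z", "by": "dso"},
]


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-01T10:00:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def reconcile(profile, log, event_at, event_type="transfer"):
    """Return one finding per grant: OK (revoked in time), LATE, or OPEN (no record)."""
    event = parse_ts(event_at)
    deadline = event if event_type in EMERGENCY_EVENTS else event + REVOCATION_WINDOW
    records = {r["system"]: r for r in log if r["employee_id"] == profile["employee_id"]}
    findings = []
    for grant in profile["access"]:
        record = records.get(grant["system"])
        if record is None:
            status = "OPEN"
        elif parse_ts(record["deactivated_at"]) <= deadline:
            status = "OK"
        else:
            status = "LATE"
        findings.append({
            "system": grant["system"],
            "role": grant["role"],
            "privileged": grant["role"] == "admin",
            "status": status,
            "deactivated_at": record["deactivated_at"] if record else None,
            "by": record["by"] if record else None,
        })
    return findings


def summarize(findings):
    """Roll findings up into the yes/no answer an audit asks for."""
    counts = {"OK": 0, "LATE": 0, "OPEN": 0}
    for f in findings:
        counts[f["status"]] += 1
    # Administrative access that is late or still open is the worst case.
    privileged_open = [f["system"] for f in findings
                       if f["privileged"] and f["status"] != "OK"]
    return {
        "compliant": counts["LATE"] == 0 and counts["OPEN"] == 0,
        "counts": counts,
        "privileged_open": privileged_open,
    }


if __name__ == "__main__":
    results = reconcile(SAMPLE_PROFILE, SAMPLE_LOG, "2024-03-01T09:00:00Z", "transfer")
    for f in results:
        print(f"{f['status']:<5} {f['system']:<20} {f['role']:<16} "
              f"{f['deactivated_at'] or '-'} {f['by'] or '-'}")
    print(summarize(results))
```

Run against the constructed data, the report shows exactly the failure mode the page warns about: disabling Office365 and SSO produces two OK lines, while MFA, ServiceNow and the repository remain OPEN and the VPN removal is LATE, so the change is non-compliant and the open administrative grant is called out separately. Passing "emergency termination" as the event type moves the deadline to the event time itself, and even the Office365 removal an hour later is then reported as LATE.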
Work with your Internal Control Officer and your IT staff to verify that your department has detailed documentation, day-to-day management, and monitoring of these requirements.
Bookmark our CTR Compliance Corner as your one-stop shop for alerts and success factors that you can integrate into your daily operations to keep you safe on your mission.