6.2
IG1 IG2 IG3

Establish an Access Revoking Process

Asset Type: Users
Security Function: Protect

Description

Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Enable logging on all in-scope systems
7. Configure log forwarding to centralized SIEM
8. Define log retention periods per policy
9. Establish log review schedule and procedures
10. Draft policy/procedure document
11. Obtain stakeholder review and approval
12. Communicate to affected personnel
13. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Terminated Employee Retains System Access

Confidentiality

A terminated employee retains access to enterprise systems for days or weeks after departure because no revocation process exists, enabling data theft or retaliatory sabotage.

Contractor Access Persists After Engagement Ends

Confidentiality

Third-party contractor accounts remain active indefinitely after their engagement ends because no revocation process triggers deprovisioning when the business relationship terminates.

Privilege Accumulation Without Revocation on Role Change

Integrity

Users who change departments or roles retain their previous access in addition to new role permissions, gradually accumulating excessive privileges across the enterprise.

Vulnerabilities (When Safeguard Absent)

No Formal Access Revocation Process

Without a defined process for revoking access upon termination or role change, accounts remain active and privileged long after the user's authorization has ended.

No Integration Between HR and IT for Deprovisioning

Without automated or procedural links between HR termination events and IT account deprovisioning, there is no trigger to disable accounts when users leave the organization.
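The HR-to-IT link described in this safeguard, as an added illustration that is not part of the CIS text: an HR feed drives a directory reconciliation that disables (never deletes) accounts of terminated users and expired contractor engagements, and strips entitlements left over from a previous role. The record schema, the role-to-group baseline and all sample users are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class HrRecord:            # one row of the HR feed (constructed schema)
    user: str
    status: str            # "active" or "terminated"
    role: str
    end_date: date = None  # contractor engagement end, if any

@dataclass
class Account:             # one directory account
    user: str
    enabled: bool
    groups: set

ROLE_GROUPS = {  # hypothetical baseline: entitlements each role should hold
    "finance-analyst": {"all-staff", "finance-ro"},
    "finance-manager": {"all-staff", "finance-ro", "finance-approve"},
    "contractor-dev": {"all-staff", "dev-repo"},
}

def reconcile(hr_feed, directory, today):
    """Drive directory state from HR events; disable, never delete. Returns actions taken."""
    audit, hr = [], {r.user: r for r in hr_feed}
    for acct in directory.values():
        rec = hr.get(acct.user)
        if rec is None:
            continue  # no HR owner: out of scope here, flag for review in practice
        if rec.status == "terminated" or (rec.end_date and rec.end_date < today):
            if acct.enabled:  # idempotent: a second run logs nothing new
                acct.enabled = False
                audit.append((acct.user, "disable", "terminated or engagement ended"))
            continue
        excess = acct.groups - ROLE_GROUPS.get(rec.role, set())  # left over from a prior role
        if excess:
            acct.groups -= excess
            audit.append((acct.user, "revoke", sorted(excess)))
    return audit

def run_example():  # constructed sample data, not from any real system
    hr = [HrRecord("bob", "active", "finance-analyst"),  # moved from manager to analyst
          HrRecord("carol", "terminated", "finance-manager"),
          HrRecord("dave", "active", "contractor-dev", date(2024, 1, 31))]
    directory = {
        "bob": Account("bob", True, {"all-staff", "finance-ro", "finance-approve"}),
        "carol": Account("carol", True, {"all-staff", "finance-ro", "finance-approve"}),
        "dave": Account("dave", True, {"all-staff", "dev-repo"}),
    }
    return reconcile(hr, directory, date(2024, 3, 1)), directory
```

The returned audit list is the evidence record the safeguard asks for; a disabled account keeps its group memberships so the trail of what the user held at departure survives.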

Evidence Requirements

Type      | Evidence Item                                                              | Collection Frequency
----------|----------------------------------------------------------------------------|---------------------
Technical | Configuration screenshots or exports showing protection controls enabled   | Captured quarterly
Document  | Procedure documentation for protection measures                            | Reviewed annually
Technical | SIEM dashboard showing log sources and collection status                   | Captured monthly
Record    | Log review records and findings                                            | Per review cycle
Document  | Governing policy document (current, approved, communicated)                | Reviewed annually