BACKGROUND AND KEY RISKS: Effective user access provisioning and deprovisioning controls are critical to help reduce the risk of unauthorized access to sensitive data by granting access only when it is needed, ensuring that the assigned user roles/privileges are appropriate, disabling access within a timely manner when no longer required, and regularly monitoring access for appropriateness. These controls are especially important to be in place and operating effectively for users who have “administrator” access to the system. Access control gaps can result in individuals not having proper authorization to the system and related data, having access beyond what is required for their job role, and retaining access when it is no longer required.


  • Ensure that documentation (e.g., policy, procedure) exists outlining ownership and oversight of system/application provisioning and deprovisioning controls.
  • Ensure that all access requests are documented (preferably through a consistent mechanism, such as an access request form) and are approved by the/an appropriate individual.
  • Implement controls to ensure the timely disablement/removal of system/application access. Authentication that relies on Active Directory settings through a user’s network account can mitigate the risk of a terminated user from using their system/application controls provided that this access is disabled/removed timely. In either case, those responsible for system/application provisioning/deprovisioning should identify ways (e.g., a termination report that HR can produce) to proactively identify terminated employees and transferring employees timely and disable/remove access.
  • Periodically ensure that system/application user accounts are reviewed periodically for continued appropriateness. In many instances, the assistance of an IS team or other individual/function is needed by management in order to produce a system/application user listing that also shows the role(s)/privileges assigned to users. Management – not IS – is in the best position to comment on a user’s need to continued access. Documentation supporting the performance of a user access review should be maintained by the system owner/function who shared user access listings with others for review for a minimum of one year, or until the next review is performed.