
Control 5.18: Access Rights


Summary

Access rights to information and other associated assets should be provisioned, reviewed, modified, and removed in accordance with the organization's topic-specific policy and rules for access control. This ensures the principle of least privilege is maintained over time, not just at the moment access is first granted.


Applicability

In-Scope: Critical for maintaining the security of the digital perimeter. It prevents privilege creep, where users accumulate access they no longer need as they change roles within the company.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Provisioning: Use Entra ID Access Packages and Entitlement Management to automate the granting of access based on department or project membership.

  • Periodic Review: Enable Entra ID Access Reviews to force group owners or managers to verify that their team members still require specific permissions.

  • Revocation: Automate the removal of access rights via Lifecycle Workflows when an employee's status changes in the HR system.


Evidence Checklist

  • Access Rights Records: Logs showing the approval and granting of permissions for sensitive folders or applications.

  • Review Evidence: Documentation showing that access reviews were conducted and that unnecessary permissions were subsequently removed.

  • Termination Records: Evidence of access revocation within the required timeframe for departed personnel.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What is the formal approval process for a user requesting access to a folder or application containing highly confidential data?

  • How do you identify users who have access rights that are no longer consistent with their current job responsibilities?

  • Can you provide evidence of a recent access review where permissions were modified or revoked as a result?

  • How are access rights for third-party contractors or guests managed and periodically validated?