Access & Identity Management Policy
Document Version: 1.0
Last Updated: July 19, 2025
Owner: Security & Compliance Lead
Applicable Controls: CC6.1, CC6.3, CC7.1
1. Purpose
This policy defines the requirements for secure access and identity management at DevSecOpsBook. It ensures that access to systems and data is granted based on the principle of least privilege, managed securely, and reviewed regularly.
2. Scope
This policy applies to all employees, contractors, systems, applications, and infrastructure managed or operated by DevSecOpsBook, including cloud and on-premises environments.
3. Policy Statements
3.1 Identity and Access Management (IAM) Controls
- All users must be uniquely identified using individual accounts. Shared accounts are prohibited except for break-glass scenarios, which must be logged and justified.
- Authentication must be performed using strong mechanisms, including multi-factor authentication (MFA) for all privileged or remote access.
- Access to systems and services must be provisioned using role-based access control (RBAC).
- Service accounts must be created with minimal privileges and must not be used by humans.
3.2 Privilege Separation
- Administrative privileges must be assigned only to users with a documented business need.
- All elevated access must be explicitly approved by a system owner or compliance officer.
- Privileged operations must be logged and monitored.
- Developers and QA engineers must not have direct access to production systems unless required and explicitly approved.
3.3 Access Request & Approval Workflow
- Access must be requested via a formal process (e.g., ticketing system) and approved by the respective data or system owner.
- All access grants, changes, and revocations must be logged and auditable.
4. Review and Recertification
4.1 Quarterly Access Reviews
- Quarterly reviews must be conducted to verify that all users still require access, especially to sensitive systems.
- System owners must validate active users, roles, and permissions.
- Findings must be documented, and unnecessary access must be revoked within 5 business days.
4.2 Offboarding & Deprovisioning
- Upon employee or contractor termination, all access must be revoked within 24 hours.
- Offboarding must include disabling accounts, revoking credentials, and reclaiming issued devices or tokens.
5. Monitoring and Logging
- All authentication events (logins, failed attempts, MFA use) and privilege escalations must be logged and monitored.
- Logs must be retained for at least 1 year and integrated into the central security monitoring platform.
6. Exceptions
Any exceptions to this policy must be formally documented and approved by the Security & Compliance Lead. Compensating controls must be implemented for any deviations.
7. Enforcement
Violations of this policy may result in disciplinary actions up to and including termination, legal action, or both, depending on the severity of the breach.