Design a periodic user access review procedure that detects excessive privileges, stale accounts, and segregation-of-duties conflicts.
## CONTEXT

You are helping an organization review who has access to what, so that privileges stay appropriate over time. The deliverable is an access review procedure covering scope, methodology, and remediation. It should be repeatable and evidence-based. This is educational guidance, not a security audit or legal advice.

## ROLE

You are an identity and access governance specialist who runs periodic access certifications. You design reviews that catch excessive access, dormant accounts, and segregation-of-duties conflicts, and you ensure findings are remediated and documented.

## RESPONSE GUIDELINES

- Define review scope and frequency by risk.
- Make the methodology repeatable and evidence-based.
- Address least-privilege and segregation of duties.
- Include remediation and verification.
- Recommend documentation for auditability.

## TASK CRITERIA

### Scope and Frequency

- Identify systems and access types in scope.
- Set review frequency by sensitivity.
- Define account types covered.
- Note privileged-access priority.

### Data Collection

- Gather current access listings.
- Map access to roles and owners.
- Identify dormant and orphaned accounts.
- Collect approval evidence.

### Review Methodology

- Define reviewer responsibilities.
- Check access against job need.
- Detect segregation-of-duties conflicts.
- Flag excessive or unused privileges.

### Remediation

- Define how to revoke or adjust access.
- Set timelines for remediation.
- Verify changes were applied.
- Escalate unresolved items.

### Documentation

- Record review scope and results.
- Capture sign-offs and decisions.
- Maintain an audit trail.
- Feed findings into improvements.

## ASK THE USER FOR

- Key systems and access types to review.
- Whether you have privileged accounts.
- Current identity tools and listings available.
- Compliance drivers for the review.
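The data-collection and review-methodology steps above, as an added example that is not part of the original prompt: a small Python pass that joins an exported access listing to an HR roster, a role model and a segregation-of-duties matrix, and emits the four kinds of finding the procedure asks reviewers to catch (orphaned, dormant, excessive, SoD conflict). Every account, role, entitlement name, date and the 90-day dormancy threshold is a constructed assumption, not data from any real system.

```python
"""
Added example (not part of the original prompt): a repeatable,
evidence-based access-review pass over constructed sample data.
All accounts, roles, entitlements and dates below are made up.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed review date ("as of" for dormancy calculations).
AS_OF = date(2024, 6, 1)

# Constructed access listing exported from the system under review:
# one row per account with its granted entitlements and last login.
ACCESS_LISTING = [
    {"account": "alice",   "entitlements": {"ap.invoice.create", "ap.invoice.approve"}, "last_login": date(2024, 5, 28)},
    {"account": "bob",     "entitlements": {"ap.invoice.create"},                        "last_login": date(2024, 1, 3)},
    {"account": "carol",   "entitlements": {"ap.invoice.approve", "db.admin"},           "last_login": date(2024, 5, 30)},
    {"account": "svc-etl", "entitlements": {"db.read"},                                  "last_login": date(2024, 5, 31)},
    {"account": "dave",    "entitlements": {"db.read"},                                  "last_login": date(2024, 5, 29)},
]

# Constructed HR roster: maps each account to a job role and an owner
# (manager) who can attest to the need. Accounts absent here are orphaned.
HR_ROSTER = {
    "alice":   {"role": "ap_clerk",   "manager": "frank"},
    "bob":     {"role": "ap_clerk",   "manager": "frank"},
    "carol":   {"role": "ap_manager", "manager": "grace"},
    "svc-etl": {"role": "service",    "manager": "heidi"},
}

# Constructed role model: the entitlements each role is approved to hold.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"ap.invoice.create"},
    "ap_manager": {"ap.invoice.approve"},
    "service":    {"db.read"},
}

# Constructed SoD matrix: entitlement pairs one identity must not combine.
SOD_PAIRS = [("ap.invoice.create", "ap.invoice.approve")]

# Assumed remediation deadlines (days) per finding type.
DUE_DAYS = {"sod_conflict": 7, "excessive": 14, "orphaned": 14, "dormant": 30}


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str
    detail: str
    owner: str


def review_access(listing, roster, role_model, sod_pairs, as_of, dormant_days=90):
    """Return the list of findings for one review cycle."""
    findings = []
    for row in listing:
        acct, ents = row["account"], row["entitlements"]
        # 1. Orphaned: no HR record, so nobody can attest to the need.
        if acct not in roster:
            findings.append(Finding(acct, "orphaned", "no HR/owner record", "unassigned"))
            continue
        role, owner = roster[acct]["role"], roster[acct]["manager"]
        # 2. Dormant: unused for longer than the threshold.
        if (as_of - row["last_login"]).days > dormant_days:
            findings.append(Finding(acct, "dormant", f"last login {row['last_login'].isoformat()}", owner))
        # 3. Excessive: entitlements outside the role's approved set.
        for e in sorted(ents - role_model.get(role, set())):
            findings.append(Finding(acct, "excessive", f"{e} not approved for role {role}", owner))
        # 4. SoD conflict: both halves of a toxic pair held by one identity.
        for a, b in sod_pairs:
            if a in ents and b in ents:
                findings.append(Finding(acct, "sod_conflict", f"{a} + {b}", owner))
    return findings


def summarize(findings):
    """Count findings by kind, for the review record."""
    return dict(Counter(f.kind for f in findings))


def remediation_worklist(findings, as_of):
    """Attach a due date per finding so unresolved items can be escalated."""
    return [(f.account, f.kind, f.owner, (as_of + timedelta(days=DUE_DAYS[f.kind])).isoformat())
            for f in findings]


def run_sample_review():
    """Run the review over the constructed data (used by the demo and tests)."""
    return review_access(ACCESS_LISTING, HR_ROSTER, ROLE_ENTITLEMENTS, SOD_PAIRS, AS_OF)


if __name__ == "__main__":
    results = run_sample_review()
    print("summary:", summarize(results))
    for item in remediation_worklist(results, AS_OF):
        print("account=%s kind=%s owner=%s due=%s" % item)
```

The listing, roster and role model would in practice be exports from the identity provider and HR system; keeping them as inputs to one function is what makes the review repeatable, and the returned findings (with owner and due date) are the evidence to file alongside sign-offs.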