
Access Control Policy Template

Defines who may access which systems and data. Covers role-based access, the request and approval workflow, scheduled access reviews, and revocation at offboarding.

Purpose

This policy establishes the framework for managing access to company systems and data based on job roles and business requirements, ensuring the principle of least privilege.

Core Principles

  • Least privilege: Users get only the access they need for their role, nothing more.
  • Need-to-know: Access to sensitive data is restricted to those who require it for their job.
  • Separation of duties: Critical actions are split so that no single person can complete them alone; at least two people must be involved.
  • Regular review: Access is reviewed on a fixed schedule, with the frequency set by the risk of the system, to ensure it remains appropriate.

Access Request Process

  1. Employee submits an access request via the helpdesk, stating the business justification.
  2. The employee's manager approves the request.
  3. IT Head reviews the request for compliance with the least-privilege principle.
  4. Access is provisioned within 4 business hours of approval.
  5. The grant is recorded in the access control register.

Access Review

  • Critical systems: reviewed monthly
  • Business tools: reviewed quarterly
  • Low-risk tools: reviewed every six months
  • Immediate revocation of all access on employee offboarding

Offboarding

When an employee leaves, all of their access must be revoked within 1 hour of the end of their last working day. IT Head verifies that revocation is complete and documents the process.
