Deactivating User Access Within 24 Hours for Terminated, Retiring, and Extended Leave
Auditors now routinely review security access management as part of IT audits. Security access management is an essential part of overall IT security: it governs user access to data, systems, and resources within an organization. Failing to deactivate security access promptly creates a significant security risk. Access management standards require removal of access within 24 hours of a change in employment status or role, and failure to remove access within that window can result in audit findings.
ACTION STEP:
- Verify that there is a system in place so that when someone is offboarded, transferred, or retires, their user access to the network, applications, third-party applications holding department data, and enterprise systems (e.g., MMARS/LCM, HR/CMS, Commonwealth Information Warehouse) is deactivated within 24 hours.
Always report any suspicious activity to your security staff immediately. See our CTR Cyber page for more cybersecurity internal controls and contact [email protected] with any incidents or suspected incidents of fraud or cyber threats or if you need support from our Statewide Risk Management Team.