Identity (user) deprovisioning is not informed and supported by organisational risk criteria (RISK-2d, RISK-3b)

Identity (user) deprovisioning is not informed and supported by organisational risk criteria (RISK-2d, RISK-3b)

Context and Guidance: RISK-2d and RISK-3b must be at least "Partially Implemented" for this Anti-Pattern to be "Not Present".

Deprovisioning of access (both at the point of employment termination and with a role change) should follow a defined process that includes consideration of organisational risk criteria.

This may include:

• Deprovisioning privileged access as a priority;
• Validating that all access to critical assets is deprovisioned
• Ensuring that identities (users) in Active Directory do not remain active indefinitely;
• Expediting the deprovisioning of access under extenuating circumstances surrounding employment termination.

Ensuring that access is only provided to those that need it, when they need it, is critical to understanding when your organisation may have experienced anomalous access attempts.