What is the Termination of Access control?
Strike Graph's default control language is: “A user's physical and logical access to IT systems is revoked within 48 hours of termination or transfer and all assets are returned to the organization when employment ends or their contract terminates. Exceptions are documented in an offboarding checklist and/or offboarding ticket.”
This language should be customized to reflect the specific process (and termination window) your organization has defined. For example, if your organization always removes access within 24 hours of the termination notice, update the control to say so. It is important to set a window that is achievable for your organization, because SOC 2 auditors will test the control against the requirements you define: if you are not confident you can remove access within 24 hours every time, set a longer interval. The same interval should also be defined in your Logical Access Policy, so that the policy and the control agree.
Who is involved with this control?
Typical control owner: CISO or Head of IT
Typical parties involved: Help Desk (for de-provisioning)
How often should I perform this control?
Typical frequency: Continuous
Which framework is this for?
SOC 2 - typically used by larger, more mature organizations
PCI - Required
ISO 27001 - General concept
NIST 800-171 - General concept
Why is this control important?
Removing access rights (both logical and physical) when a staff member leaves or transfers reduces the risk of inappropriate access to information, locations, processes, and security systems. Many organizations target a 24-48 hour window to ensure that all access rights have been locked down, removed, or otherwise made unavailable to the terminated individual.
What does evidence look like for this control?
Three evidence items are generally needed for this control:
Termination List (SOC 2 Type 2 only)
This list should be generated from your HRIS or payroll system and show all employees terminated during your SOC 2 audit review period. During the audit, the auditor will select a sample of terminated employees and ask to see the full termination tickets/checklists for each of them.
Access Termination Ticket
This should be a ticket or offboarding checklist showing that all access was removed for a given terminated employee. The auditor will check that the ticket or checklist was completed within the interval specified in the control, so the ticket should record both when the termination took effect and when each access removal was completed. For example, if your control and policy state that access is removed within 24 hours of termination, but the ticket shows that access was actually removed 48 hours after termination, that can lead to a finding or exception in your audit report.
If a terminated user's accounts need to be kept active for the sake of continuity, that is acceptable, but clearly note on the ticket or checklist that the terminated employee can no longer access the account because its password was changed or the account was deactivated. Bear in mind that changing a password does not by itself end existing sessions or invalidate API tokens and SSH keys; those need to be revoked separately and recorded on the ticket.
Access Termination Procedures
These can be included within your Logical Access Policy, or they can be a standalone procedures document. We have an example procedures document, but this process will likely differ somewhat from organization to organization, so take care to write a procedures document that closely matches your actual process.
Generally, this procedures document should state who initially notifies the IT department of the access removal request, how that notification is logged, who performs the work of removing the accounts, and whether affected parties (HR and the departing employee's manager) are notified once access removal is complete.
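The auditor's test of the evidence above is a reconciliation: every termination on the HRIS list needs a ticket, and the ticket's completion time must fall within the window the control states. The script below is an added example of running that reconciliation yourself before the audit (and continuously, by adding an identity-provider export of still-enabled accounts); it is not Strike Graph's code or tooling. All of it is constructed for illustration: the employee IDs, ticket IDs, timestamps, the IdP export, and the 48-hour window, which you would set to whatever your own control language says.

```python
"""Reconcile an HRIS termination list against offboarding tickets and an
identity-provider (IdP) export for the Termination of Access control.

Added example, not Strike Graph's code. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Assumption: the control language says 48 hours. Change to match your control.
REVOCATION_WINDOW = timedelta(hours=48)


def ts(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as UTC. HRIS and ticketing exports often use
    different time zones; normalise both before comparing them."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


@dataclass
class Termination:
    employee_id: str
    terminated_at: datetime  # effective termination/transfer time from HRIS


@dataclass
class OffboardingTicket:
    employee_id: str
    ticket_id: str
    access_removed_at: Optional[datetime]    # None while the ticket is still open
    retained_accounts: Tuple[str, ...] = ()  # accounts kept for continuity, noted on ticket


# Constructed sample data (hypothetical employees and tickets).
HRIS_TERMINATIONS = [
    Termination("E100", ts("2024-03-01 17:00")),  # revoked on time
    Termination("E101", ts("2024-03-04 09:00")),  # revoked late
    Termination("E102", ts("2024-03-06 12:00")),  # no ticket was ever raised
    Termination("E103", ts("2024-03-08 10:00")),  # ticket still open past the window
    Termination("E104", ts("2024-03-10 15:00")),  # shared mailbox retained, documented
]
TICKETS = [
    OffboardingTicket("E100", "OFF-41", ts("2024-03-02 10:00")),
    OffboardingTicket("E101", "OFF-42", ts("2024-03-07 09:30")),
    OffboardingTicket("E103", "OFF-44", None),
    OffboardingTicket("E104", "OFF-45", ts("2024-03-11 08:00"),
                      retained_accounts=("shared-sales@example.com",)),
]
# Constructed IdP export: accounts still enabled at review time.
IDP_ENABLED_USERS: Set[str] = {"E101", "E103", "E200"}
REVIEW_TIME = ts("2024-03-12 00:00")


def hours_to_revoke(terminations, tickets) -> Dict[str, Optional[float]]:
    """Hours from termination to access removal per employee; None when there
    is no closed ticket. This is the table the auditor's sample is judged on."""
    by_emp = {t.employee_id: t for t in tickets}
    out: Dict[str, Optional[float]] = {}
    for term in terminations:
        ticket = by_emp.get(term.employee_id)
        if ticket is None or ticket.access_removed_at is None:
            out[term.employee_id] = None
        else:
            delta = ticket.access_removed_at - term.terminated_at
            out[term.employee_id] = delta.total_seconds() / 3600
    return out


def reconcile(terminations, tickets, idp_enabled, now, window=REVOCATION_WINDOW):
    """Return {employee_id: [finding, ...]} for every termination that fails
    the control. An empty dict means the sample passes as written."""
    by_emp = {t.employee_id: t for t in tickets}
    findings: Dict[str, List[str]] = {}

    def flag(emp: str, msg: str) -> None:
        findings.setdefault(emp, []).append(msg)

    for term in terminations:
        deadline = term.terminated_at + window
        ticket = by_emp.get(term.employee_id)
        if ticket is None:
            flag(term.employee_id, "no offboarding ticket")
        elif ticket.access_removed_at is None:
            if now > deadline:
                flag(term.employee_id, f"{ticket.ticket_id} still open past deadline")
        elif ticket.access_removed_at > deadline:
            hours = (ticket.access_removed_at - term.terminated_at).total_seconds() / 3600
            flag(term.employee_id, f"{ticket.ticket_id} closed {hours:.1f}h after termination")
        # Continuous check: an account still enabled in the IdP after the deadline
        # is an exception regardless of what the ticket says.
        if term.employee_id in idp_enabled and now > deadline:
            flag(term.employee_id, "account still enabled in IdP")
    return findings


if __name__ == "__main__":
    for emp, hrs in hours_to_revoke(HRIS_TERMINATIONS, TICKETS).items():
        print(f"{emp}: {'open/no ticket' if hrs is None else f'{hrs:.1f}h'}")
    for emp, msgs in reconcile(HRIS_TERMINATIONS, TICKETS, IDP_ENABLED_USERS, REVIEW_TIME).items():
        print(f"EXCEPTION {emp}: " + "; ".join(msgs))
```

Run it against real exports by replacing the constructed lists with rows from your HRIS, ticketing system and IdP. Anything it flags is exactly what an auditor sampling that employee would flag, so each exception should either be fixed before the review period closes or be documented on the ticket as an approved exception, as the control language requires.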
