Warning
Work in Progress: This page is currently under construction. Content may be incomplete or subject to change. To contribute, see the contribution guide.
Access Review Process
Periodic review of all non-standard access to ensure compliance with the least-privilege principle.
Frequency
| Access type | Review cycle |
|---|---|
| Production systems | Every 90 days |
| Privileged / admin roles | Every 30 days |
| Contractors and third parties | Every 30 days |
| Standard developer access | Every 180 days |
Process
- Notification: The Security team sends an access report to each manager 2 weeks before the deadline
- Review: Managers confirm or flag each user as Keep, Modify, or Revoke
- Action: The Infra team processes all changes within 3 business days of the deadline
- Evidence: Review records are stored in ServiceNow for audit purposes
Manager responsibilities
- Respond to the access review request before the deadline
- Do not approve access for users who have changed roles or left the team
- Flag any access that was not requested through the standard process
Escalation
If access is not reviewed by the deadline, it is revoked automatically as a security control.
To restore access after automatic revocation, open a new access request in ServiceNow.
Contact
Security & Compliance team — see Contacts