Access Requests, Changes, and Offboarding
Document ID: DPWAT-ISMS-PROC-002
Version: 1.0
Owner: Administrator + CISO — Anna Boros; Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-11-10
Next review: 2027-02-01 (or on major change)
1. Purpose
Provide a repeatable process for managing the access lifecycle (joiner/mover/leaver) and producing audit evidence.
2. Systems in scope (confirm)
At minimum, apply this procedure to: Google Workspace, GitHub, YouTrack, Cloudflare, AWS (if used), and any customer environments where DP WAT access exists.
Also apply to collaboration and security tooling used for DP WAT work (as applicable): Slack workspace devplant, 1Password, AI providers (OpenAI/Anthropic), and cloud platforms (Google Cloud, Microsoft Azure).
2.1 Evidence-critical systems (for periodic access review evidence)
DP WAT prioritizes periodic access review evidence for systems that are critical to confidentiality/integrity/availability of DP WAT-managed information, including:
- Google Workspace (identity and core collaboration)
- Source code hosting (e.g., GitHub)
- Cloud platforms (Google Cloud, Microsoft Azure)
- Edge/security platforms (Cloudflare)
- Password managers (iCloud Keychain; 1Password if used)
Slack workspace devplant is used operationally for communication, but is not treated as evidence-critical (i.e., not a primary repository for customer deliverables or secrets). Access changes still follow this procedure.
3. Process
3.1 Access request
- Access requests are recorded directly in access-register.
- Approval required from:
  - Process Owner (business need) and
  - Administrator or CISO (security approval), depending on the system/access level.
- The requestor must not approve their own access where feasible.
- Privileged access (admin/owner) should be approved by an Administrator other than the person receiving the privilege where feasible (see 03.15-segregation-of-duties-and-dual-control-policy).
3.2 Provisioning
- Administrator provisions access.
- Record the change in access-register (who/what/when/approved-by).
3.3 Changes
- Role changes require review and adjustment of access rights.
- Record changes in the access register.
3.4 Offboarding
- Disable or revoke access immediately upon end of contract/employment.
- Record offboarding completion in the access register, with evidence location in 07-records/.
4. Periodic access review
- Annual review for critical systems, or more frequently if significant access changes have occurred.
- Use template-access-review and store completed reviews in 07-records/.