M4.4.3 - P1 - REMOVAL OF ACCESS RIGHTS
Upon termination, the access rights of an individual to assets associated with information systems and services should be reconsidered. This will determine whether it is necessary to remove access rights. A change of employment should be reflected in the removal of all access rights that were not approved for the new employment. The access rights that should be removed or adapted include physical and logical access, keys, identification cards, information systems, subscriptions, and removal from any documentation that identifies the individual as a current member of the entity. If a departing employee, contractor or third party user knows passwords for accounts that remain active, these should be changed upon termination or change of employment, contract or agreement.
Access rights for information assets and information systems should be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:
- A. Whether the termination or change is initiated by the employee, contractor or third party user, or by management, and the reason for termination
- B. The current responsibilities of the employee, contractor or any other user
- C. The value of the assets currently accessible