IAC-07.2: Termination of Employment
Mechanisms exist to revoke user access rights in a timely manner, upon termination of employment or contract.
Control Question: Does the organization revoke user access rights in a timely manner, upon termination of employment or contract?
General (35)
| Framework | Mapping Values |
|---|---|
| CSA CCM 4 | IAM-07 IAM-16 |
| GovRAMP Core | AC-02 |
| GovRAMP Low | AC-02 |
| GovRAMP Low+ | AC-02 |
| GovRAMP Moderate | AC-02 |
| GovRAMP High | AC-02 |
| ISO 27002 2022 | 5.18 |
| ISO 27017 2015 | 9.2.5 |
| MITRE ATT&CK 10 | T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008, T1005, T1021, T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1025, T1036, T1036.003, T1036.005, T1041, T1047, T1048, T1048.002, T1048.003, T1052, T1052.001, T1053, T1053.001, T1053.002, T1053.003, T1053.005, T1053.006, T1053.007, T1055, T1055.008, T1056.003, T1059, T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1068, T1070, T1070.001, T1070.002, T1070.003, T1072, T1078, T1078.001, T1078.002, T1078.003, T1078.004, T1087.004, T1098, T1098.001, T1098.002, T1098.003, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1134, T1134.001, T1134.002, T1134.003, T1136, T1136.001, T1136.002, T1136.003, T1185, T1190, T1197, T1210, T1212, T1213, T1213.001, T1213.002, T1213.003, T1218, T1218.007, T1222, T1222.001, T1222.002, T1484, T1489, T1495, T1505, T1505.002, T1505.003, T1525, T1528, T1530, T1537, T1538, T1542, T1542.001, T1542.003, T1542.005, T1543, T1543.001, T1543.002, T1543.003, T1543.004, T1546.003, T1547.004, T1547.006, T1547.009, T1547.012, T1547.013, T1548, T1548.002, T1548.003, T1550, T1550.002, T1550.003, T1552, T1552.001, T1552.002, T1552.004, T1552.006, T1552.007, T1556, T1556.001, T1556.003, T1556.004, T1558, T1558.001, T1558.002, T1558.003, T1558.004, T1559, T1559.001, T1562, T1562.001, T1562.002, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1563, T1563.001, T1563.002, T1567, T1569, T1569.001, T1569.002, T1574, T1574.004, T1574.005, T1574.007, T1574.008, T1574.009, T1574.010, T1574.012, T1578, T1578.001, T1578.002, T1578.003, T1580, T1599, T1599.001, T1601, T1601.001, T1601.002, T1606, T1606.001, T1606.002, T1609, T1610, T1611, T1612, T1613, T1619 |
| NIST 800-53 R4 | AC-2(10) |
| NIST 800-53 R5 (source) | AC-2 |
| NIST 800-53B R5 (low) (source) | AC-2 |
| NIST 800-53B R5 (moderate) (source) | AC-2 |
| NIST 800-53B R5 (high) (source) | AC-2 |
| NIST 800-82 R3 LOW OT Overlay | AC-2 |
| NIST 800-82 R3 MODERATE OT Overlay | AC-2 |
| NIST 800-82 R3 HIGH OT Overlay | AC-2 |
| NIST 800-161 R1 | AC-2 |
| NIST 800-161 R1 C-SCRM Baseline | AC-2 |
| NIST 800-161 R1 Flow Down | AC-2 |
| NIST 800-161 R1 Level 2 | AC-2 |
| NIST 800-161 R1 Level 3 | AC-2 |
| NIST 800-171 R3 (source) | 03.09.02.a.01 03.09.02.a.02 |
| OWASP Top 10 2021 | A01:2021 |
| PCI DSS 4.0.1 (source) | 8.2.4 8.2.5 |
| PCI DSS 4.0.1 SAQ A (source) | 8.2.5 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 8.2.4 8.2.5 |
| PCI DSS 4.0.1 SAQ C (source) | 8.2.4 8.2.5 |
| PCI DSS 4.0.1 SAQ C-VT (source) | 8.2.4 8.2.5 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 8.2.4 8.2.5 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 8.2.4 8.2.5 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IAC-07.2 |
| SCF CORE ESP Level 1 Foundational | IAC-07.2 |
| SCF CORE ESP Level 2 Critical Infrastructure | IAC-07.2 |
| SCF CORE ESP Level 3 Advanced Threats | IAC-07.2 |
US (12)
| Framework | Mapping Values |
|---|---|
| US CISA CPG 2022 | 2.D |
| US CJIS Security Policy 5.9.3 (source) | AC-2 |
| US FedRAMP R4 | AC-2(10) |
| US FedRAMP R4 (moderate) | AC-2(10) |
| US FedRAMP R4 (high) | AC-2(10) |
| US HIPAA Administrative Simplification 2013 (source) | 164.308(a)(3)(ii)(C) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.308(a)(3)(ii)(C) |
| US HIPAA HICP Medium Practice | 3.M.B |
| US HIPAA HICP Large Practice | 3.M.B |
| US IRS 1075 | AC-2 |
| US - TX DIR Control Standards 2.0 | AC-2 |
| US - TX TX-RAMP Level 2 | AC-2(10) |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA EU NIS2 Annex | 10.3.1 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 6.4 6.5 6.6 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-2-1-10 2-2-1-11 |
APAC (4)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0430 |
| APAC Japan ISMAP | 9.2.5 |
| APAC New Zealand HISF 2022 | HHSP04 HML04 HSUP04 |
| APAC New Zealand HISF Suppliers 2023 | HSUP04 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.09.02.A.01 03.09.02.A.02 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to revoke user access rights in a timely manner, upon termination of employment or contract.
Level 1 — Performed Informally
Identification & Authentication (IAC) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Identity & Access Management (IAM) is decentralized where Active Directory (AD), or a similar technology, may be used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications and services.
- IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
- IT personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.
Level 2 — Planned & Tracked
Identification & Authentication (IAC) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Logical Access Control (LAC) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for logical access control.
- IT personnel:
  - Implement and maintain an Identity & Access Management (IAM) capability for all users to implement “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.
  - Govern IAM technologies via RBAC to prohibit privileged access by non-organizational users, unless there is an explicit support contract for privileged IT support services.
- Active Directory (AD), or a similar technology, is primarily used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific systems, applications and services that cannot be integrated into AD.
- IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
- The Human Resources (HR) department governs personnel management operations and notifies IAM personnel of personnel role changes for RBAC-based provisioning and deprovisioning actions.
Level 3 — Well Defined
Identification & Authentication (IAC) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.
- The Human Resources (HR) department governs personnel management operations and notifies IAM personnel of personnel role changes for RBAC-based provisioning and deprovisioning actions.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
- An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
- Active Directory (AD), or a similar technology, is used to centrally manage identities and permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for systems, applications and services.
Level 4 — Quantitatively Controlled
Identification & Authentication (IAC) efforts are metrics-driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to revoke user access rights in a timely manner, upon termination of employment or contract.
Assessment Objectives
- IAC-07.2_A01 prerequisites and criteria for group and role membership are defined.
- IAC-07.2_A02 criteria for account creation, enabling, modification, disabling and removal are defined.
- IAC-07.2_A03 personnel or roles required to approve requests to create accounts is/are defined.
- IAC-07.2_A04 account managers are assigned.
- IAC-07.2_A05 attributes (as required) for each account are defined.
- IAC-07.2_A06 personnel or roles to be notified is/are defined.
- IAC-07.2_A07 time period within which to notify account managers when accounts are no longer required is defined.
- IAC-07.2_A08 time period within which to notify account managers when users are terminated or transferred is defined.
- IAC-07.2_A09 time period within which to notify account managers when system usage or the need to know changes for an individual is defined.
- IAC-07.2_A10 attributes needed to authorize system access (as required) are defined.
- IAC-07.2_A11 the frequency of account review is defined.
- IAC-07.2_A12 account types allowed for use within the system are defined and documented.
- IAC-07.2_A13 account types specifically prohibited for use within the system are defined and documented.
- IAC-07.2_A14 prerequisites and criteria for group and role membership are required.
- IAC-07.2_A15 authorized users of the system are specified.
- IAC-07.2_A16 group and role memberships are specified.
- IAC-07.2_A17 access authorizations (i.e., privileges) for each account are specified.
- IAC-07.2_A18 attributes (as required) are specified for each account.
- IAC-07.2_A19 approvals are required by personnel or roles for requests to create accounts.
- IAC-07.2_A20 accounts are created in accordance with policy, procedures, prerequisites and criteria.
- IAC-07.2_A21 accounts are enabled in accordance with policy, procedures, prerequisites and criteria.
- IAC-07.2_A22 accounts are modified in accordance with policy, procedures, prerequisites and criteria.
- IAC-07.2_A23 accounts are disabled in accordance with policy, procedures, prerequisites and criteria.
- IAC-07.2_A24 accounts are removed in accordance with policy, procedures, prerequisites and criteria.
- IAC-07.2_A25 the use of accounts is monitored.
- IAC-07.2_A26 account managers and personnel or roles are notified within an organization-defined time period when accounts are no longer required.
- IAC-07.2_A27 account managers and personnel or roles are notified within an organization-defined time period when users are terminated or transferred.
- IAC-07.2_A28 account managers and personnel or roles are notified within an organization-defined time period when system usage or the need to know changes for an individual.
- IAC-07.2_A29 access to the system is authorized based on a valid access authorization.
- IAC-07.2_A30 access to the system is authorized based on intended system usage.
- IAC-07.2_A31 access to the system is authorized based on attributes (as required).
- IAC-07.2_A32 accounts are reviewed for compliance with account management requirements at the organization-defined frequency.
- IAC-07.2_A33 a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group.
- IAC-07.2_A34 a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group.
- IAC-07.2_A35 account management processes are aligned with personnel termination processes.
- IAC-07.2_A36 account management processes are aligned with personnel transfer processes.
- IAC-07.2_A37 privileged user accounts are established and administered in accordance with organization-defined criteria.
- IAC-07.2_A38 privileged role or attribute assignments are monitored.
- IAC-07.2_A39 changes to roles or attributes are monitored.
- IAC-07.2_A40 access is revoked when privileged role or attribute assignments are no longer appropriate.
Evidence Requirements
- E-HRS-19 Deprovisioning Checklist (Offboarding): Documented evidence of personnel management practices to formally offboard personnel from their assigned roles due to employment termination or role change. (Human Resources)