Evaluation of Privilege Requests Procedure
Sometimes, users need access beyond their usual permissions that come with their job function. This procedure outlines how we evaluate and approve privileged access requests.
This is a Controlled Document
In line with Vaxa's governance framework, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.| Version | Effective | Reviewed | Next review due |
|---|---|---|---|
| 1.0.0 | 2025-02-03 | 2025-02-03 | 2026-02-03 |
Purpose
This procedure defines how privileged access requests are evaluated and approved beyond the access granted to a specific job function, ensuring access is granted based on business necessity and security best practices. This does not cover ordinary access granted to users via their job function as this is automatically granted based on their role.
Scope
Applies to all requests for privileged access to systems, applications, and data within Vaxa Analytics.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Chief Technology Officer (CTO) | Approves or denies privileged access requests. Ensures appropriate restrictions and timeouts are applied. |
| Information Security Group | Assesses security risks of access requests. Implements controls and logs all privileged access decisions. |
| Requester | Submits access requests with justification. Adheres to all privileged access controls and security requirements. |
Procedure
1. Submission of Privileged Access Request
- Requests must be submitted via the designated access request system at least 5 business days before access is required. The system is accessible through this link.
- The request must include:
- Justification for access (specific task or role requirement).
- Duration for which access is needed.
- Systems, applications, and data requiring access.
- Proposed restrictions (e.g., time-based access, least privilege model).
2. Evaluation Criteria
The CTO, with input from the Information Security Group, assesses each request based on:
- Business necessity.
- Potential security risks.
- Existing access controls and segregation of duties.
- The principle of least privilege.
- Alternative options to mitigate the need for privileged access.
- Alignment with the broader security and policy framework.
3. Decision & Implementation
- Approved requests:
- Privileged access is granted with necessary restrictions and timeouts.
- Default timeouts include automatic disablement after 12 months or 45 days of inactivity.
- Privileged accounts are configured to prevent logging into unprivileged environments.
- Access is logged and monitored.
- Denied requests:
- Requester is notified with justification.
- Alternative solutions (if applicable) are provided.
4. Periodic Review
- The Information Security Group conducts quarterly privileged access reviews.
- Any inactive privileged accounts are automatically disabled after 45 days.
- Annual revalidation is required for continued privileged access.
Exceptions
Exceptions must be submitted in writing and approved by the CTO with documented justification. All exceptions are subject to periodic review.
Compliance & Monitoring
- The Information Security Group will track all privileged access requests and approvals.
- Privileged access logs will be regularly reviewed for suspicious activity.
- Non-compliance will be reported to senior management and may result in revoked access.
References
- Privileged Access Policy.
- Information Security Policy.
- [Identity & Access Management Policy]