User Provisioning and Deprovisioning Policy

1. Purpose

The purpose of this User Provisioning and Deprovisioning Policy is to establish requirements for the creation, modification, review, suspension, and removal of user accounts and access rights within the organization.

Effective user lifecycle management is essential for protecting organizational systems and information from unauthorized access. Timely provisioning ensures users receive appropriate access to perform their job responsibilities, while prompt deprovisioning reduces the risk of unauthorized access following role changes, terminations, contract expirations, or changes in business requirements.

This policy establishes a standardized approach for managing user access throughout the user lifecycle.

2. Scope

This policy applies to the following personnel:

  • All employees
  • Contractors
  • Consultants
  • Temporary personnel
  • Interns
  • Third-party personnel with authorized access to organizational resources

This policy applies to the following account types:

  • User accounts
  • Administrative accounts
  • Privileged accounts
  • Service accounts
  • Application accounts
  • Cloud identities
  • Remote access accounts
  • Federated identities
  • Third-party accounts

The policy applies to all organizational systems, applications, networks, cloud services, databases, and information assets.

3. Policy Statement

The organization shall implement and maintain formal processes for provisioning, modifying, reviewing, suspending, and deprovisioning user access.

User access shall be granted based on authorized business requirements and shall be removed promptly when access is no longer required.

Access management activities shall follow the principles of least privilege, need-to-know, and segregation of duties.

4. Objectives

The objectives of this policy are to:

  • Ensure appropriate user access is granted.
  • Reduce risks associated with unauthorized access.
  • Support effective identity lifecycle management.
  • Enforce least privilege principles.
  • Improve accountability and auditability.
  • Ensure timely access revocation.
  • Support regulatory and compliance requirements.
  • Protect organizational information assets.

5. Definitions

Provisioning

The process of creating user accounts and granting authorized access to organizational resources.

Deprovisioning

The process of removing, disabling, or revoking user accounts and access rights.

Access Modification

The process of changing access permissions based on changes in job responsibilities, business requirements, or organizational structure.

User Account

A unique identity assigned to an individual, service, application, or system for authentication and authorization purposes.

Privileged Account

An account with elevated permissions capable of performing administrative or security-sensitive functions.

Least Privilege

The principle of granting only the minimum access necessary to perform assigned responsibilities.

Service Account

A non-human account used by a system, application, or automated process to authenticate to other resources. Service accounts shall have a named human owner responsible for their access.

Segregation of Duties

The principle that no single individual should be able to complete all stages of a sensitive process (for example, requesting, approving, and provisioning the same access) without the involvement of another person.

6. Roles and Responsibilities

Executive Management

Responsible for:

  • Supporting access governance activities.
  • Providing resources for access management processes.
  • Reviewing significant access-related risks.

Information Security Team

Responsible for:

  • Establishing access management requirements.
  • Monitoring compliance.
  • Reviewing access-related risks.
  • Supporting access audits and investigations.

Information Technology Team

Responsible for:

  • Provisioning and deprovisioning accounts.
  • Managing identity systems.
  • Maintaining access records.
  • Implementing approved access changes.

Managers and Supervisors

Responsible for:

  • Approving access requests.
  • Verifying business need.
  • Reporting personnel changes.
  • Participating in access reviews.

Human Resources

Responsible for:

  • Communicating personnel changes.
  • Providing notification of hires, transfers, and terminations.
  • Supporting timely access management activities.

Users

Responsible for:

  • Using granted access appropriately.
  • Reporting access issues.
  • Protecting authentication credentials.
  • Following organizational security requirements.

7. User Lifecycle Management

The organization shall maintain documented user lifecycle management processes that address:

  • User onboarding
  • Account creation
  • Access assignment
  • Access modification
  • Periodic review
  • Account suspension
  • Account deactivation
  • Account removal

Lifecycle management processes shall be reviewed periodically.

8. User Provisioning Requirements

User accounts shall be provisioned only after:

  • Identity verification has been completed.
  • Appropriate approvals have been obtained.
  • Business need has been validated.
  • Required documentation has been submitted.

Access shall not be granted without proper authorization.

9. Account Creation

User account creation shall follow approved procedures.

Account creation activities may include:

  • Identity verification
  • Assignment of unique identifiers
  • Authentication setup
  • Initial access assignment
  • Security awareness acknowledgment

Shared user accounts shall be prohibited unless specifically authorized. Where a shared account is authorized, it shall have a named owner, a documented justification, and controls that preserve accountability for its use (for example, restricted credential distribution and logging that identifies the individual using it).

10. Access Assignment

Access rights shall be assigned based on:

  • Job responsibilities
  • Business requirements
  • Least privilege principles
  • Need-to-know requirements
  • Regulatory obligations

Users shall receive only the access necessary to perform authorized duties.

11. New Employee Access

Access required for new employees shall be requested and approved prior to onboarding whenever feasible.

Access shall:

  • Be limited to approved resources.
  • Be appropriate for assigned responsibilities.
  • Be reviewed after onboarding when necessary.

Managers shall verify access requirements.

12. Contractor and Third-Party Access

Third-party access shall be:

  • Authorized
  • Documented
  • Time-bound where appropriate
  • Periodically reviewed

Third-party accounts shall be removed when contractual relationships end or access is no longer required.

13. Privileged Access Provisioning

Privileged access shall require additional approval and justification.

Privileged account provisioning shall include:

  • Documented business need
  • Management approval
  • Security review where required
  • Multi-factor authentication requirements
  • Enhanced monitoring
  • A privileged account that is separate from the account used for routine, non-administrative activities

Privileged access shall be granted only when necessary, and shall be time-limited where the identity system supports it.

14. Access Modification

User access shall be modified when:

  • Job responsibilities change
  • Promotions occur
  • Transfers occur
  • Organizational structures change
  • Business requirements change

Access modifications shall follow documented approval procedures.

15. Role Changes and Transfers

When personnel transfer between departments or job functions:

  • Existing access shall be reviewed.
  • Unnecessary permissions shall be removed.
  • New access shall be approved before assignment.
  • Privileged access shall be reassessed.

Managers shall verify continued access requirements.

16. Temporary Access

Temporary access may be granted when justified by business requirements.

Temporary access shall:

  • Be documented
  • Have defined expiration dates
  • Be reviewed periodically
  • Be removed when no longer required

Expiration dates shall be enforced automatically by the identity system where supported, rather than relying on a manual reminder to remove the access. Time-limited access shall be preferred whenever feasible.

17. Access Reviews

User access rights shall be reviewed periodically at a defined frequency. Privileged access and third-party access shall be reviewed more frequently than standard user access.

Reviews shall evaluate:

  • Continued business need
  • Access appropriateness
  • Role alignment
  • Privileged access assignments
  • Third-party access

Inappropriate access shall be removed promptly.

18. Dormant and Inactive Accounts

Accounts that have not been used for a defined period of inactivity shall be identified and managed appropriately.

Inactive accounts may be:

  • Disabled
  • Suspended
  • Reviewed for necessity
  • Removed when appropriate

Accounts shall normally be disabled before they are removed, so that they can be restored if the inactivity was legitimate. Service accounts shall be reviewed with their named owners before being disabled, since an absence of interactive logins does not necessarily indicate that a service account is unused.

Periodic reviews shall be conducted.

19. Account Suspension

Accounts may be suspended when:

  • Extended leave occurs
  • Security concerns arise
  • Investigations require access restrictions
  • Business requirements change

Suspended accounts shall be reviewed periodically.

20. User Deprovisioning Requirements

User access shall be revoked promptly, within the timeframe defined in the organization's procedures, when:

  • Employment terminates
  • Contracts expire
  • Business need no longer exists
  • Security concerns require removal
  • Organizational relationships end

Deprovisioning activities shall be documented.

21. Employee Termination

Upon employee termination:

  • Access shall be removed or disabled as soon as practical. For involuntary terminations, access shall be disabled no later than the time the individual is notified.
  • Authentication credentials shall be invalidated. This includes passwords, active sessions and tokens, multi-factor authentication devices, API keys, SSH keys, and certificates issued to the individual, since disabling an account alone does not necessarily end sessions or tokens that are already active.
  • Remote access privileges shall be revoked.
  • Privileged access shall be removed immediately.
  • Credentials for shared or service accounts the individual knew shall be rotated.

Termination procedures shall be coordinated among management, Human Resources, Information Technology, and Information Security, and completion of deprovisioning shall be verified and recorded.

22. Contractor and Vendor Offboarding

Third-party accounts shall be removed when:

  • Contracts expire
  • Services are terminated
  • Business relationships end
  • Access is no longer required

Third-party deprovisioning shall be verified and documented.

23. Account Removal and Retention

Accounts that are no longer required may be:

  • Disabled
  • Archived
  • Deleted

Retention requirements shall comply with legal, regulatory, contractual, and business obligations.

Account records shall be retained according to applicable retention requirements.

24. Monitoring and Logging

Provisioning and deprovisioning activities shall be logged and monitored.

Logged events may include:

  • Account creation
  • Access modifications
  • Privileged access assignments
  • Account suspension
  • Account deactivation
  • Account deletion

Each logged event shall record who requested, approved, and performed the change, and when it was performed, so that access changes can be traced to an authorized request.

Logs shall be protected against unauthorized modification and deletion according to organizational requirements, and shall be retained for a period sufficient to support access reviews, audits, and investigations.

25. Segregation of Duties

Provisioning and deprovisioning processes shall support segregation of duties where feasible.

No single individual should be able to perform more than one of the following for the same access:

  • Request access
  • Approve access
  • Provision access
  • Audit access

In particular, an individual shall not approve their own access requests, and those who provision access shall not be the sole auditors of it.

Compensating controls, such as independent review of the resulting access, may be implemented where segregation is impractical.

26. Security Incident Response

Access-related security incidents shall be managed according to the Incident Response Policy.

Response activities may include:

  • Account suspension
  • Credential resets
  • Access reviews
  • Investigation activities
  • Corrective actions

Security incidents shall be documented and tracked.

27. Compliance and Auditing

Compliance with this policy shall be verified through:

  • Access reviews
  • Internal audits
  • External audits
  • Security assessments
  • Compliance evaluations

Findings shall be documented and addressed through corrective action processes.

28. Exceptions

Exceptions to this policy must:

  • Be documented
  • Include business justification
  • Include risk assessment
  • Identify compensating controls
  • Be approved by management
  • Be reviewed periodically

Temporary exceptions shall include expiration dates.

29. Enforcement

Violations of this policy may result in:

  • Removal of access privileges
  • Suspension of accounts
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

30. Review and Maintenance

This policy shall be reviewed:

  • At least annually
  • Following significant access-related incidents
  • Following regulatory changes
  • Following technology changes
  • Following updates to identity management processes

Updates shall be approved by executive management.

31. Related Policies

  • Information Security Policy
  • Identity and Access Management Policy
  • Access Control Policy
  • Privileged Access Management Policy
  • Password Policy
  • Multi-Factor Authentication Policy
  • Human Resources Security Policy
  • Security Monitoring and Logging Policy

32. Policy Approval

Policy Owner: Chief Information Security Officer (CISO) or Information Security Manager

Approved By: Executive Management

Effective Date: __________________

Review Date: __________________

Version: 1.0