AM-07 Access Management
User Access Modification (Movers)
Access stays appropriate when users change roles.
- Domain: Access Management
- Control type: Preventive
- Automated / manual: Manual
- Frequency: Per event
- Framework reference: COBIT DSS05.04; MAS TRM – Access
What good looks like
On transfer, prior entitlements are reviewed/removed and new access re-approved by the receiving owner.
Risk if it fails
Privilege accumulation ('access creep'); segregation-of-duties (SoD) breaches.
How Tess tests it
4 tests — each concludes only on cited evidence.
Mover procedure incl. HR trigger is defined
- Type: Design
- Procedure: Inspect the transfer procedure.
- Expected: HR role-change triggers an access review.
- Sample: 1 (design inspection)
- Evidence: HR mover report, access-change tickets, before/after extracts.
Prior entitlements reviewed on transfer
- Type: Operating
- Procedure: Sample movers; inspect the review.
- Expected: Old access reviewed for each mover.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: HR mover report, access-change tickets, before/after extracts.
Obsolete entitlements removed
- Type: Operating
- Procedure: Compare before/after entitlement extracts.
- Expected: Access no longer required is revoked.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: HR mover report, access-change tickets, before/after extracts.
New access re-approved by receiving owner
- Type: Operating
- Procedure: Inspect approvals for new entitlements.
- Expected: New access approved before grant.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: HR mover report, access-change tickets, before/after extracts.
Evidence Tess looks for
HR mover report, access-change tickets, before/after extracts.