Process approve users getting authorisations to the data in the process.
The requests of individuals that want access to information assets or authorisations to do so, are logged and retained for at least 1 year. It includes the requester, and the approval (or rejection) of the appropriate data owner. Revocation requests, end of employment notifications and changes are recorded and retained for at least 1 year.
After role changes or upon termination of contractual or formal relations between the organisation and the individual, access to data that is no longer part of your role is revoked at first opportunity.
If revocation of access takes place after the date access was no longer needed according to the data owner (applicable to both role changes and termination of relations), logs must be inspected to determine if inappropriate actions have been performed during this window. If so, this is treated as a security incident. The outcome of the inspection is logged.
IST/SOLL control is performed and approved by proces owner.