HRS-007 Termination and Access Revocation
Description
Upon termination or role change, all logical access rights are revoked within a defined timeframe. The termination process includes retrieval of physical assets, disabling of authentication credentials, review of ongoing confidentiality obligations, and a documented offboarding checklist. The same process applies to contractors and third-party personnel.
Rationale
Access that persists after employment ends is a direct path for unauthorized access or data exfiltration. A time-bound, documented revocation process limits the window of exposure and provides audit evidence of completion.
Framework Mappings (7)
| Mapped control | Title | Coverage |
| --- | --- | --- |
| HRS-05 | Asset returns | partial |
| HRS-06 | Employment Termination | full |
| 6.5 | Responsibilities after termination or change of employment | full |
| PS-4 | Personnel Termination | full |
| PS-5 | Personnel Transfer | partial |
| PS-7 | External Personnel Security | partial |
| CC6.2 | Prior to Issuing System Credentials and Granting System Access | partial |
Evidence (2)
Completed offboarding checklists confirming that logical access revocation and physical asset retrieval took place within the defined timeframe for a sample of terminated personnel.
Example: Offboarding workflow records (ServiceNow / Jira / HRIS offboarding module) for a sample of terminated employees and contractors, showing: termination date, access revocation date and time, asset return confirmation, and completed checklist sign-off.
Test: Request offboarding records for at least five terminations in the last 12 months (including at least one contractor). For each, verify: (1) access revocation occurred within the defined SLA (e.g. same-day for involuntary termination, by last day for voluntary), (2) physical asset return is confirmed, (3) the offboarding checklist is fully completed with a named verifier and date.
IAM system export showing no active accounts belong to terminated employees or contractors.
Example: Active user account export from Okta, Azure AD, or AWS IAM — cross-referenced against the HR termination log — showing no account is active for any individual whose termination date has passed.
Test: Export the list of active user accounts from the IAM system. Cross-reference against the HR list of terminations in the last 12 months. Verify: (1) no terminated employee or contractor has an active login-capable account, (2) any service accounts associated with terminated individuals are also disabled or re-owned, (3) the check is repeatable via a scheduled report or script.
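As an added illustration of the second test (not part of the control text and not the output of any named IAM or HR product), the following Python script cross-references an IAM export against the HR termination log and reports accounts, including service accounts, that are still active past the owner's termination date, as well as revocations that landed after the termination day. The input rows are constructed, and the field names and "active"/"disabled" status values are assumptions; real exports will need a small mapping step.

```python
from datetime import date

# Constructed sample inputs (not real exports). Each IAM record carries the
# account's owner so that service accounts can be tied back to a person.
HR_TERMINATIONS = [
    {"email": "a.lee@example.com",  "type": "employee",   "terminated_on": "2024-03-01"},
    {"email": "b.ng@example.com",   "type": "contractor", "terminated_on": "2024-04-15"},
    {"email": "c.ruiz@example.com", "type": "employee",   "terminated_on": "2024-12-31"},
]
IAM_EXPORT = [
    {"id": "a.lee",      "owner": "a.lee@example.com",  "kind": "user",    "status": "disabled", "revoked_on": "2024-03-03"},
    {"id": "svc-backup", "owner": "a.lee@example.com",  "kind": "service", "status": "active",   "revoked_on": None},
    {"id": "b.ng",       "owner": "b.ng@example.com",   "kind": "user",    "status": "active",   "revoked_on": None},
    {"id": "svc-deploy", "owner": "d.kim@example.com",  "kind": "service", "status": "active",   "revoked_on": None},  # re-owned from b.ng
    {"id": "c.ruiz",     "owner": "c.ruiz@example.com", "kind": "user",    "status": "active",   "revoked_on": None},
    {"id": "d.kim",      "owner": "d.kim@example.com",  "kind": "user",    "status": "active",   "revoked_on": None},
]

def reconcile(iam, hr, as_of):
    """Cross-reference an IAM export against the HR termination log.

    Returns (account_id, finding) pairs for: accounts (user or service) still
    active after the owner's termination date, and disabled accounts whose
    revocation date is later than the termination date (SLA missed: revocation
    is due by the end of the termination day, voluntary or involuntary).
    """
    as_of = date.fromisoformat(as_of)
    terminated = {r["email"]: date.fromisoformat(r["terminated_on"]) for r in hr}
    findings = []
    for acct in iam:
        term_date = terminated.get(acct["owner"])
        if term_date is None or term_date > as_of:
            continue  # owner not terminated, or termination not yet effective
        if acct["status"] == "active":
            days = (as_of - term_date).days
            findings.append((acct["id"], f"{acct['kind']} account still active {days} days after termination"))
        elif acct["revoked_on"] and date.fromisoformat(acct["revoked_on"]) > term_date:
            late = (date.fromisoformat(acct["revoked_on"]) - term_date).days
            findings.append((acct["id"], f"revoked {late} days after termination date (SLA missed)"))
    return findings

if __name__ == "__main__":
    # Run the reconciliation as of a fixed audit date; schedule this to make the check repeatable.
    for acct_id, msg in reconcile(IAM_EXPORT, HR_TERMINATIONS, "2024-06-01"):
        print(f"{acct_id}: {msg}")
```

The re-owned service account (svc-deploy) produces no finding because its owner is no longer a terminated individual, which is exactly the "disabled or re-owned" outcome the test accepts.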
Questions (3)
Does your organization revoke all logical access rights for terminated employees and contractors within a defined timeframe, using a documented offboarding process?
Completed offboarding checklists should show access revocation dates and confirm the SLA was met (typically same-day for involuntary terminations).
What is your defined maximum timeframe for revoking all logical access after an involuntary termination?
Same-day revocation for involuntary terminations is the expected standard. IAM export cross-referenced against the HR termination log is the verification evidence.
Does your offboarding process explicitly cover contractors and third-party personnel, not just direct employees?
Contractor and third-party access revocation should follow the same SLA and checklist as direct employees. Service accounts associated with contractors should also be disabled or re-owned.