Overview

This collection includes the User Access and Account Management Policy and the Account Deactivation Standard Operating Procedure (SOP) for the fictitious managed service provider (MSP) RS Tech Services.

Description

The policy establishes the organization’s overarching requirements for managing user access throughout the employee lifecycle, including account creation, modification, and termination. The accompanying SOP provides the detailed, step-by-step process used to securely deactivate accounts and recover company assets when an employee, contractor, or third-party user separates from the organization.

Problem

Internal reviews at RS Tech Services revealed that user account deactivations were being performed inconsistently and without defined ownership or documentation. The absence of a standardized policy and supporting procedure increased the risk of unauthorized system access, data exposure, and non-compliance with security and audit requirements.

To address these gaps, RS Tech Services developed a formal User Access and Account Management Policy, User Access and Account Management Standard, and Employee Account Deactivation SOP to ensure all deactivations are executed securely, consistently, and in alignment with industry best practices.

Solution

To address the identified gaps, RS Tech Services established a formal User Access and Account Management Policy supported by a detailed Employee Account Deactivation SOP.

The policy defines governance requirements for provisioning, modifying, and removing user access. The standard defines the minimum technical and procedural requirements for user account management, and the SOP provides step-by-step guidance for executing account deactivations. Together, these documents clarify roles and responsibilities, ensure timely removal of access, mandate recovery of company assets, and create an auditable record of compliance.

All artifacts align with recognized frameworks, including ISO 27001 and NIST 800-53, reinforcing the organization’s commitment to secure and accountable offboarding practices.

Impact

The implementation of these documents provided RS Tech Services with a defined, repeatable process for securely offboarding personnel.

IT staff now have clear, authoritative guidance for disabling access, documenting deactivation activities, and recovering company assets—significantly reducing the risk of unauthorized system access after separation.

By defining ownership, enforcing same-day deactivation requirements, and introducing monthly compliance audits, the organization strengthened its overall security posture, improved operational consistency, and enhanced readiness for SOC 2 and ISO 27001 certification audits.

Technologies Used

  • Microsoft Word
  • ChatGPT