Access Control

The institution shall limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). The institution shall limit system access to the types of transactions and functions that authorized users are permitted to execute (role-based access control). The institution shall have a procedure for removal of access rights (termination) for all departing or resigning personnel, both employees and contractors/third parties. This procedure shall coordinate management decisions with the system administrator or other personnel responsible for executing system access termination. In case of malicious activity by an employee or contractor (third-party employee), access rights shall be revoked immediately according to the incident response procedure.