Identity & Access Management Governance SOP

Sub-procedure for Operate pillar managed services - IAM ongoing governance

Service Pillar: Operate
Service Category: Identity & Access Management
Parent SOP: Cloud Operations SOP
Engagement Type: Ongoing Managed Service


Overview

Ongoing governance and management of identity and access management controls to maintain security posture, ensure compliance, and adapt to organizational changes. This procedure covers access reviews, policy management, metrics tracking, and continuous improvement of IAM processes.

Scope

Pillar: Operate (Managed Services)
Service Area: Identity & Access Management Governance

In Scope

  • Access certification and recertification
  • Policy lifecycle management
  • Privileged access reviews
  • Identity security monitoring
  • Compliance reporting
  • IAM metrics and KPIs
  • Exception management
  • Continuous improvement

Out of Scope

  • Major IAM platform changes (separate project)
  • New application integrations (separate engagement)
  • Identity provider maintenance (vendor responsibility)

Prerequisites

  • IAM implementation completed
  • Governance framework approved
  • Stakeholder roles defined (data owners, reviewers)
  • Access review tooling configured
  • Reporting infrastructure in place
  • Escalation procedures documented
  • SLA/OLA agreements in place

Procedure

Step 1: Access Certification Program

Objective: Ensure access remains appropriate through periodic reviews

Certification Scope:

| Review Type | Scope | Frequency | Reviewer |
|-------------|-------|-----------|----------|
| User access | All user entitlements | Quarterly | Manager |
| Privileged access | Admin accounts | Monthly | Security + IT Lead |
| Application access | Per-application | Quarterly | App owner |
| Service accounts | Automated accounts | Quarterly | System owner |
| Guest access | External users | Monthly | Sponsor |

Certification Workflow:

1. Generate access review campaign
2. Notify reviewers with deadline
3. Reviewers approve/revoke access
4. Escalate non-responses (Day 7)
5. Auto-revoke if no response (Day 14)
6. Generate certification report
7. Remediate revoked access

Review Guidance for Certifiers:

- [ ] Does the user still require this access?
- [ ] Is the access level appropriate for the role?
- [ ] Has the access been used recently?
- [ ] Are there segregation of duty conflicts?
- [ ] Is there a documented business justification?

Certification Metrics:

| Metric | Target | Action if Missed |
|--------|--------|------------------|
| Completion rate | >95% | Escalation to management |
| On-time completion | >90% | Process improvement |
| Revocation rate | 5-15% | Review if too low/high |
| Exception rate | <5% | Policy review |

Duration: Ongoing (10-15 hours per quarterly cycle)
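The certification workflow and metrics above can be tracked programmatically. The following is an added example (not part of this SOP or any tooling it references) that models a campaign: each entitlement gets a reviewer decision, unanswered items are escalated on Day 7 and auto-revoked on Day 14, and the closed campaign is scored against the Certification Metrics targets. The campaign data, user names and reviewer names are constructed; the choice to count auto-revoked items as both completed and revoked is this example's assumption.

```python
"""Access certification campaign tracker (added example, Python).

Models the certification workflow: reviewers approve or revoke each
entitlement, non-responses are escalated on Day 7 and auto-revoked on
Day 14, and the campaign is scored against the certification metrics.
All campaign data below is constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ESCALATE_DAY = 7       # workflow step 4: escalate non-responses
AUTO_REVOKE_DAY = 14   # workflow step 5: auto-revoke if still no response

# Targets from the Certification Metrics table (rates as fractions).
TARGETS = {
    "completion_rate": lambda r: r > 0.95,           # >95%
    "on_time_rate": lambda r: r > 0.90,              # >90%
    "revocation_rate": lambda r: 0.05 <= r <= 0.15,  # 5-15%, review if outside
}


@dataclass
class ReviewItem:
    user: str
    entitlement: str
    reviewer: str
    decision: Optional[str] = None   # "approve", "revoke" or None (no response)
    decided_on: Optional[date] = None


def item_action(item: ReviewItem, campaign_start: date, today: date) -> str:
    """What the workflow requires for one item as of `today`."""
    decided = item.decision is not None and item.decided_on is not None \
        and item.decided_on <= today
    if decided and item.decision == "revoke":
        return "remediate"       # step 7: remove the revoked access
    if decided and item.decision == "approve":
        return "certified"
    age_days = (today - campaign_start).days
    if age_days >= AUTO_REVOKE_DAY:
        return "auto-revoke"
    if age_days >= ESCALATE_DAY:
        return "escalate"
    return "pending"


def action_at_day(item, campaign_start, day_offset):
    """Convenience wrapper: the action `day_offset` days into the campaign."""
    return item_action(item, campaign_start, campaign_start + timedelta(days=day_offset))


def reviewers_to_escalate(items, campaign_start, today):
    """Reviewers holding unanswered items past Day 7 (the Day 7 escalation list)."""
    return sorted({i.reviewer for i in items
                   if item_action(i, campaign_start, today) == "escalate"})


def campaign_metrics(items, campaign_start, deadline, today):
    """Score a campaign. Auto-revoked items count as completed and as revoked."""
    total = len(items)
    actions = [item_action(i, campaign_start, today) for i in items]
    completed = sum(a in ("certified", "remediate", "auto-revoke") for a in actions)
    on_time = sum(1 for i in items
                  if i.decided_on is not None and i.decided_on <= deadline)
    revoked = sum(a in ("remediate", "auto-revoke") for a in actions)
    rates = {
        "completion_rate": completed / total,
        "on_time_rate": on_time / total,
        "revocation_rate": revoked / total,
    }
    missed = [name for name, ok in TARGETS.items() if not ok(rates[name])]
    return rates, missed


def sample_campaign():
    """Constructed quarterly user-access campaign: 10 entitlements, 3 managers."""
    start = date(2026, 1, 5)
    deadline = start + timedelta(days=AUTO_REVOKE_DAY)   # 2026-01-19
    today = date(2026, 1, 22)                             # report generation day
    items = [
        ReviewItem("alice", "finance-app-admin", "mgr-ali", "approve", date(2026, 1, 8)),
        ReviewItem("bob", "crm-read", "mgr-ali", "approve", date(2026, 1, 10)),
        ReviewItem("carol", "hr-export", "mgr-bea", "revoke", date(2026, 1, 12)),
        ReviewItem("dave", "vpn-access", "mgr-bea", "approve", date(2026, 1, 21)),  # late
        ReviewItem("eve", "repo-maintainer", "mgr-cho"),                            # no response
        ReviewItem("frank", "erp-poster", "mgr-cho", "approve", date(2026, 1, 6)),
        ReviewItem("grace", "db-admin", "mgr-ali", "approve", date(2026, 1, 12)),
        ReviewItem("heidi", "payroll-view", "mgr-bea", "approve", date(2026, 1, 9)),
        ReviewItem("ivan", "bucket-write", "mgr-cho", "approve", date(2026, 1, 18)),
        ReviewItem("judy", "ticketing-admin", "mgr-ali", "approve", date(2026, 1, 11)),
    ]
    return items, start, deadline, today


if __name__ == "__main__":
    items, start, deadline, today = sample_campaign()
    print("Day 9 escalation list:", reviewers_to_escalate(items, start, start + timedelta(days=9)))
    rates, missed = campaign_metrics(items, start, deadline, today)
    print(rates, "missed targets:", missed)
```

In the constructed campaign the completion target is met only because the Day 14 auto-revoke closes the unanswered item; the on-time and revocation-rate targets are missed, which per the table triggers process improvement and a review of why revocations are high.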

Step 2: Policy Lifecycle Management

Objective: Maintain current and effective IAM policies

Policy Review Schedule:

| Policy | Review Frequency | Owner |
|--------|------------------|-------|
| Authentication policy | Annually | Security |
| Password policy | Annually | Security |
| Privileged access policy | Semi-annually | Security |
| Access request policy | Annually | IT/Security |
| Guest access policy | Semi-annually | Security |
| Service account policy | Annually | IT |

Policy Review Process:

1. Gather policy performance data
2. Review for regulatory changes
3. Assess against threat landscape
4. Gather stakeholder feedback
5. Draft policy updates
6. Obtain approval
7. Communicate changes
8. Update technical controls
9. Retrain affected users

Policy Exception Management:

- [ ] Document exception request
- [ ] Risk assessment for exception
- [ ] Compensating controls required
- [ ] Time-limited approval
- [ ] Periodic re-evaluation
- [ ] Exception registry maintained

Duration: 8-16 hours per policy review

Step 3: Privileged Access Governance

Objective: Maintain strict controls over privileged access

Monthly Privileged Access Review:

- [ ] Review all privileged role assignments
- [ ] Validate business justification
- [ ] Check for role creep (multiple roles)
- [ ] Review activation frequency
- [ ] Assess standing vs. eligible access ratio
- [ ] Review emergency access usage

Privileged Account Audit:

| Check | Frequency | Action |
|-------|-----------|--------|
| Unused privileged accounts | Monthly | Disable/remove |
| Stale credentials | Monthly | Force rotation |
| Session recording review | Weekly | Security review |
| Emergency access usage | Per use | Incident review |
| Service account inventory | Quarterly | Update/remove |

Privileged Access Metrics:

| Metric | Target | Significance |
|--------|--------|--------------|
| Standing admin accounts | <10% | Least privilege |
| Avg. activation duration | <4 hours | Time-limited access |
| Emergency access events | <1/month | Proper planning |
| Orphaned privileged accounts | 0 | Lifecycle management |

Duration: 4-6 hours monthly
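The monthly review, the "unused" and "orphaned" account checks, and the Privileged Access Metrics above are all derivable from two inputs: the privileged role-assignment inventory and the activation log of the privileged access management tool. The following added example (not part of this SOP or of any PIM product) computes them over a constructed inventory and log. Principal and role names, the data, and the 90-day threshold for "unused" are this example's assumptions.

```python
"""Privileged access governance metrics (added example, Python).

Computes the standing-vs-eligible ratio, average activation duration,
emergency access events and orphaned privileged accounts for one review
month, plus the monthly "unused privileged accounts" check. All data
below (principals, roles, activations) is constructed for this example.
"""
from datetime import datetime, timedelta

# (principal, role, "standing" = permanent | "eligible" = activate-on-demand)
ASSIGNMENTS = [
    ("alice", "global-admin", "eligible"),
    ("bob", "global-admin", "standing"),
    ("carol", "exchange-admin", "eligible"),
    ("dave", "security-admin", "eligible"),
    ("eve", "user-admin", "eligible"),
    ("frank", "priv-role-admin", "eligible"),
    ("svc-backup", "backup-operator", "standing"),
    ("breakglass-01", "global-admin", "standing"),
    ("mallory", "security-admin", "eligible"),   # left the organisation
    ("grace", "helpdesk-admin", "eligible"),
    ("heidi", "helpdesk-admin", "eligible"),
    ("ivan", "exchange-admin", "eligible"),
]
# Principals that exist and are enabled in the directory on the review date.
ACTIVE_PRINCIPALS = {"alice", "bob", "carol", "dave", "eve", "frank",
                     "svc-backup", "breakglass-01", "grace", "heidi", "ivan"}
EMERGENCY_ACCOUNTS = {"breakglass-01"}   # break-glass accounts (assumption)


def _dt(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Activation log: (principal, role, activation start, activation end)
ACTIVATIONS = [
    ("ivan", "exchange-admin", _dt("2025-11-02 09:00"), _dt("2025-11-02 10:00")),
    ("alice", "global-admin", _dt("2026-02-03 09:00"), _dt("2026-02-03 12:00")),
    ("carol", "exchange-admin", _dt("2026-02-05 14:00"), _dt("2026-02-05 15:00")),
    ("dave", "security-admin", _dt("2026-02-10 08:00"), _dt("2026-02-10 14:00")),
    ("eve", "user-admin", _dt("2026-02-12 10:00"), _dt("2026-02-12 11:00")),
    ("frank", "priv-role-admin", _dt("2026-02-14 09:00"), _dt("2026-02-14 13:00")),
    ("grace", "helpdesk-admin", _dt("2026-02-18 11:00"), _dt("2026-02-18 12:00")),
    ("breakglass-01", "global-admin", _dt("2026-02-20 02:00"), _dt("2026-02-20 07:00")),
]
REVIEW_START = _dt("2026-02-01 00:00")   # review month: February 2026
REVIEW_END = _dt("2026-03-01 00:00")


def in_window(activations, start, end):
    return [a for a in activations if start <= a[2] < end]


def standing_ratio(assignments):
    """Share of privileged assignments that are standing (target <10%)."""
    return sum(1 for a in assignments if a[2] == "standing") / len(assignments)


def avg_activation_hours(activations, start, end):
    """Mean activation duration in the review window (target <4 hours)."""
    acts = in_window(activations, start, end)
    return sum((a[3] - a[2]).total_seconds() for a in acts) / 3600 / len(acts)


def emergency_events(activations, start, end):
    """Break-glass activations in the window (target <1/month; each gets an incident review)."""
    return sum(1 for a in in_window(activations, start, end) if a[0] in EMERGENCY_ACCOUNTS)


def orphaned_assignments(assignments, active_principals):
    """Privileged assignments whose principal is gone or disabled (target 0)."""
    return sorted({a[0] for a in assignments if a[0] not in active_principals})


def unused_eligible(assignments, activations, as_of, days=90):
    """Eligible assignments with no activation in `days` (monthly check: disable/remove)."""
    cutoff = as_of - timedelta(days=days)
    recent = {(a[0], a[1]) for a in activations if a[2] >= cutoff}
    return sorted((p, r) for p, r, kind in assignments
                  if kind == "eligible" and (p, r) not in recent)


def monthly_review(assignments, activations, active_principals, start, end):
    """Metric values paired with whether the target from the table is met."""
    standing = standing_ratio(assignments)
    avg_h = avg_activation_hours(activations, start, end)
    emerg = emergency_events(activations, start, end)
    orphans = orphaned_assignments(assignments, active_principals)
    return {
        "standing_admin_ratio": (standing, standing < 0.10),
        "avg_activation_hours": (avg_h, avg_h < 4),
        "emergency_access_events": (emerg, emerg < 1),
        "orphaned_privileged_accounts": (len(orphans), len(orphans) == 0),
    }


if __name__ == "__main__":
    for k, v in monthly_review(ASSIGNMENTS, ACTIVATIONS, ACTIVE_PRINCIPALS,
                               REVIEW_START, REVIEW_END).items():
        print(f"{k}: {v[0]} (target met: {v[1]})")
    print("orphaned:", orphaned_assignments(ASSIGNMENTS, ACTIVE_PRINCIPALS))
    print("unused eligible:", unused_eligible(ASSIGNMENTS, ACTIVATIONS, REVIEW_END))
```

The orphaned assignment for a departed principal and the unused eligible assignments are the two findings a reviewer would act on first; the standing-admin ratio of 25% against a target of under 10% is the metric that feeds the standing vs. eligible discussion in the monthly review.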

Step 4: Identity Security Monitoring

Objective: Detect and respond to identity-based threats

Daily Monitoring Activities:

- [ ] Review high-risk sign-in alerts
- [ ] Check risky user detections
- [ ] Monitor privileged access activations
- [ ] Review authentication failures
- [ ] Check for anomalous behavior
- [ ] Validate MFA bypass attempts

Alert Response Procedures:

| Alert Type | Severity | Initial Response | Escalation |
|------------|----------|------------------|------------|
| Compromised account | Critical | Immediate disable | Security team |
| Impossible travel | High | Verify with user | If unconfirmed |
| MFA bypass attempt | High | Block + investigate | Security team |
| Privilege escalation | High | Review + validate | IT Manager |
| Failed auth spike | Medium | Monitor pattern | If persistent |

Weekly Security Review:

- [ ] Risk score trend analysis
- [ ] Authentication success/failure rates
- [ ] MFA adoption metrics
- [ ] Guest access activity
- [ ] Service account behavior
- [ ] Policy effectiveness

Duration: 2-3 hours daily, 4 hours weekly
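Two of the alert types in the response table, impossible travel and failed-auth spike, can be illustrated end to end with detection logic over sign-in events. The following added example (not part of this SOP or of any identity provider's detection engine) runs both detections over constructed sign-in records and tags each hit with the severity, initial response and escalation rule from the table. The event format, the 900 km/h plausibility limit and the "10 failures in 10 minutes" threshold are this example's assumptions.

```python
"""Identity sign-in alert triage (added example, Python).

Detects impossible travel (consecutive successful sign-ins by one user
that would require an implausible speed) and failed-authentication spikes
(many failures for one user in a short window) over constructed sign-in
events, then maps each alert to the response table in Step 4.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0           # assumption: roughly airline speed
FAIL_THRESHOLD = 10                 # assumption: failures per window
FAIL_WINDOW = timedelta(minutes=10)

# (severity, initial response, escalation) from the Alert Response table.
RESPONSE = {
    "impossible_travel": ("High", "Verify with user", "If unconfirmed"),
    "failed_auth_spike": ("Medium", "Monitor pattern", "If persistent"),
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(events):
    """One alert per user for the first pair of sign-ins that is too fast to be real."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km == 0:
                continue                      # same location, nothing to assess
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > MAX_PLAUSIBLE_KMH:
                alerts.append({"user": user, "detection": "impossible_travel",
                               "km": round(km), "hours": round(hours, 2), "kmh": round(kmh)})
                break
    return alerts


def failed_auth_spikes(events):
    """Sliding window over each user's failures; alert when FAIL_THRESHOLD fall within FAIL_WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                alerts.append({"user": user, "detection": "failed_auth_spike",
                               "count": end - start + 1, "window_start": stamps[start]})
                break
    return alerts


def triage(events):
    """Run both detections and attach the table's severity and response to each alert."""
    alerts = impossible_travel(events) + failed_auth_spikes(events)
    for a in alerts:
        sev, first, esc = RESPONSE[a["detection"]]
        a.update(severity=sev, initial_response=first, escalation=esc)
    return sorted(alerts, key=lambda a: (a["user"], a["detection"]))


# Constructed sign-in events for one day (timestamps, users and coordinates invented).
BASE = datetime(2026, 2, 9)


def ev(hhmm, user, result, lat, lon):
    h, m = map(int, hhmm.split(":"))
    return {"ts": BASE + timedelta(hours=h, minutes=m), "user": user,
            "result": result, "lat": lat, "lon": lon}


SAMPLE_EVENTS = (
    [ev("08:00", "alice", "success", 50.11, 8.68),    # Frankfurt
     ev("08:45", "alice", "success", 1.35, 103.82),   # Singapore, 45 minutes later
     ev("09:00", "bob", "success", 51.50, -0.12),     # London
     ev("12:00", "bob", "success", 48.86, 2.35)]      # Paris, 3 hours later
    + [{"ts": BASE + timedelta(hours=10, seconds=20 * i), "user": "carol",
        "result": "failure", "lat": 40.71, "lon": -74.01} for i in range(12)]
    + [ev(t, "dave", "failure", 52.37, 4.90) for t in ("11:00", "11:15", "11:30", "11:45")]
)

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a)
```

The daily activity "Review high-risk sign-in alerts" starts from output of this shape: the impossible-travel hit goes to user verification first and to the security team only if unconfirmed, while the failed-auth spike is monitored and escalated only if the pattern persists, exactly as the table prescribes.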

Step 5: Compliance Reporting

Objective: Maintain evidence for regulatory and audit requirements

Standard Reports:

| Report | Frequency | Audience | Purpose |
|--------|-----------|----------|---------|
| Access certification summary | Quarterly | Compliance/Audit | SOC 2, ISO |
| Privileged access report | Monthly | Security/Management | Risk oversight |
| Authentication metrics | Monthly | IT/Security | Operational |
| Exception report | Quarterly | Compliance | Risk acceptance |
| Policy compliance | Quarterly | Management | Governance |

Compliance Framework Mapping:

| Framework | IAM Controls | Evidence Required |
|-----------|--------------|-------------------|
| SOC 2 | CC6.1, CC6.2, CC6.3 | Access reviews, MFA, provisioning |
| ISO 27001 | A.9.1-A.9.4 | Access control policy, reviews |
| HIPAA | 164.312(d) | Unique user identification, audit |
| NIST CSF | PR.AC-1-7 | Access control, authentication |

Audit Support:

- [ ] Maintain evidence repository
- [ ] Quarterly evidence collection
- [ ] Pre-audit readiness review
- [ ] Auditor request support
- [ ] Finding remediation tracking

Duration: 4-8 hours quarterly

Step 6: Continuous Improvement

Objective: Evolve IAM capabilities based on metrics and feedback

Improvement Sources:

- Access review findings
- Security incident lessons learned
- User feedback
- Technology advancements
- Regulatory changes
- Industry benchmarking

Quarterly Improvement Review:

1. Analyze IAM metrics trends
2. Review security incidents involving identity
3. Assess policy effectiveness
4. Gather stakeholder feedback
5. Research emerging best practices
6. Prioritize improvement initiatives
7. Update roadmap

Improvement Metrics:

| Metric | Current | Target | Initiative |
|--------|---------|--------|------------|
| Time to provision | X hours | <8 hours | Automation |
| Time to revoke | X hours | <1 hour | Integration |
| MFA coverage | X% | 100% | Enforcement |
| Access review completion | X% | >95% | Process |

Annual IAM Maturity Assessment:

- [ ] Benchmark against industry standards
- [ ] Assess maturity across IAM domains
- [ ] Identify capability gaps
- [ ] Develop multi-year roadmap
- [ ] Present to leadership

Duration: 8 hours quarterly, 16+ hours annually


Deliverables

| Deliverable | Format | Owner | Frequency |
|-------------|--------|-------|-----------|
| Access Certification Report | PDF | Lead Consultant | Quarterly |
| Privileged Access Report | PDF | Technical Analyst | Monthly |
| IAM Security Dashboard | Dashboard | Technical Analyst | Continuous |
| Policy Review Documentation | Word | Lead Consultant | Per review |
| Compliance Evidence Package | Various | Engagement Manager | Quarterly |
| IAM Metrics Report | PDF/Excel | Technical Analyst | Monthly |
| Improvement Roadmap | Excel/PPT | Engagement Manager | Quarterly |

Quality Gates

  • Access certifications completed on schedule
  • Privileged access reviews conducted monthly
  • Security alerts triaged within SLA
  • Policies reviewed per schedule
  • Compliance evidence maintained
  • Metrics tracked and reported
  • Improvement initiatives progressing
  • Stakeholder satisfaction maintained


Last Updated: February 2026