Access Review Procedure
Implements: Access Control Policy Section 5 (Access Review)
Owner: Security Lead
Last Updated: 21 May 2026
Next Review: 21 November 2026
Schedule
Access reviews are conducted quarterly (March, June, September, December) and immediately when:
- A team member leaves the organisation
- A role change removes the need for previous access
- A security incident suggests unauthorised access
Scope
| System | What to Review | How to Check |
|---|---|---|
| GitHub (our GitHub organisation) | Members and their role (member/owner), teams, outside collaborators, deploy keys | Organisation Settings > People, Teams, Outside collaborators; deploy keys are per repository under Repository Settings > Deploy keys |
| Cloudflare | Account members, API tokens, Workers Secrets access | Cloudflare Dashboard > Members, API Tokens |
| Admin Portal | Admin users, role assignments (viewer/admin/super_admin) | provii-management user list endpoint |
| Domain registrar | Account access | Registrar dashboard |
| Email | Mailbox access, aliases | Email provider admin |
Review Steps
1. Export Current Access
For each system in scope, list every user and every non-human credential (deploy keys, API tokens) together with its access level. Keep the export; it is part of the review evidence.
2. Compare Against Authorised List
Check each user against:
- Current employees/contractors (from contractor tracking template)
- Their current role and whether it requires this access
- The principle of least privilege: does anyone hold more access than their current role requires (for example, admin where member would do)?
3. Remove Unnecessary Access
For any user who:
- No longer works with Maelstrom AI → remove immediately
- Has changed roles and no longer needs this access → remove or downgrade
- Has access beyond what their role requires → downgrade
4. Document
Record the review in a simple table:
| User | System | Current Access | Action | Justification |
|---|---|---|---|---|
| Example | GitHub | Admin | Keep | ISMS Owner; role requires admin |
| Example | Cloudflare | Member | Remove | Contract ended |
5. Sign Off
Security Lead signs off on the completed review. The review document is saved for audit evidence.
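Steps 1 to 4 are mechanical enough to script. The following is an added example (not part of this procedure or any Maelstrom AI tooling) that takes the per-system export from step 1 and the authorised list from step 2, decides Keep/Remove/Downgrade per entry as step 3 describes, and prints the step 4 table. The Admin Portal role names come from the scope table above; the GitHub and Cloudflare role names, the roster format and all sample rows are constructed assumptions for the example.

```python
"""Access review reconciliation: compare exported access with the authorised
list and produce the review table.  Added example with constructed data."""
from dataclasses import dataclass

# Roles ordered from least to most privileged, per system.  Admin Portal roles
# are from the scope table; the GitHub and Cloudflare names are assumptions.
ROLE_ORDER = {
    "GitHub": ["member", "admin"],
    "Cloudflare": ["member", "administrator", "super administrator"],
    "Admin Portal": ["viewer", "admin", "super_admin"],
}


@dataclass(frozen=True)
class ReviewRow:
    user: str
    system: str
    current: str
    action: str          # Keep | Remove | Downgrade | Review
    justification: str


def _rank(system, role):
    """Position of a role in its system's privilege order, or None if unknown."""
    order = ROLE_ORDER.get(system, [])
    role = role.lower()
    return order.index(role) if role in order else None


def review(exported, authorised):
    """exported: list of {"user", "system", "role"} from step 1.
    authorised: {user: {"active": bool, "role": str, "access": {system: max_role}}}
    from the contractor tracking template.  Usernames match case-insensitively."""
    rows = []
    for entry in exported:
        user, system, current = entry["user"].lower(), entry["system"], entry["role"]
        person = authorised.get(user)
        if person is None:
            rows.append(ReviewRow(user, system, current, "Remove",
                                  "Not a current employee/contractor"))
        elif not person["active"]:
            rows.append(ReviewRow(user, system, current, "Remove",
                                  "Contract/employment ended"))
        elif (allowed := person["access"].get(system)) is None:
            rows.append(ReviewRow(user, system, current, "Remove",
                                  f"Role {person['role']} does not require {system} access"))
        else:
            have, need = _rank(system, current), _rank(system, allowed)
            if have is None or need is None:
                # Unknown role name: never auto-approve it, send to manual review.
                rows.append(ReviewRow(user, system, current, "Review",
                                      f"Unknown role name {current!r}; check manually"))
            elif have > need:
                rows.append(ReviewRow(user, system, current, "Downgrade",
                                      f"Role {person['role']} requires {allowed}, not {current}"))
            else:
                rows.append(ReviewRow(user, system, current, "Keep",
                                      f"Role {person['role']} requires {allowed}"))
    return rows


def to_markdown(rows):
    """Render rows in the step 4 table layout."""
    lines = ["| User | System | Current Access | Action | Justification |",
             "|---|---|---|---|---|"]
    lines += [f"| {r.user} | {r.system} | {r.current} | {r.action} | {r.justification} |"
              for r in rows]
    return "\n".join(lines)


# Constructed sample export (what step 1 would produce).
EXPORTED = [
    {"user": "alice", "system": "GitHub", "role": "admin"},
    {"user": "Bob", "system": "GitHub", "role": "admin"},
    {"user": "bob", "system": "Cloudflare", "role": "member"},
    {"user": "carol", "system": "Admin Portal", "role": "super_admin"},
    {"user": "dave", "system": "Admin Portal", "role": "owner"},
]

# Constructed sample roster (what step 2 compares against).
AUTHORISED = {
    "alice": {"active": True, "role": "Security Lead",
              "access": {"GitHub": "admin", "Cloudflare": "administrator"}},
    "bob": {"active": False, "role": "Contractor", "access": {}},
    "carol": {"active": True, "role": "Support", "access": {"Admin Portal": "viewer"}},
    "dave": {"active": True, "role": "Engineer", "access": {"Admin Portal": "admin"}},
}

if __name__ == "__main__":
    print(to_markdown(review(EXPORTED, AUTHORISED)))
```

Two design points worth keeping if you adapt this: an unknown role name is routed to manual review rather than treated as acceptable, because a new role appearing in an export is itself a finding; and the match is on a normalised username, so a differently-cased login for a departed contractor is still caught.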
Immediate Revocation (Offboarding)
When someone leaves:
- GitHub: Remove from our GitHub organisation
- Cloudflare: Remove account membership and revoke the API tokens they created; any shared or account-level token whose value they knew must be rotated, not just left in place
- Admin Portal: Disable their admin account
- Rotate shared secrets: If the person had access to production secrets (including Workers Secrets and any deploy keys they generated), rotate them
- Confirm removal by re-checking each system's member list rather than by signing in with the person's credentials; for GitHub, for example, `GET /orgs/{org}/members/{username}` (or `gh api orgs/ORG/members/USERNAME`) returns 404 once the user is no longer a member
- Document in the offboarding checklist