Control mapping: HIPAA §164.312(a)(1), §164.308(a)(4); CIS Controls 5 & 6
Provisioning, least privilege, and de-provisioning of system access.
Purpose
This policy ensures that access to Dunder Mifflin information systems and data, including ePHI, is granted on the principle of least privilege and is revoked promptly when no longer required.
Policy
Access is granted based on documented job role and the minimum necessary to perform assigned duties.
Each user is assigned a unique account; shared or generic accounts are prohibited except where technically unavoidable and individually approved.
Access is formally requested, approved by the data or system owner, and recorded before it is granted.
User access rights are reviewed at least quarterly and recertified by management.
Access is disabled within 24 hours of a workforce member's separation or change of role, and associated credentials are revoked.
Privileged (administrative) accounts are inventoried, restricted to authorized personnel, and used only for administrative tasks.
Emergency Access
Procedures exist to obtain necessary ePHI during an emergency. Emergency access is logged, time-limited, and reviewed after use.
Roles & Responsibilities
Executive management is accountable for the security program and for providing the resources needed to sustain it.
The designated Security Official owns this policy, reviews it at least annually, and approves exceptions.
Methodology IT, as the managed services provider, implements and operates the technical controls described here on behalf of Dunder Mifflin.
All workforce members are responsible for complying with this policy and reporting suspected violations.
Enforcement & Exceptions
Compliance with this policy is mandatory. Violations may result in disciplinary action up to and including termination of employment or contracts, and may carry civil or criminal liability.
Any exception must be requested in writing, justified by a documented business need, risk-assessed, and approved by the Security Official before it takes effect. Approved exceptions are reviewed at least annually.