Aligned with NIST SP 800-53r5 controls AC-6 (Least Privilege), AC-2(4), AC-17(1), AU-2 and AU-6, and with FCA compliance, emphasizing access control, justification, auditability, risk management and best practices.
Version: 1.0
Classification: Confidential – Internal Use Only
Owner: Security Governance Team
Purpose: To formally request, justify, and authorize elevated/privileged access for users in critical systems.
Describe the business justification for elevated access. Include tasks to be performed, project name, and criticality.
[Free text field – minimum 200 characters. Example: “As a Security Analyst, I require privileged access to the SIEM and firewall management consoles to investigate threats and configure alerts as part of Xcavate's SOC incident response.”]
Section C: Risk Assessment
| Question | Response (Y/N/NA) | Explanation / Mitigation |
|---|---|---|
| Can this task be performed using standard access? | | |
| Does this role require ongoing privileged access or is it time-bound? | | |
| Are there segregation of duties concerns? | | |
| Is logging enabled for the requested system(s)? | | |
| Will access be monitored or reviewed regularly? | | |
Section D: Access Duration and Expiry
| Field | Entry |
|---|---|
| Start Date | |
| End Date (if temporary) | |
| Recertification Interval | ☐ Quarterly ☐ Bi-annually ☐ Annually |
Section E: Authorizations
| Role | Name | Signature | Date |
|---|---|---|---|
| Line Manager | | | |
| System Owner | | | |
| Security Officer | | | |
| Compliance Reviewer | | | |
Section F: Reviewer Notes
Security and compliance team to complete:
[Free text field – audit trail comments, e.g., user assigned to privileged user group “Azure-Privileged-Admin”; access logged in PAM vault]
Notes:
All privileged access requests must be reviewed at least quarterly.
Privileged access must be removed immediately upon role change, departure, or end of task.
Violations may trigger audit review or disciplinary action.