RISK-0010
Risk summary
- Likelihood
- 4
- Impact
- 4
- Score
- 16
- Level
- High
- 01
Asset
Current access rights, group memberships, privileged roles, cloud subscriptions, physical access, third-party access, and access review records.
Business object or system that needs protection. - 02
Threat
Unauthorized data access, excessive privilege use, former-role access, third-party persistence, or privilege escalation through stale group memberships.
Event, actor, or condition that can create harm. - 03
Vulnerability
Access requests, reviews, removals, mover updates, leaver removals, privileged reviews, and shared credential changes are not consistently recorded or completed.
Weakness that makes the threat relevant. - 04
Risk
Because access rights are not reviewed, modified, and removed after role, employment, supplier, or system changes, users may retain access that is no longer justified.
Scenario evaluated with likelihood, impact, and ownership. - 05
Treatment
Mitigate through formal access request records, owner approval, rights registers, scheduled reviews, leaver/mover removal evidence, privileged-access review, and completed correction records.
Decision path for reducing, accepting, transferring, or avoiding risk.
Controls that treat the risk
Evidence that proves operation
Assessment Rationale
Likelihood
The likelihood is high because access rights decay as people move, projects end, suppliers change, and systems accumulate groups. Without review and removal evidence, stale access is expected.
Impact
The impact is high because stale access undermines least privilege, increases breach blast radius, weakens accountability, and often creates direct audit findings.
Residual Risk
After treatment, residual risk is estimated as medium when reviews compare actual access to approved access and removal evidence proves exceptions were corrected.
Review Notes
Review after access review findings, leaver incidents, supplier offboarding, privileged access changes, and major identity or authorization model changes.
Software Object Mapping
- risk
- access_rights
- control
- evidence
- Iso27005
- Risk
- Iso27001
- Access rights
Note Metadata
Aliases: RISK-0010
Source: 05-Risk-Knowledge-Base/RISK-0010-Stale-Access-Rights-After-Business-Change.md