UnixTime

Research Note

RISK-0010 Stale Access Rights After Business Change

Because access rights are not reviewed, modified, and removed after role, employment, supplier, or system changes, users may retain access that is no longer justified.

On this page

RISK-0010

Risk summary

Likelihood
4
Impact
4
Score
16
Level
High
  1. 01

    Asset

    Current access rights, group memberships, privileged roles, cloud subscriptions, physical access, third-party access, and access review records.

    Business object or system that needs protection.
  2. 02

    Threat

    Unauthorized data access, excessive privilege use, former-role access, third-party persistence, or privilege escalation through stale group memberships.

    Event, actor, or condition that can create harm.
  3. 03

    Vulnerability

    Access requests, reviews, removals, mover updates, leaver removals, privileged reviews, and shared credential changes are not consistently recorded or completed.

    Weakness that makes the threat relevant.
  4. 04

    Risk

    Because access rights are not reviewed, modified, and removed after role, employment, supplier, or system changes, users may retain access that is no longer justified.

    Scenario evaluated with likelihood, impact, and ownership.
  5. 05

    Treatment

    Mitigate through formal access request records, owner approval, rights registers, scheduled reviews, leaver/mover removal evidence, privileged-access review, and completed correction records.

    Decision path for reducing, accepting, transferring, or avoiding risk.

Assessment Rationale

Likelihood

The likelihood is high because access rights decay as people move, projects end, suppliers change, and systems accumulate groups. Without review and removal evidence, stale access is expected.

Impact

The impact is high because stale access undermines least privilege, increases breach blast radius, weakens accountability, and often creates direct audit findings.

Residual Risk

After treatment, residual risk is estimated as medium when reviews compare actual access to approved access and removal evidence proves exceptions were corrected.

Review Notes

Review after access review findings, leaver incidents, supplier offboarding, privileged access changes, and major identity or authorization model changes.

Software Object Mapping

  • risk
  • access_rights
  • control
  • evidence
  • Iso27005
  • Risk
  • Iso27001
  • Access rights

Note Metadata

Aliases: RISK-0010

Source: 05-Risk-Knowledge-Base/RISK-0010-Stale-Access-Rights-After-Business-Change.md