Access Certification Process: What It Is, How It Works, and Why It Matters for Your Organization

Introduction: Why the Access Certification Process Can No Longer Be Ignored

Every year, thousands of organizations around the world suffer data breaches — not because of sophisticated cyberattacks, but because of something far more preventable: employees, contractors, and former staff members who had access to systems and data they should never have been allowed to touch. According to the 2023 Verizon Data Breach Investigations Report, over 74% of all breaches involve some form of privilege misuse or human error. At the heart of fixing this problem lies a discipline known as the access certification process.

The access certification process — also called access review, entitlement review, or user access review — is a formal, repeatable workflow in which organizations regularly verify, validate, and either approve or revoke user access rights to critical systems, applications, and data. It is not a one-time event. It is an ongoing governance practice that sits at the core of modern Identity and Access Management (IAM) programs.

Whether you are a security professional, an IT administrator, a compliance officer, or a business leader trying to understand how your organization manages digital risk, this article will walk you through everything you need to know about the access certification process — from foundational concepts to real-world implementation strategies, regulatory requirements, and common pitfalls to avoid.

“Access governance is not just a compliance checkbox. It is a strategic security control that, when done right, dramatically reduces an organization’s attack surface.”
Gartner, Identity and Access Management Market Guide, 2023


What Is the Access Certification Process?

The access certification process is a structured review cycle in which designated reviewers — typically managers, application owners, or data owners — evaluate the access rights of users within an organization and certify whether those rights are still appropriate, necessary, and compliant with the organization’s security policies.

At its simplest, the process answers three fundamental questions:

  1. Who has access to what?
  2. Should they still have that access?
  3. What happens if they shouldn’t?

These questions sound straightforward, but in large enterprises with hundreds of applications, thousands of users, and millions of access entitlements, answering them systematically is an enormous operational and governance challenge. That is exactly why structured access certification workflows exist.

Key Terms You Need to Know

| Term | Definition |
| --- | --- |
| Entitlement | A specific permission or role granted to a user (e.g., read, write, admin) |
| Certifier | The person responsible for reviewing and approving or revoking access |
| Campaign | A scheduled access review cycle targeting a specific group of users or systems |
| Remediation | The action taken to revoke or modify access that has been flagged as inappropriate |
| Attestation | The formal act of a reviewer confirming that access is appropriate |
| Orphaned Account | A user account with no active owner, often left behind after an employee departs |
| Toxic Combination | Two or more access rights that, when combined, create a Segregation of Duties (SoD) conflict |

Why the Access Certification Process Is Critical for Cybersecurity

The access certification process is not just a bureaucratic exercise. It serves as one of the most powerful preventive controls an organization can deploy. Here is why it matters so deeply.

1. The Principle of Least Privilege

The most foundational concept in access security is the Principle of Least Privilege (PoLP) — users should have access only to what they need to do their jobs, and nothing more. In practice, access creep happens constantly. Employees get promoted, change roles, take on temporary projects, and accumulate permissions over time that they no longer need. Without regular access certification, these excess permissions pile up invisibly, creating massive exposure.

2. Insider Threat Reduction

Insider threats — whether malicious or accidental — represent one of the fastest-growing categories of cybersecurity risk. The IBM Cost of a Data Breach Report 2023 found that insider threat incidents cost organizations an average of $4.9 million per breach, 9.5% more than the average breach overall. Regular access reviews dramatically shrink the window of opportunity for both malicious insiders and compromised accounts to cause damage.

3. Regulatory Compliance Requirements

Many of the world’s most important data security and privacy regulations explicitly require some form of periodic access review. Failing to perform access certifications can result in massive fines, audit failures, and reputational damage. The most commonly cited regulations include:

  • SOX (Sarbanes-Oxley Act) — Requires strict controls over access to financial systems, with annual access reviews as a core control.
  • HIPAA (Health Insurance Portability and Accountability Act) — Mandates regular review of who has access to protected health information (PHI).
  • PCI-DSS (Payment Card Industry Data Security Standard) — Requires quarterly reviews of access rights for systems that store, process, or transmit cardholder data.
  • GDPR (General Data Protection Regulation) — Mandates appropriate access controls and accountability for personal data.
  • ISO 27001 — Access control reviews are a core requirement under Annex A.9.
  • NIST SP 800-53 — Includes access certifications as part of the AC (Access Control) control family.

Citation: The access certification process is formally referenced in regulatory frameworks including SOX Section 404, HIPAA Security Rule §164.308(a)(4), and PCI-DSS Requirement 7. For a technical overview, see the NIST Access Control Guidelines.


How the Access Certification Process Works: A Step-by-Step Breakdown

Understanding the mechanics of the access certification process is essential for any organization looking to implement or improve its IAM program. Below is a comprehensive, step-by-step walkthrough of how a typical access certification campaign runs.

Step 1: Define the Scope and Objectives

Before any campaign can begin, the security or IAM team must clearly define what the review will cover. This includes:

  • Which applications or systems will be reviewed (e.g., Active Directory, Salesforce, SAP, cloud platforms)
  • Which users or groups are in scope (e.g., all employees, privileged users, third-party contractors)
  • Which types of entitlements will be reviewed (e.g., role assignments, group memberships, permissions)
  • The review frequency — quarterly, semi-annually, or annually depending on the risk level of the system

High-risk systems such as those hosting financial data, PII, or critical infrastructure should be reviewed more frequently than low-risk internal productivity tools.

Step 2: Pull the Access Data (Entitlement Data Collection)

The next step is to aggregate and normalize entitlement data from all in-scope systems. This is often where organizations face their biggest technical challenges, because access data is scattered across dozens or hundreds of siloed systems, each with its own data format and identity model.

Modern IAM platforms (such as SailPoint, Saviynt, Oracle Identity Governance, or Microsoft Entra ID Governance) automate this data aggregation through connectors that pull entitlement data directly from source systems. Without automation, this step often requires hours of manual CSV exports, spreadsheet consolidation, and data cleansing — a process prone to errors and gaps.

Key data points collected during this phase include:

  • User name and employee ID
  • Job title and department
  • Manager name
  • Application name and environment (production vs. non-production)
  • Specific roles or permissions held
  • Date the access was granted
  • Last login date or access activity data

Step 3: Assign Certifiers and Launch the Campaign

Once the data is collected and organized, the certifiers (reviewers) are assigned. Depending on the review type, the certifier may be:

  • The user’s manager (most common for user-focused reviews)
  • An application owner or system administrator (for application-centric reviews)
  • A data owner or data steward (for data-centric reviews)
  • A risk or compliance officer (for privileged access reviews)

The campaign is then launched — typically through an IAM platform that sends automated notifications to certifiers and presents them with a structured review interface showing each user’s access entitlements.

Step 4: Certifiers Review and Make Decisions

This is the core activity of the access certification process. For each access entitlement presented, the certifier must make one of several decisions:

| Decision | Meaning |
| --- | --- |
| Approve / Certify | The user should retain this access — it is appropriate and necessary |
| Revoke | The user should lose this access — it is no longer needed or appropriate |
| Modify | The user’s access level should be changed (e.g., downgraded from admin to read-only) |
| Reassign | Send the review item to another certifier who is better positioned to make the decision |
| Abstain / Escalate | Flag for further investigation or escalation to a risk team |

Best practice: Certifiers should not simply mark every access item “Approve” without genuine review, a behavior known as “rubber-stamping” or “access certification fatigue.” This is one of the most common and dangerous failure modes of access certification programs and is discussed in detail later in this article.

Step 5: Automated Remediation of Revoked Access

When a certifier decides to revoke access, the remediation action must actually take place in the source system. This is where the value of automated IAM platforms becomes most apparent. Modern platforms can:

  • Automatically trigger access revocation in connected systems within minutes of a certifier’s decision
  • Create a ticketing request in ITSM systems like ServiceNow for manual revocations in non-connected systems
  • Generate an audit trail of the decision, the certifier, the timestamp, and the action taken
  • Send notifications to the affected user and their manager

Manual remediation processes — where someone reads the certifier’s decision from a spreadsheet and then manually removes access — introduce delays that can extend the risk window by days or even weeks.

Step 6: Escalation and Exception Handling

Not every access certification decision is straightforward. Some items require escalation because:

  • The certifier is unavailable or has left the organization
  • The access item involves a sensitive or privileged account requiring a second-level review
  • A conflict of interest exists (e.g., a manager reviewing their own access)
  • Business justification is needed before access can be revoked (e.g., a contractor mid-project)

A mature access certification process will have well-defined escalation paths and exception-handling procedures built in, including deadlines for escalation responses and automatic revocation triggers if no response is received.

Step 7: Reporting, Sign-Off, and Evidence Collection

Every access certification campaign must conclude with comprehensive documentation and reporting — both for internal governance purposes and for external audit evidence. Key deliverables at the close of a campaign include:

  • Campaign completion report — summary of items reviewed, approved, revoked, and pending
  • Certifier participation report — who completed their reviews, who did not, and completion rates
  • Remediation report — confirmation that revoked access was actually removed from source systems
  • Exception report — list of any access items that were granted exceptions and the business justification
  • Audit evidence package — timestamped records of every certifier decision for regulatory compliance

Types of Access Certification Campaigns

The access certification process is not one-size-fits-all. Organizations typically run several distinct types of campaigns depending on their risk posture and compliance requirements.

1. User Access Reviews (Manager-Based Certifications)

The most common type. Managers review all access held by their direct reports and certify whether it is still appropriate for their current role. These are often run quarterly or annually across the entire organization.

2. Application Owner Certifications

Application owners review all users who have access to their specific application. This is particularly valuable for high-risk systems like ERP platforms, HR systems, and financial applications.

3. Privileged Access Reviews

A focused review of accounts with elevated privileges — system administrators, database administrators, root-level accounts, service accounts, and shared accounts. Because of their elevated risk, privileged accounts should be reviewed more frequently — at minimum quarterly, and ideally monthly or continuously for the highest-risk accounts.

4. Role Certification

Rather than reviewing individual user entitlements, role certifications review the definition of roles themselves — verifying that the permissions bundled within each role are still appropriate and free of Segregation of Duties (SoD) conflicts. This is sometimes called “role mining” when done as an analytical exercise.

5. Contractor and Third-Party Reviews

Third-party vendors, contractors, and partners often hold access to critical systems but are not subject to the same onboarding and offboarding controls as employees. Dedicated contractor access reviews ensure these accounts do not become persistent backdoors.

6. Emergency or Event-Driven Certifications

Triggered by specific risk events such as a merger or acquisition, a major reorganization, a security incident, a system migration, or the departure of a key employee. These campaigns may be unscheduled and run on short notice.


Access Certification Process Best Practices

Running a technically functional access certification campaign is table stakes. Running a high-quality, risk-intelligent access certification program requires adherence to proven best practices.

✅ Automate Wherever Possible

Manual access certification — running reviews through spreadsheets and email chains — is slow, error-prone, and leaves significant audit gaps. Automation through an IAM platform reduces review cycle time by up to 80% while dramatically improving data accuracy and audit trail completeness.

✅ Use Risk-Based Prioritization

Not all access is equally risky. Apply risk scoring to prioritize review resources on the entitlements that matter most — privileged accounts, access to sensitive data, and accounts with toxic combinations of permissions.
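One way to turn the Step 2 data points into a risk-ranked review queue, as an added example that is not code from this article or from any IGA product. The weights, the 90-day dormancy threshold, the privileged markers, the SoD pair, the fallback certifier name and all sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed policy values for this example (assumptions, not from the article).
DORMANT_AFTER_DAYS = 90
PRIVILEGED_MARKERS = ("admin", "root", "dba")
TOXIC_PAIRS = [  # entitlement pairs one user must not hold together (SoD)
    (("SAP", "create_vendor"), ("SAP", "approve_payment")),
]
WEIGHTS = {"orphaned": 50, "sod": 40, "privileged": 30, "dormant": 20}


@dataclass(frozen=True)
class Entitlement:
    user: str
    manager: Optional[str]
    app: str
    permission: str
    granted: date
    last_login: Optional[date]  # None means the access was never used


@dataclass
class ReviewItem:
    entitlement: Entitlement
    certifier: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def flag(self, reason):
        self.score += WEIGHTS[reason]
        self.reasons.append(reason)


def pick_certifier(e, active_users, fallback):
    """Route to the manager unless that would be a self-review, or the
    manager is missing or no longer active (the Step 6 escalation cases)."""
    if e.manager and e.manager != e.user and e.manager in active_users:
        return e.manager
    return fallback


def build_queue(entitlements, active_users, today, fallback="iam-risk-team"):
    """Return review items sorted so the riskiest access is reviewed first."""
    held = {}
    for e in entitlements:
        held.setdefault(e.user, set()).add((e.app, e.permission))

    queue = []
    for e in entitlements:
        item = ReviewItem(e, pick_certifier(e, active_users, fallback))
        if e.user not in active_users:
            item.flag("orphaned")  # account owner is not on the HR roster
        mine = (e.app, e.permission)
        if any(mine in pair and set(pair) <= held[e.user] for pair in TOXIC_PAIRS):
            item.flag("sod")  # user holds both halves of a toxic combination
        if any(m in e.permission.lower() for m in PRIVILEGED_MARKERS):
            item.flag("privileged")
        if e.last_login is None or (today - e.last_login).days > DORMANT_AFTER_DAYS:
            item.flag("dormant")
        queue.append(item)
    return sorted(queue, key=lambda i: -i.score)  # stable: ties keep input order


# Constructed sample data: five entitlement records and the active HR roster.
TODAY = date(2024, 6, 1)
ACTIVE = {"alice", "bob", "carol"}
SAMPLE = [
    Entitlement("alice", "carol", "SAP", "create_vendor", date(2022, 1, 10), date(2024, 5, 20)),
    Entitlement("alice", "carol", "SAP", "approve_payment", date(2023, 3, 1), date(2024, 5, 20)),
    Entitlement("bob", "carol", "Salesforce", "read", date(2023, 9, 4), date(2024, 5, 30)),
    Entitlement("dave", "carol", "Active Directory", "Domain Admin", date(2021, 6, 15), date(2023, 11, 1)),
    Entitlement("carol", "carol", "Salesforce", "System Administrator", date(2020, 2, 2), date(2024, 5, 28)),
]

if __name__ == "__main__":
    for item in build_queue(SAMPLE, ACTIVE, TODAY):
        e = item.entitlement
        print(f"{item.score:>3} {e.user:<6} {e.app}:{e.permission:<22} "
              f"-> {item.certifier:<14} {', '.join(item.reasons) or 'routine'}")
```

Items that score zero are the candidates for the reduced-scope or continuous-monitoring treatment described under certification fatigue.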

✅ Fight Certification Fatigue

When certifiers are presented with thousands of access items to review, they often resort to mass-approving everything without genuine review. Combat this by:

  • Reducing review scope for low-risk access through pre-approval or continuous monitoring
  • Providing context to certifiers — showing last login dates, role descriptions, and peer-group comparisons
  • Setting reasonable deadlines and reminder cadences
  • Tracking certifier quality metrics — not just completion rates, but revocation rates and decision patterns

✅ Separate Duties for Sensitive Reviews

A manager should never be the sole certifier for their own access. Similarly, privileged access reviews should involve a second-level approver independent of the account owner’s management chain.

✅ Close the Loop on Remediation

A certification decision that doesn’t result in a timely remediation action is worthless. Implement remediation SLAs and automated tracking to ensure that revoked access is actually removed — and that exceptions are formally documented and time-limited.

✅ Integrate with Joiner-Mover-Leaver Processes

The access certification process is most effective when it integrates with Joiner-Mover-Leaver (JML) lifecycle management. New hires should receive appropriate access from day one. Role changers should have old access removed automatically. Terminated employees should be offboarded immediately — not discovered six months later in an access review.


Common Pitfalls in the Access Certification Process (and How to Avoid Them)

Even organizations with mature IAM programs can fall into these traps.

❌ Pitfall 1: Rubber-Stamping

Problem: Certifiers approve everything without meaningful review, making the process a compliance theater exercise.

Solution: Track revocation rates by certifier and department. Flag unusually high approval rates for follow-up. Provide risk intelligence to guide meaningful review.
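The certifier-quality tracking described here and under "Fight Certification Fatigue" can be computed directly from a campaign's decision log. The following is an added example, not code from this article or from any IGA product; the log field names, the thresholds (20 items, 98% approval, 80% of decisions inside one 60-second window) and the sample log are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def certifier_metrics(decisions, burst_window=timedelta(seconds=60)):
    """Per-certifier volume, approval/revocation rate and largest decision burst."""
    by_certifier = defaultdict(list)
    for d in decisions:
        by_certifier[d["certifier"]].append(d)

    metrics = {}
    for certifier, rows in by_certifier.items():
        rows.sort(key=lambda r: r["decided_at"])
        approvals = sum(r["decision"] == "approve" for r in rows)
        revocations = sum(r["decision"] == "revoke" for r in rows)
        # Sliding window: the most decisions made inside any burst_window span.
        burst, start = 0, 0
        for end, row in enumerate(rows):
            while row["decided_at"] - rows[start]["decided_at"] > burst_window:
                start += 1
            burst = max(burst, end - start + 1)
        metrics[certifier] = {
            "items": len(rows),
            "approval_rate": approvals / len(rows),
            "revocation_rate": revocations / len(rows),
            "max_burst": burst,
        }
    return metrics


def flag_rubber_stamping(metrics, min_items=20, approval_ceiling=0.98, burst_share=0.8):
    """Return {certifier: [reasons]} for certifiers whose pattern needs follow-up.

    Small workloads are skipped: a 100% approval rate over five items says little.
    """
    flags = {}
    for certifier, m in metrics.items():
        if m["items"] < min_items:
            continue
        reasons = []
        if m["approval_rate"] >= approval_ceiling:
            reasons.append(f"approval rate {m['approval_rate']:.0%}")
        if m["max_burst"] / m["items"] >= burst_share:
            reasons.append(f"{m['max_burst']} of {m['items']} decisions in one burst")
        if reasons:
            flags[certifier] = reasons
    return flags


def _rows(certifier, count, gap, revoke_every=0):
    """Build constructed log rows: one decision every `gap`, starting 09:00."""
    start = datetime(2024, 6, 3, 9, 0, 0)
    return [
        {
            "certifier": certifier,
            "item_id": f"{certifier}-{n}",
            "decision": "revoke" if revoke_every and n % revoke_every == 0 else "approve",
            "decided_at": start + n * gap,
        }
        for n in range(count)
    ]


# Constructed sample log: one bulk approver, one deliberate reviewer, one tiny workload.
SAMPLE_LOG = (
    _rows("m.lee", 40, timedelta(seconds=1))
    + _rows("p.shah", 40, timedelta(minutes=3), revoke_every=7)
    + _rows("t.ng", 5, timedelta(seconds=1))
)

if __name__ == "__main__":
    stats = certifier_metrics(SAMPLE_LOG)
    for certifier, reasons in flag_rubber_stamping(stats).items():
        print(certifier, "->", "; ".join(reasons))
```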

❌ Pitfall 2: Incomplete Scope

Problem: Reviews cover only some systems, leaving critical applications out of scope.

Solution: Maintain a comprehensive application inventory and map it to risk tiers. Ensure high-risk systems are always in scope.

❌ Pitfall 3: Stale Data

Problem: Access data pulled for review is outdated, leading to certifying entitlements that have already changed.

Solution: Establish near-real-time or daily connector synchronization with source systems.

❌ Pitfall 4: No Remediation Tracking

Problem: Certifiers make revocation decisions, but no one follows up to confirm the access was actually removed.

Solution: Implement automated remediation workflows and require confirmation receipts from source systems before closing campaign items.
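Remediation tracking, as described here and under "Close the Loop on Remediation", comes down to reconciling each revoke decision against a fresh pull from the source system. The following is an added example, not code from this article or from any IGA product; the record fields, the two-day SLA, the status names and the sample data are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

REMEDIATION_SLA = timedelta(days=2)  # constructed SLA (assumption)


def reconcile(revocations, snapshot, now, sla=REMEDIATION_SLA):
    """Classify each revoke decision against a fresh pull from the source systems.

    snapshot maps application -> set of (user, permission) pairs currently held.
    An application missing from the snapshot means the connector returned nothing,
    which is not proof of removal, so those items stay open as 'unverified'.
    """
    results = []
    for r in revocations:
        current = snapshot.get(r["app"])
        age = now - r["decided_at"]
        if current is None:
            status = "unverified"   # no confirmation from the source system
        elif (r["user"], r["permission"]) not in current:
            status = "closed"       # source system confirms the access is gone
        elif age > sla:
            status = "overdue"      # still present past the remediation SLA
        else:
            status = "pending"      # still present, but inside the SLA
        results.append({**r, "status": status, "age_days": age.days})
    return results


def remediation_report(results):
    """Summarise a reconciliation run; the campaign closes only when every
    revoke decision has been confirmed as removed."""
    counts = Counter(r["status"] for r in results)
    overdue = sorted(
        (r for r in results if r["status"] == "overdue"),
        key=lambda r: r["age_days"],
        reverse=True,
    )
    return {
        "counts": dict(counts),
        "can_close_campaign": counts["closed"] == len(results),
        "overdue": [(r["user"], r["app"], r["permission"], r["age_days"]) for r in overdue],
    }


# Constructed sample data: five revoke decisions and a later entitlement snapshot.
NOW = datetime(2024, 6, 10, 12, 0)
REVOCATIONS = [
    {"user": "dave", "app": "Active Directory", "permission": "Domain Admin",
     "decided_at": datetime(2024, 6, 3, 10, 0)},
    {"user": "alice", "app": "SAP", "permission": "approve_payment",
     "decided_at": datetime(2024, 6, 9, 15, 0)},
    {"user": "bob", "app": "Salesforce", "permission": "export_reports",
     "decided_at": datetime(2024, 6, 9, 16, 0)},
    {"user": "erin", "app": "LegacyHR", "permission": "payroll_view",
     "decided_at": datetime(2024, 6, 4, 9, 0)},
    {"user": "frank", "app": "Active Directory", "permission": "Backup Operators",
     "decided_at": datetime(2024, 6, 6, 9, 0)},
]
SNAPSHOT = {  # LegacyHR is absent: its connector returned no data
    "Active Directory": {("dave", "Domain Admin"), ("frank", "Backup Operators")},
    "SAP": {("alice", "create_vendor")},
    "Salesforce": {("bob", "export_reports")},
}

if __name__ == "__main__":
    report = remediation_report(reconcile(REVOCATIONS, SNAPSHOT, NOW))
    print(report["counts"], "can close:", report["can_close_campaign"])
    for row in report["overdue"]:
        print("OVERDUE", row)
```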

❌ Pitfall 5: Treating Access Certification as Annual-Only

Problem: Annual reviews leave a 12-month window during which inappropriate access can persist.

Solution: Adopt a tiered approach — continuous monitoring for high-risk access, quarterly reviews for medium-risk, and annual reviews for low-risk.


Access Certification Process and the Regulatory Landscape

To understand the full weight of the access certification process in corporate governance, it’s important to map it to the specific regulatory requirements that most organizations face.

SOX Compliance and Access Certification

The Sarbanes-Oxley Act’s Section 404 requires management to assess and report on the effectiveness of internal controls over financial reporting (ICFR). Access controls — specifically the review of who can access financial systems — are among the most scrutinized controls by external auditors. A missing or poorly executed access certification campaign is one of the most common causes of SOX material weaknesses.

Key SOX access certification requirements:

  • At minimum annual review of all financial system access
  • Evidence of certifier decisions and remediation actions
  • Documented exceptions with business justification and time limits
  • Clear ownership and accountability for the review process

HIPAA and Access Reviews

Healthcare organizations subject to HIPAA must implement policies ensuring that only authorized personnel can access protected health information (PHI). While HIPAA’s Security Rule does not prescribe a specific review frequency, the HHS Office for Civil Rights (OCR) has consistently cited lack of access review procedures as a contributing factor in enforcement actions.

PCI-DSS Access Certification Requirements

PCI-DSS Requirement 7 mandates that access to system components and cardholder data is restricted to only those individuals whose job requires such access. Requirement 7.2.3 specifically requires that access rights are reviewed at least every six months for privileged users and annually for all other users.


Case Study: How a Global Financial Services Firm Transformed Their Access Certification Process

Background: A global bank with over 45,000 employees was running their access certification process entirely through spreadsheets and email. Their annual review campaign took 4 months to complete, had a 68% certifier participation rate, and generated 23,000 access items that were approved but never verified for appropriateness. External auditors flagged the process as a significant control deficiency.

What They Did:

  • Deployed a cloud-based IAM governance platform with automated connectors to 180 business applications
  • Established risk scoring for all entitlements, with privileged access flagged for mandatory second-level review
  • Launched micro-campaigns — rolling quarterly reviews of high-risk access rather than one massive annual event
  • Introduced certifier dashboards providing last-login dates and peer-group comparisons to support meaningful decisions
  • Integrated automated remediation with ServiceNow for ticketing and source system updates

Results After 12 Months:

| Metric | Before | After |
| --- | --- | --- |
| Campaign duration | 4 months | 3 weeks |
| Certifier participation rate | 68% | 96% |
| Average review items per certifier | 847 | 112 |
| Access revocations per campaign | 1,200 | 8,700 |
| Time to remediation | 21 days | 2 days |
| Audit findings related to access | 6 | 0 |

This transformation illustrates the dramatic difference between a compliance-theater approach to access certification and a genuinely risk-driven program.


Access Certification Process vs. Access Provisioning: Understanding the Difference

A common source of confusion is the distinction between access certification and access provisioning. While both are pillars of Identity and Access Management, they serve very different functions.

| Dimension | Access Provisioning | Access Certification Process |
| --- | --- | --- |
| When it happens | When a user joins, changes roles, or requests access | Periodically (quarterly, annually) or continuously |
| Direction | Grant access | Review and potentially revoke access |
| Owner | IT/IAM team, help desk | Business managers, application owners |
| Purpose | Enable users to do their jobs | Ensure access remains appropriate over time |
| Regulatory role | Establishes initial access baseline | Maintains ongoing access compliance |

Both processes must work in harmony. A world-class provisioning process ensures the right access is granted upfront. A world-class certification process ensures it stays right over time.


The Role of Technology in Modernizing the Access Certification Process

The modern access certification process is enabled by a category of software solutions known as Identity Governance and Administration (IGA) platforms. These platforms provide end-to-end automation of the access certification lifecycle, from data collection to certifier notification to automated remediation.

Leading IGA Platforms for Access Certification

  • SailPoint IdentityNow / IdentityIQ — Market leader for enterprise-grade IGA with deep certification capabilities and AI-driven risk insights
  • Saviynt Enterprise Identity Cloud — Strong in cloud and hybrid environments with built-in SoD detection
  • Oracle Identity Governance (OIG) — Deep integration with Oracle ERP and enterprise application ecosystems
  • Microsoft Entra ID Governance — Native integration with Microsoft 365 and Azure environments, with access reviews built into Entra ID
  • One Identity Manager — Comprehensive IGA with strong Active Directory and on-prem coverage
  • CyberArk — Specialized in privileged access management with certification capabilities

The Emergence of AI-Driven Access Certification

The next evolution in access certification is AI and machine learning-assisted review. Modern platforms are beginning to use AI to:

  • Predict revocation decisions based on peer-group analysis and historical patterns
  • Flag anomalous access that deviates significantly from a user’s typical behavior or role
  • Auto-certify low-risk, stable access that has a strong track record of being approved, freeing certifiers to focus on high-risk items
  • Detect toxic combinations of access rights that create SoD conflicts in real time

Iowa Teaching Certificate Renewal and Access Certification

If you work in the education sector, particularly in public school administration in the United States, you may encounter access certification requirements tied to educator licensing systems. For example, district IT administrators who manage access to state education portals — including teacher credential databases — must ensure that only authorized personnel can view or modify sensitive licensing records. This directly intersects with the broader Iowa teaching certificate renewal process, where digital access to the Iowa Board of Educational Examiners (BOEE) system must be properly governed through periodic access reviews. Unauthorized access to certification records could expose personally identifiable information (PII) and create liability under both FERPA and state data protection law.


How to Get Started: Launching Your First Access Certification Process

If your organization has never formally run an access certification process, or if your current process is largely manual, here is a pragmatic roadmap for getting started.

Phase 1: Foundation (Months 1–2)

  • Complete an application inventory — identify all systems that house sensitive data or are subject to regulatory compliance requirements
  • Identify data owners and application owners for each system
  • Document your current access request and provisioning process — you need to know where access comes from before you can govern it
  • Define your access certification policy — who reviews what, how often, and what constitutes appropriate access

Phase 2: Pilot Campaign (Month 3)

  • Select 2–3 high-risk applications for your first campaign
  • Run a manual (or semi-manual) review using spreadsheets if you don’t yet have an IAM tool
  • Train certifiers on what they are reviewing and how to make genuine decisions
  • Track and verify remediation — confirm that revoked access was actually removed

Phase 3: Scale and Automate (Months 4–12)

  • Evaluate and deploy an IGA platform if access volume and complexity justify it
  • Expand scope to cover all in-scope systems
  • Establish a recurring campaign calendar tied to your compliance requirements
  • Build reporting and metrics to measure program effectiveness over time

Ready to Take Control of Your Access Certification Process?

The access certification process is one of the highest-impact controls your organization can implement to reduce cybersecurity risk, achieve regulatory compliance, and protect sensitive data. The cost of getting it wrong — in breach liability, audit findings, and reputational damage — far exceeds the investment required to get it right.

Start your access certification process today:

  • 📋 Audit your current state — do you know who has access to your most critical systems right now?
  • 🛠️ Evaluate IGA tools — compare platforms based on your specific environment and compliance requirements
  • 📅 Schedule your first campaign — even a manual pilot review of your top 5 high-risk applications is a meaningful first step
  • 📚 Train your certifiers — the quality of your access certification process depends entirely on the quality of certifier decisions

Start your access certification process by reviewing NIST SP 800-53 Access Control guidelines — the gold-standard framework for access governance.


Frequently Asked Questions About the Access Certification Process

What is the access certification process in cybersecurity?

The access certification process in cybersecurity is a periodic review workflow in which organizations systematically evaluate user access rights across their systems and applications, and certifiers — typically managers or application owners — formally approve or revoke those rights to ensure they remain appropriate and compliant with security policies.

How often should access certification be performed?

The frequency of the access certification process depends on the risk level of the systems being reviewed. Privileged access should be reviewed at minimum quarterly, and ideally monthly or continuously. Standard user access in high-risk systems (financial, healthcare, PCI environments) should be reviewed quarterly to semi-annually. Lower-risk systems may be reviewed annually. Regulatory requirements such as PCI-DSS, SOX, and HIPAA may dictate minimum frequencies.

What is the difference between access certification and access review?

The terms access certification and access review are often used interchangeably. Both refer to the process of evaluating and validating user access entitlements. The term “certification” often implies a formal, documented attestation by a certifier — making it more suitable for compliance and audit contexts — while “access review” is a broader term for any evaluation of access rights.

What happens if access certification is not performed?

Organizations that fail to perform regular access certification face multiple serious risks: unauthorized access by former employees or contractors, insider threats from users with excessive permissions, violations of regulatory compliance requirements (SOX, HIPAA, PCI-DSS, GDPR) leading to fines and audit failures, and significantly elevated risk of data breaches.

What tools are used to automate the access certification process?

Leading tools for automating the access certification process include SailPoint IdentityNow, Saviynt Enterprise Identity Cloud, Microsoft Entra ID Governance (formerly Azure AD Identity Governance), Oracle Identity Governance, and One Identity Manager. These platforms automate data collection, certifier notification, decision tracking, remediation, and audit reporting.

Who is responsible for conducting access certification reviews?

Responsibility for the access certification process is typically shared across multiple stakeholders. The IAM or security team owns the program design and platform administration. Business managers certify their direct reports’ access. Application owners certify who has access to their systems. Compliance officers ensure the process meets regulatory requirements. Executives provide sign-off on the overall program effectiveness.

What is access certification fatigue and how do you prevent it?

Access certification fatigue occurs when certifiers are overwhelmed by the volume of review items and begin rubber-stamping approvals without meaningful review. To prevent it, organizations should implement risk-based scoping to reduce low-risk items in scope, provide contextual intelligence to guide decisions, run continuous or rolling campaigns instead of massive annual events, and track certifier quality metrics beyond simple completion rates.

Is access certification the same as Segregation of Duties (SoD)?

They are closely related but distinct concepts. Segregation of Duties (SoD) is a control principle that prevents any single user from having conflicting access rights that could enable fraud or error (e.g., the ability to both create and approve a financial transaction). The access certification process is a vehicle through which SoD conflicts can be detected and remediated — but it is broader in scope, covering all types of access appropriateness, not just SoD.


Conclusion: Making the Access Certification Process a Core Competency

The access certification process is not a project with a finish line. It is a discipline — an ongoing commitment to knowing who has access to what, why they have it, and whether they should keep it. Organizations that treat access certification as merely a compliance checkbox will always be chasing risk. Organizations that embed it as a genuine governance practice will be ahead of it.

The technology has never been more capable, the regulatory environment has never been more demanding, and the threat landscape has never been more unforgiving. Whether you are just starting to build your access certification program or looking to mature an existing one, the principles in this article provide a proven, comprehensive foundation.

The access certification process starts with a decision — the decision to take control of your identity security posture. Make that decision today.


Sources and References:

  • Verizon, 2023 Data Breach Investigations Report
  • IBM Security, Cost of a Data Breach Report 2023
  • Gartner, Identity and Access Management Market Guide 2023
  • NIST Special Publication 800-53 Rev. 5 — Access Control (AC) Control Family: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  • PCI Security Standards Council, PCI-DSS v4.0 Requirement 7
  • HHS Office for Civil Rights, HIPAA Security Rule §164.308(a)(4)
