Quarterly Access Review Procedure
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This procedure operationalises section 3.4 of the Information Security Policy by defining a controlled, evidenced cadence under which every grant of access to Glassbreak systems is reviewed against the holder's current role and continuing need for that access. It produces a dated, signed artefact that an auditor can sample.
2. Scope
The review covers every grant recorded in the access register:
- Production console, secret-store, and database accounts on each compute stack (AWS Lambda, Scaleway Functions, and any future Fly.io surface).
- Source-control, CI, observability, status-page, and sub-processor administrative consoles.
- Application-layer organisation and team roles granted to workforce members on the Glassbreak platform itself.
- Break-glass and shared accounts, including any standing elevated-privilege grants.
- API keys, signing keys, service-account credentials, and any long-lived tokens held by workforce members.
3. Ownership
- Accountable owner — the Security Officer runs the review and signs the resulting record.
- Counter-signer — at least one member of leadership counter-signs the record to evidence independent oversight.
- Contributing reviewers — system owners for each in-scope console confirm or correct the grants reported for their system.
4. Cadence
- One review per calendar quarter, scheduled for the first week of the quarter and completed within 14 days either side of the target date.
- The next four scheduled review windows are tracked on the Security Officer's calendar.
- A missed quarterly review is itself a finding and is recorded as such on the next run.
5. Interim-review triggers
The following events trigger an interim review of the affected subset of grants without waiting for the next quarterly window:
- Any workforce-member role change (promotion, transfer, change of duties) — review all grants held by the affected individual.
- Departure of any workforce member — verify revocation completed under the Offboarding Policy.
- Any anomaly detected through observability, the audit log, or the daily security-posture snapshot that implicates a grant.
- Addition, removal, or material role change of a sub-processor.
- Discovery of a standing grant that was not on the access register.
6. Procedure
6.1 Prepare
- Export the current grant set from each in-scope console, recording the export date of each set so the review is a point-in-time comparison.
- Reconcile the exports against the access register in both directions: a live grant with no register entry is recorded as a finding (and is itself an interim-review trigger under section 5); a register entry with no live grant means the register has fallen behind and is corrected in 6.3.
- Annotate each grant with the holder, the system, the privilege level, the business justification of record, and the date the grant was last confirmed.
6.2 Review
- For each grant, confirm that the holder still requires the privilege for their current role, that the privilege is the minimum needed, and that any compensating controls (MFA, session timeout, audit logging) are in effect.
- Flag any grant that is not justified, is excessive, or cannot be reconciled to the access register.
- For shared and break-glass accounts, confirm that the credential has been rotated within the documented rotation cadence and that recent use, if any, is accounted for.
6.3 Remediate
- Excess access is revoked immediately on identification; the revocation action is captured in the record with timestamp and operator.
- Where revocation cannot be immediate (for example, a sub-processor console without granular roles), a compensating control is recorded and a closure deadline set under the Remediation SLA procedure.
- The access register is updated to reflect the reviewed state.
6.4 Sign and file
- The Security Officer signs the completed record.
- The counter-signer reviews the record and signs.
- The signed record is filed in the compliance evidence store and indexed by review date.
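The reconciliation in 6.1 and the flagging in 6.2, worked through as an added Python example. This is illustration only, not part of the procedure or of any Glassbreak tooling; the data shapes, field names, sample grants and the 105-day staleness threshold (one quarter plus the 14-day completion window) are assumptions, and each real console export would need a small adapter that maps its rows into the `Grant` shape used here.

```python
"""Reconcile exported grant sets against the access register (steps 6.1 and 6.2).

Added example, not part of the procedure or of Glassbreak tooling. Data shapes,
field names, sample grants and the 105-day threshold (one quarter plus the
14-day completion window) are assumptions; each real console export needs an
adapter that maps its rows into Grant.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True, order=True)
class Grant:
    system: str     # in-scope console, e.g. "aws-prod"
    holder: str     # workforce member or shared/break-glass account
    privilege: str  # role or policy name exactly as the console reports it


@dataclass(frozen=True)
class RegisterEntry:
    grant: Grant
    justification: str    # business justification of record
    last_confirmed: date  # date the grant was last confirmed in a review


def reconcile(exports, register, review_date, review_window_days=105):
    """Return findings keyed by category, each as a sorted list.

    unregistered     live grant with no register entry (interim trigger, section 5)
    orphaned         register entry with no live grant (register is out of date)
    privilege_drift  same system and holder but a different privilege; (register, live)
    stale            live and registered, but last confirmed before the window
    """
    live = set(exports)
    reg = {e.grant: e for e in register}
    registered = set(reg)
    unregistered = live - registered
    orphaned = registered - live

    # A mismatch on the same (system, holder) is one drift finding, not an
    # unrelated 'unregistered' plus 'orphaned' pair. Assumes one grant per
    # holder per system, which holds for the sample data below.
    def by_pair(grants):
        return {(g.system, g.holder): g for g in grants}

    live_by, reg_by = by_pair(unregistered), by_pair(orphaned)
    drift = []
    for pair in sorted(live_by.keys() & reg_by.keys()):
        drift.append((reg_by[pair], live_by[pair]))
        unregistered.discard(live_by[pair])
        orphaned.discard(reg_by[pair])

    cutoff = review_date - timedelta(days=review_window_days)
    stale = [g for g in live & registered if reg[g].last_confirmed < cutoff]
    return {
        "unregistered": sorted(unregistered),
        "orphaned": sorted(orphaned),
        "privilege_drift": drift,
        "stale": sorted(stale),
    }


def inventory(exports, register):
    """Rows for the section 7 grant inventory; the reviewer fills in 'decision'."""
    live, reg = set(exports), {e.grant: e for e in register}
    rows = []
    for g in sorted(live | set(reg)):
        e = reg.get(g)
        rows.append({
            "holder": g.holder, "system": g.system, "privilege": g.privilege,
            "justification": e.justification if e else "NOT ON REGISTER",
            "last_confirmed": e.last_confirmed.isoformat() if e else "",
            "live": g in live,  # False: register still lists a grant the console no longer has
            "decision": "",     # retain / modify / revoke
        })
    return rows


# Constructed sample data: the register as left by the prior review, and the
# exports taken for this review after mapping into Grant.
REVIEW_DATE = date(2026, 5, 27)
REGISTER = [
    RegisterEntry(Grant("aws-prod", "alice", "AdministratorAccess"), "Platform lead", date(2026, 3, 2)),
    RegisterEntry(Grant("aws-prod", "bob", "ReadOnlyAccess"), "Support triage", date(2025, 12, 1)),
    RegisterEntry(Grant("github", "alice", "owner"), "Platform lead", date(2026, 3, 2)),
    RegisterEntry(Grant("github", "carol", "member"), "Engineer", date(2026, 3, 2)),
    RegisterEntry(Grant("secret-store", "bob", "reader"), "Support triage", date(2026, 3, 2)),
]
EXPORTS = [
    Grant("aws-prod", "alice", "AdministratorAccess"),
    Grant("aws-prod", "bob", "ReadOnlyAccess"),
    Grant("aws-prod", "dave", "PowerUserAccess"),  # never recorded on the register
    Grant("github", "alice", "owner"),              # carol has left; her grant is gone
    Grant("secret-store", "bob", "admin"),          # register says "reader"
]

if __name__ == "__main__":
    for category, items in reconcile(EXPORTS, REGISTER, REVIEW_DATE).items():
        print(f"{category}: {items}")
```

Run against the sample, the four categories map directly onto the procedure: `dave` on `aws-prod` is a standing grant not on the register (a finding and a section 5 trigger), `carol`'s GitHub entry is an orphaned register row to clean up in 6.3, `bob`'s secret-store privilege has drifted from `reader` to `admin`, and `bob`'s AWS grant has not been confirmed within the window so it must be re-justified in 6.2. The `inventory` rows give the reviewer the section 7 table with justification and last-confirmed date pre-filled and the decision column empty; the decision itself stays a human judgement.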
7. Template
Each quarterly access-review record uses the following structure. This template is the artefact that an auditor may sample.
- Header — review identifier, quarter covered, target review date, actual completion date, Security Officer, counter-signer(s).
- Scope confirmation — list of in-scope consoles, with the export date of each grant set.
- Grant inventory — table of all grants reviewed, with: holder, system, privilege level, justification of record, last-confirmed date, reviewer decision (retain, modify, revoke), action taken, action timestamp.
- Findings — numbered list of grants flagged as excess, unjustified, or unreconciled, with severity, owner, remediation deadline.
- Interim-review log — any interim reviews triggered since the prior quarterly review, with the trigger event and the outcome.
- Carry-over — status of findings from the previous quarterly review (closed, in progress, with the relevant SLA reference).
- Sign-off — Security Officer signature and date, counter-signer signature and date.
8. First instance
The inaugural quarterly access review was completed on the effective date of this procedure (27 May 2026). It captured the baseline grant inventory across the in-scope consoles and reconciled them to the access register. The signed record is held in the compliance evidence store and available under NDA.
9. Records
- Signed review records are retained for at least 5 years.
- The current access register is the live source of truth for grants; superseded versions are retained for the same period.
- Interim-review records are filed alongside the quarterly record that immediately follows them.
10. Review of this procedure
This procedure is reviewed at least annually and after any material change to the access surface (for example, a new compute stack, a new sub-processor, or a structural change to the application-layer role model). The next scheduled review is 27 May 2027.
11. Related documents
- Policies index
- Information Security Policy §3.4
- Onboarding Policy
- Offboarding Policy
- Remediation SLAs
- Quarterly ISMS Management Review
Counter-signed PDF copy available on request to compliance@glassbreak.io.