The Scenario
An SA insurer has just failed its first external IT audit on identity and access management. Findings include: 14 percent of accounts are stale, dozens of users hold permissions to systems they no longer need, and there is no documented quarterly access review. The CIO wants a plan to fix it inside one quarter.
The Brief
Design a recurring access governance programme. Cover the discovery phase (finding stale accounts and over-permissioned users), the review process, the remediation steps, and the ongoing controls.
Deliverables
- A discovery plan defining which queries and tools to run against Active Directory (AD), Microsoft 365 (M365), and key business systems to find stale and over-permissioned accounts
- A quarterly access review process: who reviews, what evidence they need, how dispute resolution works, and what the timeline looks like
- A remediation playbook covering disable-then-delete timing, ownership transfer, and exception handling
- A KPI dashboard sketch listing the metrics the CIO would see monthly to know the programme is working
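As an added worked example for the discovery plan and remediation playbook deliverables above (editorial example code, not part of the brief and not any organisation's tooling), the PowerShell below finds stale enabled user accounts in AD, exports the result as a timestamped evidence file an auditor can sample, disables and quarantines an account against a remediation ticket, deletes only accounts that have sat disabled past a grace period, and computes the stale-account share for the dashboard. The 90-day and 30-day thresholds, the quarantine OU path, the evidence directory and the description tag format are assumptions to be replaced by the programme's own policy values.

```powershell
# Added example: stale-account discovery and disable-then-delete for AD users.
# Not part of the brief. OU path, thresholds, evidence directory and tag format are assumptions.
#Requires -Modules ActiveDirectory

$StaleDays    = 90                                                              # assumption
$GraceDays    = 30                                                              # assumption
$QuarantineOU = 'OU=Disabled-Pending-Delete,OU=Users,DC=example,DC=local'       # assumption
$EvidenceDir  = 'C:\AccessReview\Evidence'                                      # assumption
$RunStamp     = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Discovery: enabled users with no logon in $StaleDays days, or never logged on and
#    created more than $StaleDays days ago. LastLogonDate is derived from lastLogonTimestamp,
#    which only replicates when it is more than 9-14 days old, so the cut-off is approximate;
#    if a finding is disputed, read the raw lastLogon attribute from every domain controller.
$Cutoff = (Get-Date).AddDays(-$StaleDays)
$Stale = @(
    Get-ADUser -Filter 'Enabled -eq $true' `
               -Properties LastLogonDate, whenCreated, PasswordLastSet, Description, Manager |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $Cutoff)
    } |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated,
                  PasswordLastSet, Manager, Description
)

# Evidence artefact 1: the query result itself, timestamped, for the external reviewer to sample.
$Stale | Export-Csv -Path (Join-Path $EvidenceDir "stale-users-$RunStamp.csv") -NoTypeInformation

# 2. Remediation, stage one: disable, stamp the description with date and ticket, and move
#    to the quarantine OU. Nothing is deleted on this pass, so a wrongly flagged account can
#    be re-enabled without data loss while the dispute is resolved.
function Disable-StaleAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketId        # remediation ticket raised by the review
    )
    $tag = "DISABLED $(Get-Date -Format 'yyyy-MM-dd') ticket=$TicketId stale-review"
    Disable-ADAccount -Identity $SamAccountName
    Set-ADUser -Identity $SamAccountName -Description $tag
    Move-ADObject -Identity (Get-ADUser -Identity $SamAccountName).DistinguishedName `
                  -TargetPath $QuarantineOU
}

# 3. Remediation, stage two (run on a later cycle): delete only accounts that carry this
#    process's tag and have been disabled longer than $GraceDays. Accounts disabled by hand
#    for other reasons (leave of absence, legal hold) do not match the tag and are left alone.
function Remove-ExpiredQuarantinedAccount {
    $deleteBefore = (Get-Date).AddDays(-$GraceDays)
    Get-ADUser -SearchBase $QuarantineOU -Filter 'Enabled -eq $false' -Properties Description |
    ForEach-Object {
        if ($_.Description -match '^DISABLED (\d{4}-\d{2}-\d{2}) ticket=(\S+) stale-review$' -and
            [datetime]$Matches[1] -lt $deleteBefore) {
            # Evidence artefact 2: one log line per deletion, naming the ticket that authorised it.
            "$RunStamp,$($_.SamAccountName),$($Matches[2]),deleted" |
                Add-Content -Path (Join-Path $EvidenceDir 'deletions.log')
            Remove-ADUser -Identity $_ -Confirm:$false
        }
    }
}

# 4. KPI for the monthly dashboard: stale accounts as a share of enabled accounts.
$EnabledCount = @(Get-ADUser -Filter 'Enabled -eq $true').Count
[pscustomobject]@{
    Run             = $RunStamp
    EnabledAccounts = $EnabledCount
    StaleAccounts   = $Stale.Count
    StalePercent    = [math]::Round(100 * $Stale.Count / [math]::Max($EnabledCount, 1), 1)
}
```

Run the discovery block on its own first and have the CSV reviewed before calling Disable-StaleAccount against any account; the two remediation functions are deliberately separate so that stage two can only ever remove accounts that stage one tagged. M365 and Entra ID sign-in activity is not visible to this AD query and needs its own export for the discovery plan.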
Submission Guidance
Auditors care about evidence, not intentions. Every step must produce an artefact (a query log, a manager attestation, a remediation ticket) that an external reviewer can sample. Aim for that bar.