Cadence
- User account review — quarterly, owned by the CISO.
- Privileged / admin account review — quarterly, owned by the CISO.
- Service account review — quarterly, owned by the CISO.
- Triggered review — performed on any role change (promotion, demotion, transfer).
Process
- Pull the current user list per system from Vanta access reviews (which ingest identity-of-record from Rippling and reconcile against the Standard Access Matrix). Vanta is the source of truth; spot-check against the system’s native admin console where the system isn’t fully Vanta-integrated.
- The system owner reviews each user’s access against their current role.
- Owner marks each row Approved / Modify / Revoke.
- IT executes changes within 5 business days.
- Evidence (signed-off review document) is filed in the SharePoint evidence library used for SOC 2 / ISO 27001 audits.
Systems in scope
| System | Owner | Last reviewed |
|---|---|---|
| AWS (Identity Center / IAM) | CTO | Pending Q2 2026 |
| Vultr (master + sub-accounts; API keys) | CTO + CISO | Pending Q2 2026 |
| GitHub (neuroscale org) | Engineering Lead (CTO) | Pending Q2 2026 |
| Rippling (IdP / SSO / HRIS / MDM) | CHRO + CISO | Pending Q2 2026 |
| Production database (Aurora / Postgres) | Engineering Lead (CTO) | Pending Q2 2026 |
| Microsoft 365 (Outlook / SharePoint) | CISO | Pending Q2 2026 |
| Better Stack (logs + on-call) | CISO | Pending Q2 2026 |
| Linear | CTO | Pending Q2 2026 |
| Dashlane (admin) | CISO + CFO | Pending Q2 2026 |
| HashiCorp Vault (auth methods, policies, root token holders) | CTO + CISO | Pending Q2 2026 |
| Vanta | CISO | Pending Q2 2026 |
| Cloudflare One (Access / Gateway) | CISO | Pending Q2 2026 |
| Tailscale (production cohort) | CISO + CTO | Pending Q2 2026 |
Records
Records of permission and privilege changes are retained for at least one year.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |