IT security workflow for Tallyfy

Stop access creep before auditors find it

That contractor from 2019 still has admin rights. This quarterly review workflow ensures managers certify who needs what, exceptions get flagged, and everything is documented for auditors. Run it before someone asks why the intern has database access.

7 steps
3 automations

Run this workflow in Tallyfy

1. Import this template into Tallyfy and assign IT security to generate access reports across covered systems
2. Set deadlines for manager certification steps and configure exception flagging with required documentation fields
3. Track each review cycle in real-time and capture compliance reporting dates for your next audit

Process steps

1

Generate access report

1 day from previous step
task
Pull a full access report from your identity management system.

Here is what you need to do:
  • Export a list of every active user account across all systems in scope for this review cycle
  • Include each user's role, permission level, department, and last login date
  • Flag any accounts that haven't been used in 90+ days - those are your first red flags
  • Record the report date and total user count so you've got a baseline to compare against next quarter

Don't skip dormant accounts or service accounts. They're often the ones that cause problems during audits.
Form fields in this step
Report generation date *
Total users in report *
Systems covered in this review *
2

Distribute to managers

1 day from previous step
task
Send each manager their team's access list for review.

Here is what to do:
  • Split the full access report so each manager only sees their direct reports
  • Include clear instructions telling managers exactly what they need to certify
  • Set a firm deadline - typically 5 business days works well for most teams
  • Let managers know they're personally responsible for confirming that every person on their list actually needs the access they have

Pro tip: if a manager doesn't respond by the deadline, follow up immediately. Silence isn't the same as approval.
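
Steps 1 and 2 as a script, added here as an illustration (not part of the Tallyfy template): it takes an exported account list, records the baseline count, flags accounts idle for 90+ days or never used, and splits the list per manager. The CSV column names, the sample rows and the UNASSIGNED bucket for accounts with no manager are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict
from datetime import date

DORMANT_DAYS = 90  # step 1 threshold: unused for 90+ days

# Constructed sample export. Column names (including "manager" and
# "account_type") are assumptions, not a Tallyfy or identity-provider format.
SAMPLE_EXPORT = """\
username,role,permission_level,department,manager,account_type,last_login
asmith,Engineer,admin,Platform,jlee,user,2024-06-20
bcontractor,Contractor,admin,Platform,jlee,user,2019-11-02
cnguyen,Analyst,read,Finance,mpatel,user,2024-04-01
dintern,Intern,write,Finance,mpatel,user,2024-04-02
svc-backup,Backup job,admin,IT,,service,
"""


def build_review(csv_text, report_date):
    """Return the baseline figures, dormant accounts and per-manager lists."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    dormant = []
    per_manager = defaultdict(list)
    for row in rows:
        last = row["last_login"].strip()
        # No login date means the account was never used: flag it as dormant
        # instead of letting it fall out of the review.
        idle = (report_date - date.fromisoformat(last)).days if last else None
        if idle is None or idle >= DORMANT_DAYS:
            dormant.append(row["username"])
        # Service and shared accounts often have no manager. Put them in an
        # explicit bucket so IT security has to certify them.
        owner = row["manager"].strip() or "UNASSIGNED"
        per_manager[owner].append(row["username"])
    return {
        "report_date": report_date.isoformat(),
        "total_users": len(rows),
        "dormant": dormant,
        "per_manager": dict(per_manager),
    }


if __name__ == "__main__":
    review = build_review(SAMPLE_EXPORT, date(2024, 6, 30))
    print(review["report_date"], "total users:", review["total_users"])
    print("dormant 90+ days:", ", ".join(review["dormant"]))
    for manager, users in review["per_manager"].items():
        print(f"send to {manager}: {', '.join(users)}")
```

The report date and total user count it returns map onto the step 1 form fields; with the sample data, the account at exactly 90 idle days is flagged and the one at 89 is not.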
3

Manager certification

1 day from previous step
task
Each manager confirms that their team's access is correct and justified.

What managers need to do:
  • Review every user on their list one by one - don't just rubber-stamp it
  • For each person, confirm they still need the access level they currently have
  • Flag anyone who's changed roles, left the team, or has more access than their job requires
  • Sign off with their name, the date, and the number of users they reviewed

This is the most important step. If managers don't take it seriously, the whole review is just a checkbox exercise that won't catch real problems.
Form fields in this step
Manager name *
Date certified *
Number of users reviewed *
4

Exception identification

1 day from previous step
task
Gather all the flagged issues from manager reviews into one list.

You're looking for:
  • Users with access they shouldn't have (wrong role, wrong department, or just too much privilege)
  • Accounts for people who've left the company but haven't been deactivated yet
  • Shared or generic accounts that can't be traced back to a single person
  • Any access that a manager couldn't explain or justify

Document every exception with enough detail that someone else could understand the issue without asking you. Record the total count - you'll need it for the compliance report.
Form fields in this step
Exceptions identified *
Total exceptions *
5

Access modification

1 day from previous step
task
Fix every exception by removing or adjusting access that shouldn't be there.

For each exception:
  • Remove access entirely if the person no longer needs it (departed employees, role changes, etc.)
  • Downgrade permissions if someone has more access than their current job requires
  • Disable shared accounts and replace them with individual ones wherever possible
  • Keep a record of exactly what you changed, when, and why - this is your audit trail

Don't wait to batch these changes. The longer bad access sits in your systems, the bigger your risk window. Track how many accounts you modified so you can report on it.
Form fields in this step
Changes made *
Access removed (count) *
6

Documentation

1 day from previous step
task
Package up everything from this review cycle into a single, organized record.

Your documentation should include:
  • The original access report you generated at the start
  • All manager certification responses (who certified, when, how many users they reviewed)
  • The full list of exceptions found and what was done about each one
  • A written summary covering the scope, timeline, findings, and outcomes of this review

Store this somewhere your compliance team and auditors can find it. If an auditor asks for proof of your last access review six months from now, you should be able to hand them this package in under five minutes.
Form fields in this step
Where is documentation stored? *
Review summary *
7

Compliance reporting

1 day from previous step
task
Submit the final review report to your compliance or security leadership team.

The report should cover:
  • How many users were reviewed, how many exceptions were found, and how many were resolved
  • Any exceptions that are still open and why (sometimes there's a valid business reason to keep access temporarily)
  • Who the report was submitted to and the exact submission date
  • The scheduled date for the next quarterly review - lock it in now so it doesn't slip

This closes the loop on the whole review cycle. If your organization follows SOX, HIPAA, SOC 2, or similar standards, this report is what proves you're actually doing the work.
Form fields in this step
Report submitted to *
Submission date *
Next review scheduled *
