5.18 Access rights

Authorize access, consider business requirements and policies, remove unnecessary access, give temporary access for limited time, verify access level, activate only after authorization, maintain record of access, review access regularly, consider privileged access, review and adjust access before termination or change based on risk factors.