Home/BoK/Templates/Access Lockdown Checklist
Back to Hub
Last Reviewed: 2026-06-25
Reviewer Role: Insider Risk / Legal / Privacy review
Advanced Asset
Investigation ModuleInteractive Sheet

Access Lockdown Checklist

An access lockdown checklist helps teams restrict, suspend, or remove access during high-risk situations while preserving business continuity and evidence.

Primary Audience & Scope

IAM, PAM, security operations, IT, HR, Legal

When to Use

  • Triage, investigation, preservation, containment, or legal review is required.
  • A consistent record is needed across teams.
  • A matter may require later review, audit, or legal defensibility.

Interactive Work Area

Fill or track items interactively and copy out to your Clipboard

Template Table Structure

FieldWorking prompt
Case/resource field 1Use this field to document: Confirm trigger and approval authority.
Case/resource field 2Use this field to document: Preserve evidence before account changes when required.
Case/resource field 3Use this field to document: Disable or suspend user identities.
Case/resource field 4Use this field to document: Revoke privileged roles and active sessions.
Case/resource field 5Use this field to document: Rotate passwords, tokens, API keys, SSH keys, certificates, and secrets.
Case/resource field 6Use this field to document: Remove cloud, SaaS, VPN, repository, email, collaboration, and admin console access.
Case/resource field 7Use this field to document: Disable physical badges, keys, and facility access.
Case/resource field 8Use this field to document: Address service accounts and delegated admin rights.

Checklist Audit List

0% Done(0/10)
Check
Checklist item

Confirm trigger and approval authority.

Evidence: Owner / date / evidence

Preserve evidence before account changes when required.

Evidence: Owner / date / evidence

Disable or suspend user identities.

Evidence: Owner / date / evidence

Revoke privileged roles and active sessions.

Evidence: Owner / date / evidence

Rotate passwords, tokens, API keys, SSH keys, certificates, and secrets.

Evidence: Owner / date / evidence

Remove cloud, SaaS, VPN, repository, email, collaboration, and admin console access.

Evidence: Owner / date / evidence

Disable physical badges, keys, and facility access.

Evidence: Owner / date / evidence

Address service accounts and delegated admin rights.

Evidence: Owner / date / evidence

Coordinate communications with HR, Legal, manager, and IT.

Evidence: Owner / date / evidence

Validate removal and record actions.

Evidence: Owner / date / evidence

What Completion Looks Like

  • 1Decision documented.
  • 2Owner assigned.
  • 3Evidence and actions recorded.
  • 4Scope and authority preserved.
  • 5Follow-up action created where needed.

Insider Risk Capability Framework™ (IRCF™) Alignment

Programmatic RelevanceSupports consistent, defensible handling of insider risk matters.
Non-legal-advice Compliance NoteThis resource is a planning aid and does not provide legal advice. Organizations should adapt it to their policies, jurisdictions, labor obligations, privacy requirements, contracts, and risk appetite. Sensitive monitoring, investigation, employment, evidence, legal hold, and employee-data activities should be reviewed by appropriate Legal, Privacy, HR, Compliance, and labor stakeholders before use.

Operationalize This Template in RiskTKO®

Use RiskTKO® or request ITMG® support to adapt this template, align it to the Insider Risk Capability Framework™, and connect the output to measurable exposure reduction. Leaver Risk Checklist