
Standard : Access is continuously verified and contextual

Purpose and Strategic Importance

This standard ensures access control is continuously verified and based on contextual awareness such as user identity, device posture, location, and behaviour. It enforces dynamic trust evaluation, reducing the risk of lateral movement or unauthorised access.

Aligned to our "Zero Trust Architecture" policy, this standard strengthens system resilience by validating each access attempt based on real-time context. Without it, static roles and assumptions leave gaps that attackers can exploit.

Strategic Impact

  • Improved consistency and quality across teams
  • Reduced operational friction and delivery risks
  • Stronger ownership and autonomy in technical decision-making
  • More inclusive and sustainable engineering culture

Risks of Not Having This Standard

  • Reduced ability to respond to change or failure
  • Accumulation of technical debt or friction
  • Poor developer experience and morale
  • Decreased confidence in releases and features
  • Misalignment between technical implementation and business priorities

CMMI Maturity Model

Level 1 – Initial

  • People & Culture: Access is based on static roles with little awareness of context. Trust is assumed rather than verified.
  • Process & Governance: No formal review of access beyond initial provisioning.
  • Technology & Tools: Minimal access enforcement. Authentication is single-factor and rarely audited.
  • Measurement & Metrics: No tracking of access validity or risk exposure.

Level 2 – Managed

  • People & Culture: Teams are aware of over-permissioning. Occasional access cleanups are done manually.
  • Process & Governance: High-risk applications include periodic access reviews.
  • Technology & Tools: Role-based access is augmented with basic context signals (e.g. IP range, time of day).
  • Measurement & Metrics: Some monitoring of login attempts and authentication failures.

Level 3 – Defined

  • People & Culture: Zero trust principles are understood and practised. Users follow least-privilege norms.
  • Process & Governance: Access reviews occur regularly and are embedded into change workflows.
  • Technology & Tools: Contextual access (e.g. identity, device, location) is enforced across major systems.
  • Measurement & Metrics: Access patterns are logged and assessed for anomalies.

Level 4 – Quantitatively Managed

  • People & Culture: Teams interpret access telemetry and adjust policies. Access health is part of risk reviews.
  • Process & Governance: Risk-based access policies are tuned based on behaviour and incident history.
  • Technology & Tools: Continuous access validation using signals like device trust score, geo-velocity, or session age.
  • Measurement & Metrics: Dashboards track high-risk access, orphaned accounts, and policy violations.

Level 5 – Optimising

  • People & Culture: Adaptive access culture: teams proactively shape policy based on behaviour and needs.
  • Process & Governance: Policy-as-code governs access rules, integrated with CI/CD and architectural guardrails.
  • Technology & Tools: Contextual access is dynamic and real-time. Sessions are revalidated continuously.
  • Measurement & Metrics: Continuous improvement based on anomaly patterns and cross-system access risk modelling.
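The Level 4 and Level 5 rows describe access decisions that weigh device trust score, geo-velocity and session age on every request, and that send a session back for revalidation rather than granting on a static role. The following is an added example, not code from this standard or from any product it refers to, of what such an evaluator looks like when written down. The signal names, thresholds, coordinates and sample events are all constructed assumptions; a real deployment would take the signals from its identity provider and device-posture service and tune the thresholds from its own telemetry.

```python
"""Added example: a contextual access evaluator that re-checks every request.
All field names, thresholds and sample events are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
import math


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # revalidate (e.g. re-prompt MFA); never grant silently
    DENY = "deny"


@dataclass
class AccessContext:
    user: str
    mfa_verified: bool
    device_trust_score: int      # 0..100, assumed to come from a device-posture service
    lat: float
    lon: float
    ts: float                    # request time, seconds since epoch
    last_lat: float
    last_lon: float
    last_ts: float               # time of the previous accepted request
    session_age_s: float         # seconds since the session was last revalidated


# Constructed thresholds; the Level 4 row is about tuning these from telemetry.
MIN_DEVICE_TRUST = 60
MAX_SESSION_AGE_S = 8 * 3600
MAX_PLAUSIBLE_KMH = 1000.0      # faster than this between two requests is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def geo_velocity_kmh(ctx):
    """Implied travel speed between the previous and the current request."""
    dist = haversine_km(ctx.last_lat, ctx.last_lon, ctx.lat, ctx.lon)
    hours = (ctx.ts - ctx.last_ts) / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def evaluate(ctx):
    """Return (decision, reasons). Every request is evaluated in full;
    a role alone never produces an ALLOW."""
    reasons = []
    # Hard failure: an untrusted device is denied outright.
    if ctx.device_trust_score < MIN_DEVICE_TRUST:
        reasons.append(f"device trust {ctx.device_trust_score} < {MIN_DEVICE_TRUST}")
        return Decision.DENY, reasons
    # Soft signals: the session must re-prove identity before continuing.
    if not ctx.mfa_verified:
        reasons.append("mfa not verified for this session")
    if ctx.session_age_s > MAX_SESSION_AGE_S:
        reasons.append(f"session age {ctx.session_age_s:.0f}s exceeds {MAX_SESSION_AGE_S}s")
    v = geo_velocity_kmh(ctx)
    if v > MAX_PLAUSIBLE_KMH:
        reasons.append(f"geo-velocity {v:.0f} km/h implies impossible travel")
    if reasons:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


def sample_events():
    """Constructed requests covering the normal case and each failure mode."""
    london = (51.5074, -0.1278)
    sydney = (-33.8688, 151.2093)
    t0 = 1_700_000_000.0
    base = dict(user="alice", mfa_verified=True, device_trust_score=85,
                last_lat=london[0], last_lon=london[1], last_ts=t0)
    return {
        "normal": AccessContext(lat=london[0], lon=london[1], ts=t0 + 600,
                                session_age_s=1000, **base),
        "impossible_travel": AccessContext(lat=sydney[0], lon=sydney[1], ts=t0 + 3600,
                                           session_age_s=3600, **base),
        "stale_session": AccessContext(lat=london[0], lon=london[1], ts=t0 + 600,
                                       session_age_s=10 * 3600, **base),
        "untrusted_device": AccessContext(lat=london[0], lon=london[1], ts=t0 + 600,
                                          session_age_s=1000,
                                          **{**base, "device_trust_score": 20}),
    }


if __name__ == "__main__":
    for name, ctx in sample_events().items():
        decision, why = evaluate(ctx)
        print(f"{name:18s} -> {decision.value:8s} {'; '.join(why)}")
```

The split between DENY and STEP_UP is the practical point: a failed device-posture check is a hard stop, while an unusual location or an old session is a reason to revalidate the user rather than to silently keep trusting a session that was fine an hour ago. The "Number of policy-based access denials or re-validations" measure below is simply a count of the two non-ALLOW outcomes from a function like this.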

Key Measures

  • % of systems enforcing contextual access checks
  • Number of policy-based access denials or re-validations
  • Reduction in privilege creep over time
  • Mean time to revoke access after context changes (e.g. role, location, device)
  • % of automated versus manual access decisions

Associated Policies

  • Secure by Design

Associated Practices

  • Multi-Factor Authentication (MFA)
  • Static Application Security Testing (SAST)
  • Vulnerability Management
  • Dynamic Application Security Testing (DAST)
  • Secrets Management in Pipelines
  • Software Composition Analysis (SCA)
  • Identity Federation
  • Secret Rotation Automation
  • Just-in-Time Access
  • Infrastructure Threat Detection
  • Policy as Code
  • Zero Trust Architecture
