What are important considerations when reviewing user access?
Organizations not performing regular user access reviews can expose themselves to a multitude of risks, from data breaches to compliance deficiencies. However, before they can start performing reviews, companies must first develop an access review policy to define the process.
The access review policy should consider items such as maintenance of asset owners, frequency of reviews, roles and access levels, exceptions to the policy, etc.
Key Considerations When Reviewing User Access
Roles/Permissions: When reviewing user access, it is essential to consider the role and/or permissions that the users may have as well as who has the ability to grant or revoke user access within the system. The goal here is to implement least privilege principles, so that users are granted only the roles/permissions necessary to fulfill the duties of their job, while not compromising or impeding the operations of the business. Additionally, because many employees transfer roles, the level of access they require may change.
Inactive Accounts: Without a user access review (UAR) process, inactive or stale accounts may stay in the system indefinitely. Consider reviewing the last logon date for the user accounts and remove accounts with no activity within a predetermined period (refer to your organization’s Access Review Policy). Additionally, disabled accounts that have been inactive should be considered for removal as well.
Access to Sensitive Data: Data sensitivity is important to consider when reviewing access. Applications/users with access to sensitive data may need to be reviewed on a more frequent basis. Ask yourself these questions: Does my organization receive, transmit and/or process any sensitive data? Where does this data reside? (Which applications/servers/workstations, etc.)
Look-Back Procedures: When you determine that a user has improper access, whether it arose since the last review or earlier, a look-back procedure is essential. This procedure involves looking back at the actions of the user in question over the period in which the user had inappropriate access and determining if unauthorized changes have been made.
Consider Third-Party Access/System Accounts/Service Accounts: It is key to determine if your company can reduce third party access to organizational applications or environments by removing this access or implementing compensating controls. The access may be for third parties that you no longer have contracts or agreements with. Additionally, when reviewing system accounts and service accounts, consider where the passwords are stored. If they are stored in a password vault, consider reviewing who has access to the account in the vault.
Make the Review Auditable: User access reviews are typically a key control in most IT-related audits; therefore, it is crucial to make sure the user access reviews are auditable. The review should be documented so that an auditor could reperform the review. When exporting user listings, include completeness and accuracy evidence (a screenshot of how the list was generated), create tickets documenting that the review occurred, what changes were necessary, a reference to the tickets with those changes, the look-back procedures, approvals, a user listing for review, a user listing post review (to confirm the changes were made), etc. Additionally, consider creating a template within which business owners can document the reviews. Such templates may contain:
- An initial user access listing (evidence of how the listing was generated)
- Results of the review
- Segregation of duties assessment
- Reviewers’ sign-off with date
- Documentation to show that changes were made (ticket evidence)
- Updated user listing to show access was updated (evidence of how the listing was generated)
- Risk assessment for any inappropriate access that was detected (look-back procedures)
Privileged Access/Administrative Users: Users with privileged access to systems pose a higher risk than regular users do, making these reviews more critical. Consider reviewing privileged access accounts on a more frequent basis.
Reviewer Independence: When reviewing access to a system, the reviewer should not be reviewing and approving their own access. A secondary independent reviewer should review the initial reviewer’s access to the application/database to confirm that the initial reviewer’s own access is appropriate.
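As an added illustration (not part of the original article), the following Python script applies the considerations above to a constructed user listing: it flags accounts inactive beyond a policy threshold (including disabled ones that linger), privileged roles, service and third-party accounts, and the case where the reviewer appears in their own listing, and it records a SHA-256 of the exported listing so an auditor can tie the findings back to the exact export reviewed. The field names, policy values and accounts are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample export of a user listing (hypothetical accounts, not real data).
USER_LISTING = [
    {"user": "alice",      "role": "admin",  "enabled": True,  "last_logon": "2024-03-01", "type": "employee"},
    {"user": "bob",        "role": "reader", "enabled": True,  "last_logon": "2023-06-15", "type": "employee"},
    {"user": "carol",      "role": "reader", "enabled": False, "last_logon": "2023-01-10", "type": "employee"},
    {"user": "svc_backup", "role": "admin",  "enabled": True,  "last_logon": "2024-03-10", "type": "service"},
    {"user": "vendor1",    "role": "editor", "enabled": True,  "last_logon": "2024-02-20", "type": "third_party"},
]

# Hypothetical policy values; take the real ones from your Access Review Policy.
POLICY = {"inactive_days": 90, "privileged_roles": {"admin"}}


def listing_digest(listing):
    """SHA-256 of the canonical export, kept with the review as completeness/accuracy evidence."""
    canonical = json.dumps(listing, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def review_access(listing, reviewer, as_of, policy=POLICY):
    """Return (finding_code, user) pairs for every account that needs reviewer attention."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=policy["inactive_days"])
    findings = []
    for acct in listing:
        if acct["user"] == reviewer:          # reviewer independence: route to a second reviewer
            findings.append(("SELF_REVIEW", acct["user"]))
        if datetime.fromisoformat(acct["last_logon"]) < cutoff:
            code = "INACTIVE" if acct["enabled"] else "INACTIVE_DISABLED"
            findings.append((code, acct["user"]))  # candidate for removal per policy
        if acct["role"] in policy["privileged_roles"]:
            findings.append(("PRIVILEGED", acct["user"]))  # higher risk, review more often
        if acct["type"] == "service":
            findings.append(("SERVICE", acct["user"]))  # confirm where its password is vaulted
        if acct["type"] == "third_party":
            findings.append(("THIRD_PARTY", acct["user"]))  # confirm a contract still exists
    return findings


def build_review_record(listing, reviewer, as_of, policy=POLICY):
    """Auditable record: who reviewed what export, when, and what was found."""
    findings = review_access(listing, reviewer, as_of, policy)
    return {
        "as_of": as_of,
        "reviewer": reviewer,
        "listing_sha256": listing_digest(listing),
        "findings": findings,
        "needs_independent_reviewer": any(c == "SELF_REVIEW" for c, _ in findings),
    }
```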
We recommend performing user access reviews on a regular basis (quarterly, semi-annually, annually, etc.). When selecting a review frequency, consider any compliance standards, laws, regulations, etc. that may be applicable to your organization, as well as the risk associated with the application/data in-scope for review.
Additionally, if your organization has the resources, there are tools and software to promote efficiency in the review process.
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.