8 Key Considerations When Reviewing User Access

What are important considerations when reviewing user access?

Organizations not performing regular user access reviews can expose themselves to a multitude of risks, from data breaches to compliance deficiencies. However, before they can start performing reviews, companies must first develop an access review policy to define the process.

The access review policy should consider items such as maintenance of asset owners, frequency of reviews, roles and access levels, exceptions to the policy, etc.

Key Considerations When Reviewing User Access

Roles/Permissions: When reviewing user access, it is essential to consider the roles and/or permissions each user holds, as well as who has the ability to grant or revoke access within the system. The goal is to apply the principle of least privilege, so that users are granted only the roles/permissions necessary to perform their job duties, without compromising or impeding business operations. Additionally, because many employees transfer between roles, the level of access they require may change over time.

Inactive Accounts: Without a user access review (UAR) process, inactive (stale) accounts may remain in the system indefinitely. Consider reviewing the last logon date for user accounts and removing accounts with no activity within a predetermined period (refer to your organization’s Access Review Policy). Additionally, disabled accounts that have remained inactive should be considered for removal as well.

Access to Sensitive Data: Data sensitivity is important to consider when reviewing access. Applications/users with access to sensitive data may need to be reviewed on a more frequent basis. Ask yourself these questions: Does my organization receive, transmit and/or process any sensitive data? Where does this data reside? (Which applications/servers/workstations, etc.)

Look-Back Procedures: When you determine that a user has improper access, whether it arose since the last review or earlier, a look-back procedure is essential. This procedure involves reviewing the actions of the user in question over the period in which the user held inappropriate access and determining whether unauthorized changes were made.

Consider Third-Party Access/System Accounts/Service Accounts: It is key to determine whether your company can reduce third-party access to organizational applications or environments, either by removing the access or by implementing compensating controls. Such access may belong to third parties with which you no longer have contracts or agreements. Additionally, when reviewing system accounts and service accounts, consider where their passwords are stored. If they are stored in a password vault, consider reviewing who has access to the account within the vault.

Make the Review Auditable: User access reviews are typically a key control in most IT-related audits; therefore, it is crucial to make sure the user access reviews are auditable. The review should be documented so that an auditor could re-perform it. When exporting user listings, include evidence of completeness and accuracy (a screenshot of how the list was generated), create tickets documenting that the review occurred and what changes were necessary, and retain a reference to the tickets with those changes, the look-back procedures, approvals, the user listing reviewed, a user listing post review (to confirm the changes were made), etc. Additionally, consider creating a template within which business owners can document the reviews. Such templates may contain:

  • An initial user access listing (evidence of how the listing was generated)
  • Results of the review
  • Segregation of duties assessment
  • Reviewers’ sign-off with date
  • Documentation to show that changes were made (ticket evidence)
  • Updated user listing to show access was updated (evidence of how the listing was generated)
  • Risk assessment for any inappropriate access that was detected (look-back procedures)

Privileged Access/Administrative Users: Users with privileged access to systems pose a higher risk than regular users do, making these reviews more critical. Consider reviewing privileged access accounts on a more frequent basis.

Reviewer Independence: When reviewing access to a system, the reviewer should not be reviewing and approving their own access. A secondary, independent reviewer should review the initial reviewer’s access to the application/database to confirm that the initial reviewer’s own access is appropriate.
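The inactive-account, privileged-access, reviewer-independence and auditability points above can be exercised against an exported user listing. The script below is an added example and is not code from the article or from Schneider Downs; it assumes a CSV export with the columns username, last_logon, enabled, privileged and reviewer, and the inactivity thresholds (90 days for regular accounts, 30 days for privileged accounts) are assumed policy values that your own Access Review Policy would set. All account data in it is constructed.

```python
"""Added example (not from the article): a minimal user access review (UAR)
pass over a constructed user listing export.

Assumed export format: CSV with columns
username,last_logon,enabled,privileged,reviewer
"""
import csv
import hashlib
import io
from datetime import date, datetime

# Constructed sample export of the user listing as of the review date.
SAMPLE_EXPORT = """username,last_logon,enabled,privileged,reviewer
alice,2024-05-02,true,false,bob
bob,2024-05-10,true,true,bob
svc_backup,2023-11-30,true,false,alice
carol,2023-12-15,false,false,alice
dave,2024-01-20,true,true,alice
"""

# Constructed post-review export: svc_backup and carol were removed, but the
# privileged account dave was not, which the remediation check should surface.
POST_EXPORT = """username,last_logon,enabled,privileged,reviewer
alice,2024-05-02,true,false,bob
bob,2024-05-10,true,true,alice
dave,2024-01-20,true,true,alice
"""

REVIEW_DATE = date(2024, 5, 15)   # constructed "as of" date for this review
INACTIVITY_DAYS = 90              # assumed policy threshold for regular accounts
PRIVILEGED_INACTIVITY_DAYS = 30   # assumed stricter threshold for privileged accounts


def parse_listing(text):
    """Parse the assumed CSV export into typed account records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "last_logon": datetime.strptime(row["last_logon"], "%Y-%m-%d").date(),
            "enabled": row["enabled"].strip().lower() == "true",
            "privileged": row["privileged"].strip().lower() == "true",
            "reviewer": row["reviewer"],
        })
    return rows


def evidence_hash(text):
    """SHA-256 of the raw export, so the review record can be tied to the
    exact listing that was reviewed (completeness and accuracy evidence)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def review_listing(text, as_of=REVIEW_DATE):
    """Return (username, finding) pairs for stale, disabled and self-reviewed accounts.
    Privileged accounts are held to the stricter inactivity threshold."""
    findings = []
    for acct in parse_listing(text):
        idle_days = (as_of - acct["last_logon"]).days
        limit = PRIVILEGED_INACTIVITY_DAYS if acct["privileged"] else INACTIVITY_DAYS
        if not acct["enabled"]:
            findings.append((acct["username"], "disabled_account_candidate_for_removal"))
        elif idle_days > limit:
            findings.append((acct["username"], f"inactive_{idle_days}_days_exceeds_{limit}"))
        # Reviewer independence: nobody signs off on their own access.
        if acct["reviewer"] == acct["username"]:
            findings.append((acct["username"], "reviewer_independence_violation"))
    return findings


def confirm_remediation(before_text, after_text, expected_removed):
    """Compare the pre- and post-review listings and return the accounts that
    were supposed to be removed but are still present."""
    after_users = {a["username"] for a in parse_listing(after_text)}
    return {u for u in expected_removed if u in after_users}


def build_review_record(before_text, after_text, findings, expected_removed, as_of=REVIEW_DATE):
    """Assemble the evidence an auditor would need to re-perform the review."""
    return {
        "review_date": as_of.isoformat(),
        "pre_review_listing_sha256": evidence_hash(before_text),
        "post_review_listing_sha256": evidence_hash(after_text),
        "findings": findings,
        "still_present_after_remediation": sorted(
            confirm_remediation(before_text, after_text, expected_removed)),
    }


if __name__ == "__main__":
    found = review_listing(SAMPLE_EXPORT)
    record = build_review_record(SAMPLE_EXPORT, POST_EXPORT, found,
                                 ["svc_backup", "carol", "dave"])
    for key, value in record.items():
        print(f"{key}: {value}")
```

Running the script lists bob as a reviewer-independence violation (he is recorded as his own reviewer), svc_backup and dave as inactive beyond their respective thresholds, carol as a disabled account to consider for removal, and then reports that dave is still present in the post-review listing, which is exactly the kind of discrepancy the post-review listing in the audit template is meant to catch. The two SHA-256 values let the review record be matched to the exported files later.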

We recommend performing user access reviews on a regular basis (quarterly, semi-annually, annually, etc.). When selecting a review frequency, consider any compliance standards, laws, regulations, etc. that may be applicable to your organization, as well as the risk associated with the application/data in-scope for review.

Additionally, if your organization has the resources, there are tools and software to promote efficiency in the review process.

About Schneider Downs Risk Advisory 

Our team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is not only to understand the risks related to potential loss to the organization, but also to drive solutions that add value and to advise on opportunities to ensure minimal disruption to your business.

Explore our full Risk Advisory Service offerings or contact the team at [email protected]


Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
