Performing Effective User Access Reviews

Correcting mistakes that arise in the day-to-day management of access control.
Organizations can take many steps to manage access, such as adopting documented registration and de-registration processes, maintaining a list of service accounts, and segmenting networks. While all are effective ways of managing access, they occasionally fail.
For example, a step may be missed in the on-boarding process. A service account may be created but never documented. Or a new server is spun up with a share that exposes confidential information to departments that should never see it.
To compensate for these potential lapses, organizations should perform regular user access reviews.
User access reviews are detective controls: they compensate for failures in the preventive controls above by catching the access those failures leave behind. They also satisfy criteria in several well-known security frameworks:
ISO 27001 Annex A.9.2.5 (Review of user access rights):
Asset owners should review users’ access rights at regular intervals.
SOC 2 CC6.2 Point of Focus:
Reviews Appropriateness of Access Credentials—The appropriateness of access credentials is reviewed periodically for unnecessary and inappropriate individuals with credentials.
Here are some steps an organization can take to perform effective user access reviews:

1. Establish a list of all entry points into your network

Every organization has entry points into its systems, and each one is a path to critical information. Some examples of entry points are shown below:
[Figure: Entry Point Examples]
A user access review does not need to cover every entry point the organization uses. Instead, management must decide which entry points carry the highest risk and scope the review to those.
For most organizations, this will include the directory management tool, cloud service provider, source code repository, VPN, and physical access. Some organizations may need to review more entry points, depending on risk.

2. Establish a list of entities that have access and their required access levels

Next, the organization should create a list of every entity with access. This includes employees, contractors, service providers, service accounts, and building maintenance staff. For each entity, the list should record the level of access it is approved to hold, at each entry point in scope.
For instance, a network administrator requires domain admin rights in the directory management tool, while ordinary employees need only user-level access. Building maintenance might need physical access only between 5 and 9 p.m.
Management should routinely review this list and update it when changes occur.

3. Compare the list to current access rights

This is the bulk of the access review. At this point, management has established which entry points to check and the level of access each entity requires. Management now hands this list to the independent reviewer(s).
The reviewers compare the list against the access actually granted at each entry point, exported from the system itself rather than taken from the register. They should document the review as it is performed, with screenshots of the exported access lists and written notes, so the evidence can later be produced for an auditor.

4. Follow up on any exceptions

The reviewers must document every inappropriate access right they find. The relevant process owner must then either remove the access or justify why the current level is needed. After the review is complete, management should compile all exceptions and review them together. The purpose of this second pass is to find systemic control failures rather than one-off mistakes.
For example, if the reviewers find terminated employees still active in the physical access system, the off-boarding process is likely broken, not just one badge. Management should institute policy and process changes to fix these systemic failures.
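The comparison in steps 3 and 4 is mechanical once the register from step 2 and the exports from each entry point exist, and scripting it makes the review repeatable and the evidence reproducible. The script below is an added example, not part of the original post: it reconciles a constructed approved-access register against constructed exports for four entry points, flags four kinds of exception (undocumented account, inactive entity still holding access, access at an entry point that was never approved, and privilege above the approved level), and rolls the exceptions up by type so a systemic failure stands out. The entry point names, role names, and all accounts are hypothetical; map your own systems' roles onto the privilege scale before using it.

```python
"""Reconcile an approved-access register against exported current access for
each reviewed entry point, then roll exceptions up by type to expose systemic
control failures. Added example; every account and export below is constructed."""
from collections import Counter

# Privilege ordering used to decide whether a granted role exceeds the approved one.
# Hypothetical role names; map each real system's roles onto this scale.
ROLE_RANK = {"none": 0, "user": 1, "admin": 2, "domain_admin": 3}


def rank(role):
    """Unknown roles are treated as higher than any known one, so they get flagged."""
    return ROLE_RANK.get(role, max(ROLE_RANK.values()) + 1)


# Step 2 output: each entity, its status, and the highest role approved per entry point.
APPROVED = {
    "alice": {"status": "active", "access": {"directory": "user", "vpn": "user", "badge": "user"}},
    "bob": {"status": "active", "access": {"directory": "domain_admin", "vpn": "user", "cloud": "user"}},
    "carol": {"status": "terminated", "access": {}},
    "svc-backup": {"status": "active", "access": {"cloud": "admin", "directory": "user"}},
}

# Step 3 input: current access exported from each high-risk entry point chosen in step 1.
CURRENT = {
    "directory": {"alice": "user", "bob": "domain_admin", "carol": "user", "dave": "admin"},
    "vpn": {"alice": "user", "bob": "user"},
    "cloud": {"bob": "admin", "svc-backup": "admin", "svc-etl": "admin", "alice": "admin"},
    "badge": {"alice": "user", "carol": "user"},
}


def review_access(approved, current):
    """Return one (entry_point, principal, kind, detail) tuple per failed comparison."""
    exceptions = []
    for entry_point, grants in current.items():
        for principal, role in grants.items():
            record = approved.get(principal)
            if record is None:
                # Nobody approved this principal anywhere: an orphan or undocumented account.
                exceptions.append((entry_point, principal, "undocumented", role))
            elif record["status"] != "active":
                # An off-boarded entity still holds access somewhere.
                exceptions.append((entry_point, principal, "inactive_entity", role))
            elif entry_point not in record["access"]:
                # Known, active entity, but never approved for this entry point.
                exceptions.append((entry_point, principal, "unapproved_entry_point", role))
            elif rank(role) > rank(record["access"][entry_point]):
                approved_role = record["access"][entry_point]
                exceptions.append((entry_point, principal, "excess_privilege",
                                   f"{approved_role}->{role}"))
    return exceptions


def missing_access(approved, current):
    """Approved access that is not actually granted. Not a security exception, but it
    means the register has drifted from reality and should be corrected."""
    missing = []
    for principal, record in approved.items():
        if record["status"] != "active":
            continue
        for entry_point, role in record["access"].items():
            if principal not in current.get(entry_point, {}):
                missing.append((entry_point, principal, role))
    return missing


def summarize(exceptions):
    """Count exceptions by kind; a kind that recurs across entry points points to a
    broken process (e.g. off-boarding) rather than a one-off mistake."""
    return Counter(kind for _, _, kind, _ in exceptions)


if __name__ == "__main__":
    found = review_access(APPROVED, CURRENT)
    for entry_point, principal, kind, detail in found:
        print(f"{entry_point:10} {principal:12} {kind:24} {detail}")
    print("\nExceptions by kind (look for repeats):")
    for kind, count in summarize(found).most_common():
        print(f"  {kind:24} {count}")
    print("\nApproved but not granted (register drift):")
    for entry_point, principal, role in missing_access(APPROVED, CURRENT):
        print(f"  {entry_point:10} {principal:12} {role}")
```

On the constructed data the script reports six exceptions, two of which are the same terminated contractor still present in both the directory and the badge system; that repeat across entry points is the off-boarding failure the follow-up step is meant to surface. Each tuple the script returns is the item a reviewer records and hands to the process owner for removal or justification.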
Access control is an ongoing job, and sometimes things get missed. Regular user access reviews will catch these mistakes that occur in day-to-day operations.
The purpose of an access review is to confirm that every entity holds the access it needs to do its job and nothing more, which keeps the organization's risk to a minimum.
Questions about policies or compliance and where to start?
Contact us here! We’d love to chat with you and see how risk3sixty can meet your organization’s needs.
