6 Steps to Create an Effective User Access Review Program

Taking regular inventories of your users and their needs helps keep information, and your company, safe and secure. In discussing user access Deloitte’s David Mapgaonkar notes:

“Humans can still be bugged or tricked into revealing their passwords. There is malware, or malicious software installed on computers; there is phishing, in which cyber crooks grab login, credit card, and other data in the guise of legitimate-seeming websites or apps; and there are even “zero day” attacks, in which hackers exploit overlooked software vulnerabilities. And of course, old-fashioned human attacks persist, including shoulder-surfing to observe users typing in their passwords, dumpster-diving to find discarded password information, impersonating authority figures to extract passwords from subordinates, discerning information about the individual from social media sources to change their password, and employees selling corporate passwords.”
When the media discusses information security and cybersecurity concerns, passwords get the most attention. However, when it comes to user access reviews, password safety is the lowest risk of all. Reviewing user access is less about reviewing password safety and more about reviewing how much information an employee needs to do their job and verifying who the employee is – in other words, identity and access management.

With human error and electronic risks, internally monitoring your company’s user access is one way to protect information. Six to twelve months is a long time in the user access lifecycle. Particularly in larger corporations, employees enter and exit your workforce on a rotating basis and they change positions within your organization. At each stage, authentication is pivotal and must be managed regularly to ensure level of access for what needs to be done is accurate.
Often, former employees have access for far longer than they’re supposed to if a system administrator misses an employment termination email. An employee may have shifted departments, changing their user access needs and potentially posing a serious security threat. Internal assets can be compromised by employees who have outdated access. Therefore, reviewing a variety of different reports to ensure compliance and security matters. When trying to ensure that user access reviews are implemented successfully, you may want to consider some of the following tips.

What is a user access review?

A User Access Review (UAR), also commonly known as Access Certification or Entitlement Review, is a process that organizations implement to ensure that users have the appropriate access to systems, applications, and data. The primary purpose of a UAR is to prevent excessive or inappropriate access rights, which can pose security risks, especially the risk of insider threats.
The principle of least privilege is important to know when considering access control. Essentially, each user should have the absolute minimum access to systems and software possible. It is far better for them to have to request access to something they need than to discover they have access to many systems they don’t need. By allowing them too much access, the user has the opportunity to end up in places they shouldn’t be, seeing things they do not have reason or right to view, and potentially opening the door for the user to misuse the information or access. Least privilege-based access can be controlled by determining who has privileged access and to what, initiating role-based access control, and continuously monitoring access permissions, user accounts, and access policies through access audits.
Here’s a breakdown of what a User Access Review typically involves:

1. Identification of Access Points: This involves cataloging all the places where a user can access a system, including applications, databases, file servers, and other resources.
2. Listing Current Access Rights: For each user, generate a report or list of all the permissions and roles they currently have across the system. This is sometimes known as an “entitlement report”.
3. Review: Once the list is generated, it is then reviewed either by the user’s manager, the data owner, or a designated authority within the organization. They’ll verify whether the access listed is necessary and appropriate for the user’s role and responsibilities.
4. Remediation: If any discrepancies or excessive permissions are found, the reviewer can initiate a process to revoke or adjust the access rights. This step is crucial in ensuring that users only have access to what they need to perform their job functions.
5. Documentation: It’s vital to maintain records of each UAR, including who reviewed it, what decisions were made, and any actions taken as a result. This documentation can be crucial for audits and for tracking patterns over time.
6. Automation: Given the complexity and the potential for human error in manual reviews, many organizations use automated tools or solutions to manage the UAR process. These tools can schedule reviews, generate entitlement reports, facilitate the review process, track decisions, and even automate the remediation steps.

User Access Reviews are especially important in industries and environments where data security and privacy are paramount, such as healthcare, finance, and government. Regular UARs help organizations remain compliant with various regulatory standards and can significantly reduce the risk of data breaches and insider threats.

What is the difference between access review and access recertification?

“Access review” and “access recertification” are terms that are often used interchangeably, but they can have nuanced differences depending on the context. However, both have their own compliance requirements you’ll want to take note of. Here’s a breakdown of the two:
Access Review: This is the process of regularly examining user permissions and roles across systems, applications, and data to ensure they align with job functions and organizational policies.

1. Frequency: Can be done as often as required based on organizational needs, risk assessment, or regulatory compliance. Some organizations may conduct access reviews more frequently for high-risk areas.
2. Scope: Access reviews can be broad (covering all systems and users) or targeted (specific to an application, system, or set of users).
3. Purpose: To identify any misalignments or discrepancies in user access rights. It serves as a routine checkup.

Access Recertification: This is a subset of access review but specifically focuses on revalidating and reconfirming that existing permissions and roles are still appropriate for users. It’s a formalized process where access rights are typically approved (or revoked) by managers or data owners.

1. Frequency: Usually done at regular intervals, such as quarterly, semi-annually, or annually. The frequency often depends on regulatory requirements or internal policies.
2. Scope: Primarily targets existing permissions and roles to ensure they are still appropriate over time.
3. Purpose: To formally reconfirm and validate user access rights. It often results in approvals or revocations based on changes in job roles, projects, or organizational structures.

While both access review and access recertification aim to ensure the right users have the right access, the key difference often lies in the specificity and formality of the process. Access recertification is more formal and is specifically about revalidating existing access, while access review is a broader examination of user permissions. However, as mentioned earlier, these terms are frequently used interchangeably in many contexts, so it’s essential to clarify the intended meaning when discussing them in specific organizational settings.

Who should conduct a user access review?

A User Access Review (UAR) is an essential process that ensures the appropriate allocation of access rights within an organization. Deciding who should conduct these reviews is crucial to their effectiveness and integrity. Typically, the responsibility for conducting a UAR rests on a combination of several roles within an organization to ensure a comprehensive and unbiased evaluation.
Data or Resource Owners are often at the forefront of the UAR process. These are individuals or teams that have primary responsibility for specific data sets or system resources. Given their intimate knowledge of the data’s sensitivity and its relevance to the organization, they are ideally positioned to evaluate if certain users should have access. They can make informed decisions on who needs access to specific resources based on the data’s nature and its use cases within the organization.

Direct managers of employees also play a pivotal role. These Managers are familiar with the day-to-day responsibilities and tasks of their subordinates. As such, they have a clear understanding of the access rights their team members require to fulfill their roles effectively. By participating in the UAR process, managers ensure that access rights align accurately with job functions and that no excessive permissions are granted.

The involvement of IT or System Administrators is paramount. While they may not always make final decisions about user access, their role is instrumental in generating accurate reports detailing user permissions and access histories. Furthermore, they implement any necessary changes to user access after the review, ensuring that the organization’s systems reflect the decisions made during the UAR process.

Information Security Teams are another vital component of the UAR framework. Their expertise in organizational security policies and best practices provides valuable oversight to the process. They ensure that all reviews align with security guidelines, and often they offer tools, training, and support to those conducting reviews.

For organizations operating within regulated industries, the involvement of Compliance and Audit Teams becomes indispensable. These teams ensure that the UAR processes and decisions meet all regulatory standards and requirements. Their expertise is vital in guiding the frequency, documentation, and methodology of reviews.

In some cases, organizations may choose to engage External Auditors or Consultants. These third-party experts can offer an unbiased perspective, especially if an organization is gearing up for a regulatory audit or if there’s a perceived lack of internal expertise for conducting thorough reviews.

Why are user access reviews important?

UARs are essential for several reasons, primarily centering around security, compliance, and operational efficiency. Here’s a closer look at the significance of UARs:
1. Enhanced Security:

• Prevention of Unauthorized Access: Over time, employees may accumulate access rights due to role changes, project shifts, or evolving responsibilities. Without regular reviews, some users might retain access to data or systems they no longer need, increasing the risk of unauthorized or malicious actions.
• Mitigation of Insider Threats: Insider threats, whether malicious or accidental, are a significant security concern. Regularly verifying that users have appropriate access helps reduce the risk of data breaches or data leaks from within the organization.

2. Regulatory Compliance:

• Meeting Regulatory Standards: Many industries, such as finance, healthcare, and government, are governed by regulations that mandate regular reviews of user access to ensure data protection. Non-compliance can result in hefty fines or legal consequences.
• Audit Preparedness: Regular UARs ensure that organizations are ready for external audits. Proper documentation of these reviews demonstrates due diligence and proactive security measures.

3. Operational Efficiency:

• Streamlining Access: UARs help organizations identify redundant or obsolete access rights. Streamlining these can improve system performance and reduce potential points of confusion for users.
• Accurate Resource Allocation: By understanding who has access to what, organizations can make informed decisions about resource provisioning, licensing costs, and system capacity planning.

4. Risk Management:

• Identifying and Addressing Gaps: UARs can spotlight gaps in the current access control strategy, allowing for timely remediation. This proactive approach aids in risk mitigation.
• Maintaining Trust: For organizations that handle client or customer data, maintaining robust access controls and regular reviews reinforces trust and confidence in the organization’s commitment to data protection.

5. Maintaining Data Integrity:

• Regularly reviewing and adjusting access rights ensures that only authorized and knowledgeable individuals can modify or delete critical data, thereby preserving the integrity and reliability of the data.

6. Change Management:

• As organizations grow, undergo mergers or acquisitions, or experience shifts in structure or strategy, UARs help manage the transitions smoothly. They ensure that access rights remain aligned with the evolving landscape.

What Standards, Laws, and Regulations Encourage User Access Reviews?

UARs are advocated by various standards, laws, and regulations to ensure the security and privacy of data. These frameworks emphasize the importance of regularly checking and verifying user permissions to mitigate risks and uphold data integrity. Regardless of the specific framework, the underlying message is consistent: organizations must proactively manage and review user access to protect sensitive data and maintain trust with stakeholders.

1. Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a U.S. regulation designed to protect the privacy and security of individuals’ health information. Covered entities, which include healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates, are required to implement appropriate administrative, physical, and technical safeguards. One of these administrative measures involves regularly reviewing and verifying user access to electronic protected health information (ePHI) to ensure that only authorized personnel can access patient data.
2. Sarbanes-Oxley Act (SOX): Enacted in 2002, the Sarbanes-Oxley Act mandates U.S. public company boards, management, and public accounting firms to follow strict guidelines to enhance corporate responsibility and financial disclosures. One of the act’s sections, Section 404, emphasizes the importance of internal controls over financial reporting. Regular UARs are an integral part of these controls, ensuring that only authorized individuals have access to critical financial data and systems.
3. Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a global standard for organizations that handle credit card transactions. It mandates the implementation of strong access control measures. Among its many requirements, PCI DSS stipulates that organizations must regularly review user access to cardholder data and the card transaction environment. This is to ensure that only those with a legitimate business need can access sensitive payment information.
4. International Organization for Standardization (ISO) 27001: ISO 27001 is an international standard detailing best practices for information security management systems (ISMS). Within its framework, it emphasizes the importance of regular access reviews as part of its access control objectives. The standard calls for organizations to manage user access rights and review them regularly to minimize the risk of unauthorized access.
5. General Data Protection Regulation (GDPR): While the GDPR is primarily focused on data privacy rights for European Union citizens, its implications are global for organizations that process EU residents’ data. One of its key principles is ensuring data security, which indirectly encourages organizations to implement robust access controls, including UARs, to safeguard personal data from unauthorized access and breaches.
6. Federal Information Security Modernization Act (FISMA): A U.S. law that governs federal agencies, FISMA mandates the implementation of comprehensive information security programs. Regular reviews of user access form an integral part of this requirement, ensuring that federal data and IT assets remain secure.

What are the benefits of a user access review program?

A UAR program offers a structured approach to managing and verifying user permissions, ensuring alignment with an organization’s security policies, business requirements, and regulatory mandates. Instituting such a program presents several tangible and intangible benefits:

1. Enhanced Security Posture: A UAR program systematically identifies and rectifies instances of excessive or inappropriate access. By ensuring that users only possess permissions essential to their roles, the organization can significantly mitigate the risk of unauthorized access or malicious activities. Regular reviews help pinpoint potential vulnerabilities, reducing the chances of security breaches, either from external attackers exploiting unnecessary access privileges or from insider threats.
2. Regulatory Compliance and Audit Readiness: Many industries are subject to regulations that mandate stringent data protection measures. A UAR program helps organizations consistently meet these requirements, avoiding potential fines, penalties, or reputational damage. Additionally, having a structured review process in place with thorough documentation streamlines the audit process, demonstrating due diligence and proactive risk management to auditors.
3. Operational Efficiency: Through regular access reviews, organizations can optimize system and application performance by removing redundant or obsolete access rights. This streamlining not only minimizes potential access-related issues or conflicts but also can lead to savings, especially if system licenses or access costs are based on the number of active users or roles.
4. Data Integrity and Quality Assurance: By ensuring that only qualified and authorized personnel can access and modify data, a UAR program helps maintain data integrity. This assurance is particularly vital in sectors like healthcare or finance, where data accuracy is paramount. By preventing unauthorized data modifications or deletions, organizations can safeguard the reliability of their data-driven processes and decisions.
5. Fostered Organizational Trust: Regularly verifying and managing user access underscores an organization’s commitment to data protection and privacy. Stakeholders, be it employees, customers, or business partners, can have enhanced confidence in the organization’s dedication to safeguarding sensitive information. This trust can translate into improved business relations, customer loyalty, and an overall positive brand image.
6. Proactive Risk Management: Rather than reacting to security incidents or compliance violations, a UAR program allows organizations to adopt a proactive stance. By continually assessing and adjusting access rights, potential issues can be identified and addressed before they escalate into significant problems. This forward-thinking approach contributes to a robust risk management strategy.

Common challenges associated with user access reviews

User Access Reviews (UARs) are vital for maintaining an organization’s security posture and ensuring compliance. However, implementing and maintaining a UAR program can pose several challenges, both technical and organizational:

1. Volume and Complexity of Access Points: In today’s digital environment, employees often have access to numerous systems, applications, and data repositories. Keeping track of these numerous access points, especially in large or complex organizations, can be daunting. The sheer volume of data points to review can make the UAR process cumbersome and time-consuming.
2. Dynamic Business Environment: Organizational structures, roles, and responsibilities often evolve. Mergers, acquisitions, role changes, and staff turnovers can lead to outdated access rights. Keeping the UAR process updated in such a dynamic environment can be challenging, requiring continuous alignment with the changing business landscape.
3. Lack of Automation and Tools: Many organizations still rely on manual processes for UARs, which are not only labor-intensive but also prone to human error. Without proper tools or automation solutions, ensuring comprehensive and accurate reviews becomes a significant challenge.
4. Inconsistent or Ambiguous Review Criteria: Without clear guidelines or criteria for access reviews, different reviewers might make inconsistent decisions. Ambiguities in what constitutes “appropriate access” can lead to variability in results and potential security gaps.
5. Decentralized Systems and Siloed Information: Organizations often use a multitude of systems and applications, each with its own access control mechanisms and logs. Consolidating this information for a comprehensive review can be difficult, especially if systems don’t easily integrate or share data.
6. Reviewer Fatigue: Frequent or complex UARs can lead to “reviewer fatigue.” Overwhelmed by the volume of data and decisions, reviewers might rush through the process, potentially overlooking critical access issues or making hasty decisions.
7. Resistance to Change: Implementing or refining a UAR process can face resistance from both management and employees. Some might view it as an additional bureaucratic hurdle, while others might have concerns about privacy or micromanagement.
8. Documentation and Audit Trails: Maintaining detailed records of each UAR, including decisions made, rationales, and any subsequent actions, is crucial for both security and compliance. However, ensuring consistent and comprehensive documentation can be challenging, especially without automated systems.
9. Training and Awareness: For UARs to be effective, everyone involved needs to understand their importance and how to conduct them properly. This requires ongoing training and awareness campaigns, which can be resource intensive.
10. Ensuring Timely Remediation: Identifying inappropriate access is just one part of the UAR process. Once issues are spotted, timely remediation is crucial. However, ensuring swift action and follow-up, especially in large organizations, can be a significant challenge.

6 Ways to Create an Effective User Access Review Program

Assess User Access Risks

Risks are inherent in user access simply because people can be malicious or can make mistakes. When looking to review the risks to your organization, you want to assess the greatest risk in terms of who has the most open access to the most systems. In this case, developers and information technology professionals are your largest risk. Their access gives them a higher risk rating, although they are less likely to accidentally intrude upon your systems. This group requires more frequent review because their actions can cause the most business and system damage.

The second most risky group would be third party vendors. This group has access to your systems and information. Often, their uses range from a few weeks to a few months. With this group, the risk lies in forgetting that they have access upon discontinuation of the contractual relationship.

The final category of review involves employees. New employees pose an initial risk. Often, managers simply tell their IT department to add the person at the same level of access as a current employee.

Unfortunately, even though people work in the same department, they do not necessarily need the same system access. Inappropriate access assignation can result in violations of proper segregations of duties.

For those individuals whose employment has terminated, timeliness of access termination becomes another level of risk as involuntary termination can cause people to act maliciously. This means that termination of access should be as close to termination of employment. A final level of risk exists in those employees who transfer from one area to another without adequate review of their access needs. For many companies, the risk reviews are done annually but only glanced at while doing business before being approved.

To truly determine the risks posed to a business, the annual risk reviews need to do more than simply repeat the previous year’s risk. As a business evolves, its risks evolve, and to keep pace with this, user security roles need to match these organizational changes. Revoking privileges or changing roles can meaningfully improve fraud prevention.

Create Risk Appropriate Policies and Procedures

As with any compliance concern, risk-based policies and procedures form the foundation of the program. Once the organization has determined its risks, it can begin to review the ways in which those risks will be mitigated. Two generalized approaches to policies and procedures exist.

With the Deny All approach, no one gets access unless they specifically need it.
With this mindset, IT reviews ongoing requests, determining additional access on a need-to-have, case-by-case basis.

With the Allow All approach, everyone is granted access until they have proven their untrustworthiness.

Traditionally, the Deny All approach is considered the safest; however, for smaller organizations where jobs overlap, the Allow All might be best. Compliance concerns such as segregation of duties need to be reviewed regardless of which method an organization chooses.

To account for these types of compliance issues, different access rights across departments and jobs should also be considered.

Most security lies in action and row security. Action security means securing users from executing actions: for example, some employees may only require read-only rights. Others may need update to information rights. Still, others may need to be able to add and delete information. Row security relates to the type of information or records users can access.

For example, certain group may need to access all customers but not all vendors. Limiting the access to information adds security to the organization. Organizations can make any determination for themselves within these spectrums of access, but they must do so thoughtfully.

Train Staff

Most managers assume that user access review responsibility is solely within the purview of the IT department. When asked to do their own reviews, they look at stacks of sheets, add the required signatures, and submit the forms. Doing this meets the requirement but not the function of user access reviews.
For an organization to be secure, everyone from managers to IT to HR needs to understand their role in the process.

For example, if managers are not thinking about providing employees with appropriate access and simply adding access without clear purpose, security administration becomes unwieldy due to too many users touching too many assets. This, in turn, makes the managers’ stack of review items larger which makes them less likely to clearly understand what they are reviewing.

Breaking this cycle requires training and communication between departments so that everyone understands their roles. When training employees, it’s also important to create a culture of security. This means that the CFO, CIO, and VPs should be attending the trainings as well.

If those reviewing employee performance do not take security seriously, those engaged in protecting the security will not see its value. Schedule reviews regularly since employee populations change so quickly, CISOs and CIOs need to focus on keeping reports updated to match current moments in time. This helps the auditors, who like to see up-to-date materials and evidence. For reports being run on a regular basis, providing audit documentation that is older than 30 days can sometimes be a problem. Additionally, reports can take a while to review, so scheduling them to all run on the same day and being able to review them by a given deadline may not be feasible.

Set Alerts from Monitoring Software

Alerts from Monitoring Software

Most user access reviews are done for compliance, not security purposes, although that line can be blurry. Although more of a security than a compliance function, reviewing daily alerts from monitoring software can help find areas where a user’s access may have been compromised. Lags in rescinding access can lead to gaps in security that highlight compliance.

Compliance seeks to standardize methods of asset protection: report  monthlywhile the daily monitoring of these reports is not related to compliance as such, it is within the purpose of monitoring. Monitoring alert logs can point to weaknesses in controls or failure of controls. Inconsistent deactivation of accounts means that the policy/processes are either unclear or missing key steps.

User Access Changes

Run monthly, these reports can help you target at a high level whether your workflows are efficient. For smaller organizations, review report monthly may be appropriate. For larger organizations, reviewing a random sampling of these reports can help determine whether the users are being granted the appropriate access and whether the revocations are being done in a timely manner. Discrepancies in the sample should trigger a full verification.

Review Function Access Profiles

Reviewing function access profiles is one of the most important parts of user access reviews. Function access reviews not only ensure all employees have the access they need but make sure that your organization is updating what employees don’t need.

If an employee is not using the asset, they shouldn’t have access because it opens a vulnerability.

For example, if an employee moves from the development side of the house to the sales side, their access needs to be limited. If the employee looks for information because they “still have access,” they may accidentally change settings due to updates that they did not know were installed. Some of the key reports that can be used to track access rights are the role listing by functional area, user listing by role, action security by role, row security by role library of applications, and key application reports.

Plugging the holes regularly is important!
Even if the move is within the organization, updated access protects against employee accidents and malicious employee access. Moreover, continually updated access ensures the least damage is done if the employee’s information is used by someone outside the organization.

Manager Reviews of Employee Profiles

Annually asking managers to review the employee access profiles adds not only another protective layer of review but can provide insight into employee access needs that may not be related to intra-organizational moves or employment terminations. Managers know when special projects that added access have ended and including them in the review process annually can close gaps. Equally important to any organization is to make sure that supervisors are trained to understand the consequences of missed notifications.

Review Employee Termination Procedures

At least annually, it’s important to review the termination procedures set by human resources and compare that to a sample list of people who have had their access revoked. No one wants a former employee to have access to their information. More importantly, this review should show how well the two departments are communicating. Communication in these cases is just as important as action.

Automate Reviews and Compliance

Whenever possible, use tools available to your organization to perform user access reviews. Ideally, your organization may want to use some type of identity management tool such as Core Security and SailPoint,to automate the removal of terminated employees’ access. These tools provide an essential bridge between HR systems and directory services and can provide valuable transaction data on changes to a user’s employment status or role within the organization.
When trying to organize large-scale communication between different departments, compliance management software is one of the most cost-effective tools to help IT professionals coordinate with other departments. The importance of ongoing user access reviews cannot be overstated.

Communicate Between Departments

To run a secure business and protect the organization’s assets, constant vigilance is necessary and consistent communication between IT, managers, and HR must happen.

Communication is one of the key assets of automation.
Automation sets the cadence for review so the process can run itself.
For example, ZenGRC automates information sharing and people taking action. Platforms send out reminders to those who need to complete tasks, creating automated “to do” lists. In ZenGRC, by clicking on the assigned task the responsible party is brought directly to the instructions and resources that are linked through the corporate Google Drive. This automation process streamlines the activity making it less burdensome and more likely to be completed in a timely manner.

By connecting the user list and other resources through the automated platform, automation also allows for consistent documentation of these reviews. An automation program like ZenGRC engages communication between all parties in two different ways: workflow and audit documentation. With interdepartmental communication being so important to the user access review process, automation closes the gaps that lead to compliance issues. Automation shares the information across the relationships. This means that as items are updated across the GRC space, any department can view evidence of the related items and controls.

Manage Risks and Compliance with ZenGRC

Undoubtedly, user access reviews play a pivotal role in safeguarding a company’s digital assets, and ZenGRC offers a streamlined solution for this crucial task. Managing risks and ensuring compliance have never been more paramount in today’s interconnected digital landscape. With ZenGRC, organizations can seamlessly control the extent of freedom employees have over proprietary data, warding off potential threats, be they borne out of malicious intent or mere oversight.

It’s essential that access to programs and data is meticulously tailored to an individual’s role within the organization. ZenGRC ensures that such access is granted judiciously, fortifying the safety of the company’s valuable assets. By integrating ZenGRC’s robust platform, top executives to frontline employees can collaboratively foster a holistic culture of security. Embracing ZenGRC not only bolsters an organization’s defense mechanisms but also ensures that regulatory compliance is consistently met, shielding the company from potential liabilities and reinforcing its reputation in the industry.