User Access Review
This week’s control is on user access review. Jose Costa (CISO at Tugboat Logic) and Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic) explain why user access review is important and how you can implement it for your audits.
What Is a User Access Review Procedure?
“AC3.7 – User Account Reviews – Management performs a quarterly user access review for in-scope system components to ensure that access is restricted appropriately. Access is modified or removed in a timely manner based on the results of the review.”
Much like the “Control of the Week” on access control we covered, this control is another gatekeeper for your data. Through careful documentation and ownership over the systems that grant or deny access, User Account Reviews are a preventative control designed to stop potential risks to your data.
PS: Want to streamline risk identification and conduct better assessments, faster? Download The Art of the Enterprise IT Risk Assessment and learn how to get executive buy-in and create a more effective risk management practice across your team and organization.
It’s also another control that many fail in an audit because it’s easy to overlook.
As your organization grows, more users are going to have access to your data, making it difficult to manage who should and should not have access. Ideally, these users would be managed with an on/offboarding process, but organizations sometimes overlook that documentation process.
How to Implement a User Access Review Audit
Follow these three steps to set up a process to check who has access and whether or not they should have access:
- Step 1: Have your “Security Czar” (or someone on the security and/or engineering team) get a list of all the users, their roles, system accounts, administrators, and other relevant information. Then send it to the application owner and request it back to verify that the accounts are correct.
- Step 2: Send the list to all of the application owners (i.e. the admins) to verify that the accounts are correct. Have the application owners send their verification back.
- Step 3: Set a reminder to conduct user access reviews every quarter (or month, if you want to be more stringent in your security). Note that whoever performs the review must remind application owners to clear the review.
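One way to track the three steps above, as an added example that is not from the original post or from Tugboat Logic: it groups an exported account list by application owner, reconciles the owners' answers so that an account with no answer is never treated as approved, and checks whether the next review is overdue. The CSV columns, the sample accounts and owners, and the 90-day interval standing in for "quarterly" are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export (Step 1): one row per account, system accounts included.
EXPORT = """account,role,type,application,owner
alice,admin,user,billing,dana
bob,read-only,user,billing,dana
svc-backup,admin,system,billing,dana
carol,editor,user,wiki,erin
"""

# Constructed owner answers (Step 2): (application, account) -> decision.
RESPONSES = {
    ("billing", "alice"): "keep",
    ("billing", "bob"): "remove",
    ("wiki", "carol"): "keep",
}


def load_accounts(text):
    """Parse the exported account list into one dict per account."""
    return list(csv.DictReader(io.StringIO(text)))


def review_packets(accounts):
    """Group accounts by application owner: the list each owner must verify."""
    packets = {}
    for acct in accounts:
        packets.setdefault(acct["owner"], []).append(acct)
    return packets


def reconcile(accounts, responses):
    """Sort every exported account into keep / remove / unreviewed.

    A missing or unrecognised answer lands in 'unreviewed', so silence from
    an owner never counts as approval.
    """
    result = {"keep": [], "remove": [], "unreviewed": []}
    for acct in accounts:
        decision = responses.get((acct["application"], acct["account"]))
        bucket = decision if decision in ("keep", "remove") else "unreviewed"
        result[bucket].append(acct["account"])
    return result


def is_overdue(last_review, today, interval_days=90):
    """Step 3: True when the next review date has passed (90 days assumed)."""
    return today > last_review + timedelta(days=interval_days)
```

In this sample the system account `svc-backup` ends up unreviewed because the owner's answer left it out, which is the follow-up the reviewer has to chase before the review can be cleared.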
User Access Review Additional Audit Checklist
- Put your user access review procedure in place
- Once you get your user access review procedure in place, you have to make sure that all requests for access are documented
- Ensure last-minute requests and emergency-situation privileges are audited frequently
- If someone other than your head of security conducts the user access review procedure, then make sure that s/he adheres to every step.
- Last, but certainly not least: always review your system accounts!
As always, give us a shout if you have any questions about the controls and how to implement them.